* [GIT PULL] integrity: subsystem fixes for v7.1
@ 2026-04-16 13:18 Mimi Zohar
  2026-04-17 22:58 ` pr-tracker-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Mimi Zohar @ 2026-04-16 13:18 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-integrity, linux-kernel, Roberto Sassu

Hi Linus,

There are 2 main changes, 1 feature removal, some code cleanup, and
a number of bug fixes.

Main changes:
- Detecting secure boot mode was limited to IMA.  Make detecting secure boot
mode accessible to EVM and other LSMs.
- IMA sigv3 support was limited to fsverity.  Add IMA sigv3 support for IMA
regular file hashes and EVM portable signatures.

Remove:
- Remove IMA support for asynchronous hash calculation originally added for
hardware acceleration.

Cleanup:
- Remove unnecessary Kconfig CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG tests.
- Add descriptions of the IMA atomic flags.

Bug fixes:
- Like IMA, properly limit EVM "fix" mode.
- Define and call evm_fix_hmac() to update security.evm.
- Fall back to using i_version to detect file change for filesystems that do not
support STATX_CHANGE_COOKIE.
- Address missing kernel support for configured (new) TPM hash algorithms.
- Add missing crypto_shash_final() return value.

Thanks,

Mimi

The following changes since commit 11439c4635edd669ae435eec308f4ab8a0804808:

  Linux 7.0-rc2 (2026-03-01 15:39:31 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/ tags/integrity-v7.1

for you to fetch changes up to 82bbd447199ff1441031d2eaf9afe041550cf525:

  evm: Enforce signatures version 3 with new EVM policy 'bit 3' (2026-04-01 10:16:53 -0400)

----------------------------------------------------------------
integrity-v7.1

----------------------------------------------------------------
Coiby Xu (5):
      integrity: Make arch_ima_get_secureboot integrity-wide
      evm: Don't enable fix mode when secure boot is enabled
      s390: Drop unnecessary CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
      evm: fix security.evm for a file with IMA signature
      ima: Add code comments to explain IMA iint cache atomic_flags

Daniel Hodges (1):
      ima: check return value of crypto_shash_final() in boot aggregate

Dmitry Safonov (1):
      ima_fs: Correctly create securityfs files for unsupported hash algos

Eric Biggers (1):
      ima: remove buggy support for asynchronous hashes

Mimi Zohar (4):
      ima: fallback to using i_version to detect file change
      ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures
      ima: add regular file data hash signature version 3 support
      ima: add support to require IMA sigv3 signatures

Nathan Chancellor (1):
      integrity: Eliminate weak definition of arch_get_secureboot()

Roberto Sassu (1):
      ima: Define and use a digest_size field in the ima_algo_desc structure

Stefan Berger (2):
      integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
      evm: Enforce signatures version 3 with new EVM policy 'bit 3'

Thomas Weißschuh (2):
      ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
      powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG

 Documentation/ABI/testing/evm                   |   1 +
 Documentation/ABI/testing/ima_policy            |  10 +-
 Documentation/admin-guide/kernel-parameters.txt |  17 --
 MAINTAINERS                                     |   1 +
 arch/Kconfig                                    |   3 +
 arch/powerpc/Kconfig                            |   1 +
 arch/powerpc/kernel/ima_arch.c                  |   8 +-
 arch/powerpc/kernel/secure_boot.c               |   6 +
 arch/s390/Kconfig                               |   2 +-
 arch/s390/kernel/Makefile                       |   1 -
 arch/s390/kernel/ima_arch.c                     |  14 -
 arch/s390/kernel/ipl.c                          |   6 +
 arch/x86/include/asm/efi.h                      |   4 +-
 arch/x86/platform/efi/efi.c                     |   2 +-
 include/linux/evm.h                             |   8 +
 include/linux/ima.h                             |   7 +-
 include/linux/secure_boot.h                     |  23 ++
 security/integrity/Makefile                     |   1 +
 security/integrity/digsig.c                     |   8 +-
 security/integrity/digsig_asymmetric.c          |  59 ++++
 security/integrity/efi_secureboot.c             |  56 ++++
 security/integrity/evm/evm.h                    |   3 +-
 security/integrity/evm/evm_main.c               |  69 ++++-
 security/integrity/ima/ima.h                    |  29 +-
 security/integrity/ima/ima_api.c                |  13 +-
 security/integrity/ima/ima_appraise.c           |  79 ++---
 security/integrity/ima/ima_crypto.c             | 390 +-----------------------
 security/integrity/ima/ima_efi.c                |  53 +---
 security/integrity/ima/ima_fs.c                 |  34 ++-
 security/integrity/ima/ima_main.c               |  37 ++-
 security/integrity/ima/ima_policy.c             |  22 +-
 security/integrity/integrity.h                  |  15 +-
 security/integrity/platform_certs/load_uefi.c   |   2 +-
 33 files changed, 398 insertions(+), 586 deletions(-)
 delete mode 100644 arch/s390/kernel/ima_arch.c
 create mode 100644 include/linux/secure_boot.h
 create mode 100644 security/integrity/efi_secureboot.c
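
Added example, not part of the pull request or of the kernel tree: a POSIX shell check that decodes the UEFI SecureBoot variable as exposed by efivarfs and reports whether an ima_appraise=fix or evm=fix request on the kernel command line would be expected to take effect, given the rule stated above that fix mode is not enabled when secure boot is enabled (IMA already behaved this way; this series extends it to EVM). The efivarfs layout (4 little-endian attribute bytes followed by the variable data) and the SecureBoot variable GUID are UEFI/efivarfs facts; the function names and the sample files used to exercise them are the example's own.

```shell
#!/bin/sh
# Added example, not part of the pull request or the kernel tree.
# Decodes the UEFI SecureBoot variable as exposed by efivarfs and
# cross-checks it against IMA/EVM "fix" requests on the kernel command
# line. Paths are parameters so the functions also run against
# constructed sample files. POSIX sh: variables are global, no "local".

# efivarfs presents each variable as 4 little-endian attribute bytes
# followed by the variable data; SecureBoot's data is one byte (0 or 1).
# The GUID is EFI_GLOBAL_VARIABLE_GUID, which SecureBoot lives under.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# sb_state FILE -> enabled | disabled | unknown
sb_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # skip the 4 attribute bytes, read exactly one data byte as decimal
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;   # absent or malformed data
    esac
}

# fix_requests CMDLINE_FILE -> "ima", "evm", "ima evm" (in cmdline order) or "none"
fix_requests() {
    line=$(cat "$1") || return 1
    reqs=""
    for tok in $line; do
        case "$tok" in
            ima_appraise=fix) reqs="$reqs ima" ;;
            evm=fix)          reqs="$reqs evm" ;;
        esac
    done
    if [ -n "$reqs" ]; then echo "${reqs# }"; else echo none; fi
}

# fix_mode_honored SB_FILE CMDLINE_FILE -> yes | no | unknown | "not requested"
# With secure boot enabled, IMA and (after this series) EVM ignore "fix".
# "yes" only means secure boot does not block it; the kernel still has to
# be built with the corresponding IMA/EVM appraisal support.
fix_mode_honored() {
    reqs=$(fix_requests "$2") || return 1
    if [ "$reqs" = none ]; then
        echo "not requested"
        return 0
    fi
    case "$(sb_state "$1")" in
        enabled)  echo no ;;
        disabled) echo yes ;;
        *)        echo unknown ;;
    esac
}

# Report on the running system when invoked with --live; otherwise only
# define the functions so the file can be sourced or tested offline.
if [ "${1:-}" = "--live" ]; then
    echo "secure boot:      $(sb_state "$SB_VAR")"
    echo "fix requests:     $(fix_requests /proc/cmdline)"
    echo "fix mode honored: $(fix_mode_honored "$SB_VAR" /proc/cmdline)"
fi
```

The efivars check covers EFI platforms only; the diffstat above shows powerpc and s390 carrying their own secure-boot detection (arch/powerpc/kernel/secure_boot.c, arch/s390/kernel/ipl.c), which this script does not read. Run it as `sh check.sh --live` on the target, or source it and call the functions on captured files.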
