<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in ima_policy</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
    <generator>Java</generator><item>
        <title>f20765fd - integrity: Always reference the blacklist keyring with appraisal</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#f20765fd</link>
        <description>integrity: Always reference the blacklist keyring with appraisalCommit 273df864cf746 (&quot;ima: Check against blacklisted hashes for files withmodsig&quot;) introduced an appraise_flag option for referencing the blacklistkeyring.  Any matching binary found on this keyring fails signaturevalidation. This flag only works with module appended signatures.An important part of a PKI infrastructure is to have the ability to dorevocation at a later time should a vulnerability be found.  Expand therevocation flag usage to all appraisal functions. The flag is nowenabled by default. Setting the flag with an IMA policy has beendeprecated. Without a revocation capability like this in place, onlyauthenticity can be maintained. With this change, integrity can now beachieved with digital signature based IMA appraisal.Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;Reviewed-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Wed, 26 Jul 2023 21:17:25 +0000</pubDate>
        <dc:creator>Eric Snowberg &lt;eric.snowberg@oracle.com&gt;</dc:creator>
    </item>
<item>
        <title>4958db32 - ima: Introduce MMAP_CHECK_REQPROT hook</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#4958db32</link>
        <description>ima: Introduce MMAP_CHECK_REQPROT hookCommit 98de59bfe4b2f (&quot;take calculation of final prot insecurity_mmap_file() into a helper&quot;) caused ima_file_mmap() to receive theprotections requested by the application and not those applied by thekernel.After restoring the original MMAP_CHECK behavior, existing attestationservers might be broken due to not being ready to handle new entries(previously missing) in the IMA measurement list.Restore the original correct MMAP_CHECK behavior, instead of keeping thecurrent buggy one and introducing a new hook with the correct behavior.Otherwise, there would have been the risk of IMA users not noticing theproblem at all, as they would actively have to update the IMA policy, toswitch to the correct behavior.Also, introduce the new MMAP_CHECK_REQPROT hook to keep the currentbehavior, so that IMA users could easily fix a broken attestation server,although this approach is discouraged due to potentially missingmeasurements.Signed-off-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Tue, 31 Jan 2023 17:42:44 +0000</pubDate>
        <dc:creator>Roberto Sassu &lt;roberto.sassu@huawei.com&gt;</dc:creator>
    </item>
<item>
        <title>398c42e2 - ima: support fs-verity file digest based version 3 signatures</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#398c42e2</link>
        <description>ima: support fs-verity file digest based version 3 signaturesIMA may verify a file&apos;s integrity against a &quot;good&quot; value stored in the&apos;security.ima&apos; xattr or as an appended signature, based on policy.  Whenthe &quot;good value&quot; is stored in the xattr, the xattr may contain a filehash or signature.  In either case, the &quot;good&quot; value is preceded by aheader.  The first byte of the xattr header indicates the type of data- hash, signature - stored in the xattr.  To support storing fs-veritysignatures in the &apos;security.ima&apos; xattr requires further differentiatingthe fs-verity signature from the existing IMA signature.In addition the signatures stored in &apos;security.ima&apos; xattr, need to bedisambiguated.  Instead of directly signing the fs-verity digest, a newsignature format version 3 is defined as the hash of the ima_file_idstructure, which identifies the type of signature and the digest.The IMA policy defines &quot;which&quot; files are to be measured, verified, and/oraudited.  For those files being verified, the policy rules indicate &quot;how&quot;the file should be verified.  For example to require a file be signed,the appraise policy rule must include the &apos;appraise_type&apos; option.	appraise_type:= [imasig] | [imasig|modsig] | [sigv3]           where &apos;imasig&apos; is the original or signature format v2 (default),           where &apos;modsig&apos; is an appended signature,           where &apos;sigv3&apos; is the signature format v3.The policy rule must also indicate the type of digest, if not the IMAdefault, by first specifying the digest type:	digest_type:= [verity]The following policy rule requires fsverity signatures.  The rule may beconstrained, for example based on a fsuuid or LSM label.      appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3Acked-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Wed, 24 Nov 2021 15:56:33 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>54f03916 - ima: permit fsverity&apos;s file digests in the IMA measurement list</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#54f03916</link>
        <description>ima: permit fsverity&apos;s file digests in the IMA measurement listPermit fsverity&apos;s file digest (a hash of struct fsverity_descriptor) tobe included in the IMA measurement list, based on the new measurementpolicy rule &apos;digest_type=verity&apos; option.To differentiate between a regular IMA file hash from an fsverity&apos;sfile digest, use the new d-ngv2 format field included in the ima-ngv2template.The following policy rule requires fsverity file digests and specifiesthe new &apos;ima-ngv2&apos; template, which contains the new &apos;d-ngv2&apos; field.  Thepolicy rule may be constrained, for example based on a fsuuid or LSMlabel.measure func=FILE_CHECK digest_type=verity template=ima-ngv2Acked-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Thu, 23 Dec 2021 17:29:56 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>40224c41 - ima: add gid support</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#40224c41</link>
        <description>ima: add gid supportIMA currently supports the concept of rules based on uid where the ruleis based on the uid of the file owner or the uid of the user accessingthe file. Provide the ability to have similar rules based on gid.Signed-off-by: Curtis Veit &lt;veit@vpieng.com&gt;Co-developed-by: Alex Henrie &lt;alexh@vpitech.com&gt;Signed-off-by: Alex Henrie &lt;alexh@vpitech.com&gt;Reviewed-by: Petr Vorel &lt;pvorel@suse.cz&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Thu, 07 Oct 2021 20:03:02 +0000</pubDate>
        <dc:creator>Curtis Veit &lt;veit@vpieng.com&gt;</dc:creator>
    </item>
<item>
        <title>18e49b30 - ABI: security: fix location for evm and ima_policy</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#18e49b30</link>
        <description>ABI: security: fix location for evm and ima_policyThe What: definitions there are wrong, pointing to differentlocations than what&apos;s expected.Reviewed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;Signed-off-by: Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;Link: https://lore.kernel.org/r/b2563ac34c2e234cdd728f0c701b57ac9023c45a.1631782432.git.mchehab+huawei@kernel.orgSigned-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Thu, 16 Sep 2021 08:59:31 +0000</pubDate>
        <dc:creator>Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>4f2946aa - IMA: introduce a new policy option func=SETXATTR_CHECK</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#4f2946aa</link>
        <description>IMA: introduce a new policy option func=SETXATTR_CHECKWhile users can restrict the accepted hash algorithms for thesecurity.ima xattr file signature when appraising said file, userscannot restrict the algorithms that can be set on that attribute:any algorithm built in the kernel is accepted on a write.Define a new value for the ima policy option &apos;func&apos; that restrictsglobally the hash algorithms accepted when writing the security.imaxattr.When a policy contains a rule of the form	appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512only values corresponding to one of these three digest algorithmswill be accepted for writing the security.ima xattr.  Attempting towrite the attribute using another algorithm (or &quot;free-form&quot; data)will be denied with an audit log message.  In the absence of such apolicy rule, the default is still to only accept hash algorithmsbuilt in the kernel (with all the limitations that entails).Signed-off-by: THOBY Simon &lt;Simon.THOBY@viveris.fr&gt;Reviewed-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Mon, 16 Aug 2021 08:11:01 +0000</pubDate>
        <dc:creator>THOBY Simon &lt;Simon.THOBY@viveris.fr&gt;</dc:creator>
    </item>
<item>
        <title>583a80ae - IMA: add a policy option to restrict xattr hash algorithms on appraisal</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#583a80ae</link>
        <description>IMA: add a policy option to restrict xattr hash algorithms on appraisalThe kernel has the ability to restrict the set of hash algorithms itaccepts for the security.ima xattr when it appraises files.Define a new IMA policy rule option &quot;appraise_algos=&quot;, using thementioned mechanism to expose a user-toggable policy knob to opt-into that restriction and select the desired set of algorithms thatmust be accepted.When a policy rule uses the &apos;appraise_algos&apos; option, appraisal of afile referenced by that rule will now fail if the digest algorithmemployed to hash the file was not one of those explicitly listed inthe option.  In its absence, any hash algorithm compiled in thekernel will be accepted.For example, on a system where SELinux is properly deployed, the rule	appraise func=BPRM_CHECK obj_type=iptables_exec_t \		appraise_algos=sha256,sha384will block the execution of iptables if the xattr security.ima of itsexecutables were not hashed with either sha256 or sha384.Signed-off-by: THOBY Simon &lt;Simon.THOBY@viveris.fr&gt;Reviewed-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Mon, 16 Aug 2021 08:11:00 +0000</pubDate>
        <dc:creator>THOBY Simon &lt;Simon.THOBY@viveris.fr&gt;</dc:creator>
    </item>
<item>
        <title>c418eed8 - docs: ABI: testing: ima_policy: Fixed missing bracket</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#c418eed8</link>
        <description>docs: ABI: testing: ima_policy: Fixed missing bracketThis fixes a minor typo.Fixes: 34433332841d (&quot;docs: ABI: testing: make the files compatible with ReST output&quot;)Signed-off-by: Michael Wei&#223; &lt;michael.weiss@aisec.fraunhofer.de&gt;Link: https://lore.kernel.org/r/20210215102031.10622-1-michael.weiss@aisec.fraunhofer.deSigned-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Mon, 15 Feb 2021 10:20:29 +0000</pubDate>
        <dc:creator>Michael Wei&#223; &lt;michael.weiss@aisec.fraunhofer.de&gt;</dc:creator>
    </item>
<item>
        <title>b3f82afc - IMA: Measure kernel version in early boot</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#b3f82afc</link>
        <description>IMA: Measure kernel version in early bootThe integrity of a kernel can be verified by the boot loader on coldboot, and during kexec, by the current running kernel, before it isloaded. However, it is still possible that the new kernel beingloaded is older than the current kernel, and/or has knownvulnerabilities. Therefore, it is imperative that an attestationservice be able to verify the version of the kernel being loaded onthe client, from cold boot and subsequent kexec system calls,ensuring that only kernels with versions known to be good are loaded.Measure the kernel version using ima_measure_critical_data() early onin the boot sequence, reducing the chances of known kernelvulnerabilities being exploited. With IMA being part of the kernel,this overall approach makes the measurement itself more trustworthy.To enable measuring the kernel version &quot;ima_policy=critical_data&quot;needs to be added to the kernel command line arguments.For example,        BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset ima_policy=critical_dataIf runtime measurement of the kernel version is ever needed, thefollowing should be added to /etc/ima/ima-policy:        measure func=CRITICAL_DATA label=kernel_infoTo extract the measured data after boot, the following command can be used:        grep -m 1 &quot;kernel_version&quot; \        /sys/kernel/security/integrity/ima/ascii_runtime_measurementsSample output from the command above:        10 a8297d408e9d5155728b619761d0dd4cedf5ef5f ima-buf        sha256:5660e19945be0119bc19cbbf8d9c33a09935ab5d30dad48aa11f879c67d70988        kernel_version 352e31312e302d7263332d31363138372d676564623634666537383234342d6469727479The above hex-ascii string corresponds to the kernel version(e.g. xxd -r -p):        5.11.0-rc3-16187-gedb64fe78244-dirtySigned-off-by: Raphael Gianotti &lt;raphgi@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Tue, 26 Jan 2021 19:14:53 +0000</pubDate>
        <dc:creator>Raphael Gianotti &lt;raphgi@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>fdd1ffe8 - selinux: include a consumer of the new IMA critical data hook</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#fdd1ffe8</link>
        <description>selinux: include a consumer of the new IMA critical data hookSELinux stores the active policy in memory, so the changes to this dataat runtime would have an impact on the security guarantees providedby SELinux.  Measuring in-memory SELinux policy through IMA subsystemprovides a secure way for the attestation service to remotely validatethe policy contents at runtime.Measure the hash of the loaded policy by calling the IMA hookima_measure_critical_data().  Since the size of the loaded policycan be large (several MB), measure the hash of the policy instead ofthe entire policy to avoid bloating the IMA log entry.To enable SELinux data measurement, the following steps are required:1, Add &quot;ima_policy=critical_data&quot; to the kernel command line arguments   to enable measuring SELinux data at boot time.For example,  BOOT_IMAGE=/boot/vmlinuz-5.10.0-rc1+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data2, Add the following rule to /etc/ima/ima-policy   measure func=CRITICAL_DATA label=selinuxSample measurement of the hash of SELinux policy:To verify the measured data with the current SELinux policy runthe following commands and verify the output hash values match.  sha256sum /sys/fs/selinux/policy | cut -d&apos; &apos; -f 1  grep &quot;selinux-policy-hash&quot; /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d&apos; &apos; -f 6Note that the actual verification of SELinux policy would require loadingthe expected policy into an identical kernel on a pristine/known-safesystem and run the sha256sum /sys/kernel/selinux/policy there to getthe expected hash.Signed-off-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;Suggested-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;Acked-by: Paul Moore &lt;paul@paul-moore.com&gt;Reviewed-by: Tyler Hicks &lt;tyhicks@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Thu, 14 Jan 2021 19:15:22 +0000</pubDate>
        <dc:creator>Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>47d76a48 - IMA: limit critical data measurement based on a label</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#47d76a48</link>
        <description>IMA: limit critical data measurement based on a labelIntegrity critical data may belong to a single subsystem or it mayarise from cross subsystem interaction.  Currently there is no mechanismto group or limit the data based on certain label.  Limiting andgrouping critical data based on a label would make it flexible andconfigurable to measure.Define &quot;label:=&quot;, a new IMA policy condition, for the IMA funcCRITICAL_DATA to allow grouping and limiting measurement of integritycritical data.Limit the measurement to the labels that are specified in the IMApolicy - CRITICAL_DATA+&quot;label:=&quot;.  If &quot;label:=&quot; is not provided withthe func CRITICAL_DATA, measure all the input integrity critical data.Signed-off-by: Tushar Sugandhi &lt;tusharsu@linux.microsoft.com&gt;Reviewed-by: Tyler Hicks &lt;tyhicks@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Fri, 08 Jan 2021 04:07:05 +0000</pubDate>
        <dc:creator>Tushar Sugandhi &lt;tusharsu@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>c4e43aa2 - IMA: add policy rule to measure critical data</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#c4e43aa2</link>
        <description>IMA: add policy rule to measure critical dataA new IMA policy rule is needed for the IMA hookima_measure_critical_data() and the corresponding func CRITICAL_DATA formeasuring the input buffer.  The policy rule should ensure the bufferwould get measured only when the policy rule allows the action.  Thepolicy rule should also support the necessary constraints (flags etc.)for integrity critical buffer data measurements.Add policy rule support for measuring integrity critical data.Signed-off-by: Tushar Sugandhi &lt;tusharsu@linux.microsoft.com&gt;Reviewed-by: Tyler Hicks &lt;tyhicks@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Fri, 08 Jan 2021 04:07:04 +0000</pubDate>
        <dc:creator>Tushar Sugandhi &lt;tusharsu@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>34433332 - docs: ABI: testing: make the files compatible with ReST output</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#34433332</link>
        <description>docs: ABI: testing: make the files compatible with ReST outputSome files over there won&apos;t parse well by Sphinx.Fix them.Acked-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt; # for IIOAcked-by: Fabrice Gasnier &lt;fabrice.gasnier@st.com&gt;Acked-by: Jonathan Corbet &lt;corbet@lwn.net&gt;Signed-off-by: Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;Link: https://lore.kernel.org/r/58cf3c2d611e0197fb215652719ebd82ca2658db.1604042072.git.mchehab+huawei@kernel.orgSigned-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Fri, 30 Oct 2020 07:40:39 +0000</pubDate>
        <dc:creator>Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>e9085e0a - IMA: Add support to limit measuring keys</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#e9085e0a</link>
        <description>IMA: Add support to limit measuring keysLimit measuring keys to those keys being loaded onto a given set ofkeyrings only and when the user id (uid) matches if uid is specifiedin the policy.This patch defines a new IMA policy option namely &quot;keyrings=&quot; thatcan be used to specify a set of keyrings. If this option is specifiedin the policy for &quot;measure func=KEY_CHECK&quot; then only the keysloaded onto a keyring given in the &quot;keyrings=&quot; option are measured.If uid is specified in the policy then the key is measured only ifthe current user id matches the one specified in the policy.Added a new parameter namely &quot;keyring&quot; (name of the keyring) toprocess_buffer_measurement(). The keyring name is passed toima_get_action() to determine the required action.ima_match_rules() is updated to check keyring in the policy, ifspecified, for KEY_CHECK function.Signed-off-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Wed, 11 Dec 2019 16:47:06 +0000</pubDate>
        <dc:creator>Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>5808611c - IMA: Add KEY_CHECK func to measure keys</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#5808611c</link>
        <description>IMA: Add KEY_CHECK func to measure keysMeasure keys loaded onto any keyring.This patch defines a new IMA policy func namely KEY_CHECK tomeasure keys. Updated ima_match_rules() to check for KEY_CHECKand ima_parse_rule() to handle KEY_CHECK.Signed-off-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Wed, 11 Dec 2019 16:47:03 +0000</pubDate>
        <dc:creator>Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>273df864 - ima: Check against blacklisted hashes for files with modsig</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#273df864</link>
        <description>ima: Check against blacklisted hashes for files with modsigAsymmetric private keys are used to sign multiple files. The kernelcurrently supports checking against blacklisted keys. However, if thepublic key is blacklisted, any file signed by the blacklisted key willautomatically fail signature verification. Blacklisting the public keyis not fine enough granularity, as we might want to only blacklist aparticular file.This patch adds support for checking against the blacklisted hash ofthe file, without the appended signature, based on the IMA policy. Itdefines a new policy option &quot;appraise_flag=check_blacklist&quot;.In addition to the blacklisted binary hashes stored in the firmware&quot;dbx&quot; variable, the Linux kernel may be configured to load blacklistedbinary hashes onto the .blacklist keyring as well. The followingexample shows how to blacklist a specific kernel module hash.  $ sha256sum kernel/kheaders.ko  77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3  kernel/kheaders.ko  $ grep BLACKLIST .config  CONFIG_SYSTEM_BLACKLIST_KEYRING=y  CONFIG_SYSTEM_BLACKLIST_HASH_LIST=&quot;blacklist-hash-list&quot;  $ cat certs/blacklist-hash-list  &quot;bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3&quot;Update the IMA custom measurement and appraisal policyrules (/etc/ima-policy):  measure func=MODULE_CHECK template=ima-modsig  appraise func=MODULE_CHECK appraise_flag=check_blacklist  appraise_type=imasig|modsigAfter building, installing, and rebooting the kernel:   545660333 ---lswrv      0     0   \_ blacklist:  bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3  measure func=MODULE_CHECK template=ima-modsig  appraise func=MODULE_CHECK appraise_flag=check_blacklist  appraise_type=imasig|modsig  modprobe: ERROR: could not insert &apos;kheaders&apos;: Permission denied  10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig  sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40  2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko  10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig  sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40  2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko  sha256:77fa889b3  5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3  3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648  016503040201300b06092a864886f70d01070131820264....  10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf  sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132  b blacklisted-hash  77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3Signed-off-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;[zohar@linux.ibm.com: updated patch description]Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;Signed-off-by: Michael Ellerman &lt;mpe@ellerman.id.au&gt;Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Thu, 31 Oct 2019 03:31:32 +0000</pubDate>
        <dc:creator>Nayna Jain &lt;nayna@linux.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>9044d627 - ima: Add modsig appraise_type option for module-style appended signatures</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#9044d627</link>
        <description>ima: Add modsig appraise_type option for module-style appended signaturesIntroduce the modsig keyword to the IMA policy syntax to specify thata given hook should expect the file to have the IMA signature appendedto it. Here is how it can be used in a rule:appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsigWith this rule, IMA will accept either a signature stored in the extendedattribute or an appended signature.For now, the rule above will behave exactly the same as ifappraise_type=imasig was specified. The actual modsig implementationwill be introduced separately.Suggested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;Signed-off-by: Thiago Jung Bauermann &lt;bauerman@linux.ibm.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Fri, 28 Jun 2019 02:19:28 +0000</pubDate>
        <dc:creator>Thiago Jung Bauermann &lt;bauerman@linux.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>b0935123 - IMA: Define a new hook to measure the kexec boot command line arguments</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#b0935123</link>
        <description>IMA: Define a new hook to measure the kexec boot command line argumentsCurrently during soft reboot(kexec_file_load) boot command linearguments are not measured. Define hooks needed to measure kexeccommand line arguments during soft reboot(kexec_file_load).- A new ima hook ima_kexec_cmdline is defined to be called by thekexec code.- A new function process_buffer_measurement is defined to measurethe buffer hash into the IMA measurement list.- A new func policy KEXEC_CMDLINE is defined to control the measurement.Signed-off-by: Prakhar Srivastava &lt;prsriva02@gmail.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Mon, 24 Jun 2019 06:23:29 +0000</pubDate>
        <dc:creator>Prakhar Srivastava &lt;prsriva02@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>19453ce0 - IMA: support for per policy rule template formats</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/Documentation/ABI/testing/ima_policy#19453ce0</link>
        <description>IMA: support for per policy rule template formatsAdmins may wish to log different measurements using different IMAtemplates. Add support for overriding the default template on a per-rulebasis.Inspired-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;Signed-off-by: Matthew Garrett &lt;mjg59@google.com&gt;Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/Documentation/ABI/testing/ima_policy</description>
        <pubDate>Wed, 19 Jun 2019 22:46:11 +0000</pubDate>
        <dc:creator>Matthew Garrett &lt;matthewgarrett@google.com&gt;</dc:creator>
    </item>
</channel>
</rss>
