Changes in Makefile

cd3cec0a - ima: Move to LSM infrastructure

Thu, 15 Feb 2024 10:31:08 +0000

ima: Move to LSM infrastructureMove hardcoded IMA function calls (not appraisal-specific functions) fromvarious places in the kernel to the LSM infrastructure, by introducing anew LSM named 'ima' (at the end of the LSM list and always enabled like'integrity').Having IMA before EVM in the Makefile is sufficient to preserve therelative order of the new 'ima' LSM in respect to the upcoming 'evm' LSM,and thus the order of IMA and EVM function calls as when they werehardcoded.Make moved functions as static (except ima_post_key_create_or_update(),which is not in ima_main.c), and register them as implementation of therespective hooks in the new function init_ima_lsm().Select CONFIG_SECURITY_PATH, to ensure that the path-based LSM hookpath_post_mknod is always available and ima_post_path_mknod() is alwaysexecuted to mark files as new, as before the move.A slight difference is that IMA and EVM functions registered for theinode_post_setattr, inode_post_removexattr, path_post_mknod,inode_post_create_tmpfile, inode_post_set_acl and inode_post_remove_aclwon't be executed for private inodes. Since those inodes are supposed to befs-internal, they should not be of interest to IMA or EVM. The S_PRIVATEflag is used for anonymous inodes, hugetlbfs, reiserfs xattrs, XFS scruband kernel-internal tmpfs files.Conditionally register ima_post_key_create_or_update() ifCONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Also, conditionally registerima_kernel_module_request() if CONFIG_INTEGRITY_ASYMMETRIC_KEYS is enabled.Finally, add the LSM_ID_IMA case in lsm_list_modules_test.c.Signed-off-by: Roberto Sassu Acked-by: Chuck Lever Acked-by: Casey Schaufler Acked-by: Christian Brauner Reviewed-by: Stefan Berger Reviewed-by: Mimi Zohar Acked-by: Mimi Zohar Signed-off-by: Paul Moore List of files: /linux-6.15/security/integrity/Makefile

d1996776 - integrity: Introduce a Linux keyring called machine

Wed, 26 Jan 2022 02:58:28 +0000

integrity: Introduce a Linux keyring called machineMany UEFI Linux distributions boot using shim. The UEFI shim provideswhat is called Machine Owner Keys (MOK). Shim uses both the UEFI SecureBoot DB and MOK keys to validate the next step in the boot chain. TheMOK facility can be used to import user generated keys. These keys canbe used to sign an end-users development kernel build. When Linuxboots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux.platform keyring.Define a new Linux keyring called machine. This keyring shall contain justMOK keys and not the remaining keys in the platform keyring. This newmachine keyring will be used in follow on patches. Unlike keys in theplatform keyring, keys contained in the machine keyring will be trustedwithin the kernel if the end-user has chosen to do so.Signed-off-by: Eric Snowberg Tested-by: Jarkko Sakkinen Tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen List of files: /linux-6.15/security/integrity/Makefile

8220e22d - powerpc: Load firmware trusted keys/hashes into kernel keyring

Mon, 11 Nov 2019 03:10:36 +0000

powerpc: Load firmware trusted keys/hashes into kernel keyringThe keys used to verify the Host OS kernel are managed by firmware assecure variables. This patch loads the verification keys into the.platform keyring and revocation hashes into .blacklist keyring. Thisenables verification and loading of the kernels signed by the boottime keys which are trusted by firmware.Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Signed-off-by: Eric Richter [mpe: Search by compatible in load_powerpc_certs(), not using format]Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com List of files: /linux-6.15/security/integrity/Makefile

ad723674 - x86/efi: move common keyring handler functions to new file

Mon, 11 Nov 2019 03:10:35 +0000

x86/efi: move common keyring handler functions to new fileThe handlers to add the keys to the .platform keyring and blacklistedhashes to the .blacklist keyring is common for both the uefi and powerpcmechanisms of loading the keys/hashes from the firmware.This patch moves the common code from load_uefi.c to keyring_handler.cSigned-off-by: Nayna Jain Acked-by: Mimi Zohar Signed-off-by: Eric Richter Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1573441836-3632-4-git-send-email-nayna@linux.ibm.com List of files: /linux-6.15/security/integrity/Makefile

7a8beb7a - integrity: remove pointless subdir-$(CONFIG_...)

Fri, 26 Jul 2019 02:10:55 +0000

integrity: remove pointless subdir-$(CONFIG_...)The ima/ and evm/ sub-directories contain built-in objects, soobj-$(CONFIG_...) is the correct way to descend into them.subdir-$(CONFIG_...) is redundant.Signed-off-by: Masahiro Yamada List of files: /linux-6.15/security/integrity/Makefile

6b190d3c - integrity: remove unneeded, broken attempt to add -fshort-wchar

Fri, 26 Jul 2019 02:10:54 +0000

integrity: remove unneeded, broken attempt to add -fshort-wcharI guess commit 15ea0e1e3e18 ("efi: Import certificates from UEFI SecureBoot") attempted to add -fshort-wchar for building load_uefi.o, but ithas never worked as intended.load_uefi.o is created in the platform_certs/ sub-directory. If youreally want to add -fshort-wchar, the correct code is: $(obj)/platform_certs/load_uefi.o: KBUILD_CFLAGS += -fshort-wcharBut, you do not need to fix it.Commit 8c97023cf051 ("Kbuild: use -fshort-wchar globally") had alreadyadded -fshort-wchar globally. This code was unneeded in the first place.Signed-off-by: Masahiro Yamada List of files: /linux-6.15/security/integrity/Makefile

9641b8cc - s390/ipl: read IPL report at early boot

Thu, 21 Feb 2019 13:23:04 +0000

s390/ipl: read IPL report at early bootRead the IPL Report block provided by secure-boot, add the entriesof the certificate list to the system key ring and print the listof components.PR: Adjust to Vasilys bootdata_preserved patch set. Preserve ipl_cert_listfor later use in kexec_file.Signed-off-by: Martin Schwidefsky Signed-off-by: Philipp Rudo Signed-off-by: Martin Schwidefsky List of files: /linux-6.15/security/integrity/Makefile

15ea0e1e - efi: Import certificates from UEFI Secure Boot

Wed, 12 Dec 2018 20:07:56 +0000

efi: Import certificates from UEFI Secure BootSecure Boot stores a list of allowed certificates in the 'db' variable.This patch imports those certificates into the platform keyring. The shimUEFI bootloader has a similar certificate list stored in the 'MokListRT'variable. We import those as well.Secure Boot also maintains a list of disallowed certificates in the 'dbx'variable. We load those certificates into the system blacklist keyringand forbid any kernel signed with those from loading.[zohar@linux.ibm.com: dropped Josh's original patch description]Signed-off-by: Josh Boyer Signed-off-by: David Howells Signed-off-by: Nayna Jain Acked-by: Serge Hallyn Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/Makefile

0bc9ae39 - efi: Add an EFI signature blob parser

Sat, 08 Dec 2018 20:27:02 +0000

efi: Add an EFI signature blob parserAdd a function to parse an EFI signature blob looking for elements ofinterest. A list is made up of a series of sublists, where all theelements in a sublist are of the same type, but sublists can be ofdifferent types.For each sublist encountered, the function pointed to by theget_handler_for_guid argument is called with the type specifier GUID andreturns either a pointer to a function to handle elements of that type orNULL if the type is not of interest.If the sublist is of interest, each element is passed to the handlerfunction in turn.Signed-off-by: David Howells Signed-off-by: Nayna Jain Acked-by: Serge Hallyn Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/Makefile

9dc92c45 - integrity: Define a trusted platform keyring

Sat, 08 Dec 2018 20:26:59 +0000

integrity: Define a trusted platform keyringOn secure boot enabled systems, a verified kernel may need to kexecadditional kernels. For example, it may be used as a bootloader needingto kexec a target kernel or it may need to kexec a crashdump kernel. Insuch cases, it may want to verify the signature of the next kernelimage.It is further possible that the kernel image is signed with third partykeys which are stored as platform or firmware keys in the 'db' variable.The kernel, however, can not directly verify these platform keys, and anadministrator may therefore not want to trust them for arbitrary usage.In order to differentiate platform keys from other keys and provide thenecessary separation of trust, the kernel needs an additional keyring tostore platform keys.This patch creates the new keyring called ".platform" to isolate keysprovided by platform from keys by kernel. These keys are used tofacilitate signature verification during kexec. Since the scope of thiskeyring is only the platform/firmware keys, it cannot be updated fromuserspace.This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING.Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Acked-by: Serge Hallyn Reviewed-by: James Morris Reviewed-by: Thiago Jung Bauermann Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/Makefile

b2441318 - License cleanup: add SPDX GPL-2.0 license identifier to files with no license

Wed, 01 Nov 2017 14:07:57 +0000

License cleanup: add SPDX GPL-2.0 license identifier to files with no licenseMany source files in the tree are missing licensing information, whichmakes it harder for compliance tools to determine the correct license.By default all files without license information are under the defaultlicense of the kernel, which is GPL version 2.Update the files which contain no license information with the 'GPL-2.0'SPDX license identifier. The SPDX identifier is a legally bindingshorthand, which can be used instead of the full boiler plate text.This patch is based on work done by Thomas Gleixner and Kate Stewart andPhilippe Ombredanne.How this work was done:Patches were generated and checked against linux-4.14-rc6 for a subset ofthe use cases: - file had no licensing information it it. - file was a */uapi/* one with no licensing information in it, - file was a */uapi/* one with existing licensing information,Further patches will be generated in subsequent months to fix up caseswhere non-standard license headers were used, and references to licensehad to be inferred by heuristics based on keywords.The analysis to determine which SPDX License Identifier to be applied toa file was done in a spreadsheet of side by side results from of theoutput of two independent scanners (ScanCode & Windriver) producing SPDXtag:value files created by Philippe Ombredanne. Philippe prepared thebase worksheet, and did an initial spot review of a few 1000 files.The 4.13 kernel was the starting point of the analysis with 60,537 filesassessed. Kate Stewart did a file by file comparison of the scannerresults in the spreadsheet to determine which SPDX license identifier(s)to be applied to the file. She confirmed any determination that was notimmediately clear with lawyers working with the Linux Foundation.Criteria used to select files for SPDX license identifier tagging was: - Files considered eligible had to be source code files. - Make and config files were included as candidates if they contained >5 lines of source - File already had some variant of a license header in it (even if <5 lines).All documentation files were explicitly excluded.The following heuristics were used to determine which SPDX licenseidentifiers to apply. - when both scanners couldn't find any license traces, file was considered to have no license information in it, and the top level COPYING file license applied. For non */uapi/* files that summary was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 11139 and resulted in the first patch in this series. If that file was a */uapi/* path one, it was "GPL-2.0 WITH Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 WITH Linux-syscall-note 930 and resulted in the second patch in this series. - if a file had some form of licensing information in it, and was one of the */uapi/* ones, it was denoted with the Linux-syscall-note if any GPL family license was found in the file or had no licensing in it (per prior point). Results summary: SPDX license identifier # files ---------------------------------------------------|------ GPL-2.0 WITH Linux-syscall-note 270 GPL-2.0+ WITH Linux-syscall-note 169 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17 LGPL-2.1+ WITH Linux-syscall-note 15 GPL-1.0+ WITH Linux-syscall-note 14 ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5 LGPL-2.0+ WITH Linux-syscall-note 4 LGPL-2.1 WITH Linux-syscall-note 3 ((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3 ((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1 and that resulted in the third patch in this series. - when the two scanners agreed on the detected license(s), that became the concluded license(s). - when there was disagreement between the two scanners (one detected a license but the other didn't, or they both detected different licenses) a manual inspection of the file occurred. - In most cases a manual inspection of the information in the file resulted in a clear resolution of the license that should apply (and which scanner probably needed to revisit its heuristics). - When it was not immediately clear, the license identifier was confirmed with lawyers working with the Linux Foundation. - If there was any question as to the appropriate license identifier, the file was flagged for further research and to be revisited later in time.In total, over 70 hours of logged manual review was done on thespreadsheet to determine the SPDX license identifiers to apply to thesource files by Kate, Philippe, Thomas and, in some cases, confirmationby lawyers working with the Linux Foundation.Kate also obtained a third independent scan of the 4.13 code base fromFOSSology, and compared selected files where the other two scannersdisagreed against that SPDX file, to see if there was new insights. TheWindriver scanner is based on an older version of FOSSology in part, sothey are related.Thomas did random spot checks in about 500 files from the spreadsheetsfor the uapi headers and agreed with SPDX license identifier in thefiles he inspected. For the non-uapi files Thomas did random spot checksin about 15000 files.In initial set of patches against 4.14-rc6, 3 files were found to havecopy/paste license identifier errors, and have been fixed to reflect thecorrect identifier.Additionally Philippe spent 10 hours this week doing a detailed manualinspection and review of the 12,461 patched files from the initial patchversion early this week with: - a full scancode scan run, collecting the matched texts, detected license ids and scores - reviewing anything where there was a license detected (about 500+ files) to ensure that the applied SPDX license was correct - reviewing anything where there was no detection but the patch license was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied SPDX license was correctThis produced a worksheet with 20 files needing minor correction. Thisworksheet was then exported into 3 different .csv files for thedifferent types of files to be modified.These .csv files were then reviewed by Greg. Thomas wrote a script toparse the csv files and add the proper SPDX tag to the file, in theformat that the file expected. This script was further refined by Gregbased on the output to detect more types of files automatically and todistinguish between header and source .c files (which need differentcomment types.) Finally Greg ran the script using the .csv files togenerate the patches.Reviewed-by: Kate Stewart Reviewed-by: Philippe Ombredanne Reviewed-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux-6.15/security/integrity/Makefile

a2d61ed5 - integrity: make integrity files as 'integrity' module

Wed, 02 Jul 2014 12:42:19 +0000

integrity: make integrity files as 'integrity' moduleThe kernel print macros use the KBUILD_MODNAME, which is initializedto the module name. The current integrity/Makefile makes every fileas its own module, so pr_xxx messages are prefixed with the file nameinstead of the module. Similar to the evm/Makefile and ima/Makefile,this patch fixes the integrity/Makefile to use the single name'integrity'.Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/Makefile

e0c2de2b - security: cleanup Makefiles to use standard syntax for specifying sub-directories

Sat, 15 Feb 2014 21:49:30 +0000

security: cleanup Makefiles to use standard syntax for specifying sub-directoriesThe Makefiles in security/ uses a non-standard way tospecify sub-directories for building.Fix it up so the normal (and documented) approach is used.Signed-off-by: Sam Ravnborg Cc: Michal Marek Signed-off-by: James Morris List of files: /linux-6.15/security/integrity/Makefile

d726d8d7 - integrity: move integrity_audit_msg()

Mon, 18 Mar 2013 18:48:02 +0000

integrity: move integrity_audit_msg()This patch moves the integrity_audit_msg() function and defintion tosecurity/integrity/, the parent directory, renames the 'ima_audit'boot command line option to 'integrity_audit', and fixes the Kconfighelp text to reflect the actual code.Changelog:- Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu)Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/Makefile

e0751257 - ima: digital signature verification using asymmetric keys

Wed, 06 Feb 2013 22:12:08 +0000

ima: digital signature verification using asymmetric keysAsymmetric keys were introduced in linux-3.7 to verify the signature onsigned kernel modules. The asymmetric keys infrastructure abstracts thesignature verification from the crypto details. This patch adds IMA/EVMsignature verification using asymmetric keys. Support for additionalsignature verification methods can now be delegated to the asymmetrickey infrastructure.Although the module signature header and the IMA/EVM signature headercould use the same format, to minimize the signature length and savespace in the extended attribute, this patch defines a new IMA/EVMheader format. The main difference is that the key identifier is asha1[12 - 19] hash of the key modulus and exponent, similar to thecurrent implementation. The only purpose of the key identifier is toidentify the corresponding key in the kernel keyring. ima-evm-utilswas updated to support the new signature format.While asymmetric signature verification functionality supports manydifferent hash algorithms, the hash used in this patch is calculatedduring the IMA collection phase, based on the configured algorithm.The default algorithm is sha1, but for backwards compatibility md5is supported. Due to this current limitation, signatures should begenerated using a sha1 hash algorithm.Changes in this patch:- Functionality has been moved to separate source file in order to get rid of in source #ifdefs.- keyid is derived according to the RFC 3280. It does not require to assign IMA/EVM specific "description" when loading X509 certificate. Kernel asymmetric key subsystem automatically generate the description. Also loading a certificate does not require using of ima-evm-utils and can be done using keyctl only.- keyid size is reduced to 32 bits to save xattr space. Key search is done using partial match functionality of asymmetric_key_match().- Kconfig option title was changedSigned-off-by: Dmitry Kasatkin Acked-by: David Howells Signed-off-by: Mimi Zohar List of files: /linux-6.15/security/integrity/Makefile

f1be242c - integrity: digital signature config option name change

Tue, 17 Jan 2012 15:12:07 +0000

integrity: digital signature config option name changeSimilar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.Signed-off-by: Dmitry Kasatkin Signed-off-by: James Morris List of files: /linux-6.15/security/integrity/Makefile

8607c501 - integrity: digital signature verification using multiple keyrings

Wed, 05 Oct 2011 08:54:46 +0000

integrity: digital signature verification using multiple keyringsDefine separate keyrings for each of the different use cases - evm, ima,and modules. Using different keyrings improves search performance, and alsoallows "locking" specific keyring to prevent adding new keys.This is useful for evm and module keyrings, when keys are usually onlyadded from initramfs.Signed-off-by: Dmitry Kasatkin List of files: /linux-6.15/security/integrity/Makefile

66dbc325 - evm: re-release

Tue, 15 Mar 2011 20:12:09 +0000

evm: re-releaseEVM protects a file's security extended attributes(xattrs) against integrityattacks. This patchset provides the framework and an initial method. Theinitial method maintains an HMAC-sha1 value across the security extendedattributes, storing the HMAC value as the extended attribute 'security.evm'.Other methods of validating the integrity of a file's metadata will be postedseparately (eg. EVM-digital-signatures).While this patchset does authenticate the security xattrs, andcryptographically binds them to the inode, coming extensions will bind otherdirectory and inode metadata for more complete protection. To help simplifythe review and upstreaming process, each extension will be posted separately(eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of theproposed Linux integrity subsystem, refer to Dave Safford's whitepaper:http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.EVM depends on the Kernel Key Retention System to provide it with atrusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto theroot's keyring using keyctl. Until EVM receives notification that the key hasbeen successfully loaded onto the keyring (echo 1 > /evm), EVM cannot create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.Loading the key and signaling EVM should be done as early as possible. Normallythis is done in the initramfs, which has already been measured as part of thetrusted boot. For more information on creating and loading existingtrusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. Asample dracut patch, which loads the trusted/encrypted key and enables EVM, isavailable from http://linux-ima.sourceforge.net/#EVM.Based on the LSMs enabled, the set of EVM protected security xattrs is definedat compile. EVM adds the following three calls to the existing security hooks:evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr. Toinitialize and update the 'security.evm' extended attribute, EVM defines threecalls: evm_inode_post_init(), evm_inode_post_setattr() andevm_inode_post_removexattr() hooks. To verify the integrity of a securityxattr, EVM exports evm_verifyxattr().Changelog v7:- Fixed URL in EVM ABI documentationChangelog v6: (based on Serge Hallyn's review)- fix URL in patch description- remove evm_hmac_size definition- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)- moved linux include before other includes- test for crypto_hash_setkey failure- fail earlier for invalid key- clear entire encrypted key, even on failure- check xattr name length before comparing xattr namesChangelog:- locking based on i_mutex, remove evm_mutex- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1 operation.- replaced crypto hash with shash (Dmitry Kasatkin)- support for additional methods of verifying the security xattrs (Dmitry Kasatkin)- iint not allocated for all regular files, but only for those appraised- Use cap_sys_admin in lieu of cap_mac_admin- Use __vfs_setxattr_noperm(), without permission checks, from EVMSigned-off-by: Mimi Zohar Acked-by: Serge Hallyn List of files: /linux-6.15/security/integrity/Makefile

f381c272 - integrity: move ima inode integrity data management

Wed, 09 Mar 2011 19:13:22 +0000

integrity: move ima inode integrity data managementMove the inode integrity data(iint) management up to the integrity directoryin order to share the iint among the different integrity models.Changelog:- don't define MAX_DIGEST_SIZE- rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_'- replace '20' with SHA1_DIGEST_SIZE- reflect location change in appropriate Kconfig and Makefiles- remove unnecessary initialization of iint_initialized to 0- rebased on current ima_iint.c- define integrity_iint_store/lock as staticThere should be no other functional changes.Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn List of files: /linux-6.15/security/integrity/Makefile