<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in Makefile</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
    <generator>Java</generator>
<item>
        <title>4de2f084 - ima: Make it independent from &apos;integrity&apos; LSM</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#4de2f084</link>
        <description>ima: Make it independent from &apos;integrity&apos; LSM

Make the &apos;ima&apos; LSM independent from the &apos;integrity&apos; LSM by introducing IMA
own integrity metadata (ima_iint_cache structure, with IMA-specific fields
from the integrity_iint_cache structure), and by managing it directly from
the &apos;ima&apos; LSM.

Create ima_iint.c and introduce the same integrity metadata management
functions found in iint.c (renamed with ima_). However, instead of putting
metadata in an rbtree, reserve space from IMA in the inode security blob
for a pointer, and introduce the ima_inode_set_iint()/ima_inode_get_iint()
primitives to store/retrieve that pointer. This improves search time from
logarithmic to constant.

Consequently, don&apos;t include the inode pointer as field in the
ima_iint_cache structure, since the association with the inode is clear.
Since the inode field is missing in ima_iint_cache, pass the extra inode
parameter to ima_get_verity_digest().

Prefer storing the pointer instead of the entire ima_iint_cache structure,
to avoid too much memory pressure. Use the same mechanism as before, a
cache named ima_iint_cache (renamed from iint_cache), to quickly allocate
a new ima_iint_cache structure when requested by the IMA policy.

Create the new ima_iint_cache in ima_iintcache_init(),
called by init_ima_lsm(), during the initialization of the &apos;ima&apos; LSM. And,
register ima_inode_free_security() to free the ima_iint_cache structure, if
exists.

Replace integrity_iint_cache with ima_iint_cache in various places of the
IMA code. Also, replace integrity_inode_get() and integrity_iint_find(),
respectively with ima_inode_get() and ima_iint_find().

Finally, move the remaining IMA-specific flags
to security/integrity/ima/ima.h, since they are now unnecessary in the
common integrity layer.

Signed-off-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
Reviewed-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Reviewed-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Reviewed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Thu, 15 Feb 2024 10:31:12 +0000</pubDate>
        <dc:creator>Roberto Sassu &lt;roberto.sassu@huawei.com&gt;</dc:creator>
    </item>
<item>
        <title>25519d68 - ima: generalize x86/EFI arch glue for other EFI architectures</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#25519d68</link>
        <description>ima: generalize x86/EFI arch glue for other EFI architectures

Move the x86 IMA arch code into security/integrity/ima/ima_efi.c,
so that we will be able to wire it up for arm64 in a future patch.

Co-developed-by: Chester Lin &lt;clin@suse.com&gt;
Signed-off-by: Chester Lin &lt;clin@suse.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Fri, 30 Oct 2020 06:08:39 +0000</pubDate>
        <dc:creator>Chester Lin &lt;clin@suse.com&gt;</dc:creator>
    </item>
<item>
        <title>e2bf6814 - IMA: Update KBUILD_MODNAME for IMA files to ima</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#e2bf6814</link>
        <description>IMA: Update KBUILD_MODNAME for IMA files to ima

The kbuild Makefile specifies object files for vmlinux in the $(obj-y)
lists. These lists depend on the kernel configuration[1].

The kbuild Makefile for IMA combines the object files for IMA into a
single object file namely ima.o. All the object files for IMA should be
combined into ima.o. But certain object files are being added to their
own $(obj-y). This results in the log messages from those modules getting
prefixed with their respective base file name, instead of &quot;ima&quot;. This is
inconsistent with the log messages from the IMA modules that are combined
into ima.o.

This change fixes the above issue.

[1] Documentation\kbuild\makefiles.rst

Signed-off-by: Tushar Sugandhi &lt;tusharsu@linux.microsoft.com&gt;
Reviewed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Reviewed-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 19 Feb 2020 00:06:09 +0000</pubDate>
        <dc:creator>Tushar Sugandhi &lt;tusharsu@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>9f81a2ed - IMA: Define workqueue for early boot key measurements</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#9f81a2ed</link>
        <description>IMA: Define workqueue for early boot key measurements

Measuring keys requires a custom IMA policy to be loaded.  Keys created
or updated before a custom IMA policy is loaded should be queued and
will be processed after a custom policy is loaded.

This patch defines a workqueue for queuing keys when a custom IMA policy
has not yet been loaded.  An intermediate Kconfig boolean option namely
IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions.

A flag namely ima_process_keys is used to check if the key should be
queued or should be processed immediately.

Signed-off-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Thu, 23 Jan 2020 01:32:04 +0000</pubDate>
        <dc:creator>Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>ea78979d - IMA: fix measuring asymmetric keys Kconfig</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#ea78979d</link>
        <description>IMA: fix measuring asymmetric keys Kconfig

As a result of the asymmetric public keys subtype Kconfig option being
defined as tristate, with the existing IMA Makefile, ima_asymmetric_keys.c
could be built as a kernel module.  To prevent this from happening, this
patch defines and uses an intermediate Kconfig boolean option named
IMA_MEASURE_ASYMMETRIC_KEYS.

Signed-off-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;
Suggested-by: James.Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
Reported-by: kbuild test robot &lt;lkp@intel.com&gt; # ima_asymmetric_keys.c
is built as a kernel module.
Fixes: 88e70da170e8 (&quot;IMA: Define an IMA hook to measure keys&quot;)
Fixes: cb1aa3823c92 (&quot;KEYS: Call the IMA hook to measure keys&quot;)
[zohar@linux.ibm.com: updated patch description]
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 08 Jan 2020 16:05:08 +0000</pubDate>
        <dc:creator>Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>88e70da1 - IMA: Define an IMA hook to measure keys</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#88e70da1</link>
        <description>IMA: Define an IMA hook to measure keys

Measure asymmetric keys used for verifying file signatures,
certificates, etc.

This patch defines a new IMA hook namely ima_post_key_create_or_update()
to measure the payload used to create a new asymmetric key or
update an existing asymmetric key.

Asymmetric key structure is defined only when
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook
measures asymmetric keys, the IMA hook is defined in a new file namely
ima_asymmetric_keys.c which is built only if
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined.

Signed-off-by: Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 11 Dec 2019 16:47:04 +0000</pubDate>
        <dc:creator>Lakshmi Ramasubramanian &lt;nramas@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>9044d627 - ima: Add modsig appraise_type option for module-style appended signatures</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#9044d627</link>
        <description>ima: Add modsig appraise_type option for module-style appended signatures

Introduce the modsig keyword to the IMA policy syntax to specify that
a given hook should expect the file to have the IMA signature appended
to it. Here is how it can be used in a rule:

appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

With this rule, IMA will accept either a signature stored in the extended
attribute or an appended signature.

For now, the rule above will behave exactly the same as if
appraise_type=imasig was specified. The actual modsig implementation
will be introduced separately.

Suggested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Thiago Jung Bauermann &lt;bauerman@linux.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Fri, 28 Jun 2019 02:19:28 +0000</pubDate>
        <dc:creator>Thiago Jung Bauermann &lt;bauerman@linux.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>b2441318 - License cleanup: add SPDX GPL-2.0 license identifier to files with no license</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#b2441318</link>
        <description>License cleanup: add SPDX GPL-2.0 license identifier to files with no license

Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.

By default all files without license information are under the default
license of the kernel, which is GPL version 2.

Update the files which contain no license information with the &apos;GPL-2.0&apos;
SPDX license identifier.  The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.

This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.

How this work was done:

Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
 - file had no licensing information in it.
 - file was a */uapi/* one with no licensing information in it,
 - file was a */uapi/* one with existing licensing information,

Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.

The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from the
output of two independent scanners (ScanCode &amp; Windriver) producing SPDX
tag:value files created by Philippe Ombredanne.  Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.

The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed.  Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.

Criteria used to select files for SPDX license identifier tagging was:
 - Files considered eligible had to be source code files.
 - Make and config files were included as candidates if they contained &gt;5
   lines of source
 - File already had some variant of a license header in it (even if &lt;5
   lines).

All documentation files were explicitly excluded.

The following heuristics were used to determine which SPDX license
identifiers to apply.

 - when both scanners couldn&apos;t find any license traces, file was
   considered to have no license information in it, and the top level
   COPYING file license applied.

   For non */uapi/* files that summary was:

   SPDX license identifier                            # files
   ---------------------------------------------------|-------
   GPL-2.0                                              11139

   and resulted in the first patch in this series.

   If that file was a */uapi/* path one, it was &quot;GPL-2.0 WITH
   Linux-syscall-note&quot; otherwise it was &quot;GPL-2.0&quot;.  Results of that was:

   SPDX license identifier                            # files
   ---------------------------------------------------|-------
   GPL-2.0 WITH Linux-syscall-note                        930

   and resulted in the second patch in this series.

 - if a file had some form of licensing information in it, and was one
   of the */uapi/* ones, it was denoted with the Linux-syscall-note if
   any GPL family license was found in the file or had no licensing in
   it (per prior point).  Results summary:

   SPDX license identifier                            # files
   ---------------------------------------------------|------
   GPL-2.0 WITH Linux-syscall-note                       270
   GPL-2.0+ WITH Linux-syscall-note                      169
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause)    21
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)    17
   LGPL-2.1+ WITH Linux-syscall-note                      15
   GPL-1.0+ WITH Linux-syscall-note                       14
   ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause)    5
   LGPL-2.0+ WITH Linux-syscall-note                       4
   LGPL-2.1 WITH Linux-syscall-note                        3
   ((GPL-2.0 WITH Linux-syscall-note) OR MIT)              3
   ((GPL-2.0 WITH Linux-syscall-note) AND MIT)             1

   and that resulted in the third patch in this series.

 - when the two scanners agreed on the detected license(s), that became
   the concluded license(s).

 - when there was disagreement between the two scanners (one detected a
   license but the other didn&apos;t, or they both detected different
   licenses) a manual inspection of the file occurred.

 - In most cases a manual inspection of the information in the file
   resulted in a clear resolution of the license that should apply (and
   which scanner probably needed to revisit its heuristics).

 - When it was not immediately clear, the license identifier was
   confirmed with lawyers working with the Linux Foundation.

 - If there was any question as to the appropriate license identifier,
   the file was flagged for further research and to be revisited later
   in time.

In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.

Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights.  The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.

Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.

In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.

Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
 - a full scancode scan run, collecting the matched texts, detected
   license ids and scores
 - reviewing anything where there was a license detected (about 500+
   files) to ensure that the applied SPDX license was correct
 - reviewing anything where there was no detection but the patch license
   was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
   SPDX license was correct

This produced a worksheet with 20 files needing minor correction.  This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.

These .csv files were then reviewed by Greg.  Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected.  This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.)  Finally Greg ran the script using the .csv files to
generate the patches.

Reviewed-by: Kate Stewart &lt;kstewart@linuxfoundation.org&gt;
Reviewed-by: Philippe Ombredanne &lt;pombredanne@nexb.com&gt;
Reviewed-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 01 Nov 2017 14:07:57 +0000</pubDate>
        <dc:creator>Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;</dc:creator>
    </item>
<item>
        <title>94c3aac5 - ima: on soft reboot, restore the measurement list</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#94c3aac5</link>
        <description>ima: on soft reboot, restore the measurement list

The TPM PCRs are only reset on a hard reboot.  In order to validate a
TPM&apos;s quote after a soft reboot (eg.  kexec -e), the IMA measurement
list of the running kernel must be saved and restored on boot.  This
patch restores the measurement list.

Link: http://lkml.kernel.org/r/1480554346-29071-3-git-send-email-zohar@linux.vnet.ibm.com
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Acked-by: Dmitry Kasatkin &lt;dmitry.kasatkin@gmail.com&gt;
Cc: Thiago Jung Bauermann &lt;bauerman@linux.vnet.ibm.com&gt;
Cc: &quot;Eric W. Biederman&quot; &lt;ebiederm@xmission.com&gt;
Cc: Andreas Steffen &lt;andreas.steffen@strongswan.org&gt;
Cc: Josh Sklar &lt;sklar@linux.vnet.ibm.com&gt;
Cc: Dave Young &lt;dyoung@redhat.com&gt;
Cc: Vivek Goyal &lt;vgoyal@redhat.com&gt;
Cc: Baoquan He &lt;bhe@redhat.com&gt;
Cc: Michael Ellerman &lt;mpe@ellerman.id.au&gt;
Cc: Benjamin Herrenschmidt &lt;benh@kernel.crashing.org&gt;
Cc: Paul Mackerras &lt;paulus@samba.org&gt;
Cc: Stewart Smith &lt;stewart@linux.vnet.ibm.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Tue, 20 Dec 2016 00:22:35 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>56104cf2 - IMA: Use the the system trusted keyrings instead of .ima_mok</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#56104cf2</link>
        <description>IMA: Use the the system trusted keyrings instead of .ima_mok

Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
that, when enabled, allows keys to be added to the IMA keyrings by
userspace - with the restriction that each must be signed by a key in the
system trusted keyrings.

EPERM will be returned if this option is disabled, ENOKEY will be returned if
no authoritative key can be found and EKEYREJECTED will be returned if the
signature doesn&apos;t match.  Other errors such as ENOPKG may also be returned.

If this new option is enabled, the builtin system keyring is searched, as is
the secondary system keyring if that is also enabled.  Intermediate keys
between the builtin system keyring and the key being added can be added to
the secondary keyring (which replaces .ima_mok) to form a trust chain -
provided they are also validly signed by a key in one of the trusted keyrings.

The .ima_mok keyring is then removed and the IMA blacklist keyring gets its
own config option (IMA_BLACKLIST_KEYRING).

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Thu, 07 Apr 2016 08:45:23 +0000</pubDate>
        <dc:creator>David Howells &lt;dhowells@redhat.com&gt;</dc:creator>
    </item>
<item>
        <title>41c89b64 - IMA: create machine owner and blacklist keyrings</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#41c89b64</link>
        <description>IMA: create machine owner and blacklist keyrings

This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
intermediate keyring that sits between .system and .ima keyrings,
effectively forming a simple CA hierarchy.  To successfully import a key
into .ima_mok it must be signed by a key which CA is in .system keyring.
On turn any key that needs to go in .ima keyring must be signed by CA in
either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.

IMA blacklist keyring contains all revoked IMA keys.  It is consulted
before any other keyring.  If the search is successful the requested
operation is rejected and error is returned to the caller.

Signed-off-by: Petko Manolov &lt;petkan@mip-labs.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 02 Dec 2015 15:47:55 +0000</pubDate>
        <dc:creator>Petko Manolov &lt;petkan@mip-labs.com&gt;</dc:creator>
    </item>
<item>
        <title>3ce1217d - ima: define template fields library and new helpers</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#3ce1217d</link>
        <description>ima: define template fields library and new helpers

This patch defines a library containing two initial template fields,
inode digest (d) and file name (n), the &apos;ima&apos; template descriptor,
whose format is &apos;d|n&apos;, and two helper functions,
ima_write_template_field_data() and ima_show_template_field_data().

Changelog:
- replace ima_eventname_init() parameter NULL checking with BUG_ON.
  (suggested by Mimi)
- include &quot;new template fields for inode digest (d) and file name (n)&quot;
  definitions to fix a compiler warning.  - Mimi
- unnecessary to prefix static function names with &apos;ima_&apos;. remove
  prefix to resolve Lindent formatting changes. - Mimi
- abbreviated/removed inline comments - Mimi
- always send the template field length - Mimi

Signed-off-by: Roberto Sassu &lt;roberto.sassu@polito.it&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Fri, 07 Jun 2013 10:16:30 +0000</pubDate>
        <dc:creator>Roberto Sassu &lt;roberto.sassu@polito.it&gt;</dc:creator>
    </item>
<item>
        <title>adf53a77 - ima: new templates management mechanism</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#adf53a77</link>
        <description>ima: new templates management mechanism

The original &apos;ima&apos; template is fixed length, containing the filedata hash
and pathname.  The filedata hash is limited to 20 bytes (md5/sha1).  The
pathname is a null terminated string, limited to 255 characters.  To
overcome these limitations and to add additional file metadata, it is
necessary to extend the current version of IMA by defining additional
templates.

The main reason to introduce this feature is that, each time a new
template is defined, the functions that generate and display the
measurement list would include the code for handling a new format and,
thus, would significantly grow over time.

This patch set solves this problem by separating the template management
from the remaining IMA code. The core of this solution is the definition
of two new data structures: a template descriptor, to determine which
information should be included in the measurement list, and a template
field, to generate and display data of a given type.

To define a new template field, developers define the field identifier
and implement two functions, init() and show(), respectively to generate
and display measurement entries.  Initially, this patch set defines the
following template fields (support for additional data types will be
added later):
 - &apos;d&apos;: the digest of the event (i.e. the digest of a measured file),
        calculated with the SHA1 or MD5 hash algorithm;
 - &apos;n&apos;: the name of the event (i.e. the file name), with size up to
        255 bytes;
 - &apos;d-ng&apos;: the digest of the event, calculated with an arbitrary hash
           algorithm (field format: [&lt;hash algo&gt;:]digest, where the digest
           prefix is shown only if the hash algorithm is not SHA1 or MD5);
 - &apos;n-ng&apos;: the name of the event, without size limitations.

Defining a new template descriptor requires specifying the template format,
a string of field identifiers separated by the &apos;|&apos; character.  This patch
set defines the following template descriptors:
 - &quot;ima&quot;: its format is &apos;d|n&apos;;
 - &quot;ima-ng&quot; (default): its format is &apos;d-ng|n-ng&apos;

Further details about the new template architecture can be found in
Documentation/security/IMA-templates.txt.

Changelog:
- don&apos;t defer calling ima_init_template() - Mimi
- don&apos;t define ima_lookup_template_desc() until used - Mimi
- squashed with documentation patch - Mimi

Signed-off-by: Roberto Sassu &lt;roberto.sassu@polito.it&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Fri, 07 Jun 2013 10:16:29 +0000</pubDate>
        <dc:creator>Roberto Sassu &lt;roberto.sassu@polito.it&gt;</dc:creator>
    </item>
<item>
        <title>d726d8d7 - integrity: move integrity_audit_msg()</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#d726d8d7</link>
        <description>integrity: move integrity_audit_msg()

This patch moves the integrity_audit_msg() function and definition to
security/integrity/, the parent directory, renames the &apos;ima_audit&apos;
boot command line option to &apos;integrity_audit&apos;, and fixes the Kconfig
help text to reflect the actual code.

Changelog:
- Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu)

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Mon, 18 Mar 2013 18:48:02 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>2fe5d6de - ima: integrity appraisal extension</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#2fe5d6de</link>
        <description>ima: integrity appraisal extension

IMA currently maintains an integrity measurement list used to assert the
integrity of the running system to a third party.  The IMA-appraisal
extension adds local integrity validation and enforcement of the
measurement against a &quot;good&quot; value stored as an extended attribute
&apos;security.ima&apos;.  The initial methods for validating &apos;security.ima&apos; are
hashed based, which provides file data integrity, and digital signature
based, which in addition to providing file data integrity, provides
authenticity.

This patch creates and maintains the &apos;security.ima&apos; xattr, containing
the file data hash measurement.  Protection of the xattr is provided by
EVM, if enabled and configured.

Based on policy, IMA calls evm_verifyxattr() to verify a file&apos;s metadata
integrity and, assuming success, compares the file&apos;s current hash value
with the one stored as an extended attribute in &apos;security.ima&apos;.

Changelog v4:
- changed iint cache flags to hex values

Changelog v3:
- change appraisal default for filesystems without xattr support to fail

Changelog v2:
- fix audit msg &apos;res&apos; value
- removed unused &apos;ima_appraise=&apos; values

Changelog v1:
- removed unused iint mutex (Dmitry Kasatkin)
- setattr hook must not reset appraised (Dmitry Kasatkin)
- evm_verifyxattr() now differentiates between no &apos;security.evm&apos; xattr
  (INTEGRITY_NOLABEL) and no EVM &apos;protected&apos; xattrs included in the
  &apos;security.evm&apos; (INTEGRITY_NOXATTRS).
- replace hash_status with ima_status (Dmitry Kasatkin)
- re-initialize slab element ima_status on free (Dmitry Kasatkin)
- include &apos;security.ima&apos; in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
- merged half &quot;ima: ima_must_appraise_or_measure API change&quot; (Dmitry Kasatkin)
- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
  (moved ima_inode_post_setattr() to ima_appraise.c)
- make sure ima_collect_measurement() can read file

Changelog:
- add &apos;iint&apos; to evm_verifyxattr() call (Dimitry Kasatkin)
- fix the race condition between chmod, which takes the i_mutex and then
  iint-&gt;mutex, and ima_file_free() and process_measurement(), which take
  the locks in the reverse order, by eliminating iint-&gt;mutex. (Dmitry Kasatkin)
- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
- changes as a result of the iint not allocated for all regular files, but
  only for those measured/appraised.
- don&apos;t try to appraise new/empty files
- expanded ima_appraisal description in ima/Kconfig
- IMA appraise definitions required even if IMA_APPRAISE not enabled
- add return value to ima_must_appraise() stub
- unconditionally set status = INTEGRITY_PASS *after* testing status,
  not before.  (Found by Joe Perches)

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Signed-off-by: Dmitry Kasatkin &lt;dmitry.kasatkin@intel.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Mon, 13 Feb 2012 15:15:05 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>417c6c8e - ima: audit is compiled only when enabled</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#417c6c8e</link>
        <description>ima: audit is compiled only when enabled

IMA auditing code was compiled even when CONFIG_AUDIT was not enabled.
This patch compiles auditing code only when possible and enabled.

Signed-off-by: Dmitry Kasatkin &lt;dmitry.kasatkin@intel.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Mon, 25 Jun 2012 09:18:21 +0000</pubDate>
        <dc:creator>Dmitry Kasatkin &lt;dmitry.kasatkin@intel.com&gt;</dc:creator>
    </item>
<item>
        <title>f381c272 - integrity: move ima inode integrity data management</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#f381c272</link>
        <description>integrity: move ima inode integrity data management

Move the inode integrity data(iint) management up to the integrity directory
in order to share the iint among the different integrity models.

Changelog:
- don&apos;t define MAX_DIGEST_SIZE
- rename several globally visible &apos;ima_&apos; prefixed functions, structs,
  locks, etc to &apos;integrity_&apos;
- replace &apos;20&apos; with SHA1_DIGEST_SIZE
- reflect location change in appropriate Kconfig and Makefiles
- remove unnecessary initialization of iint_initialized to 0
- rebased on current ima_iint.c
- define integrity_iint_store/lock as static

There should be no other functional changes.

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Acked-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 09 Mar 2011 19:13:22 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>bab73937 - integrity: IMA display</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#bab73937</link>
        <description>integrity: IMA display

Make the measurement lists available through securityfs.

- removed test for NULL return code from securityfs_create_file/dir

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 04 Feb 2009 14:06:59 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>3323eec9 - integrity: IMA as an integrity service provider</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/integrity/ima/Makefile#3323eec9</link>
        <description>integrity: IMA as an integrity service provider

IMA provides hardware (TPM) based measurement and attestation for
file measurements. As the Trusted Computing (TPM) model requires,
IMA measures all files before they are accessed in any way (on the
integrity_bprm_check, integrity_path_check and integrity_file_mmap
hooks), and commits the measurements to the TPM. Once added to the
TPM, measurements can not be removed.

In addition, IMA maintains a list of these file measurements, which
can be used to validate the aggregate value stored in the TPM.  The
TPM can sign these measurements, and thus the system can prove, to
itself and to a third party, the system&apos;s integrity in a way that
cannot be circumvented by malicious or compromised software.

- alloc ima_template_entry before calling ima_store_template()
- log ima_add_boot_aggregate() failure
- removed unused IMA_TEMPLATE_NAME_LEN
- replaced hard coded string length with #define name

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;

            List of files:
            /linux-6.15/security/integrity/ima/Makefile</description>
        <pubDate>Wed, 04 Feb 2009 14:06:58 +0000</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;</dc:creator>
    </item>
</channel>
</rss>
