kernel/linux.git/Documentation/ABI/testing/evm, branch v6.12.80

ABI: evm: place a second what at the next line

2021-09-28T10:45:42+00:00

Originally, get_abi.pl was using spaces to separate What: parameters, but there are several references that declare things like: /sys/class/powercap/...//enabled So, the logic was changes in order to properly address it. That broke the second What added by Changeset 18e49b304633 ("ABI: security: fix location for evm and ima_policy"). As the only file that defines multiple What: at the same line is this file, let's move the second What: to a separate line. Fixes: 18e49b304633 ("ABI: security: fix location for evm and ima_policy") Fixes: ab9c14805b37 ("scripts: get_abi.pl: Better handle multiple What parameters") Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/1f1e29ccdc0dd0ec089a67b8a4e9650517c6137a.1632823172.git.mchehab+huawei@kernel.org Signed-off-by: Greg Kroah-Hartman

ABI: security: fix location for evm and ima_policy

2021-09-21T16:31:15+00:00

The What: definitions there are wrong, pointing to different locations than what's expected. Reviewed-by: Mimi Zohar Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/b2563ac34c2e234cdd728f0c701b57ac9023c45a.1631782432.git.mchehab+huawei@kernel.org Signed-off-by: Greg Kroah-Hartman

evm: Deprecate EVM_ALLOW_METADATA_WRITES

2021-06-01T16:30:51+00:00

This patch deprecates the usage of EVM_ALLOW_METADATA_WRITES, as it is no longer necessary. All the issues that prevent the usage of EVM portable signatures just with a public key loaded have been solved. This flag will remain available for a short time to ensure that users are able to use EVM without it. Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

2021-05-21T16:47:08+00:00

EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to temporarily disable metadata verification until all xattrs/attrs necessary to verify an EVM portable signature are copied to the file. This flag is cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is calculated on unverified xattrs/attrs. Currently EVM unnecessarily denies setting this flag if EVM is initialized with a public key, which is not a concern as it cannot be used to trust xattrs/attrs updates. This patch removes this limitation. Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu Cc: stable@vger.kernel.org # 4.16.x Signed-off-by: Mimi Zohar

docs: ABI: testing: make the files compatible with ReST output

2020-10-30T12:07:01+00:00

Some files over there won't parse well by Sphinx. Fix them. Acked-by: Jonathan Cameron # for IIO Acked-by: Fabrice Gasnier Acked-by: Jonathan Corbet Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/58cf3c2d611e0197fb215652719ebd82ca2658db.1604042072.git.mchehab+huawei@kernel.org Signed-off-by: Greg Kroah-Hartman

EVM: Allow runtime modification of the set of verified xattrs

2018-05-18T19:34:45+00:00

Sites may wish to provide additional metadata alongside files in order to make more fine-grained security decisions[1]. The security of this is enhanced if this metadata is protected, something that EVM makes possible. However, the kernel cannot know about the set of extended attributes that local admins may wish to protect, and hardcoding this policy in the kernel makes it difficult to change over time and less convenient for distributions to enable. This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node, which can be read to obtain the current set of EVM-protected extended attributes or written to in order to add new entries. Extending this list will not change the validity of any existing signatures provided that the file in question does not have any of the additional extended attributes - missing xattrs are skipped when calculating the EVM hash. [1] For instance, a package manager could install information about the package uploader in an additional extended attribute. Local LSM policy could then be associated with that extended attribute in order to restrict the privileges available to packages from less trusted uploaders. Signed-off-by: Matthew Garrett Reviewed-by: James Morris Signed-off-by: Mimi Zohar

EVM: Allow userland to permit modification of EVM-protected metadata

2017-12-11T19:27:31+00:00

When EVM is enabled it forbids modification of metadata protected by EVM unless there is already a valid EVM signature. If any modification is made, the kernel will then generate a new EVM HMAC. However, this does not map well on use cases which use only asymmetric EVM signatures, as in this scenario the kernel is unable to generate new signatures. This patch extends the /sys/kernel/security/evm interface to allow userland to request that modification of these xattrs be permitted. This is only permitted if no keys have already been loaded. In this configuration, modifying the metadata will invalidate the EVM appraisal on the file in question. This allows packaging systems to write out new files, set the relevant extended attributes and then move them into place. There's also some refactoring of the use of evm_initialized in order to avoid heading down codepaths that assume there's a key available. Signed-off-by: Matthew Garrett Signed-off-by: Mimi Zohar

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

2017-11-13T18:41:25+00:00

Pull security subsystem integrity updates from James Morris: "There is a mixture of bug fixes, code cleanup, preparatory code for new functionality and new functionality. Commit 26ddabfe96bb ("evm: enable EVM when X509 certificate is loaded") enabled EVM without loading a symmetric key, but was limited to defining the x509 certificate pathname at build. Included in this set of patches is the ability of enabling EVM, without loading the EVM symmetric key, from userspace. New is the ability to prevent the loading of an EVM symmetric key." * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: ima: Remove redundant conditional operator ima: Fix bool initialization/comparison ima: check signature enforcement against cmdline param instead of CONFIG module: export module signature enforcement status ima: fix hash algorithm initialization EVM: Only complain about a missing HMAC key once EVM: Allow userspace to signal an RSA key has been loaded EVM: Include security.apparmor in EVM measurements ima: call ima_file_free() prior to calling fasync integrity: use kernel_read_file_from_path() to read x509 certs ima: always measure and audit files in policy ima: don't remove the securityfs policy file vfs: fix mounting a filesystem with i_version

EVM: Allow userspace to signal an RSA key has been loaded

2017-11-08T20:16:36+00:00

EVM will only perform validation once a key has been loaded. This key may either be a symmetric trusted key (for HMAC validation and creation) or the public half of an asymmetric key (for digital signature validation). The /sys/kernel/security/evm interface allows userland to signal that a symmetric key has been loaded, but does not allow userland to signal that an asymmetric public key has been loaded. This patch extends the interface to permit userspace to pass a bitmask of loaded key types. It also allows userspace to block loading of a symmetric key in order to avoid a compromised system from being able to load an additional key type later. Signed-off-by: Matthew Garrett Signed-off-by: Mimi Zohar

Documentation: fix security related doc refs

2017-10-12T17:14:40+00:00

Make security document refs valid. Signed-off-by: Tom Saeger Signed-off-by: Jonathan Corbet