kernel/linux.git/security/integrity/ima/ima_init.c, branch v4.14.192

ima: on soft reboot, restore the measurement list

2016-12-20T17:48:43+00:00

The TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list of the running kernel must be saved and restored on boot. This patch restores the measurement list. Link: http://lkml.kernel.org/r/1480554346-29071-3-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Mimi Zohar Acked-by: Dmitry Kasatkin Cc: Thiago Jung Bauermann Cc: "Eric W. Biederman" Cc: Andreas Steffen Cc: Josh Sklar Cc: Dave Young Cc: Vivek Goyal Cc: Baoquan He Cc: Michael Ellerman Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Stewart Smith Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

ima: include the reason for TPM-bypass mode

2016-11-14T03:50:09+00:00

This patch includes the reason for going into TPM-bypass mode and not using the TPM. Signed-off-by: Mimi Zohar (zohar@linux.vnet.ibm>

ima: include pcr for each measurement log entry

2016-06-30T05:14:21+00:00

The IMA measurement list entries include the Kconfig defined PCR value. This patch defines a new ima_template_entry field for including the PCR as specified in the policy rule. Signed-off-by: Eric Richter Signed-off-by: Mimi Zohar

ima: separate 'security.ima' reading functionality from collect

2016-02-18T22:13:32+00:00

Instead of passing pointers to pointers to ima_collect_measurent() to read and return the 'security.ima' xattr value, this patch moves the functionality to the calling process_measurement() to directly read the xattr and pass only the hash algo to the ima_collect_measurement(). Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

integrity: define '.evm' as a builtin 'trusted' keyring

2015-11-23T19:30:02+00:00

Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

ima: pass iint to ima_add_violation()

2015-05-21T17:59:29+00:00

This patch adds the iint associated to the current inode as a new parameter of ima_add_violation(). The passed iint is always not NULL if a violation is detected. This modification will be used to determine the inode for which there is a violation. Since the 'd' and 'd-ng' template field init() functions were detecting a violation from the value of the iint pointer, they now check the new field 'violation', added to the 'ima_event_data' structure. Changelog: - v1: - modified an old comment (Roberto Sassu) Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

ima: wrap event related data to the new ima_event_data structure

2015-05-21T17:59:28+00:00

All event related data has been wrapped into the new 'ima_event_data' structure. The main benefit of this patch is that a new information can be made available to template fields initialization functions by simply adding a new field to the new structure instead of modifying the definition of those functions. Changelog: - v2: - f_dentry replaced with f_path.dentry (Roberto Sassu) - removed declaration of temporary variables in template field functions when possible (suggested by Dmitry Kasatkin) Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

ima: remove definition of IMA_X509_PATH

2015-05-21T17:28:47+00:00

CONFIG_IMA_X509_PATH is always defined. This patch removes the IMA_X509_PATH definition and uses CONFIG_IMA_X509_PATH. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

ima: load x509 certificate from the kernel

2014-11-18T04:12:00+00:00

Define configuration option to load X509 certificate into the IMA trusted kernel keyring. It implements ima_load_x509() hook to load X509 certificate into the .ima trusted kernel keyring from the root filesystem. Changes in v3: * use ima_policy_flag in ima_get_action() ima_load_x509 temporarily clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) * Expand IMA_LOAD_X509 Kconfig help Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

ima: return an error code from ima_add_boot_aggregate()

2014-09-17T20:15:42+00:00

This patch modifies ima_add_boot_aggregate() to return an error code. This way we can determine if all the initialization procedures have been executed successfully. Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar