Re: Mount options may be silently discarded

On Mon, Sep 28, 2020 at 5:36 PM David Laight wrote: > > From: Dmitry Kasatkin > > Sent: 28 September 2020 15:03 > > > > "copy_mount_options" function came to my eyes. > > It splits copy into 2 pieces - over page boundaries. > > I wonder what is the re

Mount options may be silently discarded

Hi, "copy_mount_options" function came to my eyes. It splits copy into 2 pieces - over page boundaries. I wonder what is the real reason for doing this? Original comment was that we need exact bytes and some user memcpy functions do not return correct number on page fault. But how would all

Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

On 13/03/2019 16:38, gre...@linuxfoundation.org wrote: On Wed, Mar 13, 2019 at 02:12:30PM +, Dmitry Kasatkin wrote: From: Sasha Levin Sent: Tuesday, March 12, 2019 1:16 AM To: Dmitry Kasatkin Cc: Al Viro; yuehaibing; linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org

Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

From: Sasha Levin Sent: Tuesday, March 12, 2019 1:16 AM To: Dmitry Kasatkin Cc: Al Viro; yuehaibing; linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org; keesc...@chromium.org; sta...@vger.kernel.org; gre...@google.com Subject: Re: [PATCH -next] exec: Fix mem leak

Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

From: Al Viro on behalf of Al Viro Sent: Tuesday, February 19, 2019 4:25 AM To: yuehaibing Cc: linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org; Dmitry Kasatkin; keesc...@chromium.org Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file   On Tue, Feb 19, 2019 at 10

Re: [PATCH 1/7] evmtest: Regression testing Integrity Subsystem

Hi, I will have a look to patches. Thanks, Dmitry On Tue, Aug 14, 2018 at 9:34 PM James Morris wrote: > > On Tue, 14 Aug 2018, David Jacobson wrote: > > > This patchset introduces evmtest — a stand alone tool for regression > > testing IMA. > > Nice! > > I usually run the SELinux testsuite as

Re: [PATCH 1/7] evmtest: Regression testing Integrity Subsystem

Hi, I will have a look to patches. Thanks, Dmitry On Tue, Aug 14, 2018 at 9:34 PM James Morris wrote: > > On Tue, 14 Aug 2018, David Jacobson wrote: > > > This patchset introduces evmtest — a stand alone tool for regression > > testing IMA. > > Nice! > > I usually run the SELinux testsuite as

RE: [PATCH] lib/mpi: headers cleanup

Looks goo, you also updated comments of location of some functions. Acked-by: Dmitry Kasatkin Thanks From: Vasily Averin [v...@virtuozzo.com] Sent: Friday, June 01, 2018 7:29 PM To: Andrew Morton; linux-kernel@vger.kernel.org Cc: Dmitry Kasatkin Subject

RE: [PATCH] lib/mpi: headers cleanup

Looks goo, you also updated comments of location of some functions. Acked-by: Dmitry Kasatkin Thanks From: Vasily Averin [v...@virtuozzo.com] Sent: Friday, June 01, 2018 7:29 PM To: Andrew Morton; linux-kernel@vger.kernel.org Cc: Dmitry Kasatkin Subject

Re: [PATCHv6 1/1] ima: re-introduce own integrity cache lock

Hi, Could I ask FS maintainers to test IMA with this patch additionally and provide ack/tested. We tested but may be you have and some special testing. Thanks in advance, Dmitry On Tue, Dec 5, 2017 at 9:06 PM, Dmitry Kasatkin <dmitry.kasat...@gmail.com> wrote: > The origin

Re: [PATCHv6 1/1] ima: re-introduce own integrity cache lock

Hi, Could I ask FS maintainers to test IMA with this patch additionally and provide ack/tested. We tested but may be you have and some special testing. Thanks in advance, Dmitry On Tue, Dec 5, 2017 at 9:06 PM, Dmitry Kasatkin wrote: > The original design was discussed 3+ years

[PATCHv6 1/1] ima: re-introduce own integrity cache lock

process_measurement() Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com> --- security/integrity/iint.c | 2 + security/integrity/ima/ima_appraise.c | 27 +++--- security/integrity/ima/ima_main.c | 70 --- security/integrity/int

[PATCHv6 1/1] ima: re-introduce own integrity cache lock

process_measurement() Signed-off-by: Dmitry Kasatkin --- security/integrity/iint.c | 2 + security/integrity/ima/ima_appraise.c | 27 +++--- security/integrity/ima/ima_main.c | 70 --- security/integrity/integrity.h| 18 ++--

Re: [PATCHv5 1/1] ima: re-introduce own integrity cache lock

On 04/12/17 17:40, Dmitry Kasatkin wrote: On 04/12/17 15:42, Roberto Sassu wrote: On 12/4/2017 1:06 PM, Mimi Zohar wrote: Hi Dmitry, On Fri, 2017-12-01 at 20:40 +0200, Dmitry Kasatkin wrote: The original design was discussed 3+ years ago, but was never completed/upstreamed. Based

Re: [PATCHv5 1/1] ima: re-introduce own integrity cache lock

On 04/12/17 17:40, Dmitry Kasatkin wrote: On 04/12/17 15:42, Roberto Sassu wrote: On 12/4/2017 1:06 PM, Mimi Zohar wrote: Hi Dmitry, On Fri, 2017-12-01 at 20:40 +0200, Dmitry Kasatkin wrote: The original design was discussed 3+ years ago, but was never completed/upstreamed. Based

Re: [PATCHv5 1/1] ima: re-introduce own integrity cache lock

On 04/12/17 15:42, Roberto Sassu wrote: On 12/4/2017 1:06 PM, Mimi Zohar wrote: Hi Dmitry, On Fri, 2017-12-01 at 20:40 +0200, Dmitry Kasatkin wrote: The original design was discussed 3+ years ago, but was never completed/upstreamed. Based on the recent discussions with Linus https

Re: [PATCHv5 1/1] ima: re-introduce own integrity cache lock

On 04/12/17 15:42, Roberto Sassu wrote: On 12/4/2017 1:06 PM, Mimi Zohar wrote: Hi Dmitry, On Fri, 2017-12-01 at 20:40 +0200, Dmitry Kasatkin wrote: The original design was discussed 3+ years ago, but was never completed/upstreamed. Based on the recent discussions with Linus https

[PATCHv5 1/1] ima: re-introduce own integrity cache lock

attr_flags to atomic_flags Changes in v2: * revert taking the i_mutex in integrity_inode_get() so that iint allocation could be done with i_mutex taken * move taking the i_mutex from appraisal code to the process_measurement() Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com&g

[PATCHv5 1/1] ima: re-introduce own integrity cache lock

attr_flags to atomic_flags Changes in v2: * revert taking the i_mutex in integrity_inode_get() so that iint allocation could be done with i_mutex taken * move taking the i_mutex from appraisal code to the process_measurement() Signed-off-by: Dmitry Kasatkin --- security/integrity/iint.c

Re: [PATCHC v7 00/10] ima: carry the measurement list across kexec

On Thu, Nov 10, 2016 at 4:56 PM, Mimi Zohar wrote: > [Posting with abbreviated Cc list.] > > The TPM PCRs are only reset on a hard reboot. In order to validate a > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list > of the running kernel must be

Re: [PATCHC v7 00/10] ima: carry the measurement list across kexec

On Thu, Nov 10, 2016 at 4:56 PM, Mimi Zohar wrote: > [Posting with abbreviated Cc list.] > > The TPM PCRs are only reset on a hard reboot. In order to validate a > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list > of the running kernel must be saved and then restored on

Re: [PATCHC v7 02/10] ima: on soft reboot, restore the measurement list

On Thu, Nov 10, 2016 at 4:56 PM, Mimi Zohar wrote: > The TPM PCRs are only reset on a hard reboot. In order to validate a > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list > of the running kernel must be saved and restored on boot. This patch >

Re: [PATCHC v7 02/10] ima: on soft reboot, restore the measurement list

On Thu, Nov 10, 2016 at 4:56 PM, Mimi Zohar wrote: > The TPM PCRs are only reset on a hard reboot. In order to validate a > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list > of the running kernel must be saved and restored on boot. This patch > restores the measurement

Re: [Linux-ima-devel] [PATCH v6 07/10] ima: store the builtin/custom template definitions in a list

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > The builtin and single custom templates are currently stored in an > array. In preparation for being able to restore a measurement list > containing

Re: [Linux-ima-devel] [PATCH v6 07/10] ima: store the builtin/custom template definitions in a list

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > The builtin and single custom templates are currently stored in an > array. In preparation for being able to restore a measurement list > containing multiple builtin/custom templates, this patch stores the >

Re: [Linux-ima-devel] [PATCH v6 04/10] ima: maintain memory size needed for serializing the measurement list

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > In preparation for serializing the binary_runtime_measurements, this patch > maintains the amount of memory required. > > Changelog v5: > - replace

Re: [Linux-ima-devel] [PATCH v6 04/10] ima: maintain memory size needed for serializing the measurement list

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > In preparation for serializing the binary_runtime_measurements, this patch > maintains the amount of memory required. > > Changelog v5: > - replace CONFIG_KEXEC_FILE with architecture CONFIG_HAVE_IMA_KEXEC

Re: [Linux-ima-devel] [PATCH v6 03/10] ima: permit duplicate measurement list entries

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > Measurements carried across kexec need to be added to the IMA > measurement list, but should not prevent measurements of the newly > booted kernel from

Re: [Linux-ima-devel] [PATCH v6 03/10] ima: permit duplicate measurement list entries

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > Measurements carried across kexec need to be added to the IMA > measurement list, but should not prevent measurements of the newly > booted kernel from being added to the measurement list. This patch > adds

Re: [Linux-ima-devel] [PATCH v6 02/10] ima: on soft reboot, restore the measurement list

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > The TPM PCRs are only reset on a hard reboot. In order to validate a > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list > of the

Re: [Linux-ima-devel] [PATCH v6 02/10] ima: on soft reboot, restore the measurement list

On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann wrote: > From: Mimi Zohar > > The TPM PCRs are only reset on a hard reboot. In order to validate a > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list > of the running kernel must be saved and restored on boot. This

RE: 'select' on deleted KEYS_DEBUG_PROC_KEYS option

Hi, Yes, please make a patch. Thanks for noticing, Dmitry From: Andreas Ziegler [andreas.zieg...@fau.de] Sent: Tuesday, January 26, 2016 5:39 PM To: Dmitry Kasatkin Cc: David Howells; James Morris; Serge E. Hallyn; linux-kernel@vger.kernel.org Subject

RE: 'select' on deleted KEYS_DEBUG_PROC_KEYS option

Hi, Yes, please make a patch. Thanks for noticing, Dmitry From: Andreas Ziegler [andreas.zieg...@fau.de] Sent: Tuesday, January 26, 2016 5:39 PM To: Dmitry Kasatkin Cc: David Howells; James Morris; Serge E. Hallyn; linux-kernel@vger.kernel.org Subject

Re: [PATCHv3 4/6] evm: provide a function to set EVM key from the kernel

Hi, Updated in the patch. http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next Dmitry On Fri, Oct 23, 2015 at 9:30 PM, Mimi Zohar wrote: > On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote: >> Crypto HW kernel module can possibly initialize EVM

Re: [PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded

Hi, I added error printing to the patch http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next Dmitry On Fri, Oct 23, 2015 at 9:31 PM, Mimi Zohar wrote: > On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote: >> In order to enable EVM before start

Re: [PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded

Hi, I added error printing to the patch http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next Dmitry On Fri, Oct 23, 2015 at 9:31 PM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote: >> In

Re: [PATCHv3 4/6] evm: provide a function to set EVM key from the kernel

Hi, Updated in the patch. http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next Dmitry On Fri, Oct 23, 2015 at 9:30 PM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote: >> Crypto HW ke

RE: [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring

From: Petko Manolov [pet...@mip-labs.com] Sent: Friday, October 23, 2015 4:05 PM To: Dmitry Kasatkin Cc: zo...@linux.vnet.ibm.com; linux-ima-de...@lists.sourceforge.net; linux-security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org; Dmitry Kasatkin

RE: [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring

From: Petko Manolov [pet...@mip-labs.com] Sent: Friday, October 23, 2015 4:05 PM To: Dmitry Kasatkin Cc: zo...@linux.vnet.ibm.com; linux-ima-de...@lists.sourceforge.net; linux-security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org; Dmitry Kasatkin

[PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded

if key of any type is loaded. Changes in v2: * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC * EVM_STATE_X509_SET replaced by EVM_INIT_X509 Signed-off-by: Dmitry Kasatkin --- security/integrity/evm/evm.h| 3 +++ security/integrity/evm/evm_crypto.c | 2 ++ security/integrity/evm/evm_main.c | 6

[PATCHv3 6/6] evm: reset EVM status when file attributes changes

we may need to re-verify the signature and update iint->flags that there is EVM signature. This patch enables that by resetting evm_status to INTEGRITY_UKNOWN state. Changes in v2: * Flag setting moved to EVM layer Signed-off-by: Dmitry Kasatkin --- security/integrity/evm/evm_main.

[PATCHv3 5/6] evm: define EVM key max and min sizes

This patch imposes minimum key size limit. It declares EVM_MIN_KEY_SIZE and EVM_MAX_KEY_SIZE in public header file. Signed-off-by: Dmitry Kasatkin --- include/linux/evm.h | 3 +++ security/integrity/evm/evm_crypto.c | 7 +++ 2 files changed, 6 insertions(+), 4 deletions

[PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring

Zohar) Signed-off-by: Dmitry Kasatkin --- security/integrity/Kconfig| 11 +++ security/integrity/digsig.c | 14 -- security/integrity/evm/evm_main.c | 8 +--- security/integrity/ima/Kconfig| 5 - security/integrity/ima/ima.h | 12

[PATCHv3 4/6] evm: provide a function to set EVM key from the kernel

to evm_set_key * EVM_INIT_HMAC moved to evm_set_key * added bitop to prevent key setting race Changes in v2: * use size_t for key size instead of signed int * provide EVM_MAX_KEY_SIZE macro in * provide EVM_MIN_KEY_SIZE macro in Signed-off-by: Dmitry Kasatkin --- include/linux/evm.h

[PATCHv3 0/6] integrity: few EVM patches

sent for review few months ago. Please refer to the patch descriptions for details. BR, Dmitry Dmitry Kasatkin (6): integrity: define '.evm' as a builtin 'trusted' keyring evm: load x509 certificate from the kernel evm: enable EVM when X509 certificate is loaded evm: provide a function

[PATCHv3 2/6] evm: load x509 certificate from the kernel

patch changed to /etc/keys Signed-off-by: Dmitry Kasatkin --- security/integrity/evm/Kconfig| 17 + security/integrity/evm/evm_main.c | 7 +++ security/integrity/iint.c | 1 + security/integrity/integrity.h| 8 4 files changed, 33 insertions

[PATCHv3 0/6] integrity: few EVM patches

sent for review few months ago. Please refer to the patch descriptions for details. BR, Dmitry Dmitry Kasatkin (6): integrity: define '.evm' as a builtin 'trusted' keyring evm: load x509 certificate from the kernel evm: enable EVM when X509 certificate is loaded evm: provide a function

[PATCHv3 4/6] evm: provide a function to set EVM key from the kernel

to evm_set_key * EVM_INIT_HMAC moved to evm_set_key * added bitop to prevent key setting race Changes in v2: * use size_t for key size instead of signed int * provide EVM_MAX_KEY_SIZE macro in * provide EVM_MIN_KEY_SIZE macro in Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.

[PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring

Zohar) Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com> --- security/integrity/Kconfig| 11 +++ security/integrity/digsig.c | 14 -- security/integrity/evm/evm_main.c | 8 +--- security/integrity/ima/Kconfig| 5 - security/integri

[PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded

if key of any type is loaded. Changes in v2: * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC * EVM_STATE_X509_SET replaced by EVM_INIT_X509 Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com> --- security/integrity/evm/evm.h| 3 +++ security/integrity/evm/evm_crypto.c | 2 ++ se

[PATCHv3 6/6] evm: reset EVM status when file attributes changes

we may need to re-verify the signature and update iint->flags that there is EVM signature. This patch enables that by resetting evm_status to INTEGRITY_UKNOWN state. Changes in v2: * Flag setting moved to EVM layer Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com> --- securi

[PATCHv3 5/6] evm: define EVM key max and min sizes

This patch imposes minimum key size limit. It declares EVM_MIN_KEY_SIZE and EVM_MAX_KEY_SIZE in public header file. Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com> --- include/linux/evm.h | 3 +++ security/integrity/evm/evm_crypto.c | 7 +++ 2 files chan

[PATCHv3 2/6] evm: load x509 certificate from the kernel

patch changed to /etc/keys Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com> --- security/integrity/evm/Kconfig| 17 + security/integrity/evm/evm_main.c | 7 +++ security/integrity/iint.c | 1 + security/integrity/integrity.h| 8 4

Re: [PATCH 1/1] integrity: prevent loading untrusted certificates to IMA trusted keyring

Hi, Apply this patch, please... Dmitry On Thu, Sep 10, 2015 at 10:06 PM, Dmitry Kasatkin wrote: > If IMA_LOAD_X509 is enabled either directly or indirectly via > IMA_APPRAISE_SIGNED_INIT, it enables certificate loading to the IMA trusted > keyring from the kernel. Due to the

Re: [PATCH 1/1] integrity: prevent loading untrusted certificates to IMA trusted keyring

Hi, Apply this patch, please... Dmitry On Thu, Sep 10, 2015 at 10:06 PM, Dmitry Kasatkin <dmitry.kasat...@gmail.com> wrote: > If IMA_LOAD_X509 is enabled either directly or indirectly via > IMA_APPRAISE_SIGNED_INIT, it enables certificate loading to the IMA trusted > keyring

[PATCH 1/1] integrity: prevent loading untrusted certificates to IMA trusted keyring

certificate verification result and allowed to load self-signed or wrongly signed certificates. This patch just removes this option. Signed-off-by: Dmitry Kasatkin Cc: # 3.19+ --- security/integrity/digsig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security

[PATCH 1/1] integrity: prevent loading untrusted certificates to IMA trusted keyring

certificate verification result and allowed to load self-signed or wrongly signed certificates. This patch just removes this option. Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com> Cc: <sta...@vger.kernel.org> # 3.19+ --- security/integrity/digsig.c | 2 +- 1 fil

Re: linux-next: contact change for the integrity tree

Hi, Yes, please. (in plain text) - Dmitry On 26 January 2015 at 22:49, Stephen Rothwell wrote: > Hi all, > > I noticed commit bfd33c4b4b1a ("MAINTAINERS: email update") in the > integrity tree today. I assume that I should also update the email > address in my contacts list? > > -- > Cheers,

Re: linux-next: contact change for the integrity tree

Hi, Yes, please. (in plain text) - Dmitry On 26 January 2015 at 22:49, Stephen Rothwell s...@canb.auug.org.au wrote: Hi all, I noticed commit bfd33c4b4b1a (MAINTAINERS: email update) in the integrity tree today. I assume that I should also update the email address in my contacts list?

[PATCH v2 0/1] Email update

Hello, Sorry for the ugly typo in MAINTAINERS. - Dmitry Dmitry Kasatkin (1): MAINTAINERS: email update MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message

[PATCH v2 1/1] MAINTAINERS: email update

Changed to my private email address as I left Samsung. Signed-off-by: Dmitry Kasatkin --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index ccb0fef..0ee6758 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4655,7 +4655,7 @@ F

[PATCH 1/1] MAINTEINERS: email update

Changed to my private email address as I left Samsung. Signed-off-by: Dmitry Kasatkin --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index ccb0fef..0ee6758 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4655,7 +4655,7 @@ F

[PATCH 1/1] MAINTEINERS: email update

Changed to my private email address as I left Samsung. Signed-off-by: Dmitry Kasatkin dmitry.kasat...@gmail.com --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index ccb0fef..0ee6758 100644 --- a/MAINTAINERS +++ b/MAINTAINERS

[PATCH v2 1/1] MAINTAINERS: email update

Changed to my private email address as I left Samsung. Signed-off-by: Dmitry Kasatkin dmitry.kasat...@gmail.com --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index ccb0fef..0ee6758 100644 --- a/MAINTAINERS +++ b/MAINTAINERS

[PATCH v2 0/1] Email update

Hello, Sorry for the ugly typo in MAINTAINERS. - Dmitry Dmitry Kasatkin (1): MAINTAINERS: email update MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord

Re: [Keyrings] [PATCH 2/2] MPILIB: Deobfuscate mpi_cmp

correct. Acked-by: Dmitry Kasatkin Dmitry On 12 January 2015 at 13:43, David Howells wrote: > Dmitry Kasatkin wrote: > >> Ack. > > To what email address do I translate that now? > > Acked-by: Dmitry Kasatkin > > perchance? > > David -- T

Re: [Keyrings] [PATCH 2/2] MPILIB: Deobfuscate mpi_cmp

correct. Acked-by: Dmitry Kasatkin dmitry.kasat...@gmail.com Dmitry On 12 January 2015 at 13:43, David Howells dhowe...@redhat.com wrote: Dmitry Kasatkin dmitry.kasat...@gmail.com wrote: Ack. To what email address do I translate that now? Acked-by: Dmitry Kasatkin dmitry.kasat

Re: [Keyrings] [PATCH 2/2] MPILIB: Deobfuscate mpi_cmp

Hi, Thank you. Indeed '-cmp' is much more clear. Ack. - Dmitry On 9 January 2015 at 13:00, David Howells wrote: > This looks very reasonable. cc'ing Dmitry for his check. > > David > --- > Rasmus Villemoes wrote: > >> The condition preceding 'return 1;' makes my head hurt. At this point, >>

Re: [Keyrings] [PATCH 1/2] MPILIB: Fix comparison of negative MPIs

Hi, Thank you. It looks correct. Ack. - Dmitry On 9 January 2015 at 12:58, David Howells wrote: > I think you're right - *adding* the two sizes makes no sense. cc'ing Dmitry > also for his check. > > David > > > Rasmus Villemoes wrote: > >> If u and v both represent negative integers and

Re: [Keyrings] [PATCH 2/2] MPILIB: Deobfuscate mpi_cmp

Hi, Thank you. Indeed '-cmp' is much more clear. Ack. - Dmitry On 9 January 2015 at 13:00, David Howells dhowe...@redhat.com wrote: This looks very reasonable. cc'ing Dmitry for his check. David --- Rasmus Villemoes li...@rasmusvillemoes.dk wrote: The condition preceding 'return 1;'

Re: [Keyrings] [PATCH 1/2] MPILIB: Fix comparison of negative MPIs

Hi, Thank you. It looks correct. Ack. - Dmitry On 9 January 2015 at 12:58, David Howells dhowe...@redhat.com wrote: I think you're right - *adding* the two sizes makes no sense. cc'ing Dmitry also for his check. David Rasmus Villemoes li...@rasmusvillemoes.dk wrote: If u and v both

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

On 05/12/14 16:04, David Howells wrote: > Dmitry Kasatkin wrote: > >> With just "make all" on Ubuntu. > What gcc? I don't see any warnings. > > David > $ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lt

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

On 05/12/14 12:23, David Howells wrote: > Dmitry Kasatkin wrote: > >> sign-file.c produce lots of annoying noise. > How did you get it to produce that? > > David > With just "make all" on Ubuntu. - Dmitry -- To unsubscribe from this list: send the line &quo

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

Hi David, sign-file.c produce lots of annoying noise. scripts/sign-file.c:153:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!bd, dest_name); ^ scripts/sign-file.c:179:3: warning: format not a string literal and no format arguments [-Wformat-security]

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

Hi David, sign-file.c produce lots of annoying noise. scripts/sign-file.c:153:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!bd, dest_name); ^ scripts/sign-file.c:179:3: warning: format not a string literal and no format arguments [-Wformat-security]

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

On 05/12/14 12:23, David Howells wrote: Dmitry Kasatkin d.kasat...@samsung.com wrote: sign-file.c produce lots of annoying noise. How did you get it to produce that? David With just make all on Ubuntu. - Dmitry -- To unsubscribe from this list: send the line unsubscribe linux-kernel

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

On 05/12/14 16:04, David Howells wrote: Dmitry Kasatkin d.kasat...@samsung.com wrote: With just make all on Ubuntu. What gcc? I don't see any warnings. David $ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper Target: x86_64

Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier

On 21/11/14 16:42, Vivek Goyal wrote: > On Thu, Nov 20, 2014 at 04:54:03PM +, David Howells wrote: > > [..] >> diff --git a/crypto/asymmetric_keys/x509_parser.h >> b/crypto/asymmetric_keys/x509_parser.h >> index 3dfe6b5d6f0b..223b72344060 100644 >> --- a/crypto/asymmetric_keys/x509_parser.h

Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]

On 26/11/14 16:17, David Howells wrote: > Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, > as the second part can be used to match X.509 certificates by issuer and > serialNumber. > > Signed-off-by: David Howells > --- > > crypto/asymmetric_keys/Makefile

Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]

On 26/11/14 16:17, David Howells wrote: Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells dhowe...@redhat.com --- crypto/asymmetric_keys/Makefile

Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier

On 21/11/14 16:42, Vivek Goyal wrote: On Thu, Nov 20, 2014 at 04:54:03PM +, David Howells wrote: [..] diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 3dfe6b5d6f0b..223b72344060 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++

Re: [RESEND PATCH] ima: Fix build failure on powerpc when TCG_IBMVTPM dependencies are not met

Hello, Yes, we will pick it up. Thanks, Dmitry On 03/12/14 08:04, Michael Ellerman wrote: > On powerpc we can end up with IMA=y and PPC_PSERIES=n which leads to: > > warning: (IMA) selects TCG_IBMVTPM which has unmet direct dependencies > (TCG_TPM && PPC_PSERIES) >

Re: [RESEND PATCH] ima: Fix build failure on powerpc when TCG_IBMVTPM dependencies are not met

Hello, Yes, we will pick it up. Thanks, Dmitry On 03/12/14 08:04, Michael Ellerman wrote: On powerpc we can end up with IMA=y and PPC_PSERIES=n which leads to: warning: (IMA) selects TCG_IBMVTPM which has unmet direct dependencies (TCG_TPM PPC_PSERIES) tpm_ibmvtpm.c:(.text+0x14f3e8):

Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures

On 20/11/14 18:53, David Howells wrote: > Here's a set of patches that does the following: > > (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension. > We already extract the bit that can match the subjectKeyIdentifier (SKID) > of the parent X.509 cert, but we

Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures

On 21/11/14 14:59, Dmitry Kasatkin wrote: > Hi David, > > Before I go into reviewing the patches just want to let you know that > Integrity stuff seems to work fine with these changes. Actually after cleaning the tree and re-signing the modules, I get following Unrecognized ch

Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures

On 21/11/14 14:59, Dmitry Kasatkin wrote: Hi David, Before I go into reviewing the patches just want to let you know that Integrity stuff seems to work fine with these changes. Actually after cleaning the tree and re-signing the modules, I get following Unrecognized character \x7F; marked

Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures

On 20/11/14 18:53, David Howells wrote: Here's a set of patches that does the following: (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension. We already extract the bit that can match the subjectKeyIdentifier (SKID) of the parent X.509 cert, but we currently

Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures

Hi David, Before I go into reviewing the patches just want to let you know that Integrity stuff seems to work fine with these changes. Thanks, Dmitry On 20/11/14 18:53, David Howells wrote: > Here's a set of patches that does the following: > > (1) Extracts both parts of an X.509

Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures

Hi David, Before I go into reviewing the patches just want to let you know that Integrity stuff seems to work fine with these changes. Thanks, Dmitry On 20/11/14 18:53, David Howells wrote: Here's a set of patches that does the following: (1) Extracts both parts of an X.509

[PATCH v4 2/6] integrity: provide a function to load x509 certificate from the kernel

Provide the function to load x509 certificates from the kernel into the integrity kernel keyring. Changes in v2: * configuration option removed * function declared as '__init' Signed-off-by: Dmitry Kasatkin --- security/integrity/digsig.c| 37 - security

[PATCH v4 1/6] integrity: define a new function integrity_read_file()

of kernel_read(), to integrity_kernel_read(). Changes in v3: * Patch descriptions improved (Mimi) Changes in v2: * configuration option removed * function declared as '__init' Signed-off-by: Dmitry Kasatkin --- security/integrity/iint.c | 78 + security

[PATCH v4 5/6] ima: require signature based appraisal

Signed-off-by: Dmitry Kasatkin --- security/integrity/ima/Kconfig | 7 +++ security/integrity/ima/ima_policy.c | 5 + 2 files changed, 12 insertions(+) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 8288edc..31b44b8 100644 --- a/security

[PATCH v4 0/6] ima: provide signature based 'init' appraisal

(). * integrity_read_file() moved from digsig.c to iint.c because it is used by IMA crypto subsystem and should not depend on digsig support being enabled. -Dmitry *** BLURB HERE *** Dmitry Kasatkin (6): integrity: define a new function integrity_read_file() integrity: provide a function

[PATCH v4 6/6] VFS: refactor vfs_read()

integrity_kernel_read() duplicates the file read operations code in vfs_read(). This patch refactors vfs_read() code creating a helper function __vfs_read(). It is used by both vfs_read() and integrity_kernel_read(). Signed-off-by: Dmitry Kasatkin --- fs/read_write.c | 24

[PATCH v4 3/6] ima: load x509 certificate from the kernel

clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: Dmitry Kasatkin --- security/integrity/ima/Kconfig

[PATCH v4 4/6] integrity: provide a hook to load keys when rootfs is ready

functions Signed-off-by: Dmitry Kasatkin --- include/linux/integrity.h | 6 ++ init/main.c | 6 +- security/integrity/iint.c | 11 +++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 83222ce

[PATCH v4 4/6] integrity: provide a hook to load keys when rootfs is ready

functions Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com --- include/linux/integrity.h | 6 ++ init/main.c | 6 +- security/integrity/iint.c | 11 +++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/include/linux/integrity.h b/include/linux

[PATCH v4 0/6] ima: provide signature based 'init' appraisal

(). * integrity_read_file() moved from digsig.c to iint.c because it is used by IMA crypto subsystem and should not depend on digsig support being enabled. -Dmitry *** BLURB HERE *** Dmitry Kasatkin (6): integrity: define a new function integrity_read_file() integrity: provide a function

[PATCH v4 3/6] ima: load x509 certificate from the kernel

clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com --- security

[PATCH v4 6/6] VFS: refactor vfs_read()

integrity_kernel_read() duplicates the file read operations code in vfs_read(). This patch refactors vfs_read() code creating a helper function __vfs_read(). It is used by both vfs_read() and integrity_kernel_read(). Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com --- fs/read_write.c

  1   2   3   4   5   6   7   8   >