Require all keys added to the EVM keyring be signed by an
existing trusted key on the system trusted keyring.
This patch also switches IMA to use integrity_init_keyring().
Changes in v3:
* Added 'init_keyring' config based variable to skip initializing
keyring instead of using
In order to enable EVM before starting the 'init' process,
evm_initialized needs to be non-zero. Before, it was
indicating that the HMAC key is loaded. When EVM loads
X509 before calling 'init', it is possible to enable
EVM to start signature based verification.
This patch defines bits to enable EVM if
A crypto HW kernel module can possibly initialize the EVM key from the
kernel __init code to enable EVM before calling the 'init' process.
This patch provides a function evm_set_key() which can be used to
set a custom key directly in EVM without using the key subsystem.
Changes in v3:
* error reporting moved to
This patch imposes a minimum key size limit.
It declares EVM_MIN_KEY_SIZE and EVM_MAX_KEY_SIZE in a public header file.
Signed-off-by: Dmitry Kasatkin
---
include/linux/evm.h | 3 +++
security/integrity/evm/evm_crypto.c | 7 +++
2 files changed, 6
Hi Petko,
I have a question
On Fri, Oct 16, 2015 at 10:31 PM, Petko Manolov wrote:
> IMA policy can now be updated multiple times. The new rules get appended
> to the original policy. Have in mind that the rules are scanned in FIFO
> order so be careful when you add
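The FIFO scanning Petko describes means that a rule appended by a later policy update cannot override an earlier rule that already matches the same file: the first rule to match decides. The following is an added example, not code from the quoted patch and not the kernel's own ima_match_policy(); it is a deliberately simplified first-match evaluator (rules keyed only on a filesystem name and a uid, both assumptions chosen for illustration) that shows how the same two rules give opposite answers depending on the order in which they were appended.

```c
/* Simplified model of FIFO, first-match policy evaluation.
 * Constructed example: not the kernel's ima_match_policy(), and the
 * rule fields (fsmagic as a name, uid) are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

enum action { ACT_NONE = 0, ACT_MEASURE = 1, ACT_DONT_MEASURE = 2 };

struct rule {
    enum action action;
    const char *fsmagic;   /* "*" matches any filesystem */
    int uid;               /* -1 matches any uid */
};

#define MAX_RULES 16

struct policy {
    struct rule rules[MAX_RULES];
    int count;
};

/* Append a rule at the tail, as repeated policy loads do per the quoted text. */
static int policy_append(struct policy *p, struct rule r)
{
    if (p->count >= MAX_RULES)
        return -1;
    p->rules[p->count++] = r;
    return 0;
}

/* Walk the rules oldest first; the first rule that matches decides. */
static enum action policy_evaluate(const struct policy *p,
                                   const char *fsmagic, int uid)
{
    for (int i = 0; i < p->count; i++) {
        const struct rule *r = &p->rules[i];
        if (strcmp(r->fsmagic, "*") != 0 && strcmp(r->fsmagic, fsmagic) != 0)
            continue;
        if (r->uid != -1 && r->uid != uid)
            continue;
        return r->action;
    }
    return ACT_NONE;
}

/* Original policy measures everything on ext4; a later update appends a
 * dont_measure rule for root. The earlier rule still matches first, so
 * root's ext4 files keep being measured. */
static enum action demo_append_after(void)
{
    struct policy p = {0};
    policy_append(&p, (struct rule){ ACT_MEASURE, "ext4", -1 });
    policy_append(&p, (struct rule){ ACT_DONT_MEASURE, "*", 0 });
    return policy_evaluate(&p, "ext4", 0);   /* ACT_MEASURE */
}

/* The same two rules loaded in the other order give the opposite result. */
static enum action demo_append_before(void)
{
    struct policy p = {0};
    policy_append(&p, (struct rule){ ACT_DONT_MEASURE, "*", 0 });
    policy_append(&p, (struct rule){ ACT_MEASURE, "ext4", -1 });
    return policy_evaluate(&p, "ext4", 0);   /* ACT_DONT_MEASURE */
}

int main(void)
{
    printf("dont_measure appended after measure : action=%d\n",
           demo_append_after());
    printf("dont_measure appended before measure: action=%d\n",
           demo_append_before());
    return 0;
}
```

The practical consequence for an appended update is that an exception rule (dont_measure) only takes effect for files that no earlier rule already matches; to narrow an existing measure rule you have to get the exception in front of it, which appending cannot do.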
The Tags security module allows attaching tags to processes.
Tags are accessed through the new files /proc/PID/attr/tags
and /proc/PID/tasks/TID/attr/tags, below named "tag file".
Reading a tag file returns all the tags attached to the process
(or thread). The tags are listed one per line, each
On Thu, Oct 22, 2015 at 1:45 PM, Eric W. Biederman wrote:
>
> Thank you for a creative solution to a problem that you perceive. I
> appreciate it when people aim to solve problems they see.
>
> Tobias Markus writes:
>
>> On 17.10.2015 23:55, Serge E.
Andy Lutomirski writes:
> At the risk of pointing out a can of worms, the attack surface also
> includes things like the iptables configuration APIs, parsers, and
> filter/conntrack/action modules.
It is worth noting that module auto-load does not happen if the
triggering
On Thu, 22 Oct 2015, David Howells wrote:
> Hi James,
>
> Could you pull these changes into your next branch please?
>
> There are three groups:
>
> (1) Miscellaneous cleanups.
>
> (2) Add scripts for extracting system cert list and module sigs.
>
> (3) Condense the type-specific data in
INTRODUCTION
Adding a feature to the kernel is not free; it must
have some interest. I will try here to explain the reasons
why I am posting a new bag of code here.
I studied the security of Tizen 3 [1] and modestly participated
in it. Tizen 3 uses Smack as its security