This patch converts the module verification and digital signature
code to the new akcipher API.
RSA implementation has been removed from crypto/asymmetric_keys and the
new API is used for cryptographic primitives.
There is no need for MPI above the akcipher API anymore.
Modules can be verified
On 12/23/2015 06:51 AM, Herbert Xu wrote:
>> > Changes in v4:
>> > - Flatten both patches into one to avoid bisect compilation problems.
> Why is this necessary?
Because the first patch modifies the struct public_key and removes the MPIs
from it,
which the code modified in the second patch still
On Tue, Dec 22, 2015 at 12:28 PM, Casey Schaufler
wrote:
> On 12/22/2015 3:46 AM, Huw Davies wrote:
>> This patch series implements RFC 5570 - Common Architecture Label IPv6
>> Security Option (CALIPSO). Its goal is to set MLS sensitivity labels
>> on IPv6 packets using a
On 12/23/2015 12:21 PM, Herbert Xu wrote:
> Why not just leave the MPIs in the structure and only remove them
> by adding a third patch?
Right, I think that's a better way of resolving this. v5 on it's way.
Thanks,
--
TS
--
To unsubscribe from this list: send the line "unsubscribe
From: Dmitry Kasatkin
We currently cannot do appraisal or signature vetting of IMA policies
since we currently can only load IMA policies by writing the contents
of the policy directly in, as follows:
cat policy-file > /ima/policy
If we provide the kernel the path to
Require the IMA policy to be signed when additional rules can be added.
Changelog v1:
- initialize the policy flag
- include IMA_APPRAISE_POLICY in the policy flag
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_policy.c | 7 +++
1 file changed, 7
This patch converts the module verification code to the new akcipher API.
Signed-off-by: Tadeusz Struk
---
crypto/asymmetric_keys/Kconfig|2
crypto/asymmetric_keys/Makefile |7 -
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
Convert asymmetric_verify to akcipher api.
Signed-off-by: Tadeusz Struk
---
security/integrity/Kconfig |1 +
security/integrity/digsig_asymmetric.c | 10 +++---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git
This patch set converts the module verification and digital signature
code to the new akcipher API.
RSA implementation has been removed from crypto/asymmetric_keys and the
new API is used for cryptographic primitives.
There is no need for MPI above the akcipher API anymore.
Modules can be verified
After digsig_asymmetric.c is converted the MPIs can be now
safely removed from the public_key_signature structure.
Signed-off-by: Tadeusz Struk
---
include/crypto/public_key.h | 14 +-
1 file changed, 1 insertion(+), 13 deletions(-)
diff --git
Instead of reading the firmware twice, once for measuring/appraising
the firmware and again reading the file contents into memory, this
patch reads the firmware once.
Signed-off-by: Mimi Zohar
---
drivers/base/firmware_class.c | 5 +
include/linux/ima.h
This patch set closes a number of measurement/appraisal gaps by defining
a generic function named ima_hash_and_process_file() for measuring and
appraising files read by the kernel (eg. kexec image and initramfs,
firmware, IMA policy).
To differentiate between callers of
Call ima_hash_and_process_file() to measure and appraise the IMA policy.
This patch defines a new policy hook named POLICY_CHECK.
Changelog v2:
- remove S_ISREG() test
Signed-off-by: Mimi Zohar
---
include/linux/ima.h | 1 +
From: Dmitry Kasatkin
Instead of passing pointers to pointers to ima_collect_measurent() to
read and return the 'security.ima' xattr value, this patch moves the
functionality to the calling process_measurement() to directly read
the xattr and pass only the hash algo to
This patch defines a new IMA hook ima_hash_and_process_file() for
measuring and appraising files read by the kernel. The caller loads
the file into memory before calling this function, which calculates
the hash followed by the normal IMA policy based processing.
Two new IMA policy functions
From: Dmitry Kasatkin
This patch provides convenient buffer hash calculation function.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h| 2 ++
get
to this yet. I'll be back January 13th. These patches are based on top of
linux-next tag next-20151223.
[0]
http://lkml.kernel.org/r/1443721449-22882-1-git-send-email-mcg...@do-not-panic.com
[1] http://kernelnewbies.org/KernelProjects/firmware-class-enhancements
David Howells (2):
firmware:
From: "Luis R. Rodriguez"
This will be re-used later through a new extensible interface.
Signed-off-by: Luis R. Rodriguez
---
drivers/base/firmware_class.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git
From: David Howells
We'll want to reuse this same code later in order to read
two separate types of file contents. This generalizes
fw_read_file_contents() for reading a file and rebrands it
as fw_read_file(). This new caller is now generic: the path
used can be arbitrary
From: "Luis R. Rodriguez"
The firmware API has evolved over the years slowly, as it
grows we extend it by adding new routines or at times we extend
existing routines with more or less arguments. This doesn't scale
well, when new arguments are added to existing routines it means
On Wednesday, December 23, 2015 04:44:09 PM Marcelo Ricardo Leitner wrote:
> From: Marcelo Ricardo Leitner
>
> Accepted or peeled off sockets were missing a security label (e.g.
> SELinux) which means that socket was in "unlabeled" state.
>
> This patch clones the
From: David Howells
We'll be folding in some more checks on fw_read_file_contents(),
this will make the success case easier to follow.
Signed-off-by: David Howells
Signed-off-by: Luis R. Rodriguez
---
drivers/base/firmware_class.c |
From: "Luis R. Rodriguez"
Historically firmware_class code was added to help
get device driver firmware binaries but these days
request_firmware*() helpers are being repurposed for
general system data needed by the kernel.
Annotate this before we extend firmare_class more,
as
On Wed, Dec 23, 2015 at 06:58:55AM -0800, Tadeusz Struk wrote:
>
> Because the first patch modifies the struct public_key and removes the MPIs
> from it,
> which the code modified in the second patch still uses. If bisect only takes
> the first
> then the build will fail on the
On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote:
> On 15-12-22 16:50:01, Sasha Levin wrote:
> > On 12/22/2015 04:40 PM, Petko Manolov wrote:
> > >> Thanks, Sasha. By the time ima_update_policy() is called
> > >> >ima_release_policy() has already output the policy update status
> > >>
On Wed, 2015-12-23 at 07:24 -0500, Mimi Zohar wrote:
> On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote:
>
> > On 15-12-22 16:50:01, Sasha Levin wrote:
> > > On 12/22/2015 04:40 PM, Petko Manolov wrote:
> > > >> Thanks, Sasha. By the time ima_update_policy() is called
> > > >>
Hi Tadeusz,
[auto build test ERROR on cryptodev/master]
[also build test ERROR on v4.4-rc6 next-20151223]
url:
https://github.com/0day-ci/linux/commits/Tadeusz-Struk/crypto-KEYS-convert-public-key-to-akcipher-api/20151223-132001
base:
https://git.kernel.org/pub/scm/linux/kernel/git
27 matches
Mail list logo