[PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

This patch converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified

Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

On 12/23/2015 06:51 AM, Herbert Xu wrote: >> > Changes in v4: >> > - Flatten both patches into one to avoid bisect compilation problems. > Why is this necessary? Because the first patch modifies the struct public_key and removes the MPIs from it, which the code modified in the second patch still

Re: [RFC PATCH 00/17] CALIPSO implementation

On Tue, Dec 22, 2015 at 12:28 PM, Casey Schaufler wrote: > On 12/22/2015 3:46 AM, Huw Davies wrote: >> This patch series implements RFC 5570 - Common Architecture Label IPv6 >> Security Option (CALIPSO). Its goal is to set MLS sensitivity labels >> on IPv6 packets using a

Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

On 12/23/2015 12:21 PM, Herbert Xu wrote: > Why not just leave the MPIs in the structure and only remove them > by adding a third patch? Right, I think that's a better way of resolving this. v5 on it's way. Thanks, -- TS -- To unsubscribe from this list: send the line "unsubscribe

[PATCH v2 2/7] ima: load policy using path

From: Dmitry Kasatkin We currently cannot do appraisal or signature vetting of IMA policies since we currently can only load IMA policies by writing the contents of the policy directly in, as follows: cat policy-file > /ima/policy If we provide the kernel the path to

[PATCH v2 7/7] ima: require signed IMA policy

Require the IMA policy to be signed when additional rules can be added. Changelog v1: - initialize the policy flag - include IMA_APPRAISE_POLICY in the policy flag Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 7 +++ 1 file changed, 7

[PATCH v5 1/3] crypto: KEYS: convert public key and digsig asym to the akcipher api

This patch converts the module verification code to the new akcipher API. Signed-off-by: Tadeusz Struk --- crypto/asymmetric_keys/Kconfig|2 crypto/asymmetric_keys/Makefile |7 - crypto/asymmetric_keys/pkcs7_parser.c | 12 +-

[PATCH v5 2/3] integrity: convert digsig to akcipher api

Convert asymmetric_verify to akcipher api. Signed-off-by: Tadeusz Struk --- security/integrity/Kconfig |1 + security/integrity/digsig_asymmetric.c | 10 +++--- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git

[PATCH v5 0/3] crypto: KEYS: convert public key to akcipher api

This patch set converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified

[PATCH v5 3/3] crypto: public_key: remove MPIs from public_key_signature struct

After digsig_asymmetric.c is converted the MPIs can be now safely removed from the public_key_signature structure. Signed-off-by: Tadeusz Struk --- include/crypto/public_key.h | 14 +- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git

[PATCH v2 5/7] ima: measure and appraise firmware (improvement)

Instead of reading the firmware twice, once for measuring/appraising the firmware and again reading the file contents into memory, this patch reads the firmware once. Signed-off-by: Mimi Zohar --- drivers/base/firmware_class.c | 5 + include/linux/ima.h

[PATCH v2 0/7] ima: measuring/appraising files read by the kernel

This patch set closes a number of measurement/appraisal gaps by defining a generic function named ima_hash_and_process_file() for measuring and appraising files read by the kernel (eg. kexec image and initramfs, firmware, IMA policy). To differentiate between callers of

[PATCH v2 6/7] ima: measure and appraise the IMA policy itself

Call ima_hash_and_process_file() to measure and appraise the IMA policy. This patch defines a new policy hook named POLICY_CHECK. Changelog v2: - remove S_ISREG() test Signed-off-by: Mimi Zohar --- include/linux/ima.h | 1 +

[PATCH v2 1/7] ima: separate 'security.ima' reading functionality from collect

From: Dmitry Kasatkin Instead of passing pointers to pointers to ima_collect_measurent() to read and return the 'security.ima' xattr value, this patch moves the functionality to the calling process_measurement() to directly read the xattr and pass only the hash algo to

[PATCH v2 4/7] ima: measure and appraise kexec image and initramfs

This patch defines a new IMA hook ima_hash_and_process_file() for measuring and appraising files read by the kernel. The caller loads the file into memory before calling this function, which calculates the hash followed by the normal IMA policy based processing. Two new IMA policy functions

[PATCH v2 3/7] ima: provide buffer hash calculation function

From: Dmitry Kasatkin This patch provides convenient buffer hash calculation function. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/ima/ima.h| 2 ++

[PATCH v3 0/5] firmware_class: extensible firmware API

get to this yet. I'll be back January 13th. These patches are based on top of linux-next tag next-20151223. [0] http://lkml.kernel.org/r/1443721449-22882-1-git-send-email-mcg...@do-not-panic.com [1] http://kernelnewbies.org/KernelProjects/firmware-class-enhancements David Howells (2): firmware:

[PATCH v3 2/5] firmware: move completing fw into a helper

From: "Luis R. Rodriguez" This will be re-used later through a new extensible interface. Signed-off-by: Luis R. Rodriguez --- drivers/base/firmware_class.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git

[PATCH v3 4/5] firmware: generalize reading file contents as a helper

From: David Howells We'll want to reuse this same code later in order to read two separate types of file contents. This generalizes fw_read_file_contents() for reading a file and rebrands it as fw_read_file(). This new caller is now generic: the path used can be arbitrary

[PATCH v3 5/5] firmware: add an extensible system data helpers

From: "Luis R. Rodriguez" The firmware API has evolved over the years slowly, as it grows we extend it by adding new routines or at times we extend existing routines with more or less arguments. This doesn't scale well, when new arguments are added to existing routines it means

Re: [PATCH net] sctp: label accepted/peeled off sockets

On Wednesday, December 23, 2015 04:44:09 PM Marcelo Ricardo Leitner wrote: > From: Marcelo Ricardo Leitner > > Accepted or peeled off sockets were missing a security label (e.g. > SELinux) which means that socket was in "unlabeled" state. > > This patch clones the

[PATCH v3 3/5] firmware: fold successful fw read early

From: David Howells We'll be folding in some more checks on fw_read_file_contents(), this will make the success case easier to follow. Signed-off-by: David Howells Signed-off-by: Luis R. Rodriguez --- drivers/base/firmware_class.c |

[PATCH v3 1/5] firmware: generalize "firmware" as "system data" helpers

From: "Luis R. Rodriguez" Historically firmware_class code was added to help get device driver firmware binaries but these days request_firmware*() helpers are being repurposed for general system data needed by the kernel. Annotate this before we extend firmare_class more, as

Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

On Wed, Dec 23, 2015 at 06:58:55AM -0800, Tadeusz Struk wrote: > > Because the first patch modifies the struct public_key and removes the MPIs > from it, > which the code modified in the second patch still uses. If bisect only takes > the first > then the build will fail on the

Re: [PATCH] IMA: policy can be updated zero times

On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote: > On 15-12-22 16:50:01, Sasha Levin wrote: > > On 12/22/2015 04:40 PM, Petko Manolov wrote: > > >> Thanks, Sasha. By the time ima_update_policy() is called > > >> >ima_release_policy() has already output the policy update status > > >>

Re: [Linux-ima-devel] [PATCH] IMA: policy can be updated zero times

On Wed, 2015-12-23 at 07:24 -0500, Mimi Zohar wrote: > On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote: > > > On 15-12-22 16:50:01, Sasha Levin wrote: > > > On 12/22/2015 04:40 PM, Petko Manolov wrote: > > > >> Thanks, Sasha. By the time ima_update_policy() is called > > > >>

Re: [PATCH v3 1/2] crypto: KEYS: convert public key to the akcipher api

Hi Tadeusz, [auto build test ERROR on cryptodev/master] [also build test ERROR on v4.4-rc6 next-20151223] url: https://github.com/0day-ci/linux/commits/Tadeusz-Struk/crypto-KEYS-convert-public-key-to-akcipher-api/20151223-132001 base: https://git.kernel.org/pub/scm/linux/kernel/git