[PATCH 5/5] ima: read firmware only once

2015-11-24 Thread Mimi Zohar
Instead of reading the firmware twice, once for measuring/appraising the firmware and again loading it, this patch reads the firmware once. This patch removes ima_fw_from_file() and replaces it with a new hook named ima_read_file_contents(). As ima_read_file_contents() re-appraises the file each

[PATCH 3/5] ima: ignore the kexec cache status

2015-11-24 Thread Mimi Zohar
Each time kexec loads an image, ignore the kexec cached status and re-measure/re-appraise the image. This patch replaces the iint kexec status with a generic read status in preparation for measuring/verifying other files. Signed-off-by: Mimi Zohar ---

[PATCH 2/5] ima: measure and appraise kexec image

2015-11-24 Thread Mimi Zohar
ima_process_measurements() determines whether or not a file is in policy before calculating the file hash. Instead of reading the file once for calculating the file hash and possibly again for loading the file into memory, this patch defines a new IMA hook named ima_read_file_from_fd() to read,

[PATCH 1/5] ima: separate 'security.ima' reading functionality from collect

2015-11-24 Thread Mimi Zohar
From: Dmitry Kasatkin Instead of playing with setting and passing pointers to pointers to the ima_collect_measurement() to read and return 'security.ima' xattr value, this patch moves functionality to the calling process_measurement() to directly read xattr and pass only

[PATCH 1/2] KEYS: Reserve an extra certificate symbol for inserting without recompiling

2015-11-24 Thread Mehmet Kayaalp
Place a system_extra_cert buffer of configurable size, right after the system_certificate_list, so that inserted keys can be readily processed by the existing mechanism. Added script takes a key file and a kernel image and inserts its contents to the reserved area. The system_certificate_list_size

[PATCH] KEYS: Fix handling of stored error in a negatively instantiated user key

2015-11-24 Thread David Howells
If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there. The following may

Re: [PATCH] KEYS: Fix handling of stored error in a negatively instantiated user key

2015-11-24 Thread David Howells
Hi James, Can this be passed straight to Linus please? Thanks, David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[PATCH 2/2] KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert

2015-11-24 Thread Mehmet Kayaalp
When a certificate is inserted to the image using scripts/writekey, the value of __cert_list_end does not change. The updated size can be found out by reading the value pointed by the system_certificate_list_size symbol. Signed-off-by: Mehmet Kayaalp ---

Re: [PATCH] KEYS: Fix handling of stored error in a negatively instantiated user key

2015-11-24 Thread James Morris
On Tue, 24 Nov 2015, David Howells wrote: > Hi James, > > Can this be passed straight to Linus please? Is this triggerable by normal users? -- James Morris

Re: RFC rdma cgroup

2015-11-24 Thread Tejun Heo
Hello, chiming in late. On Wed, Oct 28, 2015 at 01:59:15PM +0530, Parav Pandit wrote: > Design guidelines: > --- > 1. There will be new rdma cgroup for accounting rdma resources > (instead of extending device cgroup). > Rationale: RDMA tracks different type of resources and it