Basic trusted keys support: auth value and SHA256.
v2:
* Removed all the changes that modify the existing functions to use
the new struct tpm_buf. These changes should be done separately from
this patch set as they require separate QA + review.
* 'keyhandle=' is now required for TPM2. Makes
On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote:
> Basic trusted keys support: auth value and SHA256.
>
> v2:
>
> * Removed all the changes that modify the existing functions to use
> the new struct tpm_buf. These changes should be done separately from
> this patch set as
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
trusted keys.
This patch implements basic sealing and unsealing functionality for
TPM 2.0:
* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.
Signed-off-by: Jarkko Sakkinen
From: Andy Lutomirski
If a process gets access to a mount from a different user
namespace, that process should not be able to take advantage of
setuid files or selinux entrypoints from that filesystem. Prevent
this by treating mounts from other mount namespaces and those
Unprivileged users should not be able to mount mtd block devices
when they lack sufficient privileges towards the block device
inode. Update mount_mtd() to validate that the user has the
required access to the inode at the specified path. The check
will be skipped for CAP_SYS_ADMIN, so privileged
Security labels from unprivileged mounts in user namespaces must
be ignored. Force superblocks from user namespaces whose labeling
behavior is to use xattrs to use mountpoint labeling instead.
For the mountpoint label, default to converting the current task
context into a form suitable for file
On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote:
> * I updated tpm_buf to a be heap based structure. Now there's one full
> page of memory for variable sized messages. Also the stack is greatly
> reduced.
You may as well just use a skb then.
Jason
--
To unsubscribe from this
All current callers of in_userns pass current_user_ns as the
first argument. Simplify by replacing in_userns with
current_in_userns which checks whether current_user_ns is in the
namespace supplied as an argument.
Signed-off-by: Seth Forshee
---
fs/namespace.c
On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook wrote:
> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones wrote:
>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
>> From: Tony Jones
>> Date: Sat, 10 Oct 2015 19:30:49 -0700
>>
On 10/13/2015 09:11 AM, Paul Moore wrote:
> On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook wrote:
>> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones wrote:
>>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
>>> From: Tony Jones
On Tue, Oct 13, 2015 at 11:41:20AM -0600, Jason Gunthorpe wrote:
> On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote:
>
> > * I updated tpm_buf to a be heap based structure. Now there's one full
> > page of memory for variable sized messages. Also the stack is greatly
> >
On 10/13/2015 12:19 PM, Paul Moore wrote:
>> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on. auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least
On Tue, Oct 13, 2015 at 11:34:42AM -0600, Jason Gunthorpe wrote:
> On Fri, Oct 02, 2015 at 11:38:17AM +0300, Jarkko Sakkinen wrote:
> > Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
> > trusted keys.
> >
> > This patch implements basic sealing and unsealing functionality for
>
13 matches
Mail list logo