)]}' { "log": [ { "commit": "8fcc99549522fc7a0bbaeb5755855ab0d9a59ce8", "tree": "a118eaef15d4ba22247f45ee01537ecc906cd161", "parents": [ "805a6af8dba5dfdd35ec35dc52ec0122400b2610", "7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 09 12:16:48 2012 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 09 12:16:48 2012 +1100" }, "message": "Merge branch \u0027next\u0027 into for-linus\n\nConflicts:\n\tsecurity/integrity/evm/evm_crypto.c\n\nResolved upstream fix vs. next conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "97426f985729573cea06e82e271cc3929f1f5f8e", "tree": "4aafe725018a95dc5c76ede5199d24aea524b060", "parents": [ "d21b59451886cb82448302f8d6f9ac87c3bd56cf" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Mon Dec 05 13:17:42 2011 +0200" }, "committer": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Tue Dec 20 17:50:08 2011 +0200" }, "message": "evm: prevent racing during tfm allocation\n\nThere is a small chance of racing during tfm allocation.\nThis patch fixes it.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "d21b59451886cb82448302f8d6f9ac87c3bd56cf", "tree": "f2842dca9ee3c2c3febbe2f6984bb2c5e2a34c28", "parents": [ "511585a28e5b5fd1cac61e601e42efc4c5dd64b5" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Mon Dec 05 13:17:41 2011 +0200" }, "committer": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Tue Dec 20 17:45:45 2011 +0200" }, "message": "evm: key must be set once during initialization\n\nOn multi-core systems, setting of the key before every caclculation,\ncauses invalid HMAC calculation for other tfm users, because internal\nstate (ipad, opad) can be invalid before set key call returns.\nIt needs to be set only once during initialization.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "143b01d33221e4937d3930e6bb2b63d70b7c7a65", "tree": "5cae452fecfd8b1fb6b0ae1f159929ada81d8b1f", "parents": [ "88d7ed35085184f15a2af3d9e88d775059b2f307" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Mon Dec 05 13:17:42 2011 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 08 10:06:12 2011 +1100" }, "message": "evm: prevent racing during tfm allocation\n\nThere is a small chance of racing during tfm allocation.\nThis patch fixes it.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "88d7ed35085184f15a2af3d9e88d775059b2f307", "tree": "f02d2530e0f665fea4c5b240404f7767d39f47bf", "parents": [ "fe0e94c5a7e5335ba0d200e7d3e26e9f80cda4b1" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Mon Dec 05 13:17:41 2011 +0200" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Dec 08 10:06:09 2011 +1100" }, "message": "evm: key must be set once during initialization\n\nOn multi-core systems, setting of the key before every caclculation,\ncauses invalid HMAC calculation for other tfm users, because internal\nstate (ipad, opad) can be invalid before set key call returns.\nIt needs to be set only once during initialization.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "15647eb3985ef30dfd657038924dc85c03026733", "tree": "5d4629ef3b687ff56a446f42a8ee5aa35ec9322b", "parents": [ "8607c501478432b23654739c7321bc7456053cb6" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Thu Sep 01 14:41:40 2011 +0300" }, "committer": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@intel.com", "time": "Wed Nov 09 16:51:14 2011 +0200" }, "message": "evm: digital signature verification support\n\nThis patch adds support for digital signature verification to EVM.\nWith this feature file metadata can be protected using digital\nsignature instead of an HMAC. When building an image,\nwhich has to be flashed to different devices, an HMAC cannot\nbe used to sign file metadata, because the HMAC key should be\ndifferent on every device.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "566be59ab86c0e030b980645a580d683a015a483", "tree": "c5d29c7db2f8ef93e970cb405621f59c57d01b94", "parents": [ "bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Aug 22 09:14:18 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:24:52 2011 -0400" }, "message": "evm: permit mode bits to be updated\n\nBefore permitting \u0027security.evm\u0027 to be updated, \u0027security.evm\u0027 must\nexist and be valid. In the case that there are no existing EVM protected\nxattrs, it is safe for posix acls to update the mode bits.\n\nTo differentiate between no \u0027security.evm\u0027 xattr and no xattrs used to\ncalculate \u0027security.evm\u0027, this patch defines INTEGRITY_NOXATTR.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa", "tree": "c6c5f39d43fe0d27bc1d3aedbd2f9b3ba2f8f537", "parents": [ "a924ce0b35875ef9512135b46a32f4150fd700b2" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Aug 18 18:07:44 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:24:51 2011 -0400" }, "message": "evm: posix acls modify i_mode\n\nThe posix xattr acls are \u0027system\u0027 prefixed, which normally would not\naffect security.evm. An interesting side affect of writing posix xattr\nacls is their modifying of the i_mode, which is included in security.evm.\n\nThis patch updates security.evm when posix xattr acls are written.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "a924ce0b35875ef9512135b46a32f4150fd700b2", "tree": "0e01ac679790fe96c03b341b2670a2ed9c56a122", "parents": [ "fb88c2b6cbb1265a8bef60694699b37f5cd4ba76" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Aug 11 01:22:30 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:24:51 2011 -0400" }, "message": "evm: limit verifying current security.evm integrity\n\nevm_protect_xattr unnecessarily validates the current security.evm\nintegrity, before updating non-evm protected extended attributes\nand other file metadata. This patch limits validating the current\nsecurity.evm integrity to evm protected metadata.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "1d714057ef8f6348eba7b28ace6d307513e57cef", "tree": "a848b86df6257b347b6929f9ad09666105996003", "parents": [ "982e617a313b57abee3bcfa53381c356d00fd64a" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Sun Aug 28 08:57:11 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Sep 14 15:24:49 2011 -0400" }, "message": "evm: remove TCG_TPM dependency\n\nAll tristates selected by EVM(boolean) are forced to be builtin, except\nin the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the\nKconfig bug as, \"So it would seem direct dependency state influence the\nstate of reverse dependencies..\" For a detailed explanation, refer to\nArnaud Lacombe\u0027s posting http://lkml.org/lkml/2011/8/23/498.\n\nWith the \"encrypted-keys: remove trusted-keys dependency\" patch, EVM\ncan now be built without a dependency on TCG_TPM. The trusted-keys\ndependency requires trusted-keys to either be builtin or not selected.\nThis dependency will prevent the boolean/tristate mismatch from\noccuring.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e,\n Randy Dunlap \u003crdunlap@xenotimenet\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "dbe5ad17ec62fbd3be7789f9a5ab71d23da8acf0", "tree": "60e4ae2f8b5d66faac484f5774d22290a51c21e4", "parents": [ "09f464bf0961aba3cd917d4939597bafb269fb95" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Aug 17 18:51:36 2011 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 18 12:58:12 2011 +1000" }, "message": "evm: add Kconfig TCG_TPM dependency\n\nAlthough the EVM encrypted-key should be encrypted/decrypted using a\ntrusted-key, a user-defined key could be used instead. When using a user-\ndefined key, a TCG_TPM dependency should not be required. Unfortunately,\nthe encrypted-key code needs to be refactored a bit in order to remove\nthis dependency.\n\nThis patch adds the TCG_TPM dependency.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e,\n\t Randy Dunlap \u003crdunlap@xenotimenet\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5a4730ba9517cf2793175991243436a24b1db18f", "tree": "2c9c26d4662a31c851aed525d4d032d08e54e297", "parents": [ "e1c9b23adbe86c725738402857397d7a29f9d6ef" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu Aug 11 00:22:52 2011 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Aug 11 17:42:41 2011 +1000" }, "message": "evm: fix evm_inode_init_security return code\n\nevm_inode_init_security() should return 0, when EVM is not enabled.\n(Returning an error is a remnant of evm_inode_post_init_security.)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "0b024d2446474c6a7c47573af5a35db83f557ce3", "tree": "56d1d380cd4f87581a0e276ee80cc52e438738b8", "parents": [ "5a2f3a02aea164f4f59c0c3497772090a411b462" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 09 11:33:36 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Aug 09 11:33:36 2011 +1000" }, "message": "EVM: ensure trusted and encypted key symbols are available to EVM\n\nSelect trusted and encrypted keys if EVM is selected, to ensure\nthe requisite symbols are available. Otherwise, these can be\nselected as modules while EVM is static, leading to a kernel\nbuild failure.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "817b54aa45db03437c6d09a7693fc6926eb8e822", "tree": "03d43f3abfbd8670e3a30a33ef868ec7705ef2c4", "parents": [ "7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Fri May 13 12:53:38 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:50 2011 -0400" }, "message": "evm: add evm_inode_setattr to prevent updating an invalid security.evm\n\nPermit changing of security.evm only when valid, unless in fixmode.\n\nReported-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac", "tree": "1de4ac95b25e6bebab103e4377047c8f76038dac", "parents": [ "24e0198efe0df50034ec1c14b2d7b5bb0f66d54a" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Thu May 12 18:33:20 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:49 2011 -0400" }, "message": "evm: permit only valid security.evm xattrs to be updated\n\nIn addition to requiring CAP_SYS_ADMIN permission to modify/delete\nsecurity.evm, prohibit invalid security.evm xattrs from changing,\nunless in fixmode. This patch prevents inadvertent \u0027fixing\u0027 of\nsecurity.evm to reflect offline modifications.\n\nChangelog v7:\n- rename boot paramater \u0027evm_mode\u0027 to \u0027evm\u0027\n\nReported-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "24e0198efe0df50034ec1c14b2d7b5bb0f66d54a", "tree": "64f7d23cd7b07dabe826c2a6ed37f7c1842816b2", "parents": [ "6d38ca01c0c2d6c2e46ec1984db9ada6bad6ca26" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@nokia.com", "time": "Fri May 06 11:34:17 2011 +0300" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:48 2011 -0400" }, "message": "evm: replace hmac_status with evm_status\n\nWe will use digital signatures in addtion to hmac.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "6d38ca01c0c2d6c2e46ec1984db9ada6bad6ca26", "tree": "6084a84cd87d18c261d62dc816d48335ce602447", "parents": [ "2960e6cb5f7c662b8edb6b0d2edc72095b4f5672" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@nokia.com", "time": "Fri May 06 11:34:14 2011 +0300" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:48 2011 -0400" }, "message": "evm: evm_verify_hmac must not return INTEGRITY_UNKNOWN\n\nIf EVM is not supported or enabled, evm_verify_hmac() returns\nINTEGRITY_UNKNOWN, which ima_appraise_measurement() ignores and sets\nthe appraisal status based solely on the security.ima verification.\n\nevm_verify_hmac() also returns INTEGRITY_UNKNOWN for other failures, such\nas temporary failures like -ENOMEM, resulting in possible attack vectors.\nThis patch changes the default return code for temporary/unexpected\nfailures, like -ENOMEM, from INTEGRITY_UNKNOWN to INTEGRITY_FAIL, making\nevm_verify_hmac() fail safe.\n\nAs a result, failures need to be re-evaluated in order to catch both\ntemporary errors, such as the -ENOMEM, as well as errors that have been\nresolved in fix mode.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "2960e6cb5f7c662b8edb6b0d2edc72095b4f5672", "tree": "84e8c3378312243087089a669e4209f43d531b37", "parents": [ "d46eb3699502ba221e81e88e6c6594e2a7818532" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@nokia.com", "time": "Fri May 06 11:34:13 2011 +0300" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:47 2011 -0400" }, "message": "evm: additional parameter to pass integrity cache entry \u0027iint\u0027\n\nAdditional iint parameter allows to skip lookup in the cache.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "d46eb3699502ba221e81e88e6c6594e2a7818532", "tree": "4761b63f12ded9ad53e3019c33d62d173b4b07da", "parents": [ "823eb1ccd0b310449e99c822412ea8208334d14c" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@nokia.com", "time": "Wed Mar 09 15:07:36 2011 -0500" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:46 2011 -0400" }, "message": "evm: crypto hash replaced by shash\n\nUsing shash is more efficient, because the algorithm is allocated only\nonce. Only the descriptor to store the hash state needs to be allocated\nfor every operation.\n\nChangelog v6:\n- check for crypto_shash_setkey failure\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n" }, { "commit": "cb72318069d5e92eb74840118732c66eb38c812f", "tree": "eb4e9a6c923567e01ddd1340f9430eb3c43f4aeb", "parents": [ "975d294373d8c1c913ad2bf4eb93966d4c7ca38f" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Mar 09 14:40:44 2011 -0500" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:45 2011 -0400" }, "message": "evm: add evm_inode_init_security to initialize new files\n\nInitialize \u0027security.evm\u0027 for new files.\n\nChangelog v7:\n- renamed evm_inode_post_init_security to evm_inode_init_security\n- moved struct xattr definition to earlier patch\n- allocate xattr name\nChangelog v6:\n- Use \u0027struct evm_ima_xattr_data\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n" }, { "commit": "3e1be52d6c6b21d9080dd886c0e609e009831562", "tree": "2947250698b89eed0149af2d69a33b303c4d6be4", "parents": [ "6be5cc5246f807fd8ede9f5f1bb2826f2c598658" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Mar 09 14:38:26 2011 -0500" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:42 2011 -0400" }, "message": "security: imbed evm calls in security hooks\n\nImbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(),\nevm_inode_removexattr() in the security hooks. evm_inode_setxattr()\nprotects security.evm xattr. evm_inode_post_setxattr() and\nevm_inode_removexattr() updates the hmac associated with an inode.\n\n(Assumes an LSM module protects the setting/removing of xattr.)\n\nChangelog:\n - Don\u0027t define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.\n - xattr_name is a \u0027const\u0027, value is \u0027void *\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n" }, { "commit": "6be5cc5246f807fd8ede9f5f1bb2826f2c598658", "tree": "00fc342eb91fb50df4e8eddfe2a7294b27df8117", "parents": [ "66dbc325afcef909043c30e90930a36823fc734c" ], "author": { "name": "Dmitry Kasatkin", "email": "dmitry.kasatkin@nokia.com", "time": "Wed Mar 09 14:28:20 2011 -0500" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:41 2011 -0400" }, "message": "evm: add support for different security.evm data types\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks. The current patchset maintains an HMAC-sha1 value across the security\nxattrs, storing the value as the extended attribute \u0027security.evm\u0027. We\nanticipate other methods for protecting the security extended attributes.\nThis patch reserves the first byte of \u0027security.evm\u0027 as a place holder for\nthe type of method.\n\nChangelog v6:\n- move evm_ima_xattr_type definition to security/integrity/integrity.h\n- defined a structure for the EVM xattr called evm_ima_xattr_data\n (based on Serge Hallyn\u0027s suggestion)\n- removed unnecessary memset\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n" }, { "commit": "66dbc325afcef909043c30e90930a36823fc734c", "tree": "5c8a7fe063a058f4266c6db5e48229e8c04dd00e", "parents": [ "1601fbad2b14e0b8d4dbb55e749bfe31e972818a" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Mar 15 16:12:09 2011 -0400" }, "committer": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Mon Jul 18 12:29:40 2011 -0400" }, "message": "evm: re-release\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks. This patchset provides the framework and an initial method. The\ninitial method maintains an HMAC-sha1 value across the security extended\nattributes, storing the HMAC value as the extended attribute \u0027security.evm\u0027.\nOther methods of validating the integrity of a file\u0027s metadata will be posted\nseparately (eg. EVM-digital-signatures).\n\nWhile this patchset does authenticate the security xattrs, and\ncryptographically binds them to the inode, coming extensions will bind other\ndirectory and inode metadata for more complete protection. To help simplify\nthe review and upstreaming process, each extension will be posted separately\n(eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of the\nproposed Linux integrity subsystem, refer to Dave Safford\u0027s whitepaper:\nhttp://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.\n\nEVM depends on the Kernel Key Retention System to provide it with a\ntrusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the\nroot\u0027s keyring using keyctl. Until EVM receives notification that the key has\nbeen successfully loaded onto the keyring (echo 1 \u003e \u003csecurityfs\u003e/evm), EVM can\nnot create or validate the \u0027security.evm\u0027 xattr, but returns INTEGRITY_UNKNOWN.\nLoading the key and signaling EVM should be done as early as possible. Normally\nthis is done in the initramfs, which has already been measured as part of the\ntrusted boot. For more information on creating and loading existing\ntrusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. A\nsample dracut patch, which loads the trusted/encrypted key and enables EVM, is\navailable from http://linux-ima.sourceforge.net/#EVM.\n\nBased on the LSMs enabled, the set of EVM protected security xattrs is defined\nat compile. EVM adds the following three calls to the existing security hooks:\nevm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr. To\ninitialize and update the \u0027security.evm\u0027 extended attribute, EVM defines three\ncalls: evm_inode_post_init(), evm_inode_post_setattr() and\nevm_inode_post_removexattr() hooks. To verify the integrity of a security\nxattr, EVM exports evm_verifyxattr().\n\nChangelog v7:\n- Fixed URL in EVM ABI documentation\n\nChangelog v6: (based on Serge Hallyn\u0027s review)\n- fix URL in patch description\n- remove evm_hmac_size definition\n- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)\n- moved linux include before other includes\n- test for crypto_hash_setkey failure\n- fail earlier for invalid key\n- clear entire encrypted key, even on failure\n- check xattr name length before comparing xattr names\n\nChangelog:\n- locking based on i_mutex, remove evm_mutex\n- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1\n operation.\n- replaced crypto hash with shash (Dmitry Kasatkin)\n- support for additional methods of verifying the security xattrs\n (Dmitry Kasatkin)\n- iint not allocated for all regular files, but only for those appraised\n- Use cap_sys_admin in lieu of cap_mac_admin\n- Use __vfs_setxattr_noperm(), without permission checks, from EVM\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n" } ] }