)]}'
{
  "log": [
    {
      "commit": "e0751257a64ea10cca96ccb06522bfb10e36cb5b",
      "tree": "7ff1ec8b4d359f383fc3408876dd6ff6532f9ab6",
      "parents": [
        "50af554466804bf51a52fa3d1d0a76f96bd33929"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Thu Feb 07 00:12:08 2013 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 06 21:22:18 2013 -0500"
      },
      "message": "ima: digital signature verification using asymmetric keys\n\nAsymmetric keys were introduced in linux-3.7 to verify the signature on\nsigned kernel modules. The asymmetric keys infrastructure abstracts the\nsignature verification from the crypto details. This patch adds IMA/EVM\nsignature verification using asymmetric keys. Support for additional\nsignature verification methods can now be delegated to the asymmetric\nkey infrastructure.\n\nAlthough the module signature header and the IMA/EVM signature header\ncould use the same format, to minimize the signature length and save\nspace in the extended attribute, this patch defines a new IMA/EVM\nheader format.  The main difference is that the key identifier is a\nsha1[12 - 19] hash of the key modulus and exponent, similar to the\ncurrent implementation.  The only purpose of the key identifier is to\nidentify the corresponding key in the kernel keyring.  ima-evm-utils\nwas updated to support the new signature format.\n\nWhile asymmetric signature verification functionality supports many\ndifferent hash algorithms, the hash used in this patch is calculated\nduring the IMA collection phase, based on the configured algorithm.\nThe default algorithm is sha1, but for backwards compatibility md5\nis supported.  Due to this current limitation, signatures should be\ngenerated using a sha1 hash algorithm.\n\nChanges in this patch:\n- Functionality has been moved to separate source file in order to get rid of\n  in source #ifdefs.\n- keyid is derived according to the RFC 3280. It does not require to assign\n  IMA/EVM specific \"description\" when loading X509 certificate. Kernel\n  asymmetric key subsystem automatically generate the description. Also\n  loading a certificate does not require using of ima-evm-utils and can be\n  done using keyctl only.\n- keyid size is reduced to 32 bits to save xattr space.  Key search is done\n  using partial match functionality of asymmetric_key_match().\n- Kconfig option title was changed\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "d79d72e02485c00b886179538dc8deaffa3be507",
      "tree": "92690d5cbd6e4a0a3bee369033fe18d9b2d065f7",
      "parents": [
        "f578c08ec959cb0cdadf02bdc9689a4df3e9b9d4"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 03 17:08:11 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 22 16:10:36 2013 -0500"
      },
      "message": "ima: per hook cache integrity appraisal status\n\nWith the new IMA policy \u0027appraise_type\u003d\u0027 option, different hooks\ncan require different methods for appraising a file\u0027s integrity.\n\nFor example, the existing \u0027ima_appraise_tcb\u0027 policy defines a\ngeneric rule, requiring all root files to be appraised, without\nspecifying the appraisal method.  A more specific rule could require\nall kernel modules, for example, to be signed.\n\nappraise fowner\u003d0 func\u003dMODULE_CHECK appraise_type\u003dimasig\nappraise fowner\u003d0\n\nAs a result, the integrity appraisal results for the same inode, but\nfor different hooks, could differ.  This patch caches the integrity\nappraisal results on a per hook basis.\n\nChangelog v2:\n- Rename ima_cache_status() to ima_set_cache_status()\n- Rename and move get_appraise_status() to ima_get_cache_status()\nChangelog v0:\n- include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry)\n- Support independent MODULE_CHECK appraise status.\n- fixed IMA_XXXX_APPRAISE/APPRAISED flags\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "f578c08ec959cb0cdadf02bdc9689a4df3e9b9d4",
      "tree": "914edd29a01e55aa993f810246ff01e8c1c19ae0",
      "parents": [
        "0e5a247cb37a97d843ef76d09d5f80deb7893ba3"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Dec 05 09:29:09 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 22 16:10:34 2013 -0500"
      },
      "message": "ima: increase iint flag size\n\nIn preparation for hook specific appraise status results, increase\nthe iint flags size.\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "0e5a247cb37a97d843ef76d09d5f80deb7893ba3",
      "tree": "7206abaf6d20e69a89584046ed7dc9970ba2da12",
      "parents": [
        "a175b8bb29ebbad380ab4788f307fbfc47997b19"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Fri Jun 08 13:58:49 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 22 16:10:31 2013 -0500"
      },
      "message": "ima: added policy support for \u0027security.ima\u0027 type\n\nThe \u0027security.ima\u0027 extended attribute may contain either the file data\u0027s\nhash or a digital signature.  This patch adds support for requiring a\nspecific extended attribute type.  It extends the IMA policy with a new\nkeyword \u0027appraise_type\u003dimasig\u0027.  (Default is hash.)\n\nChangelog v2:\n- Fixed Documentation/ABI/testing/ima_policy option syntax\nChangelog v1:\n- Differentiate between \u0027required\u0027 vs. \u0027actual\u0027 extended attribute\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "ee866331749b07373743ce18ceaffb1dd841d855",
      "tree": "c99c1f5218e5a1f9fcf756142922a2a996870c57",
      "parents": [
        "16cac49f727621c6b0467ffe15ed72c2febb1296"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Fri Sep 21 17:00:43 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Jan 16 17:50:01 2013 -0500"
      },
      "message": "integrity: reduce storage size for ima_status and evm_status\n\nThis patch reduces size of the iint structure by 8 bytes.\nIt saves about 15% of iint cache memory.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "0a72ba7aff26fb6e918cee6d2bbfd289069f10ae",
      "tree": "4263886ae20b6875153c20513b607e6208e8a3f6",
      "parents": [
        "46a2f3b9e99353cc63e15563e8abee71162330f7"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Sep 19 15:32:49 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 19 08:55:20 2012 -0400"
      },
      "message": "ima: change flags container data type\n\nIMA audit hashes patches introduced new IMA flags and required\nspace went beyond 8 bits. Currently the only flag is IMA_DIGSIG.\nThis patch use 16 bit short instead of 8 bit char.\nWithout this fix IMA signature will be replaced with hash, which\nshould not happen.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "e7c568e0fd0cf6d9c8ab8ea537ba8f3a3ae7c3d8",
      "tree": "f920b77b98c38e28dd2974564db102160e59f3e9",
      "parents": [
        "45e2472e67bf66f794d507b52e82af92e0614e49"
      ],
      "author": {
        "name": "Peter Moody",
        "email": "pmoody@google.com",
        "time": "Thu Jun 14 10:04:36 2012 -0700"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Sep 13 14:48:44 2012 -0400"
      },
      "message": "ima: audit log hashes\n\nThis adds an \u0027audit\u0027 policy action which audit logs file measurements.\n\nChangelog v6:\n - use new action flag handling (Dmitry Kasatkin).\n - removed whitespace (Mimi)\n\nChangelog v5:\n - use audit_log_untrustedstring.\n\nChangelog v4:\n - cleanup digest -\u003e hash conversion.\n - use filename rather than d_path in ima_audit_measurement.\n\nChangelog v3:\n - Use newly exported audit_log_task_info for logging pid/ppid/uid/etc.\n - Update the ima_policy ABI documentation.\n\nChangelog v2:\n - Use \u0027audit\u0027 action rather than \u0027measure_and_audit\u0027 to permit\n auditing in the absence of measuring.\n\nChangelog v1:\n - Initial posting.\n\nSigned-off-by: Peter Moody \u003cpmoody@google.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "45e2472e67bf66f794d507b52e82af92e0614e49",
      "tree": "4b3ba557d4f9da9bca14ce85bee965e4a9fcd6ac",
      "parents": [
        "d9d300cdb6f233c4c591348919c758062198a4f4"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Sep 12 20:51:32 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Sep 13 14:23:57 2012 -0400"
      },
      "message": "ima: generic IMA action flag handling\n\nMake the IMA action flag handling generic in order to support\nadditional new actions, without requiring changes to the base\nimplementation.  New actions, like audit logging, will only\nneed to modify the define statements.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "8606404fa555c2ee691376fcc640ab89fe752035",
      "tree": "4b2d2e43b7ad196b46757faff10d04803381a543",
      "parents": [
        "5a44b41207174e1882ce0c24a752f4cfb65dab07"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Aug 31 14:07:06 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:48 2012 -0400"
      },
      "message": "ima: digital signature verification support\n\nThis patch adds support for digital signature based integrity appraisal.\nWith this patch, \u0027security.ima\u0027 contains either the file data hash or\na digital signature of the file data hash. The file data hash provides\nthe security attribute of file integrity. In addition to file integrity,\na digital signature provides the security attribute of authenticity.\n\nUnlike EVM, when the file metadata changes, the digital signature is\nreplaced with an HMAC, modification of the file data does not cause the\n\u0027security.ima\u0027 digital signature to be replaced with a hash. As a\nresult, after any modification, subsequent file integrity appraisals\nwould fail.\n\nAlthough digitally signed files can be modified, but by not updating\n\u0027security.ima\u0027 to reflect these modifications, in essence digitally\nsigned files could be considered \u0027immutable\u0027.\n\nIMA uses a different keyring than EVM. While the EVM keyring should not\nbe updated after initialization and locked, the IMA keyring should allow\nupdating or adding new keys when upgrading or installing packages.\n\nChangelog v4:\n- Change IMA_DIGSIG to hex equivalent\nChangelog v3:\n- Permit files without any \u0027security.ima\u0027 xattr to be labeled properly.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "5a44b41207174e1882ce0c24a752f4cfb65dab07",
      "tree": "a5426be63a4f165f3ce15d1e61d8fd10f37fd8c3",
      "parents": [
        "42c63330f2b05aa6077c1bfc2798c04afe54f6b2"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jan 09 22:59:36 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:47 2012 -0400"
      },
      "message": "ima: add support for different security.ima data types\n\nIMA-appraisal currently verifies the integrity of a file based on a\nknown \u0027good\u0027 measurement value.  This patch reserves the first byte\nof \u0027security.ima\u0027 as a place holder for the type of method used for\nverifying file data integrity.\n\nChangelog v1:\n- Use the newly defined \u0027struct evm_ima_xattr_data\u0027\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "2fe5d6def1672ae6635dd71867bf36dcfaa7434b",
      "tree": "f83878d309605440b5bc2d2d43a16ccece64c645",
      "parents": [
        "4199d35cbc90c15db447d115bd96ffa5f1d60d3a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Feb 13 10:15:05 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:44 2012 -0400"
      },
      "message": "ima: integrity appraisal extension\n\nIMA currently maintains an integrity measurement list used to assert the\nintegrity of the running system to a third party.  The IMA-appraisal\nextension adds local integrity validation and enforcement of the\nmeasurement against a \"good\" value stored as an extended attribute\n\u0027security.ima\u0027.  The initial methods for validating \u0027security.ima\u0027 are\nhashed based, which provides file data integrity, and digital signature\nbased, which in addition to providing file data integrity, provides\nauthenticity.\n\nThis patch creates and maintains the \u0027security.ima\u0027 xattr, containing\nthe file data hash measurement.  Protection of the xattr is provided by\nEVM, if enabled and configured.\n\nBased on policy, IMA calls evm_verifyxattr() to verify a file\u0027s metadata\nintegrity and, assuming success, compares the file\u0027s current hash value\nwith the one stored as an extended attribute in \u0027security.ima\u0027.\n\nChangelog v4:\n- changed iint cache flags to hex values\n\nChangelog v3:\n- change appraisal default for filesystems without xattr support to fail\n\nChangelog v2:\n- fix audit msg \u0027res\u0027 value\n- removed unused \u0027ima_appraise\u003d\u0027 values\n\nChangelog v1:\n- removed unused iint mutex (Dmitry Kasatkin)\n- setattr hook must not reset appraised (Dmitry Kasatkin)\n- evm_verifyxattr() now differentiates between no \u0027security.evm\u0027 xattr\n  (INTEGRITY_NOLABEL) and no EVM \u0027protected\u0027 xattrs included in the\n  \u0027security.evm\u0027 (INTEGRITY_NOXATTRS).\n- replace hash_status with ima_status (Dmitry Kasatkin)\n- re-initialize slab element ima_status on free (Dmitry Kasatkin)\n- include \u0027security.ima\u0027 in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA\n- merged half \"ima: ima_must_appraise_or_measure API change\" (Dmitry Kasatkin)\n- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)\n- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured\n  (moved ima_inode_post_setattr() to ima_appraise.c)\n- make sure ima_collect_measurement() can read file\n\nChangelog:\n- add \u0027iint\u0027 to evm_verifyxattr() call (Dmitry Kasatkin)\n- fix the race condition between chmod, which takes the i_mutex and then\n  iint-\u003emutex, and ima_file_free() and process_measurement(), which take\n  the locks in the reverse order, by eliminating iint-\u003emutex. (Dmitry Kasatkin)\n- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)\n- changes as a result of the iint not allocated for all regular files, but\n  only for those measured/appraised.\n- don\u0027t try to appraise new/empty files\n- expanded ima_appraisal description in ima/Kconfig\n- IMA appraise definitions required even if IMA_APPRAISE not enabled\n- add return value to ima_must_appraise() stub\n- unconditionally set status \u003d INTEGRITY_PASS *after* testing status,\n  not before.  (Found by Joe Perches)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "f1be242c95257b199d8b679bc952ca33487c9af6",
      "tree": "fa3a1057bbd9caedca959c1fa3811413bf101d7d",
      "parents": [
        "2e5f094b9dbf9463ab93f86351cd1a8dc88942cc"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Jan 17 17:12:07 2012 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 18 10:46:27 2012 +1100"
      },
      "message": "integrity: digital signature config option name change\n\nSimilar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8607c501478432b23654739c7321bc7456053cb6",
      "tree": "598ef1649a261954cb1cafc05189ddedb3bd3ff8",
      "parents": [
        "051dbb918c7fb7da8e64a2cd0d804ba73399709f"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Oct 05 11:54:46 2011 +0300"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Nov 09 16:51:09 2011 +0200"
      },
      "message": "integrity: digital signature verification using multiple keyrings\n\nDefine separate keyrings for each of the different use cases - evm, ima,\nand modules. Using different keyrings improves search performance, and also\nallows \"locking\" specific keyring to prevent adding new keys.\nThis is useful for evm and module keyrings, when keys are usually only\nadded from initramfs.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "4892722e06694fda1928bac4aa5af5505bd26a4c",
      "tree": "eaeeb90d98ad1ad35bf32c75a579d28a70b722e2",
      "parents": [
        "fc9ff9b7e3eaff3f49bc0fbbddfc1416212e888a"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Aug 17 10:34:33 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 09 16:56:24 2011 -0700"
      },
      "message": "integrity: sparse fix: move iint_initialized to integrity.h\n\nSparse fix: move iint_initialized to integrity.h\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "24e0198efe0df50034ec1c14b2d7b5bb0f66d54a",
      "tree": "64f7d23cd7b07dabe826c2a6ed37f7c1842816b2",
      "parents": [
        "6d38ca01c0c2d6c2e46ec1984db9ada6bad6ca26"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Fri May 06 11:34:17 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:48 2011 -0400"
      },
      "message": "evm: replace hmac_status with evm_status\n\nWe will use digital signatures in addition to hmac.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "6be5cc5246f807fd8ede9f5f1bb2826f2c598658",
      "tree": "00fc342eb91fb50df4e8eddfe2a7294b27df8117",
      "parents": [
        "66dbc325afcef909043c30e90930a36823fc734c"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Wed Mar 09 14:28:20 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:41 2011 -0400"
      },
      "message": "evm: add support for different security.evm data types\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks. The current patchset maintains an HMAC-sha1 value across the security\nxattrs, storing the value as the extended attribute \u0027security.evm\u0027. We\nanticipate other methods for protecting the security extended attributes.\nThis patch reserves the first byte of \u0027security.evm\u0027 as a place holder for\nthe type of method.\n\nChangelog v6:\n- move evm_ima_xattr_type definition to security/integrity/integrity.h\n- defined a structure for the EVM xattr called evm_ima_xattr_data\n  (based on Serge Hallyn\u0027s suggestion)\n- removed unnecessary memset\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n"
    },
    {
      "commit": "66dbc325afcef909043c30e90930a36823fc734c",
      "tree": "5c8a7fe063a058f4266c6db5e48229e8c04dd00e",
      "parents": [
        "1601fbad2b14e0b8d4dbb55e749bfe31e972818a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Mar 15 16:12:09 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:40 2011 -0400"
      },
      "message": "evm: re-release\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks.  This patchset provides the framework and an initial method.  The\ninitial method maintains an HMAC-sha1 value across the security extended\nattributes, storing the HMAC value as the extended attribute \u0027security.evm\u0027.\nOther methods of validating the integrity of a file\u0027s metadata will be posted\nseparately (eg. EVM-digital-signatures).\n\nWhile this patchset does authenticate the security xattrs, and\ncryptographically binds them to the inode, coming extensions will bind other\ndirectory and inode metadata for more complete protection.  To help simplify\nthe review and upstreaming process, each extension will be posted separately\n(eg. IMA-appraisal, IMA-appraisal-directory).  For a general overview of the\nproposed Linux integrity subsystem, refer to Dave Safford\u0027s whitepaper:\nhttp://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.\n\nEVM depends on the Kernel Key Retention System to provide it with a\ntrusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the\nroot\u0027s keyring using keyctl.  Until EVM receives notification that the key has\nbeen successfully loaded onto the keyring (echo 1 \u003e \u003csecurityfs\u003e/evm), EVM can\nnot create or validate the \u0027security.evm\u0027 xattr, but returns INTEGRITY_UNKNOWN.\nLoading the key and signaling EVM should be done as early as possible. Normally\nthis is done in the initramfs, which has already been measured as part of the\ntrusted boot.  For more information on creating and loading existing\ntrusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt.  A\nsample dracut patch, which loads the trusted/encrypted key and enables EVM, is\navailable from http://linux-ima.sourceforge.net/#EVM.\n\nBased on the LSMs enabled, the set of EVM protected security xattrs is defined\nat compile.  EVM adds the following three calls to the existing security hooks:\nevm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr.  To\ninitialize and update the \u0027security.evm\u0027 extended attribute, EVM defines three\ncalls: evm_inode_post_init(), evm_inode_post_setattr() and\nevm_inode_post_removexattr() hooks.  To verify the integrity of a security\nxattr, EVM exports evm_verifyxattr().\n\nChangelog v7:\n- Fixed URL in EVM ABI documentation\n\nChangelog v6: (based on Serge Hallyn\u0027s review)\n- fix URL in patch description\n- remove evm_hmac_size definition\n- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)\n- moved linux include before other includes\n- test for crypto_hash_setkey failure\n- fail earlier for invalid key\n- clear entire encrypted key, even on failure\n- check xattr name length before comparing xattr names\n\nChangelog:\n- locking based on i_mutex, remove evm_mutex\n- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1\n  operation.\n- replaced crypto hash with shash (Dmitry Kasatkin)\n- support for additional methods of verifying the security xattrs\n  (Dmitry Kasatkin)\n- iint not allocated for all regular files, but only for those appraised\n- Use cap_sys_admin in lieu of cap_mac_admin\n- Use __vfs_setxattr_noperm(), without permission checks, from EVM\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n"
    },
    {
      "commit": "f381c272224f5f158f5cff64f8f3481fa0eee8b3",
      "tree": "a003dc4c6635c9d2fa90f31577ba5e7ea7bc71b1",
      "parents": [
        "9d8f13ba3f4833219e50767b022b82cd0da930eb"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 14:13:22 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:38 2011 -0400"
      },
      "message": "integrity: move ima inode integrity data management\n\nMove the inode integrity data(iint) management up to the integrity directory\nin order to share the iint among the different integrity models.\n\nChangelog:\n- don\u0027t define MAX_DIGEST_SIZE\n- rename several globally visible \u0027ima_\u0027 prefixed functions, structs,\n  locks, etc to \u0027integrity_\u0027\n- replace \u002720\u0027 with SHA1_DIGEST_SIZE\n- reflect location change in appropriate Kconfig and Makefiles\n- remove unnecessary initialization of iint_initialized to 0\n- rebased on current ima_iint.c\n- define integrity_iint_store/lock as static\n\nThere should be no other functional changes.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n"
    }
  ]
}
