OSDN Git Service

(root) / uclinux-h8 / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: 8bd8ea1 eed9de3)
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...
authorJames Morris <james.morris@microsoft.com>
Mon, 17 Dec 2018 19:26:46 +0000 (11:26 -0800)
committerJames Morris <james.morris@microsoft.com>
Mon, 17 Dec 2018 19:26:46 +0000 (11:26 -0800)
From Mimi:

In Linux 4.19, a new LSM hook named security_kernel_load_data was
upstreamed, allowing LSMs and IMA to prevent the kexec_load
syscall.  Different signature verification methods exist for verifying
the kexec'ed kernel image.  This pull request adds additional support
in IMA to prevent loading unsigned kernel images via the kexec_load
syscall, independently of the IMA policy rules, based on the runtime
"secure boot" flag.  An initial IMA kselftest is included.

In addition, this pull request defines a new, separate keyring named
".platform" for storing the preboot/firmware keys needed for verifying
the kexec'ed kernel image's signature and includes the associated IMA
kexec usage of the ".platform" keyring.

(David Howell's and Josh Boyer's patches for reading the
preboot/firmware keys, which were previously posted for a different
use case scenario, are included here.)

1  2 
include/linux/efi.h patch | diff1 | diff2 | blob | history
security/integrity/ima/ima_appraise.c patch | diff1 | diff2 | blob | history
security/integrity/ima/ima_main.c patch | diff1 | diff2 | blob | history
security/integrity/ima/ima_policy.c patch | diff1 | diff2 | blob | history
tools/testing/selftests/Makefile patch | diff1 | diff2 | blob | history

diff --cc include/linux/efi.h
Simple merge
diff --cc security/integrity/ima/ima_appraise.c
Simple merge
diff --cc security/integrity/ima/ima_main.c
Simple merge
diff --cc security/integrity/ima/ima_policy.c
Simple merge
diff --cc tools/testing/selftests/Makefile
Simple merge
About OSDN
Find Software
Develop Software
Help