linux-stable

1250775 commits 105 branches 5103 tags 5.5 GiB

Author SHA1 Message Date

Author	SHA1	Message	Date
Coiby Xu	56dc986a6b	ima: require signed IMA policy when UEFI secure boot is enabled With commit `099f26f22f` ("integrity: machine keyring CA configuration"), users are able to add custom IMA CA keys via MOK. This allows users to sign their own IMA polices without recompiling the kernel. For the sake of security, mandate signed IMA policy when UEFI secure boot is enabled. Note this change may affect existing users/tests i.e users won't be able to load an unsigned IMA policy when the IMA architecture specific policy is configured and UEFI secure boot is enabled. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Coiby Xu <coxu@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2023-08-01 08:18:11 -04:00
Coiby Xu	af16df54b8	ima: force signature verification when CONFIG_KEXEC_SIG is configured Currently, an unsigned kernel could be kexec'ed when IMA arch specific policy is configured unless lockdown is enabled. Enforce kernel signature verification check in the kexec_file_load syscall when IMA arch specific policy is configured. Fixes: `99d5cadfde` ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE") Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Coiby Xu <coxu@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2022-07-13 10:13:41 -04:00
Chester Lin	25519d6834	ima: generalize x86/EFI arch glue for other EFI architectures Move the x86 IMA arch code into security/integrity/ima/ima_efi.c, so that we will be able to wire it up for arm64 in a future patch. Co-developed-by: Chester Lin <clin@suse.com> Signed-off-by: Chester Lin <clin@suse.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>	2020-11-06 07:40:42 +01:00

Coiby Xu

56dc986a6b

ima: require signed IMA policy when UEFI secure boot is enabled

With commit 099f26f22f ("integrity: machine keyring CA
configuration"), users are able to add custom IMA CA keys via
MOK.  This allows users to sign their own IMA polices without
recompiling the kernel. For the sake of security, mandate signed IMA
policy when UEFI secure boot is enabled.

Note this change may affect existing users/tests i.e users won't be able
to load an unsigned IMA policy when the IMA architecture specific policy
is configured and UEFI secure boot is enabled.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

2023-08-01 08:18:11 -04:00

Coiby Xu

af16df54b8

ima: force signature verification when CONFIG_KEXEC_SIG is configured

Currently, an unsigned kernel could be kexec'ed when IMA arch specific
policy is configured unless lockdown is enabled. Enforce kernel
signature verification check in the kexec_file_load syscall when IMA
arch specific policy is configured.

Fixes: 99d5cadfde ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE")
Reported-and-suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

2022-07-13 10:13:41 -04:00

Chester Lin

25519d6834

ima: generalize x86/EFI arch glue for other EFI architectures

Move the x86 IMA arch code into security/integrity/ima/ima_efi.c,
so that we will be able to wire it up for arm64 in a future patch.

Co-developed-by: Chester Lin <clin@suse.com>
Signed-off-by: Chester Lin <clin@suse.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

2020-11-06 07:40:42 +01:00

Renamed from arch/x86/kernel/ima_arch.c (Browse further)

3 commits