| Message ID | 33e5687f1e4c7becdc41136704fa239f81b82fec.camel@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [GIT,PULL] integrity subsystem updates for v5.13 | expand |
On Wed, Apr 28, 2021 at 6:47 AM Mimi Zohar <zohar@linux.ibm.com> wrote: > > In addition to loading the kernel module signing key onto the builtin > keyring, load it onto the IMA keyring as well. This clashed pretty badly with the other cert changes. I think the end result looks nice and clean (the cert updates mesh well with the _intention_ of your code, just not with the implementation), but you should really double-check that I didn't mess anything up in the merge and whatever test-case you have for IMA still works. I only verified that the kernel module signing key still works for modules - no IMA test-case. Linus
The pull request you sent on Wed, 28 Apr 2021 09:46:57 -0400:
> git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.13
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/e6f0bf09f0669b3c2cd77fa906830123279a0a21
Thank you!
On Sat, 2021-05-01 at 15:49 -0700, Linus Torvalds wrote: > On Wed, Apr 28, 2021 at 6:47 AM Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > In addition to loading the kernel module signing key onto the builtin > > keyring, load it onto the IMA keyring as well. > > This clashed pretty badly with the other cert changes. > > I think the end result looks nice and clean (the cert updates mesh > well with the _intention_ of your code, just not with the > implementation), but you should really double-check that I didn't mess > anything up in the merge and whatever test-case you have for IMA still > works. > > I only verified that the kernel module signing key still works for > modules - no IMA test-case. I'm really sorry I forgot to mention in the pull request that Stephen was carrying a merge conflict fix. Everything looks good. I tested it, making sure that the kernel module signing key is loaded onto the builtin and/or IMA keyrings properly. thanks, Mimi
Hi Linus, In addition to loading the kernel module signing key onto the builtin keyring, load it onto the IMA keyring as well. In addition are six trivial changes and bug fixes. thanks, Mimi The following changes since commit 92063f3ca73aab794bd5408d3361fd5b5ea33079: integrity: double check iint_cache was initialized (2021-03-22 14:54:11 -0400) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.13 for you to fetch changes up to 781a5739489949fd0f32432a9da17f7ddbccf1cc: ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies (2021-04-26 21:54:23 -0400) ---------------------------------------------------------------- integrity-v5.13 ---------------------------------------------------------------- Gustavo A. R. Silva (1): ima: Fix fall-through warnings for Clang Jiele Zhao (2): ima: Fix function name error in comment. integrity: Add declarations to init_once void arguments. Li Huafei (1): ima: Fix the error code for restoring the PCR value Mimi Zohar (2): ima: without an IMA policy loaded, return quickly Merge branch 'ima-module-signing-v4' into next-integrity Nayna Jain (4): keys: cleanup build time module signing keys ima: enable signing of modules with build time generated key ima: enable loading of build time generated key on .ima keyring ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies Makefile | 6 ++--- certs/Kconfig | 2 +- certs/Makefile | 10 +++++++ certs/system_certificates.S | 14 +++++++++- certs/system_keyring.c | 50 ++++++++++++++++++++++++++++------- include/keys/system_keyring.h | 7 +++++ init/Kconfig | 6 ++--- security/integrity/digsig.c | 2 ++ security/integrity/iint.c | 2 +- security/integrity/ima/ima_main.c | 9 ++++++- security/integrity/ima/ima_policy.c | 2 ++ security/integrity/ima/ima_template.c | 4 +-- 12 files changed, 92 insertions(+), 22 deletions(-)