    Merge tag 'integrity-v6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity · 1a35914f
    Linus Torvalds authored
    Pull integrity subsystem updates from Mimi Zohar:
    
     - With commit 099f26f2 ("integrity: machine keyring CA
       configuration") certificates may be loaded onto the IMA keyring,
       directly or indirectly signed by keys on either the "builtin" or the
       "machine" keyrings.
    
       With the ability for the system/machine owner to sign the IMA policy
       itself without needing to recompile the kernel, update the IMA
       architecture specific policy rules to require the IMA policy itself
       be signed.
    
       [ As commit 099f26f2 was upstreamed in linux-6.4, updating the
         IMA architecture specific policy now to require signed IMA policies
         may break userspace expectations. ]
    
     - IMA only checked the file data hash was not on the system blacklist
       keyring for files with an appended signature (e.g. kernel modules,
       Power kernel image).
    
       Check all file data hashes regardless of how they were signed.
    
     - Code cleanup, and a kernel-doc update
    
    * tag 'integrity-v6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
      kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments
      ima: require signed IMA policy when UEFI secure boot is enabled
      integrity: Always reference the blacklist keyring with appraisal
      ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig
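The first item above describes an arch-specific policy rule that makes the kernel appraise the IMA policy file itself as a signed file. The following added example, which is not code from the kernel tree or from this merge, is a small defender-side check for that condition: it parses IMA policy rules in the documented `action key=value ...` form and reports whether an `appraise func=POLICY_CHECK` rule requires a signature (`appraise_type` containing `imasig` or `modsig`). The two sample policies embedded in it are constructed for the example and are not the kernel's real arch policy text.

```python
"""Check whether an IMA policy requires the IMA policy file itself to be signed.

Added example, not kernel code.  Rule syntax follows the kernel's documented
IMA policy format (Documentation/ABI/testing/ima_policy): one rule per line,
an action followed by key=value conditions, '#' for comments.
"""
from dataclasses import dataclass, field

# Constructed sample: appraisal of the policy file requires an IMA signature.
SAMPLE_POLICY_SIGNED = """\
# measure and appraise kernel images used for kexec
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
measure func=MODULE_CHECK
appraise func=MODULE_CHECK appraise_type=imasig|modsig
appraise func=POLICY_CHECK appraise_type=imasig
"""

# Constructed sample: the policy is only measured, never appraised, so an
# unsigned policy would still be accepted.
SAMPLE_POLICY_UNSIGNED = """\
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
measure func=POLICY_CHECK
"""

# Actions the IMA policy grammar accepts.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}


@dataclass
class Rule:
    action: str
    conditions: dict = field(default_factory=dict)


def parse_policy(text):
    """Parse policy text into Rule objects; reject malformed lines loudly."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        action = tokens[0]
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        conds = {}
        for tok in tokens[1:]:
            if "=" not in tok:
                raise ValueError(f"line {lineno}: expected key=value, got {tok!r}")
            key, value = tok.split("=", 1)
            conds[key] = value
        rules.append(Rule(action, conds))
    return rules


def requires_signed_policy(rules):
    """True if some appraise rule covers POLICY_CHECK and demands a signature.

    Without an appraise_type, IMA appraisal also accepts a plain hash in the
    security.ima xattr, which is not a signature; only imasig/modsig count.
    """
    for rule in rules:
        if rule.action != "appraise":
            continue
        if rule.conditions.get("func") != "POLICY_CHECK":
            continue
        types = set(rule.conditions.get("appraise_type", "").split("|"))
        if types & {"imasig", "modsig"}:
            return True
    return False


if __name__ == "__main__":
    for name, text in (("signed", SAMPLE_POLICY_SIGNED),
                       ("unsigned", SAMPLE_POLICY_UNSIGNED)):
        print(name, "->", requires_signed_policy(parse_policy(text)))
```

On a running system the effective rules can be read from `/sys/kernel/security/ima/policy` (when the kernel exposes it) and fed to `parse_policy`; the function deliberately treats a missing `appraise_type` as not requiring a signature, because hash-only appraisal does not bind the policy to a key on the builtin or machine keyrings.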