- 08 Nov, 2017 10 commits
-
-
Bruno E. O. Meneguele authored
A static variable sig_enforce is used as status var to indicate the real value of CONFIG_MODULE_SIG_FORCE, once this one is set the var will hold true, but if the CONFIG is not set the status var will hold whatever value is present in the module.sig_enforce kernel cmdline param: true when =1 and false when =0 or not present. Considering this cmdline param take place over the CONFIG value when it's not set, other places in the kernel could misbehave since they would have only the CONFIG_MODULE_SIG_FORCE value to rely on. Exporting this status var allows the kernel to rely in the effective value of module signature enforcement, being it from CONFIG value or cmdline param. Signed-off-by:
Bruno E. O. Meneguele <brdeoliv@redhat.com> Signed-off-by:
Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Boshi Wang authored
The hash_setup function always sets the hash_setup_done flag, even when the hash algorithm is invalid. This prevents the default hash algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. This patch sets hash_setup_done flag only for valid hash algorithms. Fixes: e7a2ad7e "ima: enable support for larger default filedata hash algorithms" Signed-off-by:
Boshi Wang <wangboshi@huawei.com> Signed-off-by:
-
Matthew Garrett authored
A system can validate EVM digital signatures without requiring an HMAC key, but every EVM validation will generate a kernel error. Change this so we only generate an error once. Signed-off-by:
Matthew Garrett <mjg59@google.com> Signed-off-by:
-
Matthew Garrett authored
EVM will only perform validation once a key has been loaded. This key may either be a symmetric trusted key (for HMAC validation and creation) or the public half of an asymmetric key (for digital signature validation). The /sys/kernel/security/evm interface allows userland to signal that a symmetric key has been loaded, but does not allow userland to signal that an asymmetric public key has been loaded. This patch extends the interface to permit userspace to pass a bitmask of loaded key types. It also allows userspace to block loading of a symmetric key in order to avoid a compromised system from being able to load an additional key type later. Signed-off-by:
-
Matthew Garrett authored
Apparmor will be gaining support for security.apparmor labels, and it would be helpful to include these in EVM validation now so appropriate signatures can be generated even before full support is merged. Signed-off-by:
John Johansen <John.johansen@canonical.com> Signed-off-by:
-
Mimi Zohar authored
The file hash is calculated and written out as an xattr after calling fasync(). In order for the file data and metadata to be written out to disk at the same time, this patch calculates the file hash and stores it as an xattr before calling fasync. Signed-off-by: -
Christoph Hellwig authored
The CONFIG_IMA_LOAD_X509 and CONFIG_EVM_LOAD_X509 options permit loading x509 signed certificates onto the trusted keyrings without verifying the x509 certificate file's signature. This patch replaces the call to the integrity_read_file() specific function with the common kernel_read_file_from_path() function. To avoid verifying the file signature, this patch defines READING_X509_CERTFICATE. Signed-off-by:
Christoph Hellwig <hch@lst.de> Signed-off-by:
-
Mimi Zohar authored
All files matching a "measure" rule must be included in the IMA measurement list, even when the file hash cannot be calculated. Similarly, all files matching an "audit" rule must be audited, even when the file hash can not be calculated. The file data hash field contained in the IMA measurement list template data will contain 0's instead of the actual file hash digest. Note: In general, adding, deleting or in anyway changing which files are included in the IMA measurement list is not a good idea, as it might result in not being able to unseal trusted keys sealed to a specific TPM PCR value. This patch not only adds file measurements that were not previously measured, but specifies that the file hash value for these files will be 0's. As the IMA measurement list ordering is not consistent from one boot to the next, it is unlikely that anyone is sealing keys based on the IMA measurement list. Remote attestation servers should be able to process these new measurement records, but might complain about these unknown records. Signed-off-by:
Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
-
Mimi Zohar authored
The securityfs policy file is removed unless additional rules can be appended to the IMA policy (CONFIG_IMA_WRITE_POLICY), regardless as to whether the policy is configured so that it can be displayed. This patch changes this behavior, removing the securityfs policy file, only if CONFIG_IMA_READ_POLICY is also not enabled. Signed-off-by: -
Mimi Zohar authored
The mount i_version flag is not enabled in the new sb_flags. This patch adds the missing SB_I_VERSION flag. Fixes: e462ec50 "VFS: Differentiate mount flags (MS_*) from internal superblock flags" Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by:
-
- 05 Nov, 2017 1 commit
-
-
Mimi Zohar authored
Update the mailing list information. Signed-off-by:
James Morris <james.l.morris@oracle.com>
-
- 02 Nov, 2017 1 commit
-
-
Casey Schaufler authored
Supply the Smack module hooks in support of overlayfs. Ensure that the Smack label of new files gets the correct value when a directory is transmuting. Original implementation by Romanini Daniele, with a few tweaks added. Signed-off-by:
Romanini Daniele <daniele.romanini@aalto.fi> Signed-off-by:
Casey Schaufler <casey@schaufler-ca.com> Signed-off-by:
-
- 27 Oct, 2017 1 commit
-
-
Eric Biggers authored
Emails to David's listed email address bounce, and in the commit log there's no activity from him within the last 5 years. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: David Safford <safford@us.ibm.com> Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
-
- 21 Oct, 2017 1 commit
-
-
Arnd Bergmann authored
Tomoyo uses an open-coded version of time_to_tm() to create a timestamp from the current time as read by get_seconds(). This will overflow and give wrong results on 32-bit systems in 2038. To correct this, this changes the code to use ktime_get_real_seconds() and the generic time64_to_tm() function that are both y2038-safe. Using the library function avoids adding an expensive 64-bit division in this code and can benefit from any optimizations we do in common code. Acked-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
- 20 Oct, 2017 10 commits
-
-
Richard Guy Briggs authored
The existing condition tested for process effective capabilities set by file attributes but intended to ignore the change if the result was unsurprisingly an effective full set in the case root is special with a setuid root executable file and we are root. Stated again: - When you execute a setuid root application, it is no surprise and expected that it got all capabilities, so we do not want capabilities recorded. if (pE_grew && !(pE_fullset && (eff_root || real_root) && root_priveleged) ) Now make sure we cover other cases: - If something prevented a setuid root app getting all capabilities and it wound up with one capability only, then it is a surprise and should be logged. When it is a setuid root file, we only want capabilities when the process does not get full capabilities.. root_priveleged && setuid_root && !pE_fullset - Similarly if a non-setuid program does pick up capabilities due to file system based capabilities, then we want to know what capabilities were picked up. When it has file system based capabilities we want the capabilities. !is_setuid && (has_fcap && pP_gained) - If it is a non-setuid file and it gets ambient capabilities, we want the capabilities. !is_setuid && pA_gained - These last two are combined into one due to the common first parameter. Related: https://github.com/linux-audit/audit-kernel/issues/16Signed-off-by:Richard Guy Briggs <rgb@redhat.com> Reviewed-by:
Serge Hallyn <serge@hallyn.com> Acked-by:
Kees Cook <keescook@chromium.org> Acked-by:
Paul Moore <paul@paul-moore.com> Signed-off-by:
-
Richard Guy Briggs authored
Now that the logic is inverted, it is much easier to see that both real root and effective root conditions had to be met to avoid printing the BPRM_FCAPS record with audit syscalls. This meant that any setuid root applications would print a full BPRM_FCAPS record when it wasn't necessary, cluttering the event output, since the SYSCALL and PATH records indicated the presence of the setuid bit and effective root user id. Require only one of effective root or real root to avoid printing the unnecessary record. Ref: commit 3fc689e9 ("Add audit_log_bprm_fcaps/AUDIT_BPRM_FCAPS") See: https://github.com/linux-audit/audit-kernel/issues/16Signed-off-by:
-
Richard Guy Briggs authored
The way the logic was presented, it was awkward to read and verify. Invert the logic using DeMorgan's Law to be more easily able to read and understand. Signed-off-by:
-
Richard Guy Briggs authored
Remove a layer of conditional logic to make the use of conditions easier to read and analyse. Signed-off-by:
-
Richard Guy Briggs authored
Move the audit log decision logic to its own function to isolate the complexity in one place. Suggested-by:
-
Richard Guy Briggs authored
Introduce a number of inlines to make the use of the negation of uid_eq() easier to read and analyse. Signed-off-by:
-
Richard Guy Briggs authored
Introduce inline root_privileged() to make use of SECURE_NONROOT easier to read. Suggested-by:
-
Richard Guy Briggs authored
Rename has_cap to has_fcap to clarify it applies to file capabilities since the entire source file is about capabilities. Signed-off-by:
-
Richard Guy Briggs authored
Introduce macros cap_gained, cap_grew, cap_full to make the use of the negation of is_subset() easier to read and analyse. Signed-off-by:
-
Richard Guy Briggs authored
Factor out the case of privileged root from the function cap_bprm_set_creds() to make the latter easier to read and analyse. Suggested-by:
-
- 18 Oct, 2017 13 commits
-
-
Jérémy Lefaure authored
Signed-off-by:
Jérémy Lefaure <jeremy.lefaure@lse.epita.fr> Reviewed-by:
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by:
-
Ruben Roy authored
This commit fixes the duplicate inline declaration specifier in tpm2_rc_value which caused a warning Signed-off-by:
Ruben Roy <rubenroy2005@gmail.com> Reviewed-by:
-
Jarkko Sakkinen authored
Use __le32 type for data in that format. Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy") Signed-off-by:
Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
-
Jarkko Sakkinen authored
The local variable 'handle' should have the type __be32 instead of u32. Fixes: 745b361e ("tpm: infrastructure for TPM spaces") Signed-off-by:
-
Jarkko Sakkinen authored
The local variable 'attrs' should have the type __be32 instead of u32. Fixes: 58472f5c ("tpm: validate TPM 2.0 commands") Signed-off-by:
-
Alexander Steffen authored
tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer. This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel. Cc: stable@vger.kernel.org Signed-off-by:
Alexander Steffen <Alexander.Steffen@infineon.com> Reviewed-by:
-
Alexander Steffen authored
The TPM can choose one of two ways to react to the TPM2_SelfTest command. It can either run all self tests synchronously and then return RC_SUCCESS once all tests were successful. Or it can choose to run the tests asynchronously and return RC_TESTING immediately while the self tests still execute in the background. The previous implementation apparently was not aware of those possibilities and attributed RC_TESTING to some prototype chips instead. With this change the return code of TPM2_SelfTest is interpreted correctly, i.e. the self test result is polled if and only if RC_TESTING is received. Unfortunately, the polling cannot be done in the most straightforward way. If RC_TESTING is received, ideally the code should now poll the selfTestDone bit in the STS register, as this avoids sending more commands, that might interrupt self tests executing in the background and thus prevent them from ever completing. But it cannot be guaranteed that this bit is correctly implemented for all devices, so the next best thing would be to use TPM2_GetTestResult to query the test result. But the response to that command can be very long, and the code currently lacks the capabilities for efficient unmarshalling, so it is difficult to execute this command. Therefore, we simply run the TPM2_SelfTest command in a loop, which should complete eventually, since we only request the execution of self tests that have not yet been done. Signed-off-by:
-
Alexander Steffen authored
In order to avoid delaying the code longer than necessary while still giving the TPM enough time to execute the self tests asynchronously, start with a small delay between two polls and increase it each round. Signed-off-by:
-
Alexander Steffen authored
tpm2_do_selftest is only used during initialization of the TPM to ensure that the device functions correctly. Therefore, it is sufficient to request only missing self tests (parameter full_test=0), not a reexecution of all self tests, as was done before. This allows for a faster execution of this command. Signed-off-by:
-
Alexander Steffen authored
The buffers used as tx_buf/rx_buf in a SPI transfer need to be DMA-safe. This cannot be guaranteed for the buffers passed to tpm_tis_spi_read_bytes and tpm_tis_spi_write_bytes. Therefore, we need to use our own DMA-safe buffer and copy the data to/from it. The buffer needs to be allocated separately, to ensure that it is cacheline-aligned and not shared with other data, so that DMA can work correctly. Fixes: 0edbfea5 ("tpm/tpm_tis_spi: Add support for spi phy") Cc: stable@vger.kernel.org Reviewed-by:
-
Jiandi An authored
This patch gets rid of dealing with intermediate flag for start method and use start method value from ACPI table directly. For ARM64, the locality is handled by Trust Zone in FW. The layout does not have crb_regs_head. It is hitting the following line. dev_warn(dev, FW_BUG "Bad ACPI memory layout"); Current code excludes CRB_FL_ACPI_START for this check. Now since ARM64 support for TPM CRB is added, CRB_FL_CRB_SMC_START should also be excluded from this check. For goIdle and cmdReady where code was excluding CRB_FL_ACPI_START only (do nothing for ACPI start method), CRB_FL_CRB_SMC_START was also excluded as ARM64 SMC start method does not have TPM_CRB_CTRL_REQ. However with special PPT workaround requiring CRB_FL_CRB_START to be set in addition to CRB_FL_ACPI_START and the addition flag of SMC start method CRB_FL_CRB_SMC_START, the code has become difficult to maintain and undrestand. It is better to make code deal with start method value from ACPI table directly. Signed-off-by:
Jiandi An <anjiandi@codeaurora.org> Reviewed-by:
-
Arnd Bergmann authored
Making cmd_getticks 'const' introduced a couple of harmless warnings: drivers/char/tpm/tpm_tis_core.c: In function 'probe_itpm': drivers/char/tpm/tpm_tis_core.c:469:31: error: passing argument 2 of 'tpm_tis_send_data' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] rc = tpm_tis_send_data(chip, cmd_getticks, len); drivers/char/tpm/tpm_tis_core.c:477:31: error: passing argument 2 of 'tpm_tis_send_data' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] rc = tpm_tis_send_data(chip, cmd_getticks, len); drivers/char/tpm/tpm_tis_core.c:255:12: note: expected 'u8 * {aka unsigned char *}' but argument is of type 'const u8 * {aka const unsigned char *}' static int tpm_tis_send_data(struct tpm_chip *chip, u8 *buf, size_t len) This changes the related functions to all take 'const' pointers so that gcc can see this as being correct. I had to slightly modify the logic around tpm_tis_spi_transfer() for this to work without introducing ugly casts. Cc: stable@vger.kernel.org Fixes: 5e35bd8e06b9 ("tpm_tis: make array cmd_getticks static const to shink object code size") Signed-off-by: -
Colin Ian King authored
Don't populate array cmd_getticks on the stack, instead make it static const. Makes the object code smaller by over 160 bytes: Before: text data bss dec hex filename 18813 3152 128 22093 564d drivers/char/tpm/tpm_tis_core.o After: text data bss dec hex filename 18554 3248 128 21930 55aa drivers/char/tpm/tpm_tis_core.o Cc: stable@vger.kernel.org Signed-off-by:
Colin Ian King <colin.king@canonical.com> Reviewed-by:
-
- 12 Oct, 2017 1 commit
-
-
Jarkko Sakkinen authored
Migrated pubek_show to struct tpm_buf and cleaned up its implementation. Previously the output parameter structure was declared but left completely unused. Now it is used to refer different fields of the output. We can move it to tpm-sysfs.c as it does not have any use outside of that file. Signed-off-by:
-
- 25 Sep, 2017 1 commit
-
-
James Morris authored
Linux 4.14-rc2 Sync to v4.14-rc2 for security subsystem developers to track.
-
- 24 Sep, 2017 1 commit
-
-
Linus Torvalds authored
-
