github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 08:08:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
linux/security/integrity
History
Linus Torvalds 9cdca33667 integrity-v7.1 
-----BEGIN PGP SIGNATURE-----
 
 iIoEABYKADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCad/SPRQcem9oYXJAbGlu
 dXguaWJtLmNvbQAKCRDLwZzRsCrn5TDuAQCT+OttUlEqKfGLUrmXjsqw+BdgSm59
 vOwTUfY0uIjAsgEAzFY8bOt5WWud9bpfEE3iarKIZQI0RidSHylyaB4FRg8=
 =6soG
 -----END PGP SIGNATURE-----

Merge tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
 "There are two main changes, one feature removal, some code cleanup,
  and a number of bug fixes.

  Main changes:
   - Detecting secure boot mode was limited to IMA. Make detecting
     secure boot mode accessible to EVM and other LSMs
   - IMA sigv3 support was limited to fsverity. Add IMA sigv3 support
     for IMA regular file hashes and EVM portable signatures

  Remove:
   - Remove IMA support for asychronous hash calculation originally
     added for hardware acceleration

  Cleanup:
   - Remove unnecessary Kconfig CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG
     tests
   - Add descriptions of the IMA atomic flags

  Bug fixes:
   - Like IMA, properly limit EVM "fix" mode
   - Define and call evm_fix_hmac() to update security.evm
   - Fallback to using i_version to detect file change for filesystems
     that do not support STATX_CHANGE_COOKIE
   - Address missing kernel support for configured (new) TPM hash
     algorithms
   - Add missing crypto_shash_final() return value"

* tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  evm: Enforce signatures version 3 with new EVM policy 'bit 3'
  integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
  ima: add support to require IMA sigv3 signatures
  ima: add regular file data hash signature version 3 support
  ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures
  ima: remove buggy support for asynchronous hashes
  integrity: Eliminate weak definition of arch_get_secureboot()
  ima: Add code comments to explain IMA iint cache atomic_flags
  ima_fs: Correctly create securityfs files for unsupported hash algos
  ima: check return value of crypto_shash_final() in boot aggregate
  ima: Define and use a digest_size field in the ima_algo_desc structure
  powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
  ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
  ima: fallback to using i_version to detect file change
  evm: fix security.evm for a file with IMA signature
  s390: Drop unnecessary CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
  evm: Don't enable fix mode when secure boot is enabled
  integrity: Make arch_ima_get_secureboot integrity-wide
2026-04-17 15:42:01 -07:00
..
evm integrity-v7.1 2026-04-17 15:42:01 -07:00
ima integrity-v7.1 2026-04-17 15:42:01 -07:00
platform_certs integrity: Make arch_ima_get_secureboot integrity-wide 2026-03-05 11:10:08 -05:00
digsig_asymmetric.c integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG 2026-04-01 10:16:53 -04:00
digsig.c ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures 2026-04-01 10:14:30 -04:00
efi_secureboot.c integrity: Make arch_ima_get_secureboot integrity-wide 2026-03-05 11:10:08 -05:00
iint.c ima,evm: move initcalls to the LSM framework 2025-10-22 19:24:27 -04:00
integrity_audit.c treewide: change inode->i_ino from unsigned long to u64 2026-03-06 14:31:28 +01:00
integrity.h ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures 2026-04-01 10:14:30 -04:00
Kconfig integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS 2025-10-03 07:50:56 -04:00
Makefile integrity: Eliminate weak definition of arch_get_secureboot() 2026-03-13 11:37:13 -04:00