iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d7cecb676d
linux/security/integrity
History
Nayna Jain d7cecb676d ima: Support platform keyring for kernel appraisal 
On secure boot enabled systems, the bootloader verifies the kernel
image and possibly the initramfs signatures based on a set of keys. A
soft reboot(kexec) of the system, with the same kernel image and
initramfs, requires access to the original keys to verify the
signatures.

This patch allows IMA-appraisal access to those original keys, now
loaded on the platform keyring, needed for verifying the kernel image
and initramfs signatures.

[zohar@linux.ibm.com: only use platform keyring if it's enabled (Thiago)]
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2018-12-12 22:09:33 -05:00
..
evm security/integrity: constify some read-only data 2018-10-10 12:56:15 -04:00
ima ima: Support platform keyring for kernel appraisal 2018-12-12 22:09:33 -05:00
platform_certs efi: Allow the "db" UEFI variable to be suppressed 2018-12-12 22:09:10 -05:00
digsig_asymmetric.c integrity: support new struct public_key_signature encoding field 2018-11-13 07:37:42 -05:00
digsig.c integrity: Load certs to the platform keyring 2018-12-12 22:02:54 -05:00
iint.c LSM: Record LSM name in struct lsm_info 2018-10-10 20:40:22 -07:00
integrity_audit.c ima: Use audit_log_format() rather than audit_log_string() 2018-07-18 07:27:22 -04:00
integrity.h integrity: Load certs to the platform keyring 2018-12-12 22:02:54 -05:00
Kconfig integrity: Define a trusted platform keyring 2018-12-12 22:02:28 -05:00
Makefile efi: Import certificates from UEFI Secure Boot 2018-12-12 22:04:33 -05:00