Eric Snowberg f20765fdfd integrity: Always reference the blacklist keyring with appraisal ... Commit 273df864cf ("ima: Check against blacklisted hashes for files with modsig") introduced an appraise_flag option for referencing the blacklist keyring. Any matching binary found on this keyring fails signature validation. This flag only works with module appended signatures. An important part of a PKI infrastructure is to have the ability to do revocation at a later time should a vulnerability be found. Expand the revocation flag usage to all appraisal functions. The flag is now enabled by default. Setting the flag with an IMA policy has been deprecated. Without a revocation capability like this in place, only authenticity can be maintained. With this change, integrity can now be achieved with digital signature based IMA appraisal. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>		2023-08-01 08:17:25 -04:00
..
evm	evm: Fix build warnings	2023-06-06 08:51:11 -04:00
ima	integrity: Always reference the blacklist keyring with appraisal	2023-08-01 08:17:25 -04:00
platform_certs	security/integrity: fix pointer to ESL data and its size on pseries	2023-06-21 14:08:53 +10:00
digsig_asymmetric.c	ima: fix reference leak in asymmetric_verify()	2022-01-24 18:37:36 -05:00
digsig.c	integrity: machine keyring CA configuration	2023-04-24 16:15:53 +03:00
iint.c	integrity: Fix possible multiple allocation in integrity_inode_get()	2023-06-01 07:25:04 -04:00
integrity_audit.c	integrity: check the return value of audit_log_start()	2022-02-02 11:44:23 -05:00
integrity.h	ima: support fs-verity file digest based version 3 signatures	2022-05-05 17:41:51 -04:00
Kconfig	integrity: machine keyring CA configuration	2023-04-24 16:15:53 +03:00
Makefile	integrity: Introduce a Linux keyring called machine	2022-03-08 13:55:52 +02:00