Pull IMA updates from Mimi Zohar:
- Introduce IMA and EVM post-quantum ML-DSA signature support
ML-DSA signature support for IMA and EVM is limited to sigv3
signatures, which calculates and verifies a hash of a compact
structure containing the file data/metadata hash, hash type, and hash
algorithm. IMA and EVM still calculate the file data/metadata hashes
respectively.
- Introduce support for removing IMA measurement list records stored in
kernel memory
The IMA measurement list can grow large depending on policy, but
removing records breaks remote attestation, unless they are safely
preserved and made available for attestation requests. Until
environments are prepared to preserve the measurement records, a new
CONFIG_IMA_STAGING Kconfig option is introduced to guard against
deletion.
Several approaches for removing measurement list records were
evaluated but rejected due to filesystem constraints, the
introduction of a new critical data record, and locking concerns. Two
methods are being upstreamed: staged deletion with confirmation, and
staged deletion of N records without confirmation. Both methods
minimize the period during which new measurements are blocked from
being appended to the measurement list by staging the measurement
list.
A comparison of the two methods is included in the documentation.
- Some code cleanup, and a couple of bug fixes
* tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
doc: security: Add documentation of exporting and deleting IMA measurements
ima: Support staging and deleting N measurements records
ima: Add support for flushing the hash table when staging measurements
ima: Add support for staging measurements with prompt
ima: Introduce ima_dump_measurement()
ima: Use snprintf() in create_securityfs_measurement_lists
ima: Mediate open/release method of the measurements list
ima: Introduce _ima_measurements_start() and _ima_measurements_next()
ima: Introduce per binary measurements list type binary_runtime_size value
ima: Introduce per binary measurements list type ima_num_records counter
ima: Replace static htable queue with dynamically allocated array
ima: Remove ima_h_table structure
evm: terminate and bound the evm_xattrs read buffer
integrity: Add support for sigv3 verification using ML-DSA keys
integrity: Refactor asymmetric_verify for reusability
integrity: Check that algo parameter is within valid range
integrity: Check for NULL returned by asymmetric_key_public_key
ima: return error early if file xattr cannot be changed
ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
projects / thirdparty / linux.git / commitdiff
