From: Linus Torvalds
Date: Fri, 19 Jun 2026 18:32:05 +0000 (-0700)
Subject: Merge tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0798268aa4c26ece25020b3ddeeef9a5941209c0;p=thirdparty%2Flinux.git

Merge tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:

 - Introduce IMA and EVM post-quantum ML-DSA signature support

   ML-DSA signature support for IMA and EVM is limited to sigv3 signatures,
   which calculate and verify a hash of a compact structure containing the
   file data/metadata hash, hash type, and hash algorithm. IMA and EVM still
   calculate the file data/metadata hashes respectively.

 - Introduce support for removing IMA measurement list records stored in
   kernel memory

   The IMA measurement list can grow large depending on policy, but removing
   records breaks remote attestation, unless they are safely preserved and
   made available for attestation requests. Until environments are prepared
   to preserve the measurement records, a new CONFIG_IMA_STAGING Kconfig
   option is introduced to guard against deletion.

   Several approaches for removing measurement list records were evaluated
   but rejected due to filesystem constraints, the introduction of a new
   critical data record, and locking concerns. Two methods are being
   upstreamed: staged deletion with confirmation, and staged deletion of N
   records without confirmation. Both methods minimize the period during
   which new measurements are blocked from being appended to the measurement
   list by staging the measurement list. A comparison of the two methods is
   included in the documentation.

 - Some code cleanup, and a couple of bug fixes

* tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  doc: security: Add documentation of exporting and deleting IMA measurements
  ima: Support staging and deleting N measurements records
  ima: Add support for flushing the hash table when staging measurements
  ima: Add support for staging measurements with prompt
  ima: Introduce ima_dump_measurement()
  ima: Use snprintf() in create_securityfs_measurement_lists
  ima: Mediate open/release method of the measurements list
  ima: Introduce _ima_measurements_start() and _ima_measurements_next()
  ima: Introduce per binary measurements list type binary_runtime_size value
  ima: Introduce per binary measurements list type ima_num_records counter
  ima: Replace static htable queue with dynamically allocated array
  ima: Remove ima_h_table structure
  evm: terminate and bound the evm_xattrs read buffer
  integrity: Add support for sigv3 verification using ML-DSA keys
  integrity: Refactor asymmetric_verify for reusability
  integrity: Check that algo parameter is within valid range
  integrity: Check for NULL returned by asymmetric_key_public_key
  ima: return error early if file xattr cannot be changed
  ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG