This patch includes some bug fixes, support for PGP keys and for user space parsers of digest lists.
The first part refines the functionality of digest lists. It fixes a possible buffer overflow, relaxes the meta_immutable requirement so that digest lists without metadata can be loaded, and introduces the possibility to appraise files without setting xattrs. The last change is necessary to appraise temporary files created by the firewalld daemon, which don't have xattrs.
The second part introduces support for PGP keys, to appraise digest lists when they cannot be directly signed by the build service. The public part of the PGP keys from the build service is included in the kernel and used by IMA appraisal to verify RPM headers.
The third part introduces support for user space parsers of digest lists. The RPM parser extracts from the header the digest of the digest list included in the RPM and uploads it to the kernel, so that when IMA appraisal finds that the digest is known, it will grant access to that digest list and let the user space parser upload the remaining digests of the files in the RPM.
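The extraction step described above, as an added illustration that is not the parser shipped with this series or with the digest-list user space tools: it walks the index of an RPM header (the public rpm header format: magic, reserved word, index count, store size, 16-byte index entries, data store), resolves each file path from RPMTAG_DIRNAMES/RPMTAG_DIRINDEXES/RPMTAG_BASENAMES, and returns the RPMTAG_FILEDIGESTS value of every file below the digest-list directory. The directory /etc/ima/digest_lists/, the sample header built by build_header(), and the idea that the returned digests are what would then be written to the securityfs upload interface are my assumptions; the upload itself is not shown.

```python
"""Illustrative RPM header walk for digest-list files (added example, not the
series' own parser). The header layout is rpm's public format; the digest-list
directory and the sample package contents are assumptions for this example."""
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # magic + header version 1
RPM_INT32_TYPE = 4
RPM_STRING_ARRAY_TYPE = 8
RPMTAG_FILEDIGESTS = 1035
RPMTAG_DIRINDEXES = 1116
RPMTAG_BASENAMES = 1117
RPMTAG_DIRNAMES = 1118

DIGEST_LIST_DIR = "/etc/ima/digest_lists/"   # assumed install location


def build_header(tags):
    """Serialize {tag: (type, values)} into a header blob (used only to
    construct the sample input below; a real parser reads rpm's output)."""
    store, index = bytearray(), bytearray()
    for tag, (typ, values) in tags.items():
        if typ == RPM_INT32_TYPE:
            while len(store) % 4:            # int32 data is 4-byte aligned
                store.append(0)
            offset = len(store)
            store += struct.pack(">%di" % len(values), *values)
        elif typ == RPM_STRING_ARRAY_TYPE:
            offset = len(store)
            for s in values:
                store += s.encode() + b"\0"  # NUL-terminated strings
        else:
            raise ValueError("unsupported tag type %d" % typ)
        index += struct.pack(">iiii", tag, typ, offset, len(values))
    return (HEADER_MAGIC + b"\0" * 4 + struct.pack(">ii", len(tags), len(store))
            + bytes(index) + bytes(store))


def parse_header(blob):
    """Decode the index and store into {tag: values}; every offset and count
    is bounds-checked against the store before it is dereferenced."""
    if len(blob) < 16 or blob[:4] != HEADER_MAGIC:
        raise ValueError("bad or short RPM header")
    nindex, hsize = struct.unpack(">ii", blob[8:16])
    index_end = 16 + 16 * nindex
    store = blob[index_end:index_end + hsize]
    if nindex < 0 or hsize < 0 or len(blob) < index_end or len(store) != hsize:
        raise ValueError("truncated RPM header")
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iiii", blob[16 + 16 * i:32 + 16 * i])
        if off < 0 or count < 0 or off > hsize:
            raise ValueError("index entry outside store")
        if typ == RPM_INT32_TYPE:
            if off + 4 * count > hsize:
                raise ValueError("int32 array overruns store")
            entries[tag] = list(struct.unpack(">%di" % count, store[off:off + 4 * count]))
        elif typ == RPM_STRING_ARRAY_TYPE:
            vals, pos = [], off
            for _ in range(count):
                end = store.index(b"\0", pos)     # ValueError if unterminated
                vals.append(store[pos:end].decode())
                pos = end + 1
            entries[tag] = vals
        # other tag types are not needed here and are skipped
    return entries


def digest_list_digests(blob, prefix=DIGEST_LIST_DIR):
    """Return {path: hex digest} for the packaged files under prefix, i.e. the
    values a user space parser would hand to the kernel before the digest
    list itself is allowed to be read."""
    h = parse_header(blob)
    try:
        dirs, idx = h[RPMTAG_DIRNAMES], h[RPMTAG_DIRINDEXES]
        names, digests = h[RPMTAG_BASENAMES], h[RPMTAG_FILEDIGESTS]
    except KeyError as e:
        raise ValueError("file tag %s missing" % e)
    if not len(idx) == len(names) == len(digests):
        raise ValueError("inconsistent file tag lengths")
    out = {}
    for i, name in enumerate(names):
        if not 0 <= idx[i] < len(dirs):
            raise ValueError("bad dirindex for %s" % name)
        path = dirs[idx[i]] + name
        if path.startswith(prefix) and digests[i]:   # directories have no digest
            out[path] = digests[i]
    return out


def sample_header():
    """Constructed sample: one binary plus one digest list in the same package."""
    return build_header({
        RPMTAG_DIRNAMES: (RPM_STRING_ARRAY_TYPE, ["/usr/bin/", DIGEST_LIST_DIR]),
        RPMTAG_DIRINDEXES: (RPM_INT32_TYPE, [0, 1]),
        RPMTAG_BASENAMES: (RPM_STRING_ARRAY_TYPE, ["tool", "0-metadata_list-compact-tool"]),
        RPMTAG_FILEDIGESTS: (RPM_STRING_ARRAY_TYPE, ["aa" * 32, "bb" * 32]),
    })


def header_is_wellformed(blob):
    try:
        parse_header(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for path, digest in digest_list_digests(sample_header()).items():
        print(path, digest)
```

The bounds checks in parse_header are the part worth keeping in any real parser: the RPM header is attacker-influenced input when packages come from outside the build service, and the kernel-side appraisal of the header signature happens only after this code has already read it.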
Lastly, the patch set introduces some minor changes. It enhances the evm= kernel option to initialize EVM and to permit metadata modifications, and enables the digest lists feature by default.
David Howells (4):
  PGPLIB: PGP definitions (RFC 4880)
  PGPLIB: Basic packet parser
  KEYS: PGP data parser
  KEYS: Provide PGP key description autogeneration

Roberto Sassu (19):
  ima: Use buffer large enough to store fake IMA xattr for appraisal
  ima: Require meta_immutable only for BPRM_CHECK hook
  ima: Check meta_immutable requirement for every EVM status
  ima: Change fake IMA xattr type to IMA_XATTR_DIGEST_NG
  evm: Reset status even when security.evm is modified
  ima: Display more information in ima_check_measured_appraised()
  ima: Allow appraisal of digest lists without metadata
  evm: Set fake EVM xattr if IMA passed a fake xattr
  mpi: introduce mpi_key_length()
  rsa: add parser of raw format
  KEYS: Provide a function to load keys from a PGP keyring blob
  KEYS: Introduce load_pgp_public_keyring()
  certs: Introduce search_trusted_key()
  ima: Search key in the built-in keyrings
  ima: Allow direct upload of digest lists to securityfs
  ima: Add parser keyword to the policy
  ima: Execute parser to upload digest lists not recognizable by the kernel
  evm: Extend evm= with x509 and allow_metadata_writes values
  config: Add digest lists options
 .../admin-guide/kernel-parameters.txt          |   8 +-
 arch/x86/configs/openeuler_defconfig            |  23 +-
 certs/Kconfig                                   |   7 +
 certs/Makefile                                  |   6 +
 certs/system_certificates.S                     |  18 +
 certs/system_keyring.c                          |  44 ++
 crypto/asymmetric_keys/Kconfig                  |  25 ++
 crypto/asymmetric_keys/Makefile                 |  10 +
 crypto/asymmetric_keys/pgp_library.c            | 281 +++++++++++++
 crypto/asymmetric_keys/pgp_parser.h             |  23 ++
 crypto/asymmetric_keys/pgp_preload.c            | 119 ++++++
 crypto/asymmetric_keys/pgp_public_key.c         | 383 ++++++++++++++++++
 crypto/rsa.c                                    |  14 +-
 crypto/rsa_helper.c                             |  69 ++++
 include/crypto/internal/rsa.h                   |   6 +
 include/linux/mpi.h                             |   2 +
 include/linux/pgp.h                             | 220 ++++++++++
 include/linux/pgplib.h                          |  48 +++
 include/linux/verification.h                    |   5 +
 lib/mpi/mpicoder.c                              |  33 +-
 security/integrity/digsig_asymmetric.c          |  10 +
 security/integrity/evm/evm_main.c               |  58 ++-
 security/integrity/ima/Kconfig                  |   7 +
 security/integrity/ima/ima_appraise.c           |  65 ++-
 security/integrity/ima/ima_digest_list.c        | 106 ++++-
 security/integrity/ima/ima_digest_list.h        |  18 +
 security/integrity/ima/ima_fs.c                 |  19 +
 security/integrity/ima/ima_main.c               |  10 +-
 security/integrity/ima/ima_policy.c             |  38 +-
 29 files changed, 1599 insertions(+), 76 deletions(-)
 create mode 100644 crypto/asymmetric_keys/pgp_library.c
 create mode 100644 crypto/asymmetric_keys/pgp_parser.h
 create mode 100644 crypto/asymmetric_keys/pgp_preload.c
 create mode 100644 crypto/asymmetric_keys/pgp_public_key.c
 create mode 100644 include/linux/pgp.h
 create mode 100644 include/linux/pgplib.h