From: zhoushuiqing <zhoushuiqing2@huawei.com>
v2: -remove unused variable in ima_main.c
v3: -modify patch header information
v4: -add the CONFIG_IMA_DIGEST_LIST macro to isolate the code

David Howells (4):
  PGPLIB: PGP definitions (RFC 4880)
  PGPLIB: Basic packet parser
  KEYS: Provide PGP key description autogeneration
  KEYS: Provide a function to load keys from a PGP keyring blob

Mimi Zohar (1):
  initramfs: add file metadata

Roberto Sassu (34):
  initramfs: read metadata from special file METADATA!!!
  gen_init_cpio: add support for file metadata
  init: Add kernel option to force usage of tmpfs for rootfs
  ima: Add enforce-evm and log-evm modes to strictly check EVM status
  ima: Allow choice of file hash algorithm for measurement and audit
  ima: Generalize ima_read_policy()
  ima: Generalize ima_write_policy() and raise uploaded data size limit
  ima: Generalize policy file operations
  ima: Use ima_show_htable_value to show violations and hash table data
  ima: Add parser of compact digest list
  ima: Prevent usage of digest lists not measured or appraised
  ima: Introduce new securityfs files
  ima: Introduce new hook DIGEST_LIST_CHECK
  ima: Load all digest lists from a directory at boot time
  ima: Add support for measurement with digest lists
  ima: Add support for appraisal with digest lists
  evm: Add support for digest lists of metadata
  ima: Add meta_immutable appraisal type
  ima: Introduce exec_tcb policy
  ima: Introduce appraise_exec_tcb policy
  ima: Introduce appraise_exec_immutable policy
  ima: Add Documentation/security/IMA-digest-lists.txt
  mpi: introduce mpi_key_length()
  rsa: add parser of raw format
  KEYS: PGP data parser
  KEYS: Introduce load_pgp_public_keyring()
  certs: Introduce search_trusted_key()
  ima: Search key in the built-in keyrings
  ima: Allow direct upload of digest lists to securityfs
  ima: Add parser keyword to the policy
  evm: Extend evm= with x509. allow_metadata_writes and complete values
  ima: Execute parser to upload digest lists not recognizable by the kernel
  evm: Propagate choice of HMAC algorithm in evm_crypto.c
  config: add digest list options for arm64 and x86

Zhang Tianxing (5):
  ima: fix a memory leak in ima_del_digest_data_entry
  ima: Add max size for IMA digest database
  ima: don't allow control characters in policy path
  ima: fix CONFIG_IMA_DIGEST_DB_MEGABYTES in openeuler_defconfig
  ima: fix db size overflow and Kconfig issues

Zheng Zengkai (1):
  Revert "evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded"

shenxiangwei (1):
  ima: bugfix for digest lists importing

 Documentation/ABI/testing/evm               |   4 +-
 .../admin-guide/kernel-parameters.txt       |  49 +-
 Documentation/security/IMA-digest-lists.txt | 259 ++++++++++
 arch/arm64/configs/openeuler_defconfig      |  11 +
 arch/x86/configs/openeuler_defconfig        |  31 +-
 certs/Kconfig                               |   7 +
 certs/Makefile                              |   7 +
 certs/system_certificates.S                 |  18 +
 certs/system_keyring.c                      |  48 ++
 crypto/asymmetric_keys/Kconfig              |  25 +
 crypto/asymmetric_keys/Makefile             |  10 +
 crypto/asymmetric_keys/pgp_library.c        | 281 +++++++++++
 crypto/asymmetric_keys/pgp_parser.h         |  23 +
 crypto/asymmetric_keys/pgp_preload.c        | 119 +++++
 crypto/asymmetric_keys/pgp_public_key.c     | 383 +++++++++++++++
 crypto/rsa.c                                |  16 +
 crypto/rsa_helper.c                         |  76 +++
 include/crypto/internal/rsa.h               |  10 +
 include/linux/initramfs.h                   |  21 +
 include/linux/kernel_read_file.h            |  13 +
 include/linux/mpi.h                         |   4 +
 include/linux/pgp.h                         | 223 +++++++++
 include/linux/pgplib.h                      |  48 ++
 include/linux/verification.h                |   8 +-
 init/do_mounts.c                            |  19 +
 init/initramfs.c                            | 161 ++++++
 lib/mpi/mpicoder.c                          |  37 ++
 security/integrity/digsig_asymmetric.c      |  13 +
 security/integrity/evm/Kconfig              |  32 ++
 security/integrity/evm/evm.h                |   3 +
 security/integrity/evm/evm_crypto.c         |  46 +-
 security/integrity/evm/evm_main.c           | 141 +++++-
 security/integrity/evm/evm_secfs.c          |   4 +
 security/integrity/iint.c                   |   4 +
 security/integrity/ima/Kconfig              |  49 ++
 security/integrity/ima/Makefile             |   1 +
 security/integrity/ima/ima.h                |  56 +++
 security/integrity/ima/ima_api.c            |  57 +++
 security/integrity/ima/ima_appraise.c       | 137 ++++++
 security/integrity/ima/ima_digest_list.c    | 465 ++++++++++++++++++
 security/integrity/ima/ima_digest_list.h    |  54 ++
 security/integrity/ima/ima_efi.c            |   3 +
 security/integrity/ima/ima_fs.c             | 320 ++++++++++++
 security/integrity/ima/ima_init.c           |   4 +
 security/integrity/ima/ima_main.c           | 142 +++++-
 security/integrity/ima/ima_policy.c         | 177 ++++++-
 security/integrity/integrity.h              |  42 ++
 usr/Kconfig                                 |   8 +
 usr/Makefile                                |   4 +-
 usr/gen_init_cpio.c                         | 158 ++++++
 usr/gen_initramfs.sh                        |   7 +-
 51 files changed, 3801 insertions(+), 37 deletions(-)
 create mode 100644 Documentation/security/IMA-digest-lists.txt
 create mode 100644 crypto/asymmetric_keys/pgp_library.c
 create mode 100644 crypto/asymmetric_keys/pgp_parser.h
 create mode 100644 crypto/asymmetric_keys/pgp_preload.c
 create mode 100644 crypto/asymmetric_keys/pgp_public_key.c
 create mode 100644 include/linux/initramfs.h
 create mode 100644 include/linux/pgp.h
 create mode 100644 include/linux/pgplib.h
 create mode 100644 security/integrity/ima/ima_digest_list.c
 create mode 100644 security/integrity/ima/ima_digest_list.h