This patchset supports IMA digest lists for the kernel.
v2: -remove unused variable in ima_main.c
v3: -modify patch header information
David Howells (4):
  PGPLIB: PGP definitions (RFC 4880)
  PGPLIB: Basic packet parser
  KEYS: Provide PGP key description autogeneration
  KEYS: Provide a function to load keys from a PGP keyring blob

Mimi Zohar (1):
  initramfs: add file metadata

Roberto Sassu (34):
  initramfs: read metadata from special file METADATA!!!
  gen_init_cpio: add support for file metadata
  init: Add kernel option to force usage of tmpfs for rootfs
  ima: Add enforce-evm and log-evm modes to strictly check EVM status
  ima: Allow choice of file hash algorithm for measurement and audit
  ima: Generalize ima_read_policy()
  ima: Generalize ima_write_policy() and raise uploaded data size limit
  ima: Generalize policy file operations
  ima: Use ima_show_htable_value to show violations and hash table data
  ima: Add parser of compact digest list
  ima: Prevent usage of digest lists not measured or appraised
  ima: Introduce new securityfs files
  ima: Introduce new hook DIGEST_LIST_CHECK
  ima: Load all digest lists from a directory at boot time
  ima: Add support for measurement with digest lists
  ima: Add support for appraisal with digest lists
  evm: Add support for digest lists of metadata
  ima: Add meta_immutable appraisal type
  ima: Introduce exec_tcb policy
  ima: Introduce appraise_exec_tcb policy
  ima: Introduce appraise_exec_immutable policy
  ima: Add Documentation/security/IMA-digest-lists.txt
  mpi: introduce mpi_key_length()
  rsa: add parser of raw format
  KEYS: PGP data parser
  KEYS: Introduce load_pgp_public_keyring()
  certs: Introduce search_trusted_key()
  ima: Search key in the built-in keyrings
  ima: Allow direct upload of digest lists to securityfs
  ima: Add parser keyword to the policy
  evm: Extend evm= with x509. allow_metadata_writes and complete values
  ima: Execute parser to upload digest lists not recognizable by the kernel
  evm: Propagate choice of HMAC algorithm in evm_crypto.c
  config: add digest list options for arm64 and x86

Zhang Tianxing (5):
  ima: fix a memory leak in ima_del_digest_data_entry
  ima: Add max size for IMA digest database
  ima: don't allow control characters in policy path
  ima: fix CONFIG_IMA_DIGEST_DB_MEGABYTES in openeuler_defconfig
  ima: fix db size overflow and Kconfig issues

Zheng Zengkai (1):
  Revert "evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded"

shenxiangwei (1):
  ima: bugfix for digest lists importing
 Documentation/ABI/testing/evm               |   4 +-
 .../admin-guide/kernel-parameters.txt       |  49 +-
 Documentation/security/IMA-digest-lists.txt | 259 ++++++++++
 arch/arm64/configs/openeuler_defconfig      |  11 +
 arch/x86/configs/openeuler_defconfig        |  31 +-
 certs/Kconfig                               |   7 +
 certs/Makefile                              |   7 +
 certs/system_certificates.S                 |  18 +
 certs/system_keyring.c                      |  44 ++
 crypto/asymmetric_keys/Kconfig              |  25 +
 crypto/asymmetric_keys/Makefile             |  10 +
 crypto/asymmetric_keys/pgp_library.c        | 281 +++++++++++
 crypto/asymmetric_keys/pgp_parser.h         |  23 +
 crypto/asymmetric_keys/pgp_preload.c        | 119 +++++
 crypto/asymmetric_keys/pgp_public_key.c     | 383 +++++++++++++++
 crypto/rsa.c                                |  14 +-
 crypto/rsa_helper.c                         |  69 +++
 include/crypto/internal/rsa.h               |   6 +
 include/linux/initramfs.h                   |  21 +
 include/linux/kernel_read_file.h            |   1 +
 include/linux/mpi.h                         |   2 +
 include/linux/pgp.h                         | 220 +++++++++
 include/linux/pgplib.h                      |  48 ++
 include/linux/verification.h                |   4 +
 init/do_mounts.c                            |  11 +-
 init/initramfs.c                            | 138 +++++-
 lib/mpi/mpicoder.c                          |  33 +-
 security/integrity/digsig_asymmetric.c      |  10 +
 security/integrity/evm/Kconfig              |  32 ++
 security/integrity/evm/evm.h                |   1 +
 security/integrity/evm/evm_crypto.c         |  24 +-
 security/integrity/evm/evm_main.c           | 103 +++-
 security/integrity/evm/evm_secfs.c          |   2 +-
 security/integrity/iint.c                   |   2 +
 security/integrity/ima/Kconfig              |  49 ++
 security/integrity/ima/Makefile             |   1 +
 security/integrity/ima/ima.h                |  39 +-
 security/integrity/ima/ima_api.c            |  42 +-
 security/integrity/ima/ima_appraise.c       | 117 ++++-
 security/integrity/ima/ima_digest_list.c    | 465 ++++++++++++++++++
 security/integrity/ima/ima_digest_list.h    |  54 ++
 security/integrity/ima/ima_fs.c             | 294 ++++++++--
 security/integrity/ima/ima_init.c           |   2 +-
 security/integrity/ima/ima_main.c           | 124 ++++-
 security/integrity/ima/ima_policy.c         | 116 ++++-
 security/integrity/integrity.h              |  47 +-
 usr/Kconfig                                 |   8 +
 usr/Makefile                                |   4 +-
 usr/gen_init_cpio.c                         | 136 ++++-
 usr/gen_initramfs.sh                        |   7 +-
 50 files changed, 3299 insertions(+), 218 deletions(-)
 create mode 100644 Documentation/security/IMA-digest-lists.txt
 create mode 100644 crypto/asymmetric_keys/pgp_library.c
 create mode 100644 crypto/asymmetric_keys/pgp_parser.h
 create mode 100644 crypto/asymmetric_keys/pgp_preload.c
 create mode 100644 crypto/asymmetric_keys/pgp_public_key.c
 create mode 100644 include/linux/initramfs.h
 create mode 100644 include/linux/pgp.h
 create mode 100644 include/linux/pgplib.h
 create mode 100644 security/integrity/ima/ima_digest_list.c
 create mode 100644 security/integrity/ima/ima_digest_list.h