diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-09-08 15:41:25 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-09-08 15:41:25 -0400 |
| commit | b793c005ceabf6db0b17494b0ec67ade6796bb34 (patch) | |
| tree | 080c884f04254403ec9564742f591a9fd9b7e95a /init | |
| parent | 6f0a2fc1feb19bd142961a39dc118e7e55418b3f (diff) | |
| parent | 07f081fb5057b2ea98baeca3a47bf0eb33e94aa1 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- PKCS#7 support added to support signed kexec, also utilized for
module signing. See comments in 3f1e1bea.
** NOTE: this requires linking against the OpenSSL library, which
must be installed, e.g. the openssl-devel on Fedora **
- Smack
- add IPv6 host labeling; ignore labels on kernel threads
- support smack labeling mounts which use binary mount data
- SELinux:
- add ioctl whitelisting (see
http://kernsec.org/files/lss2015/vanderstoep.pdf)
- fix mprotect PROT_EXEC regression caused by mm change
- Seccomp:
- add ptrace options for suspend/resume"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits)
PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
Documentation/Changes: Now need OpenSSL devel packages for module signing
scripts: add extract-cert and sign-file to .gitignore
modsign: Handle signing key in source tree
modsign: Use if_changed rule for extracting cert from module signing key
Move certificate handling to its own directory
sign-file: Fix warning about BIO_reset() return value
PKCS#7: Add MODULE_LICENSE() to test module
Smack - Fix build error with bringup unconfigured
sign-file: Document dependency on OpenSSL devel libraries
PKCS#7: Appropriately restrict authenticated attributes and content type
KEYS: Add a name for PKEY_ID_PKCS7
PKCS#7: Improve and export the X.509 ASN.1 time object decoder
modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
extract-cert: Cope with multiple X.509 certificates in a single file
sign-file: Generate CMS message as signature instead of PKCS#7
PKCS#7: Support CMS messages also [RFC5652]
X.509: Change recorded SKID & AKID to not include Subject or Issuer
PKCS#7: Check content type and versions
MAINTAINERS: The keyrings mailing list has moved
...
Diffstat (limited to 'init')
| -rw-r--r-- | init/Kconfig | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/init/Kconfig b/init/Kconfig index 9cabd866b34b..02da9f1fd9df 100644 --- a/init/Kconfig +++ b/init/Kconfig | |||
| @@ -1765,17 +1765,23 @@ config MMAP_ALLOW_UNINITIALIZED | |||
| 1765 | 1765 | ||
| 1766 | See Documentation/nommu-mmap.txt for more information. | 1766 | See Documentation/nommu-mmap.txt for more information. |
| 1767 | 1767 | ||
| 1768 | config SYSTEM_TRUSTED_KEYRING | 1768 | config SYSTEM_DATA_VERIFICATION |
| 1769 | bool "Provide system-wide ring of trusted keys" | 1769 | def_bool n |
| 1770 | depends on KEYS | 1770 | select SYSTEM_TRUSTED_KEYRING |
| 1771 | select KEYS | ||
| 1772 | select CRYPTO | ||
| 1773 | select ASYMMETRIC_KEY_TYPE | ||
| 1774 | select ASYMMETRIC_PUBLIC_KEY_SUBTYPE | ||
| 1775 | select PUBLIC_KEY_ALGO_RSA | ||
| 1776 | select ASN1 | ||
| 1777 | select OID_REGISTRY | ||
| 1778 | select X509_CERTIFICATE_PARSER | ||
| 1779 | select PKCS7_MESSAGE_PARSER | ||
| 1771 | help | 1780 | help |
| 1772 | Provide a system keyring to which trusted keys can be added. Keys in | 1781 | Provide PKCS#7 message verification using the contents of the system |
| 1773 | the keyring are considered to be trusted. Keys may be added at will | 1782 | trusted keyring to provide public keys. This then can be used for |
| 1774 | by the kernel from compiled-in data and from hardware key stores, but | 1783 | module verification, kexec image verification and firmware blob |
| 1775 | userspace may only add extra keys if those keys can be verified by | 1784 | verification. |
| 1776 | keys already in the keyring. | ||
| 1777 | |||
| 1778 | Keys in this keyring are used by module signature checking. | ||
| 1779 | 1785 | ||
| 1780 | config PROFILING | 1786 | config PROFILING |
| 1781 | bool "Profiling support" | 1787 | bool "Profiling support" |
| @@ -1885,20 +1891,16 @@ config MODULE_SRCVERSION_ALL | |||
| 1885 | config MODULE_SIG | 1891 | config MODULE_SIG |
| 1886 | bool "Module signature verification" | 1892 | bool "Module signature verification" |
| 1887 | depends on MODULES | 1893 | depends on MODULES |
| 1888 | select SYSTEM_TRUSTED_KEYRING | 1894 | select SYSTEM_DATA_VERIFICATION |
| 1889 | select KEYS | ||
| 1890 | select CRYPTO | ||
| 1891 | select ASYMMETRIC_KEY_TYPE | ||
| 1892 | select ASYMMETRIC_PUBLIC_KEY_SUBTYPE | ||
| 1893 | select PUBLIC_KEY_ALGO_RSA | ||
| 1894 | select ASN1 | ||
| 1895 | select OID_REGISTRY | ||
| 1896 | select X509_CERTIFICATE_PARSER | ||
| 1897 | help | 1895 | help |
| 1898 | Check modules for valid signatures upon load: the signature | 1896 | Check modules for valid signatures upon load: the signature |
| 1899 | is simply appended to the module. For more information see | 1897 | is simply appended to the module. For more information see |
| 1900 | Documentation/module-signing.txt. | 1898 | Documentation/module-signing.txt. |
| 1901 | 1899 | ||
| 1900 | Note that this option adds the OpenSSL development packages as a | ||
| 1901 | kernel build dependency so that the signing tool can use its crypto | ||
| 1902 | library. | ||
| 1903 | |||
| 1902 | !!!WARNING!!! If you enable this option, you MUST make sure that the | 1904 | !!!WARNING!!! If you enable this option, you MUST make sure that the |
| 1903 | module DOES NOT get stripped after being signed. This includes the | 1905 | module DOES NOT get stripped after being signed. This includes the |
| 1904 | debuginfo strip done by some packagers (such as rpmbuild) and | 1906 | debuginfo strip done by some packagers (such as rpmbuild) and |