aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2013-11-21 22:46:00 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2013-11-21 22:46:00 -0500
commit78dc53c422172a317adb0776dfb687057ffa28b7 (patch)
tree7c5d15da75d769d01f6a992c24c3490b3867d5b2 /Documentation
parent3eaded86ac3e7f00fb3eeb8162d89e9a34e42fb0 (diff)
parent62fe318256befbd1b4a6765e71d9c997f768fe79 (diff)
Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "In this patchset, we finally get an SELinux update, with Paul Moore taking over as maintainer of that code. Also a significant update for the Keys subsystem, as well as maintenance updates to Smack, IMA, TPM, and Apparmor" and since I wanted to know more about the updates to key handling, here's the explanation from David Howells on that: "Okay. There are a number of separate bits. I'll go over the big bits and the odd important other bit, most of the smaller bits are just fixes and cleanups. If you want the small bits accounting for, I can do that too. (1) Keyring capacity expansion. KEYS: Consolidate the concept of an 'index key' for key access KEYS: Introduce a search context structure KEYS: Search for auth-key by name rather than target key ID Add a generic associative array implementation. KEYS: Expand the capacity of a keyring Several of the patches are providing an expansion of the capacity of a keyring. Currently, the maximum size of a keyring payload is one page. Subtract a small header and then divide up into pointers, that only gives you ~500 pointers on an x86_64 box. However, since the NFS idmapper uses a keyring to store ID mapping data, that has proven to be insufficient to the cause. Whatever data structure I use to handle the keyring payload, it can only store pointers to keys, not the keys themselves because several keyrings may point to a single key. This precludes inserting, say, and rb_node struct into the key struct for this purpose. I could make an rbtree of records such that each record has an rb_node and a key pointer, but that would use four words of space per key stored in the keyring. It would, however, be able to use much existing code. I selected instead a non-rebalancing radix-tree type approach as that could have a better space-used/key-pointer ratio. I could have used the radix tree implementation that we already have and insert keys into it by their serial numbers, but that means any sort of search must iterate over the whole radix tree. Further, its nodes are a bit on the capacious side for what I want - especially given that key serial numbers are randomly allocated, thus leaving a lot of empty space in the tree. So what I have is an associative array that internally is a radix-tree with 16 pointers per node where the index key is constructed from the key type pointer and the key description. This means that an exact lookup by type+description is very fast as this tells us how to navigate directly to the target key. I made the data structure general in lib/assoc_array.c as far as it is concerned, its index key is just a sequence of bits that leads to a pointer. It's possible that someone else will be able to make use of it also. FS-Cache might, for example. (2) Mark keys as 'trusted' and keyrings as 'trusted only'. KEYS: verify a certificate is signed by a 'trusted' key KEYS: Make the system 'trusted' keyring viewable by userspace KEYS: Add a 'trusted' flag and a 'trusted only' flag KEYS: Separate the kernel signature checking keyring from module signing These patches allow keys carrying asymmetric public keys to be marked as being 'trusted' and allow keyrings to be marked as only permitting the addition or linkage of trusted keys. Keys loaded from hardware during kernel boot or compiled into the kernel during build are marked as being trusted automatically. New keys can be loaded at runtime with add_key(). They are checked against the system keyring contents and if their signatures can be validated with keys that are already marked trusted, then they are marked trusted also and can thus be added into the master keyring. Patches from Mimi Zohar make this usable with the IMA keyrings also. (3) Remove the date checks on the key used to validate a module signature. X.509: Remove certificate date checks It's not reasonable to reject a signature just because the key that it was generated with is no longer valid datewise - especially if the kernel hasn't yet managed to set the system clock when the first module is loaded - so just remove those checks. (4) Make it simpler to deal with additional X.509 being loaded into the kernel. KEYS: Load *.x509 files into kernel keyring KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate The builder of the kernel now just places files with the extension ".x509" into the kernel source or build trees and they're concatenated by the kernel build and stuffed into the appropriate section. (5) Add support for userspace kerberos to use keyrings. KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches KEYS: Implement a big key type that can save to tmpfs Fedora went to, by default, storing kerberos tickets and tokens in tmpfs. We looked at storing it in keyrings instead as that confers certain advantages such as tickets being automatically deleted after a certain amount of time and the ability for the kernel to get at these tokens more easily. To make this work, two things were needed: (a) A way for the tickets to persist beyond the lifetime of all a user's sessions so that cron-driven processes can still use them. The problem is that a user's session keyrings are deleted when the session that spawned them logs out and the user's user keyring is deleted when the UID is deleted (typically when the last log out happens), so neither of these places is suitable. I've added a system keyring into which a 'persistent' keyring is created for each UID on request. Each time a user requests their persistent keyring, the expiry time on it is set anew. If the user doesn't ask for it for, say, three days, the keyring is automatically expired and garbage collected using the existing gc. All the kerberos tokens it held are then also gc'd. (b) A key type that can hold really big tickets (up to 1MB in size). The problem is that Active Directory can return huge tickets with lots of auxiliary data attached. We don't, however, want to eat up huge tracts of unswappable kernel space for this, so if the ticket is greater than a certain size, we create a swappable shmem file and dump the contents in there and just live with the fact we then have an inode and a dentry overhead. If the ticket is smaller than that, we slap it in a kmalloc()'d buffer" * 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits) KEYS: Fix keyring content gc scanner KEYS: Fix error handling in big_key instantiation KEYS: Fix UID check in keyctl_get_persistent() KEYS: The RSA public key algorithm needs to select MPILIB ima: define '_ima' as a builtin 'trusted' keyring ima: extend the measurement list to include the file signature kernel/system_certificate.S: use real contents instead of macro GLOBAL() KEYS: fix error return code in big_key_instantiate() KEYS: Fix keyring quota misaccounting on key replacement and unlink KEYS: Fix a race between negating a key and reading the error set KEYS: Make BIG_KEYS boolean apparmor: remove the "task" arg from may_change_ptraced_domain() apparmor: remove parent task info from audit logging apparmor: remove tsk field from the apparmor_audit_struct apparmor: fix capability to not use the current task, during reporting Smack: Ptrace access check mode ima: provide hash algo info in the xattr ima: enable support for larger default filedata hash algorithms ima: define kernel parameter 'ima_template=' to change configured default ima: add Kconfig default measurement list template ...
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/assoc_array.txt574
-rw-r--r--Documentation/devicetree/bindings/i2c/trivial-devices.txt3
-rw-r--r--Documentation/kernel-parameters.txt11
-rw-r--r--Documentation/security/00-INDEX2
-rw-r--r--Documentation/security/IMA-templates.txt87
-rw-r--r--Documentation/security/keys.txt20
6 files changed, 687 insertions, 10 deletions
diff --git a/Documentation/assoc_array.txt b/Documentation/assoc_array.txt
new file mode 100644
index 000000000000..f4faec0f66e4
--- /dev/null
+++ b/Documentation/assoc_array.txt
@@ -0,0 +1,574 @@
1 ========================================
2 GENERIC ASSOCIATIVE ARRAY IMPLEMENTATION
3 ========================================
4
5Contents:
6
7 - Overview.
8
9 - The public API.
10 - Edit script.
11 - Operations table.
12 - Manipulation functions.
13 - Access functions.
14 - Index key form.
15
16 - Internal workings.
17 - Basic internal tree layout.
18 - Shortcuts.
19 - Splitting and collapsing nodes.
20 - Non-recursive iteration.
21 - Simultaneous alteration and iteration.
22
23
24========
25OVERVIEW
26========
27
28This associative array implementation is an object container with the following
29properties:
30
31 (1) Objects are opaque pointers. The implementation does not care where they
32 point (if anywhere) or what they point to (if anything).
33
34 [!] NOTE: Pointers to objects _must_ be zero in the least significant bit.
35
36 (2) Objects do not need to contain linkage blocks for use by the array. This
37 permits an object to be located in multiple arrays simultaneously.
38 Rather, the array is made up of metadata blocks that point to objects.
39
40 (3) Objects require index keys to locate them within the array.
41
42 (4) Index keys must be unique. Inserting an object with the same key as one
43 already in the array will replace the old object.
44
45 (5) Index keys can be of any length and can be of different lengths.
46
47 (6) Index keys should encode the length early on, before any variation due to
48 length is seen.
49
50 (7) Index keys can include a hash to scatter objects throughout the array.
51
52 (8) The array can iterated over. The objects will not necessarily come out in
53 key order.
54
55 (9) The array can be iterated over whilst it is being modified, provided the
56 RCU readlock is being held by the iterator. Note, however, under these
57 circumstances, some objects may be seen more than once. If this is a
58 problem, the iterator should lock against modification. Objects will not
59 be missed, however, unless deleted.
60
61(10) Objects in the array can be looked up by means of their index key.
62
63(11) Objects can be looked up whilst the array is being modified, provided the
64 RCU readlock is being held by the thread doing the look up.
65
66The implementation uses a tree of 16-pointer nodes internally that are indexed
67on each level by nibbles from the index key in the same manner as in a radix
68tree. To improve memory efficiency, shortcuts can be emplaced to skip over
69what would otherwise be a series of single-occupancy nodes. Further, nodes
70pack leaf object pointers into spare space in the node rather than making an
71extra branch until as such time an object needs to be added to a full node.
72
73
74==============
75THE PUBLIC API
76==============
77
78The public API can be found in <linux/assoc_array.h>. The associative array is
79rooted on the following structure:
80
81 struct assoc_array {
82 ...
83 };
84
85The code is selected by enabling CONFIG_ASSOCIATIVE_ARRAY.
86
87
88EDIT SCRIPT
89-----------
90
91The insertion and deletion functions produce an 'edit script' that can later be
92applied to effect the changes without risking ENOMEM. This retains the
93preallocated metadata blocks that will be installed in the internal tree and
94keeps track of the metadata blocks that will be removed from the tree when the
95script is applied.
96
97This is also used to keep track of dead blocks and dead objects after the
98script has been applied so that they can be freed later. The freeing is done
99after an RCU grace period has passed - thus allowing access functions to
100proceed under the RCU read lock.
101
102The script appears as outside of the API as a pointer of the type:
103
104 struct assoc_array_edit;
105
106There are two functions for dealing with the script:
107
108 (1) Apply an edit script.
109
110 void assoc_array_apply_edit(struct assoc_array_edit *edit);
111
112 This will perform the edit functions, interpolating various write barriers
113 to permit accesses under the RCU read lock to continue. The edit script
114 will then be passed to call_rcu() to free it and any dead stuff it points
115 to.
116
117 (2) Cancel an edit script.
118
119 void assoc_array_cancel_edit(struct assoc_array_edit *edit);
120
121 This frees the edit script and all preallocated memory immediately. If
122 this was for insertion, the new object is _not_ released by this function,
123 but must rather be released by the caller.
124
125These functions are guaranteed not to fail.
126
127
128OPERATIONS TABLE
129----------------
130
131Various functions take a table of operations:
132
133 struct assoc_array_ops {
134 ...
135 };
136
137This points to a number of methods, all of which need to be provided:
138
139 (1) Get a chunk of index key from caller data:
140
141 unsigned long (*get_key_chunk)(const void *index_key, int level);
142
143 This should return a chunk of caller-supplied index key starting at the
144 *bit* position given by the level argument. The level argument will be a
145 multiple of ASSOC_ARRAY_KEY_CHUNK_SIZE and the function should return
146 ASSOC_ARRAY_KEY_CHUNK_SIZE bits. No error is possible.
147
148
149 (2) Get a chunk of an object's index key.
150
151 unsigned long (*get_object_key_chunk)(const void *object, int level);
152
153 As the previous function, but gets its data from an object in the array
154 rather than from a caller-supplied index key.
155
156
157 (3) See if this is the object we're looking for.
158
159 bool (*compare_object)(const void *object, const void *index_key);
160
161 Compare the object against an index key and return true if it matches and
162 false if it doesn't.
163
164
165 (4) Diff the index keys of two objects.
166
167 int (*diff_objects)(const void *a, const void *b);
168
169 Return the bit position at which the index keys of two objects differ or
170 -1 if they are the same.
171
172
173 (5) Free an object.
174
175 void (*free_object)(void *object);
176
177 Free the specified object. Note that this may be called an RCU grace
178 period after assoc_array_apply_edit() was called, so synchronize_rcu() may
179 be necessary on module unloading.
180
181
182MANIPULATION FUNCTIONS
183----------------------
184
185There are a number of functions for manipulating an associative array:
186
187 (1) Initialise an associative array.
188
189 void assoc_array_init(struct assoc_array *array);
190
191 This initialises the base structure for an associative array. It can't
192 fail.
193
194
195 (2) Insert/replace an object in an associative array.
196
197 struct assoc_array_edit *
198 assoc_array_insert(struct assoc_array *array,
199 const struct assoc_array_ops *ops,
200 const void *index_key,
201 void *object);
202
203 This inserts the given object into the array. Note that the least
204 significant bit of the pointer must be zero as it's used to type-mark
205 pointers internally.
206
207 If an object already exists for that key then it will be replaced with the
208 new object and the old one will be freed automatically.
209
210 The index_key argument should hold index key information and is
211 passed to the methods in the ops table when they are called.
212
213 This function makes no alteration to the array itself, but rather returns
214 an edit script that must be applied. -ENOMEM is returned in the case of
215 an out-of-memory error.
216
217 The caller should lock exclusively against other modifiers of the array.
218
219
220 (3) Delete an object from an associative array.
221
222 struct assoc_array_edit *
223 assoc_array_delete(struct assoc_array *array,
224 const struct assoc_array_ops *ops,
225 const void *index_key);
226
227 This deletes an object that matches the specified data from the array.
228
229 The index_key argument should hold index key information and is
230 passed to the methods in the ops table when they are called.
231
232 This function makes no alteration to the array itself, but rather returns
233 an edit script that must be applied. -ENOMEM is returned in the case of
234 an out-of-memory error. NULL will be returned if the specified object is
235 not found within the array.
236
237 The caller should lock exclusively against other modifiers of the array.
238
239
240 (4) Delete all objects from an associative array.
241
242 struct assoc_array_edit *
243 assoc_array_clear(struct assoc_array *array,
244 const struct assoc_array_ops *ops);
245
246 This deletes all the objects from an associative array and leaves it
247 completely empty.
248
249 This function makes no alteration to the array itself, but rather returns
250 an edit script that must be applied. -ENOMEM is returned in the case of
251 an out-of-memory error.
252
253 The caller should lock exclusively against other modifiers of the array.
254
255
256 (5) Destroy an associative array, deleting all objects.
257
258 void assoc_array_destroy(struct assoc_array *array,
259 const struct assoc_array_ops *ops);
260
261 This destroys the contents of the associative array and leaves it
262 completely empty. It is not permitted for another thread to be traversing
263 the array under the RCU read lock at the same time as this function is
264 destroying it as no RCU deferral is performed on memory release -
265 something that would require memory to be allocated.
266
267 The caller should lock exclusively against other modifiers and accessors
268 of the array.
269
270
271 (6) Garbage collect an associative array.
272
273 int assoc_array_gc(struct assoc_array *array,
274 const struct assoc_array_ops *ops,
275 bool (*iterator)(void *object, void *iterator_data),
276 void *iterator_data);
277
278 This iterates over the objects in an associative array and passes each one
279 to iterator(). If iterator() returns true, the object is kept. If it
280 returns false, the object will be freed. If the iterator() function
281 returns true, it must perform any appropriate refcount incrementing on the
282 object before returning.
283
284 The internal tree will be packed down if possible as part of the iteration
285 to reduce the number of nodes in it.
286
287 The iterator_data is passed directly to iterator() and is otherwise
288 ignored by the function.
289
290 The function will return 0 if successful and -ENOMEM if there wasn't
291 enough memory.
292
293 It is possible for other threads to iterate over or search the array under
294 the RCU read lock whilst this function is in progress. The caller should
295 lock exclusively against other modifiers of the array.
296
297
298ACCESS FUNCTIONS
299----------------
300
301There are two functions for accessing an associative array:
302
303 (1) Iterate over all the objects in an associative array.
304
305 int assoc_array_iterate(const struct assoc_array *array,
306 int (*iterator)(const void *object,
307 void *iterator_data),
308 void *iterator_data);
309
310 This passes each object in the array to the iterator callback function.
311 iterator_data is private data for that function.
312
313 This may be used on an array at the same time as the array is being
314 modified, provided the RCU read lock is held. Under such circumstances,
315 it is possible for the iteration function to see some objects twice. If
316 this is a problem, then modification should be locked against. The
317 iteration algorithm should not, however, miss any objects.
318
319 The function will return 0 if no objects were in the array or else it will
320 return the result of the last iterator function called. Iteration stops
321 immediately if any call to the iteration function results in a non-zero
322 return.
323
324
325 (2) Find an object in an associative array.
326
327 void *assoc_array_find(const struct assoc_array *array,
328 const struct assoc_array_ops *ops,
329 const void *index_key);
330
331 This walks through the array's internal tree directly to the object
332 specified by the index key..
333
334 This may be used on an array at the same time as the array is being
335 modified, provided the RCU read lock is held.
336
337 The function will return the object if found (and set *_type to the object
338 type) or will return NULL if the object was not found.
339
340
341INDEX KEY FORM
342--------------
343
344The index key can be of any form, but since the algorithms aren't told how long
345the key is, it is strongly recommended that the index key includes its length
346very early on before any variation due to the length would have an effect on
347comparisons.
348
349This will cause leaves with different length keys to scatter away from each
350other - and those with the same length keys to cluster together.
351
352It is also recommended that the index key begin with a hash of the rest of the
353key to maximise scattering throughout keyspace.
354
355The better the scattering, the wider and lower the internal tree will be.
356
357Poor scattering isn't too much of a problem as there are shortcuts and nodes
358can contain mixtures of leaves and metadata pointers.
359
360The index key is read in chunks of machine word. Each chunk is subdivided into
361one nibble (4 bits) per level, so on a 32-bit CPU this is good for 8 levels and
362on a 64-bit CPU, 16 levels. Unless the scattering is really poor, it is
363unlikely that more than one word of any particular index key will have to be
364used.
365
366
367=================
368INTERNAL WORKINGS
369=================
370
371The associative array data structure has an internal tree. This tree is
372constructed of two types of metadata blocks: nodes and shortcuts.
373
374A node is an array of slots. Each slot can contain one of four things:
375
376 (*) A NULL pointer, indicating that the slot is empty.
377
378 (*) A pointer to an object (a leaf).
379
380 (*) A pointer to a node at the next level.
381
382 (*) A pointer to a shortcut.
383
384
385BASIC INTERNAL TREE LAYOUT
386--------------------------
387
388Ignoring shortcuts for the moment, the nodes form a multilevel tree. The index
389key space is strictly subdivided by the nodes in the tree and nodes occur on
390fixed levels. For example:
391
392 Level: 0 1 2 3
393 =============== =============== =============== ===============
394 NODE D
395 NODE B NODE C +------>+---+
396 +------>+---+ +------>+---+ | | 0 |
397 NODE A | | 0 | | | 0 | | +---+
398 +---+ | +---+ | +---+ | : :
399 | 0 | | : : | : : | +---+
400 +---+ | +---+ | +---+ | | f |
401 | 1 |---+ | 3 |---+ | 7 |---+ +---+
402 +---+ +---+ +---+
403 : : : : | 8 |---+
404 +---+ +---+ +---+ | NODE E
405 | e |---+ | f | : : +------>+---+
406 +---+ | +---+ +---+ | 0 |
407 | f | | | f | +---+
408 +---+ | +---+ : :
409 | NODE F +---+
410 +------>+---+ | f |
411 | 0 | NODE G +---+
412 +---+ +------>+---+
413 : : | | 0 |
414 +---+ | +---+
415 | 6 |---+ : :
416 +---+ +---+
417 : : | f |
418 +---+ +---+
419 | f |
420 +---+
421
422In the above example, there are 7 nodes (A-G), each with 16 slots (0-f).
423Assuming no other meta data nodes in the tree, the key space is divided thusly:
424
425 KEY PREFIX NODE
426 ========== ====
427 137* D
428 138* E
429 13[0-69-f]* C
430 1[0-24-f]* B
431 e6* G
432 e[0-57-f]* F
433 [02-df]* A
434
435So, for instance, keys with the following example index keys will be found in
436the appropriate nodes:
437
438 INDEX KEY PREFIX NODE
439 =============== ======= ====
440 13694892892489 13 C
441 13795289025897 137 D
442 13889dde88793 138 E
443 138bbb89003093 138 E
444 1394879524789 12 C
445 1458952489 1 B
446 9431809de993ba - A
447 b4542910809cd - A
448 e5284310def98 e F
449 e68428974237 e6 G
450 e7fffcbd443 e F
451 f3842239082 - A
452
453To save memory, if a node can hold all the leaves in its portion of keyspace,
454then the node will have all those leaves in it and will not have any metadata
455pointers - even if some of those leaves would like to be in the same slot.
456
457A node can contain a heterogeneous mix of leaves and metadata pointers.
458Metadata pointers must be in the slots that match their subdivisions of key
459space. The leaves can be in any slot not occupied by a metadata pointer. It
460is guaranteed that none of the leaves in a node will match a slot occupied by a
461metadata pointer. If the metadata pointer is there, any leaf whose key matches
462the metadata key prefix must be in the subtree that the metadata pointer points
463to.
464
465In the above example list of index keys, node A will contain:
466
467 SLOT CONTENT INDEX KEY (PREFIX)
468 ==== =============== ==================
469 1 PTR TO NODE B 1*
470 any LEAF 9431809de993ba
471 any LEAF b4542910809cd
472 e PTR TO NODE F e*
473 any LEAF f3842239082
474
475and node B:
476
477 3 PTR TO NODE C 13*
478 any LEAF 1458952489
479
480
481SHORTCUTS
482---------
483
484Shortcuts are metadata records that jump over a piece of keyspace. A shortcut
485is a replacement for a series of single-occupancy nodes ascending through the
486levels. Shortcuts exist to save memory and to speed up traversal.
487
488It is possible for the root of the tree to be a shortcut - say, for example,
489the tree contains at least 17 nodes all with key prefix '1111'. The insertion
490algorithm will insert a shortcut to skip over the '1111' keyspace in a single
491bound and get to the fourth level where these actually become different.
492
493
494SPLITTING AND COLLAPSING NODES
495------------------------------
496
497Each node has a maximum capacity of 16 leaves and metadata pointers. If the
498insertion algorithm finds that it is trying to insert a 17th object into a
499node, that node will be split such that at least two leaves that have a common
500key segment at that level end up in a separate node rooted on that slot for
501that common key segment.
502
503If the leaves in a full node and the leaf that is being inserted are
504sufficiently similar, then a shortcut will be inserted into the tree.
505
506When the number of objects in the subtree rooted at a node falls to 16 or
507fewer, then the subtree will be collapsed down to a single node - and this will
508ripple towards the root if possible.
509
510
511NON-RECURSIVE ITERATION
512-----------------------
513
514Each node and shortcut contains a back pointer to its parent and the number of
515slot in that parent that points to it. None-recursive iteration uses these to
516proceed rootwards through the tree, going to the parent node, slot N + 1 to
517make sure progress is made without the need for a stack.
518
519The backpointers, however, make simultaneous alteration and iteration tricky.
520
521
522SIMULTANEOUS ALTERATION AND ITERATION
523-------------------------------------
524
525There are a number of cases to consider:
526
527 (1) Simple insert/replace. This involves simply replacing a NULL or old
528 matching leaf pointer with the pointer to the new leaf after a barrier.
529 The metadata blocks don't change otherwise. An old leaf won't be freed
530 until after the RCU grace period.
531
532 (2) Simple delete. This involves just clearing an old matching leaf. The
533 metadata blocks don't change otherwise. The old leaf won't be freed until
534 after the RCU grace period.
535
536 (3) Insertion replacing part of a subtree that we haven't yet entered. This
537 may involve replacement of part of that subtree - but that won't affect
538 the iteration as we won't have reached the pointer to it yet and the
539 ancestry blocks are not replaced (the layout of those does not change).
540
541 (4) Insertion replacing nodes that we're actively processing. This isn't a
542 problem as we've passed the anchoring pointer and won't switch onto the
543 new layout until we follow the back pointers - at which point we've
544 already examined the leaves in the replaced node (we iterate over all the
545 leaves in a node before following any of its metadata pointers).
546
547 We might, however, re-see some leaves that have been split out into a new
548 branch that's in a slot further along than we were at.
549
550 (5) Insertion replacing nodes that we're processing a dependent branch of.
551 This won't affect us until we follow the back pointers. Similar to (4).
552
553 (6) Deletion collapsing a branch under us. This doesn't affect us because the
554 back pointers will get us back to the parent of the new node before we
555 could see the new node. The entire collapsed subtree is thrown away
556 unchanged - and will still be rooted on the same slot, so we shouldn't
557 process it a second time as we'll go back to slot + 1.
558
559Note:
560
561 (*) Under some circumstances, we need to simultaneously change the parent
562 pointer and the parent slot pointer on a node (say, for example, we
563 inserted another node before it and moved it up a level). We cannot do
564 this without locking against a read - so we have to replace that node too.
565
566 However, when we're changing a shortcut into a node this isn't a problem
567 as shortcuts only have one slot and so the parent slot number isn't used
568 when traversing backwards over one. This means that it's okay to change
569 the slot number first - provided suitable barriers are used to make sure
570 the parent slot number is read after the back pointer.
571
572Obsolete blocks and leaves are freed up after an RCU grace period has passed,
573so as long as anyone doing walking or iteration holds the RCU read lock, the
574old superstructure should not go away on them.
diff --git a/Documentation/devicetree/bindings/i2c/trivial-devices.txt b/Documentation/devicetree/bindings/i2c/trivial-devices.txt
index ad6a73852f08..f1fb26eed0e9 100644
--- a/Documentation/devicetree/bindings/i2c/trivial-devices.txt
+++ b/Documentation/devicetree/bindings/i2c/trivial-devices.txt
@@ -15,6 +15,7 @@ adi,adt7461 +/-1C TDM Extended Temp Range I.C
15adt7461 +/-1C TDM Extended Temp Range I.C 15adt7461 +/-1C TDM Extended Temp Range I.C
16at,24c08 i2c serial eeprom (24cxx) 16at,24c08 i2c serial eeprom (24cxx)
17atmel,24c02 i2c serial eeprom (24cxx) 17atmel,24c02 i2c serial eeprom (24cxx)
18atmel,at97sc3204t i2c trusted platform module (TPM)
18catalyst,24c32 i2c serial eeprom 19catalyst,24c32 i2c serial eeprom
19dallas,ds1307 64 x 8, Serial, I2C Real-Time Clock 20dallas,ds1307 64 x 8, Serial, I2C Real-Time Clock
20dallas,ds1338 I2C RTC with 56-Byte NV RAM 21dallas,ds1338 I2C RTC with 56-Byte NV RAM
@@ -44,6 +45,7 @@ mc,rv3029c2 Real Time Clock Module with I2C-Bus
44national,lm75 I2C TEMP SENSOR 45national,lm75 I2C TEMP SENSOR
45national,lm80 Serial Interface ACPI-Compatible Microprocessor System Hardware Monitor 46national,lm80 Serial Interface ACPI-Compatible Microprocessor System Hardware Monitor
46national,lm92 ±0.33°C Accurate, 12-Bit + Sign Temperature Sensor and Thermal Window Comparator with Two-Wire Interface 47national,lm92 ±0.33°C Accurate, 12-Bit + Sign Temperature Sensor and Thermal Window Comparator with Two-Wire Interface
48nuvoton,npct501 i2c trusted platform module (TPM)
47nxp,pca9556 Octal SMBus and I2C registered interface 49nxp,pca9556 Octal SMBus and I2C registered interface
48nxp,pca9557 8-bit I2C-bus and SMBus I/O port with reset 50nxp,pca9557 8-bit I2C-bus and SMBus I/O port with reset
49nxp,pcf8563 Real-time clock/calendar 51nxp,pcf8563 Real-time clock/calendar
@@ -61,3 +63,4 @@ taos,tsl2550 Ambient Light Sensor with SMBUS/Two Wire Serial Interface
61ti,tsc2003 I2C Touch-Screen Controller 63ti,tsc2003 I2C Touch-Screen Controller
62ti,tmp102 Low Power Digital Temperature Sensor with SMBUS/Two Wire Serial Interface 64ti,tmp102 Low Power Digital Temperature Sensor with SMBUS/Two Wire Serial Interface
63ti,tmp275 Digital Temperature Sensor 65ti,tmp275 Digital Temperature Sensor
66winbond,wpct301 i2c trusted platform module (TPM)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 9ca3e74a10e1..50680a59a2ff 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1190,15 +1190,24 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
1190 owned by uid=0. 1190 owned by uid=0.
1191 1191
1192 ima_hash= [IMA] 1192 ima_hash= [IMA]
1193 Format: { "sha1" | "md5" } 1193 Format: { md5 | sha1 | rmd160 | sha256 | sha384
1194 | sha512 | ... }
1194 default: "sha1" 1195 default: "sha1"
1195 1196
1197 The list of supported hash algorithms is defined
1198 in crypto/hash_info.h.
1199
1196 ima_tcb [IMA] 1200 ima_tcb [IMA]
1197 Load a policy which meets the needs of the Trusted 1201 Load a policy which meets the needs of the Trusted
1198 Computing Base. This means IMA will measure all 1202 Computing Base. This means IMA will measure all
1199 programs exec'd, files mmap'd for exec, and all files 1203 programs exec'd, files mmap'd for exec, and all files
1200 opened for read by uid=0. 1204 opened for read by uid=0.
1201 1205
1206 ima_template= [IMA]
1207 Select one of defined IMA measurements template formats.
1208 Formats: { "ima" | "ima-ng" }
1209 Default: "ima-ng"
1210
1202 init= [KNL] 1211 init= [KNL]
1203 Format: <full_path> 1212 Format: <full_path>
1204 Run specified binary instead of /sbin/init as init 1213 Run specified binary instead of /sbin/init as init
diff --git a/Documentation/security/00-INDEX b/Documentation/security/00-INDEX
index 414235c1fcfc..45c82fd3e9d3 100644
--- a/Documentation/security/00-INDEX
+++ b/Documentation/security/00-INDEX
@@ -22,3 +22,5 @@ keys.txt
22 - description of the kernel key retention service. 22 - description of the kernel key retention service.
23tomoyo.txt 23tomoyo.txt
24 - documentation on the TOMOYO Linux Security Module. 24 - documentation on the TOMOYO Linux Security Module.
25IMA-templates.txt
26 - documentation on the template management mechanism for IMA.
diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
new file mode 100644
index 000000000000..a777e5f1df5b
--- /dev/null
+++ b/Documentation/security/IMA-templates.txt
@@ -0,0 +1,87 @@
1 IMA Template Management Mechanism
2
3
4==== INTRODUCTION ====
5
6The original 'ima' template is fixed length, containing the filedata hash
7and pathname. The filedata hash is limited to 20 bytes (md5/sha1).
8The pathname is a null terminated string, limited to 255 characters.
9To overcome these limitations and to add additional file metadata, it is
10necessary to extend the current version of IMA by defining additional
11templates. For example, information that could be possibly reported are
12the inode UID/GID or the LSM labels either of the inode and of the process
13that is accessing it.
14
15However, the main problem to introduce this feature is that, each time
16a new template is defined, the functions that generate and display
17the measurements list would include the code for handling a new format
18and, thus, would significantly grow over the time.
19
20The proposed solution solves this problem by separating the template
21management from the remaining IMA code. The core of this solution is the
22definition of two new data structures: a template descriptor, to determine
23which information should be included in the measurement list; a template
24field, to generate and display data of a given type.
25
26Managing templates with these structures is very simple. To support
27a new data type, developers define the field identifier and implement
28two functions, init() and show(), respectively to generate and display
29measurement entries. Defining a new template descriptor requires
30specifying the template format, a string of field identifiers separated
31by the '|' character. While in the current implementation it is possible
32to define new template descriptors only by adding their definition in the
33template specific code (ima_template.c), in a future version it will be
34possible to register a new template on a running kernel by supplying to IMA
35the desired format string. In this version, IMA initializes at boot time
36all defined template descriptors by translating the format into an array
37of template fields structures taken from the set of the supported ones.
38
39After the initialization step, IMA will call ima_alloc_init_template()
40(new function defined within the patches for the new template management
41mechanism) to generate a new measurement entry by using the template
42descriptor chosen through the kernel configuration or through the newly
43introduced 'ima_template=' kernel command line parameter. It is during this
44phase that the advantages of the new architecture are clearly shown:
45the latter function will not contain specific code to handle a given template
46but, instead, it simply calls the init() method of the template fields
47associated to the chosen template descriptor and store the result (pointer
48to allocated data and data length) in the measurement entry structure.
49
50The same mechanism is employed to display measurements entries.
51The functions ima[_ascii]_measurements_show() retrieve, for each entry,
52the template descriptor used to produce that entry and call the show()
53method for each item of the array of template fields structures.
54
55
56
57==== SUPPORTED TEMPLATE FIELDS AND DESCRIPTORS ====
58
59In the following, there is the list of supported template fields
60('<identifier>': description), that can be used to define new template
61descriptors by adding their identifier to the format string
62(support for more data types will be added later):
63
64 - 'd': the digest of the event (i.e. the digest of a measured file),
65 calculated with the SHA1 or MD5 hash algorithm;
66 - 'n': the name of the event (i.e. the file name), with size up to 255 bytes;
67 - 'd-ng': the digest of the event, calculated with an arbitrary hash
68 algorithm (field format: [<hash algo>:]digest, where the digest
69 prefix is shown only if the hash algorithm is not SHA1 or MD5);
70 - 'n-ng': the name of the event, without size limitations.
71
72
73Below, there is the list of defined template descriptors:
74 - "ima": its format is 'd|n';
75 - "ima-ng" (default): its format is 'd-ng|n-ng'.
76
77
78
79==== USE ====
80
81To specify the template descriptor to be used to generate measurement entries,
82currently the following methods are supported:
83
84 - select a template descriptor among those supported in the kernel
85 configuration ('ima-ng' is the default choice);
86 - specify a template descriptor name from the kernel command line through
87 the 'ima_template=' parameter.
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index 7b4145d00452..a4c33f1a7c6d 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -865,15 +865,14 @@ encountered:
865 calling processes has a searchable link to the key from one of its 865 calling processes has a searchable link to the key from one of its
866 keyrings. There are three functions for dealing with these: 866 keyrings. There are three functions for dealing with these:
867 867
868 key_ref_t make_key_ref(const struct key *key, 868 key_ref_t make_key_ref(const struct key *key, bool possession);
869 unsigned long possession);
870 869
871 struct key *key_ref_to_ptr(const key_ref_t key_ref); 870 struct key *key_ref_to_ptr(const key_ref_t key_ref);
872 871
873 unsigned long is_key_possessed(const key_ref_t key_ref); 872 bool is_key_possessed(const key_ref_t key_ref);
874 873
875 The first function constructs a key reference from a key pointer and 874 The first function constructs a key reference from a key pointer and
876 possession information (which must be 0 or 1 and not any other value). 875 possession information (which must be true or false).
877 876
878 The second function retrieves the key pointer from a reference and the 877 The second function retrieves the key pointer from a reference and the
879 third retrieves the possession flag. 878 third retrieves the possession flag.
@@ -961,14 +960,17 @@ payload contents" for more information.
961 the argument will not be parsed. 960 the argument will not be parsed.
962 961
963 962
964(*) Extra references can be made to a key by calling the following function: 963(*) Extra references can be made to a key by calling one of the following
964 functions:
965 965
966 struct key *__key_get(struct key *key);
966 struct key *key_get(struct key *key); 967 struct key *key_get(struct key *key);
967 968
968 These need to be disposed of by calling key_put() when they've been 969 Keys so references will need to be disposed of by calling key_put() when
969 finished with. The key pointer passed in will be returned. If the pointer 970 they've been finished with. The key pointer passed in will be returned.
970 is NULL or CONFIG_KEYS is not set then the key will not be dereferenced and 971
971 no increment will take place. 972 In the case of key_get(), if the pointer is NULL or CONFIG_KEYS is not set
973 then the key will not be dereferenced and no increment will take place.
972 974
973 975
974(*) A key's serial number can be obtained by calling: 976(*) A key's serial number can be obtained by calling: