Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "This is basically a maintenance update for the TPM driver and EVM/IMA" Fix up conflicts in lib/digsig.c and security/integrity/ima/ima_main.c * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (45 commits) tpm/ibmvtpm: build only when IBM pseries is configured ima: digital signature verification using asymmetric keys ima: rename hash calculation functions ima: use new crypto_shash API instead of old crypto_hash ima: add policy support for file system uuid evm: add file system uuid to EVM hmac tpm_tis: check pnp_acpi_device return code char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment tpm_i2c_stm_st33: removed unused variables/code TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup tpm: Fix cancellation of TPM commands (interrupt mode) tpm: Fix cancellation of TPM commands (polling mode) tpm: Store TPM vendor ID TPM: Work around buggy TPMs that block during continue self test tpm_i2c_stm_st33: fix oops when i2c client is unavailable char/tpm: Use struct dev_pm_ops for power management TPM: STMicroelectronics ST33 I2C BUILD STUFF ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2013-02-21 11:18:12 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-02-21 11:18:12 -0500
commit: 33673dcb372b5d8179c22127ca71deb5f3dc7016 (patch)
tree: d182e9dc6aa127375a92b5eb619d6cd2ddc23ce7 /security/integrity/evm
parent: fe9453a1dcb5fb146f9653267e78f4a558066f6f (diff)
parent: 5b2660326039a32b28766cb4c1a8b1bdcfadc375 (diff)
5 files changed, 18 insertions, 16 deletions
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index afbb59dd262d..fea9749c3756 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -11,3 +11,16 @@ config EVM
          integrity attacks.
          If you are unsure how to answer this question, answer N.
+config EVM_HMAC_VERSION
+        int "EVM HMAC version"
+        depends on EVM
+        default 2
+        help
+          This options adds EVM HMAC version support.
+          1 - original version
+          2 - add per filesystem unique identifier (UUID) (default)
+          WARNING: changing the HMAC calculation method or adding 
+          additional info to the calculation, requires existing EVM
+          labeled file systems to be relabeled.  
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index c885247ebcf7..30bd1ec0232e 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,6 +24,7 @@
 extern int evm_initialized;
 extern char *evm_hmac;
 extern char *evm_hash;
+extern int evm_hmac_version;
 extern struct crypto_shash *hmac_tfm;
 extern struct crypto_shash *hash_tfm;
@@ -45,6 +46,5 @@ extern int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
 extern int evm_init_hmac(struct inode *inode, const struct xattr *xattr,
                         char *hmac_val);
 extern int evm_init_secfs(void);
-extern void evm_cleanup_secfs(void);
 #endif
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 7dd538ef5b83..3bab89eb21d6 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -110,6 +110,9 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
        hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
        hmac_misc.mode = inode->i_mode;
        crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc);
+        if (evm_hmac_version > 1)
+                crypto_shash_update(desc, inode->i_sb->s_uuid,
+                                    sizeof(inode->i_sb->s_uuid));
        crypto_shash_final(desc, digest);
 }
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index eb5484504f50..cdbde1762189 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -26,6 +26,7 @@ int evm_initialized;
 char *evm_hmac = "hmac(sha1)";
 char *evm_hash = "sha1";
+int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
 char *evm_config_xattrnames[] = {
 #ifdef CONFIG_SECURITY_SELINUX
@@ -427,15 +428,6 @@ err:
        return error;
 }
-static void __exit cleanup_evm(void)
-{
-        evm_cleanup_secfs();
-        if (hmac_tfm)
-                crypto_free_shash(hmac_tfm);
-        if (hash_tfm)
-                crypto_free_shash(hash_tfm);
-}
 /*
 * evm_display_config - list the EVM protected security extended attributes
 */
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index ac7629950578..30f670ad6ac3 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -100,9 +100,3 @@ int __init evm_init_secfs(void)
                error = -EFAULT;
        return error;
 }
-void __exit evm_cleanup_secfs(void)
-{
-        if (evm_init_tpm)
-                securityfs_remove(evm_init_tpm);
-}
author	Linus Torvalds <torvalds@linux-foundation.org>	2013-02-21 11:18:12 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-02-21 11:18:12 -0500
commit	33673dcb372b5d8179c22127ca71deb5f3dc7016 (patch)
tree	d182e9dc6aa127375a92b5eb619d6cd2ddc23ce7 /security/integrity/evm
parent	fe9453a1dcb5fb146f9653267e78f4a558066f6f (diff)
parent	5b2660326039a32b28766cb4c1a8b1bdcfadc375 (diff)