Linux kernel source tree
Go to file
Fan Wu 31f8c8682f ipe: enable support for fs-verity as a trust provider
Enable IPE policy authors to indicate trust for a singular fsverity
file, identified by the digest information, through "fsverity_digest"
and all files using valid fsverity builtin signatures via
"fsverity_signature".

This enables file-level integrity claims to be expressed in IPE,
allowing individual files to be authorized, giving some flexibility
for policy authors. Such file-level claims are important to be expressed
for enforcing the integrity of packages, as well as address some of the
scalability issues in a sole dm-verity based solution (# of loop back
devices, etc).

This solution cannot be done in userspace as the minimum threat that
IPE should mitigate is an attacker downloads malicious payload with
all required dependencies. These dependencies can lack the userspace
check, bypassing the protection entirely. A similar attack succeeds if
the userspace component is replaced with a version that does not
perform the check. As a result, this can only be done in the common
entry point - the kernel.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-08-20 14:03:35 -04:00
arch minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
block block,lsm: add LSM blob and new LSM hooks for block devices 2024-08-20 14:02:33 -04:00
certs
crypto
Documentation fsverity: expose verified fsverity built-in signatures to LSMs 2024-08-20 14:03:18 -04:00
drivers dm-verity: expose root hash digest and signature data to LSMs 2024-08-20 14:02:38 -04:00
fs fsverity: expose verified fsverity built-in signatures to LSMs 2024-08-20 14:03:18 -04:00
include fsverity: expose verified fsverity built-in signatures to LSMs 2024-08-20 14:03:18 -04:00
init initramfs,lsm: add a security hook to do_populate_rootfs() 2024-08-20 14:01:41 -04:00
io_uring io_uring/napi: pass ktime to io_napi_adjust_timeout 2024-07-26 08:31:59 -06:00
ipc
kernel Fixes and minor updates for the timer migration code: 2024-07-27 10:19:55 -07:00
lib Rust changes for v6.11 2024-07-27 13:44:54 -07:00
LICENSES
mm mm/page_alloc: fix pcp->count race between drain_pages_zone() vs __rmqueue_pcplist() 2024-07-26 14:33:09 -07:00
net minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
rust Rust changes for v6.11 2024-07-27 13:44:54 -07:00
samples
scripts Kbuild fixes for v6.11 2024-07-28 14:02:48 -07:00
security ipe: enable support for fs-verity as a trust provider 2024-08-20 14:03:35 -04:00
sound Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
tools lsm: add IPE lsm 2024-08-19 22:36:26 -04:00
usr
virt
.clang-format
.cocciconfig
.editorconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap MAINTAINERS: mailmap: update James Clark's email address 2024-07-26 14:32:35 -07:00
.rustfmt.toml
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS CXL for v6.11 merge window 2024-07-28 09:33:28 -07:00
Makefile Linux 6.11-rc1 2024-07-28 14:19:55 -07:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.