linux/Documentation
Fan Wu 7c373e4f14 fsverity: expose verified fsverity built-in signatures to LSMs
This patch enhances fsverity's capabilities to support both integrity and
authenticity protection by introducing the exposure of built-in
signatures through a new LSM hook. This functionality allows LSMs,
e.g. IPE, to enforce policies based on the authenticity and integrity of
files, specifically focusing on built-in fsverity signatures. It enables
a policy enforcement layer within LSMs for fsverity, offering granular
control over the usage of authenticity claims. For instance, a policy
could be established to only permit the execution of all files with
verified built-in fsverity signatures.

The introduction of a security_inode_setintegrity() hook call within
fsverity's workflow ensures that the verified built-in signature of a file
is exposed to LSMs. This enables LSMs to recognize and label fsverity files
that contain a verified built-in fsverity signature. This hook is invoked
subsequent to the fsverity_verify_signature() process, guaranteeing the
signature's verification against fsverity's keyring. This mechanism is
crucial for maintaining system security, as it operates in kernel space,
effectively thwarting attempts by malicious binaries to bypass user space
stack interactions.

The second to last commit in this patch set will add a link to the IPE
documentation in fsverity.rst.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-08-20 14:03:18 -04:00
ABI CXL for v6.11 merge window 2024-07-28 09:33:28 -07:00
accel
accounting
admin-guide more s390 updates for 6.11 merge window 2024-07-26 10:47:53 -07:00
arch RISC-V: Provide the frequency of time CSR via hwprobe 2024-07-26 05:50:51 -07:00
block
bpf
cdrom
core-api Updates for the interrupt subsystem: 2024-07-22 13:52:05 -07:00
cpu-freq
crypto
dev-tools - 875fa64577da ("mm/hugetlb_vmemmap: fix race with speculative PFN 2024-07-21 17:15:46 -07:00
devicetree Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
doc-guide
driver-api CXL for v6.11 merge window 2024-07-28 09:33:28 -07:00
fault-injection
fb
features LoongArch: Add ARCH_HAS_DEBUG_VM_PGTABLE support 2024-07-20 22:40:59 +08:00
filesystems fsverity: expose verified fsverity built-in signatures to LSMs 2024-08-20 14:03:18 -04:00
firmware_class
firmware-guide
fpga
gpu
hid
hwmon
i2c
iio
images
infiniband
input
isdn
kbuild kbuild: doc: gcc to CC change 2024-07-24 01:18:25 +09:00
kernel-hacking
leds
litmus-tests
livepatch
locking
maintainer
mhi
misc-devices
mm - 875fa64577da ("mm/hugetlb_vmemmap: fix race with speculative PFN 2024-07-21 17:15:46 -07:00
netlabel
netlink
networking bpf-for-netdev 2024-07-25 07:40:25 -07:00
nvdimm
nvme
PCI
pcmcia
peci
power
process Rust changes for v6.11 2024-07-27 13:44:54 -07:00
RCU
rust Rust changes for v6.11 2024-07-27 13:44:54 -07:00
scheduler
scsi
security
sound
sphinx
sphinx-static
spi
staging
target
tee
timers
tools
trace
translations pci-v6.11-changes 2024-07-19 19:03:18 -07:00
usb
userspace-api Landlock updates for v6.11-rc1 2024-07-20 11:41:52 -07:00
virt This pull request contains the following changes for UML: 2024-07-25 12:33:08 -07:00
w1
watchdog
wmi
.gitignore
atomic_bitops.txt
atomic_t.txt
Changes
CodingStyle
conf.py
docutils.conf
dontdiff
index.rst
Kconfig
Makefile
memory-barriers.txt
SubmittingPatches
subsystem-apis.rst