22 Feb, 2019

2 commits

  • There is a lot of kern-doc for the LSM internals, but it wasn't visible
    in the HTML output. This exposes some formatting flaws in lsm_hooks.h
    that will be fixed in a later series of patches.

    Signed-off-by: Kees Cook
    Signed-off-by: Jonathan Corbet

    Kees Cook
     
  • The SCTP sections were ending up at the top-level table of contents
    under the security section when they should have been sections with the
    SCTP chapters. In addition to correcting the section and subsection
    headings, this merges the SCTP documents into a single file to organize
    the chapters more clearly, internally linkifies them, and adds the
    missing SPDX header.

    Signed-off-by: Kees Cook
    Acked-by: Paul Moore
    Signed-off-by: Jonathan Corbet

    Kees Cook
     

03 Jan, 2019

1 commit

  • …morris/linux-security

    Pull integrity updates from James Morris:
    "In Linux 4.19, a new LSM hook named security_kernel_load_data was
    upstreamed, allowing LSMs and IMA to prevent the kexec_load syscall.
    Different signature verification methods exist for verifying the
    kexec'ed kernel image. This adds additional support in IMA to prevent
    loading unsigned kernel images via the kexec_load syscall,
    independently of the IMA policy rules, based on the runtime "secure
    boot" flag. An initial IMA kselftest is included.

    In addition, this pull request defines a new, separate keyring named
    ".platform" for storing the preboot/firmware keys needed for verifying
    the kexec'ed kernel image's signature and includes the associated IMA
    kexec usage of the ".platform" keyring.

    (David Howells' and Josh Boyer's patches for reading the
    preboot/firmware keys, which were previously posted for a different
    use case scenario, are included here)"

    * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    integrity: Remove references to module keyring
    ima: Use inode_is_open_for_write
    ima: Support platform keyring for kernel appraisal
    efi: Allow the "db" UEFI variable to be suppressed
    efi: Import certificates from UEFI Secure Boot
    efi: Add an EFI signature blob parser
    efi: Add EFI signature data types
    integrity: Load certs to the platform keyring
    integrity: Define a trusted platform keyring
    selftests/ima: kexec_load syscall test
    ima: don't measure/appraise files on efivarfs
    x86/ima: retry detecting secure boot mode
    docs: Extend trusted keys documentation for TPM 2.0
    x86/ima: define arch_get_ima_policy() for x86
    ima: add support for arch specific policies
    ima: refactor ima_init_policy()
    ima: prevent kexec_load syscall based on runtime secureboot flag
    x86/ima: define arch_ima_get_secureboot
    integrity: support new struct public_key_signature encoding field

    Linus Torvalds
     

30 Dec, 2018

1 commit

  • Pull documentation update from Jonathan Corbet:
    "A fairly normal cycle for documentation stuff. We have a new document
    on perf security, more Italian translations, more improvements to the
    memory-management docs, improvements to the pathname lookup
    documentation, and the usual array of smaller fixes.

    As is often the case, there are a few reaches outside of
    Documentation/ to adjust kerneldoc comments"

    * tag 'docs-5.0' of git://git.lwn.net/linux: (38 commits)
    docs: improve pathname-lookup document structure
    configfs: fix wrong name of struct in documentation
    docs/mm-api: link slab_common.c to "The Slab Cache" section
    slab: make kmem_cache_create{_usercopy} description proper kernel-doc
    doc:process: add links where missing
    docs/core-api: make mm-api.rst more structured
    x86, boot: documentation whitespace fixup
    Documentation: devres: note checking needs when converting
    doc:it: add some process/* translations
    doc:it: fixes in process/1.Intro
    Documentation: convert path-lookup from markdown to resturctured text
    Documentation/admin-guide: update admin-guide index.rst
    Documentation/admin-guide: introduce perf-security.rst file
    scripts/kernel-doc: Fix struct and struct field attribute processing
    Documentation: dev-tools: Fix typos in index.rst
    Correct gen_init_cpio tool's documentation
    Document /proc/pid PID reuse behavior
    Documentation: update path-lookup.md for parallel lookups
    Documentation: Use "while" instead of "whilst"
    dmaengine: Add mailing list address to the documentation
    ...

    Linus Torvalds
     

14 Dec, 2018

1 commit


11 Dec, 2018

1 commit

  • Extend the documentation for trusted keys with documentation for how to
    set up a key for a TPM 2.0 so it can be used with a TPM 2.0 as well.

    Signed-off-by: Stefan Berger
    Reviewed-by: Mimi Zohar
    Reviewed-by: Dave Jiang
    Acked-by: Dan Williams
    Acked-by: Jerry Snitselaar
    Signed-off-by: Mimi Zohar

    Stefan Berger
     

21 Nov, 2018

1 commit

  • Whilst making an unrelated change to some Documentation, Linus sayeth:

    | Afaik, even in Britain, "whilst" is unusual and considered more
    | formal, and "while" is the common word.
    |
    | [...]
    |
    | Can we just admit that we work with computers, and we don't need to
    | use þe eald Englisc spelling of words that most of the world never
    | uses?

    dictionary.com refers to the word as "Chiefly British", which is
    probably an undesirable attribute for technical documentation.

    Replace all occurrences under Documentation/ with "while".

    Cc: David Howells
    Cc: Liam Girdwood
    Cc: Chris Wilson
    Cc: Michael Halcrow
    Cc: Jonathan Corbet
    Reported-by: Linus Torvalds
    Signed-off-by: Will Deacon
    Signed-off-by: Jonathan Corbet

    Will Deacon
     

02 Nov, 2018

2 commits

  • Pull keys updates from James Morris:
    "Provide five new operations in the key_type struct that can be used to
    provide access to asymmetric key operations. These will be implemented
    for the asymmetric key type in a later patch and may refer to a key
    retained in RAM by the kernel or a key retained in crypto hardware.

    int (*asym_query)(const struct kernel_pkey_params *params,
                      struct kernel_pkey_query *info);
    int (*asym_eds_op)(struct kernel_pkey_params *params,
                       const void *in, void *out);
    int (*asym_verify_signature)(struct kernel_pkey_params *params,
                                 const void *in, const void *in2);

    Since encrypt, decrypt and sign are identical in their interfaces,
    they're rolled together in the asym_eds_op() operation and there's an
    operation ID in the params argument to distinguish them.

    Verify is different in that we supply the data and the signature
    instead and get an error value (or 0) as the only result on the
    expectation that this may well be how a hardware crypto device may
    work"

    * 'next-keys2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (22 commits)
    KEYS: asym_tpm: Add support for the sign operation [ver #2]
    KEYS: asym_tpm: Implement tpm_sign [ver #2]
    KEYS: asym_tpm: Implement signature verification [ver #2]
    KEYS: asym_tpm: Implement the decrypt operation [ver #2]
    KEYS: asym_tpm: Implement tpm_unbind [ver #2]
    KEYS: asym_tpm: Add loadkey2 and flushspecific [ver #2]
    KEYS: Move trusted.h to include/keys [ver #2]
    KEYS: trusted: Expose common functionality [ver #2]
    KEYS: asym_tpm: Implement encryption operation [ver #2]
    KEYS: asym_tpm: Implement pkey_query [ver #2]
    KEYS: Add parser for TPM-based keys [ver #2]
    KEYS: asym_tpm: extract key size & public key [ver #2]
    KEYS: asym_tpm: add skeleton for asym_tpm [ver #2]
    crypto: rsa-pkcs1pad: Allow hash to be optional [ver #2]
    KEYS: Implement PKCS#8 RSA Private Key parser [ver #2]
    KEYS: Implement encrypt, decrypt and sign for software asymmetric key [ver #2]
    KEYS: Allow the public_key struct to hold a private key [ver #2]
    KEYS: Provide software public key query function [ver #2]
    KEYS: Make the X.509 and PKCS7 parsers supply the sig encoding type [ver #2]
    KEYS: Provide missing asymmetric key subops for new key type ops [ver #2]
    ...

    Linus Torvalds
     
  • Pull stackleak gcc plugin from Kees Cook:
    "Please pull this new GCC plugin, stackleak, for v4.20-rc1. This plugin
    was ported from grsecurity by Alexander Popov. It provides efficient
    stack content poisoning at syscall exit. This creates a defense
    against at least two classes of flaws:

    - Uninitialized stack usage. (We continue to work on improving the
    compiler to do this in other ways: e.g. unconditional zero init was
    proposed to GCC and Clang, and more plugin work has started too).

    - Stack content exposure. By greatly reducing the lifetime of valid
    stack contents, exposures via either direct read bugs or unknown
    cache side-channels become much more difficult to exploit. This
    complements the existing buddy and heap poisoning options, but
    provides the coverage for stacks.

    The x86 hooks are included in this series (which have been reviewed by
    Ingo, Dave Hansen, and Thomas Gleixner). The arm64 hooks have already
    been merged through the arm64 tree (written by Laura Abbott and
    reviewed by Mark Rutland and Will Deacon).

    With VLAs having been removed this release, there is no need for
    alloca() protection, so it has been removed from the plugin"

    * tag 'stackleak-v4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
    arm64: Drop unneeded stackleak_check_alloca()
    stackleak: Allow runtime disabling of kernel stack erasing
    doc: self-protection: Add information about STACKLEAK feature
    fs/proc: Show STACKLEAK metrics in the /proc file system
    lkdtm: Add a test for STACKLEAK
    gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
    x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls

    Linus Torvalds
     

26 Oct, 2018

2 commits

  • Provide five keyctl functions that permit userspace to make use of the new
    key type ops for accessing and driving asymmetric keys.

    (*) Query an asymmetric key.

    long keyctl(KEYCTL_PKEY_QUERY,
                key_serial_t key, unsigned long reserved,
                struct keyctl_pkey_query *info);

    Get information about an asymmetric key. The information is returned
    in the keyctl_pkey_query struct:

    __u32 supported_ops;

    A bit mask of flags indicating which ops are supported. This is
    constructed from a bitwise-OR of:

    KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}

    __u32 key_size;

    The size in bits of the key.

    __u16 max_data_size;
    __u16 max_sig_size;
    __u16 max_enc_size;
    __u16 max_dec_size;

    The maximum sizes in bytes of a blob of data to be signed, a signature
    blob, a blob to be encrypted and a blob to be decrypted.

    reserved must be set to 0. This is intended for future use to hand
    over one or more passphrases needed to unlock a key.

    If successful, 0 is returned. If the key is not an asymmetric key,
    EOPNOTSUPP is returned.

    (*) Encrypt, decrypt, sign or verify a blob using an asymmetric key.

    long keyctl(KEYCTL_PKEY_ENCRYPT,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                void *out);

    long keyctl(KEYCTL_PKEY_DECRYPT,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                void *out);

    long keyctl(KEYCTL_PKEY_SIGN,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                void *out);

    long keyctl(KEYCTL_PKEY_VERIFY,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                const void *in2);

    Use an asymmetric key to perform a public-key cryptographic operation on
    a blob of data.

    The parameter block pointed to by params contains a number of integer
    values:

    __s32 key_id;
    __u32 in_len;
    __u32 out_len;
    __u32 in2_len;

    For a given operation, the in and out buffers are used as follows:

    Operation ID            in,in_len       out,out_len     in2,in2_len
    ======================= =============== =============== ===========
    KEYCTL_PKEY_ENCRYPT     Raw data        Encrypted data  -
    KEYCTL_PKEY_DECRYPT     Encrypted data  Raw data        -
    KEYCTL_PKEY_SIGN        Raw data        Signature       -
    KEYCTL_PKEY_VERIFY      Raw data        -               Signature

    info is a string of key=value pairs that supply supplementary
    information.

    The __spare space in the parameter block must be set to 0. This is
    intended, amongst other things, to allow the passing of passphrases
    required to unlock a key.

    If successful, encrypt, decrypt and sign all return the amount of data
    written into the output buffer. Verification returns 0 on success.

    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Reviewed-by: Denis Kenzior
    Tested-by: Denis Kenzior
    Signed-off-by: James Morris

    David Howells
     
  • Provide five new operations in the key_type struct that can be used to
    provide access to asymmetric key operations. These will be implemented for
    the asymmetric key type in a later patch and may refer to a key retained in
    RAM by the kernel or a key retained in crypto hardware.

    int (*asym_query)(const struct kernel_pkey_params *params,
                      struct kernel_pkey_query *info);
    int (*asym_eds_op)(struct kernel_pkey_params *params,
                       const void *in, void *out);
    int (*asym_verify_signature)(struct kernel_pkey_params *params,
                                 const void *in, const void *in2);

    Since encrypt, decrypt and sign are identical in their interfaces, they're
    rolled together in the asym_eds_op() operation and there's an operation ID
    in the params argument to distinguish them.

    Verify is different in that we supply the data and the signature instead
    and get an error value (or 0) as the only result on the expectation that
    this may well be how a hardware crypto device may work.

    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Reviewed-by: Denis Kenzior
    Tested-by: Denis Kenzior
    Signed-off-by: James Morris

    David Howells
     

25 Oct, 2018

1 commit

  • Pull documentation updates from Jonathan Corbet:
    "This is a fairly typical cycle for documentation. There's some welcome
    readability improvements for the formatted output, some LICENSES
    updates including the addition of the ISC license, the removal of the
    unloved and unmaintained 00-INDEX files, the deprecated APIs document
    from Kees, more MM docs from Mike Rapoport, and the usual pile of typo
    fixes and corrections"

    * tag 'docs-4.20' of git://git.lwn.net/linux: (41 commits)
    docs: Fix typos in histogram.rst
    docs: Introduce deprecated APIs list
    kernel-doc: fix declaration type determination
    doc: fix a typo in adding-syscalls.rst
    docs/admin-guide: memory-hotplug: remove table of contents
    doc: printk-formats: Remove bogus kobject references for device nodes
    Documentation: preempt-locking: Use better example
    dm flakey: Document "error_writes" feature
    docs/completion.txt: Fix a couple of punctuation nits
    LICENSES: Add ISC license text
    LICENSES: Add note to CDDL-1.0 license that it should not be used
    docs/core-api: memory-hotplug: add some details about locking internals
    docs/core-api: rename memory-hotplug-notifier to memory-hotplug
    docs: improve readability for people with poorer eyesight
    yama: clarify ptrace_scope=2 in Yama documentation
    docs/vm: split memory hotplug notifier description to Documentation/core-api
    docs: move memory hotplug description into admin-guide/mm
    doc: Fix acronym "FEKEK" in ecryptfs
    docs: fix some broken documentation references
    iommu: Fix passthrough option documentation
    ...

    Linus Torvalds
     

10 Oct, 2018

1 commit

  • Acked-by: Kees Cook

    Fix Documentation location reference for where LSM descriptions should
    be placed.

    Suggested-by: Kees Cook
    Signed-off-by: Randy Dunlap
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Cc: linux-security-module@vger.kernel.org
    Signed-off-by: James Morris

    Randy Dunlap
     

21 Sep, 2018

1 commit


05 Sep, 2018

1 commit


14 Jun, 2018

1 commit

  • The changes to automatically test for working stack protector compiler
    support in the Kconfig files removed the special STACKPROTECTOR_AUTO
    option that picked the strongest stack protector that the compiler
    supported.

    That was all a nice cleanup - it makes no sense to have the AUTO case
    now that the Kconfig phase can just determine the compiler support
    directly.

    HOWEVER.

    It also meant that doing "make oldconfig" would now _disable_ the strong
    stackprotector if you had AUTO enabled, because in a legacy config file,
    the sane stack protector configuration would look like

    CONFIG_HAVE_CC_STACKPROTECTOR=y
    # CONFIG_CC_STACKPROTECTOR_NONE is not set
    # CONFIG_CC_STACKPROTECTOR_REGULAR is not set
    # CONFIG_CC_STACKPROTECTOR_STRONG is not set
    CONFIG_CC_STACKPROTECTOR_AUTO=y

    and when you ran this through "make oldconfig" with the Kbuild changes,
    it would ask you about the regular CONFIG_CC_STACKPROTECTOR (that had
    been renamed from CONFIG_CC_STACKPROTECTOR_REGULAR to just
    CONFIG_CC_STACKPROTECTOR), but it would think that the STRONG version
    used to be disabled (because it was really enabled by AUTO), and would
    disable it in the new config, resulting in:

    CONFIG_HAVE_CC_STACKPROTECTOR=y
    CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
    CONFIG_CC_STACKPROTECTOR=y
    # CONFIG_CC_STACKPROTECTOR_STRONG is not set
    CONFIG_CC_HAS_SANE_STACKPROTECTOR=y

    That's dangerously subtle - people could suddenly find themselves with
    the weaker stack protector setup without even realizing.

    The solution here is to just rename not just the old REGULAR stack
    protector option, but also the strong one. This does that by just
    removing the CC_ prefix entirely for the user choices, because it really
    is not about the compiler support (the compiler support now instead
    automatically impacts _visibility_ of the options to users).

    This results in "make oldconfig" actually asking the user for their
    choice, so that we don't have any silent subtle security model changes.
    The end result would generally look like this:

    CONFIG_HAVE_CC_STACKPROTECTOR=y
    CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
    CONFIG_STACKPROTECTOR=y
    CONFIG_STACKPROTECTOR_STRONG=y
    CONFIG_CC_HAS_SANE_STACKPROTECTOR=y

    where the "CC_" versions really are about internal compiler
    infrastructure, not the user selections.

    Acked-by: Masahiro Yamada
    Signed-off-by: Linus Torvalds

    Linus Torvalds
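A check for the silent downgrade the commit above describes, added here as an example (it is not code from the commit or the kernel tree): it parses both the legacy CONFIG_CC_STACKPROTECTOR_* names and the renamed CONFIG_STACKPROTECTOR* names and compares the effective stack-protector level of two .config files. The three embedded config fragments are the ones quoted in the commit message; the one assumption is that the compiler supports the strong protector, as the commit's example implies.

```python
# Added example, not the commit's code: report the effective stack-protector
# level of a kernel .config under legacy and renamed symbol names, so a silent
# STRONG -> regular drop after "make oldconfig" can be caught before a build.
import re
_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.+)|# (CONFIG_\w+) is not set)$")

def parse_config(text):
    """Map CONFIG_ symbols to values; '# X is not set' lines become 'n'."""
    cfg = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m is None:          # header lines, comments and blank lines
            continue
        if m.group(1):
            cfg[m.group(1)] = m.group(2)
        else:
            cfg[m.group(3)] = "n"
    return cfg

def stackprotector_level(cfg):
    """Return 'strong', 'regular', 'none' or 'unknown'.
    Assumes, as the commit's example does, that the compiler supports the
    strong protector, so legacy CC_STACKPROTECTOR_AUTO=y counts as 'strong'."""
    def on(sym):
        return cfg.get(sym) == "y"
    if "CONFIG_STACKPROTECTOR" in cfg:      # renamed, user-facing symbols
        if on("CONFIG_STACKPROTECTOR_STRONG"):
            return "strong"
        return "regular" if on("CONFIG_STACKPROTECTOR") else "none"
    if on("CONFIG_CC_STACKPROTECTOR_AUTO") or on("CONFIG_CC_STACKPROTECTOR_STRONG"):
        return "strong"
    if on("CONFIG_CC_STACKPROTECTOR_REGULAR") or on("CONFIG_CC_STACKPROTECTOR"):
        return "regular"
    if on("CONFIG_CC_STACKPROTECTOR_NONE") or "CONFIG_CC_STACKPROTECTOR" in cfg:
        return "none"
    return "unknown"

_RANK = {"unknown": -1, "none": 0, "regular": 1, "strong": 2}
def downgraded(old_text, new_text):
    """True when new_text's protector level is weaker than old_text's."""
    old = stackprotector_level(parse_config(old_text))
    new = stackprotector_level(parse_config(new_text))
    return _RANK[new] < _RANK[old]

# The three .config fragments quoted in the commit message (constructed input).
LEGACY = ("CONFIG_HAVE_CC_STACKPROTECTOR=y\n"
          "# CONFIG_CC_STACKPROTECTOR_NONE is not set\n"
          "# CONFIG_CC_STACKPROTECTOR_REGULAR is not set\n"
          "# CONFIG_CC_STACKPROTECTOR_STRONG is not set\n"
          "CONFIG_CC_STACKPROTECTOR_AUTO=y\n")
WEAKENED = ("CONFIG_HAVE_CC_STACKPROTECTOR=y\n"
            "CONFIG_CC_HAS_STACKPROTECTOR_NONE=y\n"
            "CONFIG_CC_STACKPROTECTOR=y\n"
            "# CONFIG_CC_STACKPROTECTOR_STRONG is not set\n"
            "CONFIG_CC_HAS_SANE_STACKPROTECTOR=y\n")
FIXED = ("CONFIG_HAVE_CC_STACKPROTECTOR=y\n"
         "CONFIG_CC_HAS_STACKPROTECTOR_NONE=y\n"
         "CONFIG_STACKPROTECTOR=y\n"
         "CONFIG_STACKPROTECTOR_STRONG=y\n"
         "CONFIG_CC_HAS_SANE_STACKPROTECTOR=y\n")
```

Running `downgraded(old, new)` over the pre- and post-`make oldconfig` files flags exactly the LEGACY to WEAKENED transition the commit warns about, while the FIXED output passes.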
     

08 May, 2018

1 commit


21 Mar, 2018

1 commit


27 Feb, 2018

1 commit


23 Feb, 2018

1 commit


09 Jan, 2018

1 commit

  • This patch updates the documentation with the observations that led
    to commit bdcf0a423ea1 ("kernel: make groups_sort calling a
    responsibility group_info allocators") and the new behaviour required.
    Specifically that groups_sort() should be called on a new group_list
    before set_groups() or set_current_groups() is called.

    Signed-off-by: NeilBrown
    [jc: use proper :c:func: references]
    Signed-off-by: Jonathan Corbet

    NeilBrown
     

22 Dec, 2017

1 commit

  • Hashing addresses printed with printk specifier %p was implemented
    recently. During development a number of issues were raised regarding
    leaking kernel addresses to userspace. Other documentation was updated but
    security/self-protection missed out.

    Add self-protection documentation regarding printing kernel addresses.

    Signed-off-by: Tobin C. Harding
    Signed-off-by: Jonathan Corbet

    Tobin C. Harding
     

16 Nov, 2017

1 commit

  • When keyctl_read() is passed a buffer that is too small, the behavior is
    inconsistent. Some key types will fill as much of the buffer as
    possible, while others won't copy anything. Moreover, the in-kernel
    documentation contradicted the man page on this point.

    Update the in-kernel documentation to say that this point is
    unspecified.

    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     

13 Oct, 2017

1 commit


31 Aug, 2017

1 commit


25 Aug, 2017

1 commit


14 Jul, 2017

1 commit


19 May, 2017

13 commits