04 Aug, 2015

8 commits

  • commit 24fd03c87695a76f0517df42a37e51b1597d2c8a upstream.

    This patch defines a builtin measurement policy "tcb", similar to the
    existing "ima_tcb", but with additional rules to also measure files
    based on the effective uid and to measure files opened with the "read"
    mode bit set (eg. read, read-write).

    Changing the builtin "ima_tcb" policy could potentially break existing
    users. Instead of defining a new separate boot command line option each
    time the builtin measurement policy is modified, this patch defines a
    single generic boot command line option "ima_policy=" to specify the
    builtin policy and deprecates the use of the builtin ima_tcb policy.

    [The "ima_policy=" boot command line option is based on Roberto Sassu's
    "ima: added new policy type exec" patch.]

    Signed-off-by: Mimi Zohar
    Signed-off-by: Dr. Greg Wettstein
    Signed-off-by: Greg Kroah-Hartman

    Mimi Zohar
     
  • commit 4351c294b8c1028077280f761e158d167b592974 upstream.

    The current "mask" policy option matches files opened as MAY_READ,
    MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask"
    option to match files opened containing one of these modes. For
    example, "mask=^MAY_READ" would match files opened read-write.

    Signed-off-by: Mimi Zohar
    Signed-off-by: Dr. Greg Wettstein
    Signed-off-by: Greg Kroah-Hartman

    Mimi Zohar
     
  • commit 139069eff7388407f19794384c42a534d618ccd7 upstream.

    The new "euid" policy condition measures files with the specified
    effective uid (euid). In addition, for CAP_SETUID files it measures
    files with the specified uid or suid.

    Changelog:
    - fixed checkpatch.pl warnings
    - fixed avc denied {setuid} messages - based on Roberto's feedback

    Signed-off-by: Mimi Zohar
    Signed-off-by: Dr. Greg Wettstein
    Signed-off-by: Greg Kroah-Hartman

    Mimi Zohar
     
  • commit 45b26133b97871896b8c5241d59f4ff7839db7b2 upstream.

    This patch fixes a bug introduced in "4d7aeee ima: define new template
    ima-ng and template fields d-ng and n-ng".

    Changelog:
    - change int to uint32 (Roberto Sassu's suggestion)

    Signed-off-by: Mimi Zohar
    Signed-off-by: Roberto Sassu
    Signed-off-by: Greg Kroah-Hartman

    Mimi Zohar
     
  • commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.

    To prevent offline stripping of existing file xattrs and relabeling of
    them at runtime, EVM allows only newly created files to be labeled. As
    pseudo filesystems are not persistent, stripping of xattrs is not a
    concern.

    Some LSMs defer file labeling on pseudo filesystems. This patch
    permits the labeling of existing files on pseudo filesystems.

    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Mimi Zohar
     
  • commit cd025f7f94108995383edddfb61fc8afea6c66a9 upstream.

    Include don't appraise or measure rules for the NSFS filesystem
    in the builtin ima_tcb and ima_appraise_tcb policies.

    Changelog:
    - Update documentation

    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Mimi Zohar
     
  • commit 5577857f8e26e9027271f10daf96361640907300 upstream.

    It's a bit easier to read this if we split it up into two for loops.

    Signed-off-by: Dan Carpenter
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Dan Carpenter
     
  • commit 6438de9f3fb5180d78a0422695d0b88c687757d3 upstream.

    This patch adds a rule in the default measurement policy to skip inodes
    in the cgroupfs filesystem. Measurements for this filesystem can be
    avoided, as all the digests collected have the same value of the digest of
    an empty file.

    Furthermore, this patch updates the documentation of IMA policies in
    Documentation/ABI/testing/ima_policy to make it consistent with
    the policies set in security/integrity/ima/ima_policy.c.

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Roberto Sassu
     

16 Apr, 2015

1 commit


20 Feb, 2015

1 commit

  • Pull kconfig updates from Michal Marek:
    "Yann E Morin was supposed to take over kconfig maintainership, but
    this hasn't happened. So I'm sending a few kconfig patches that I
    collected:

    - Fix for missing va_end in kconfig
    - merge_config.sh displays usage if given too few arguments
    - s/boolean/bool/ in Kconfig files for consistency, with the plan to
    only support bool in the future"

    * 'kconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
    kconfig: use va_end to match corresponding va_start
    merge_config.sh: Display usage if given too few arguments
    kconfig: use bool instead of boolean for type definition attributes

    Linus Torvalds
     

02 Feb, 2015

1 commit


07 Jan, 2015

1 commit


16 Dec, 2014

1 commit


15 Dec, 2014

1 commit

  • Pull security layer updates from James Morris:
    "In terms of changes, there's general maintenance to the Smack,
    SELinux, and integrity code.

    The IMA code adds a new kconfig option, IMA_APPRAISE_SIGNED_INIT,
    which allows IMA appraisal to require signatures. Support for reading
    keys from rootfs before init is called is also added"

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (23 commits)
    selinux: Remove security_ops extern
    security: smack: fix out-of-bounds access in smk_parse_smack()
    VFS: refactor vfs_read()
    ima: require signature based appraisal
    integrity: provide a hook to load keys when rootfs is ready
    ima: load x509 certificate from the kernel
    integrity: provide a function to load x509 certificate from the kernel
    integrity: define a new function integrity_read_file()
    Security: smack: replace kzalloc with kmem_cache for inode_smack
    Smack: Lock mode for the floor and hat labels
    ima: added support for new kernel cmdline parameter ima_template_fmt
    ima: allocate field pointers array on demand in template_desc_init_fields()
    ima: don't allocate a copy of template_fmt in template_desc_init_fields()
    ima: display template format in meas. list if template name length is zero
    ima: added error messages to template-related functions
    ima: use atomic bit operations to protect policy update interface
    ima: ignore empty and with whitespaces policy lines
    ima: no need to allocate entry for comment
    ima: report policy load status
    ima: use path names cache
    ...

    Linus Torvalds
     

09 Dec, 2014

1 commit


07 Dec, 2014

1 commit

  • On powerpc we can end up with IMA=y and PPC_PSERIES=n which leads to:

    warning: (IMA) selects TCG_IBMVTPM which has unmet direct dependencies (TCG_TPM && PPC_PSERIES)
    tpm_ibmvtpm.c:(.text+0x14f3e8): undefined reference to `.plpar_hcall_norets'

    I'm not sure why IMA needs to select those user-visible symbols, but if
    it must then the simplest fix is to just express the proper dependencies
    on the select.

    Tested-by: Hon Ching (Vicky) Lo
    Signed-off-by: Michael Ellerman
    Signed-off-by: Mimi Zohar

    Michael Ellerman
     

20 Nov, 2014

1 commit


18 Nov, 2014

6 commits

  • integrity_kernel_read() duplicates the file read operations code
    in vfs_read(). This patch refactors vfs_read() code creating a
    helper function __vfs_read(). It is used by both vfs_read() and
    integrity_kernel_read().

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration
    option to force IMA appraisal using signatures. This is useful when the EVM
    key is not initialized yet and we want to securely initialize integrity or
    any other functionality.

    It forces embedded policy to require signature. Signed initialization
    script can initialize EVM key, update the IMA policy and change further
    requirement of everything to be signed.

    Changes in v3:
    * kernel parameter fixed to configuration option in the patch description

    Changes in v2:
    * policy change of this patch separated from the key loading patch

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Keys can only be loaded once the rootfs is mounted. Initcalls
    are not suitable for that. This patch defines a special hook
    to load the x509 public keys onto the IMA keyring, before
    attempting to access any file. The keys are required for
    verifying the file's signature. The hook is called after the
    root filesystem is mounted and before the kernel calls 'init'.

    Changes in v3:
    * added more explanation to the patch description (Mimi)

    Changes in v2:
    * Hook renamed as 'integrity_load_keys()' to handle both IMA and EVM
    keys by integrity subsystem.
    * Hook patch moved after defining loading functions

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Define configuration option to load X509 certificate into the
    IMA trusted kernel keyring. It implements ima_load_x509() hook
    to load X509 certificate into the .ima trusted kernel keyring
    from the root filesystem.

    Changes in v3:
    * use ima_policy_flag in ima_get_action()
    ima_load_x509 temporarily clears ima_policy_flag to disable
    appraisal to load key. Use it to skip appraisal rules.
    * Key directory path changed to /etc/keys (Mimi)
    * Expand IMA_LOAD_X509 Kconfig help

    Changes in v2:
    * added '__init'
    * use ima_policy_flag to disable appraisal to load keys

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Provide the function to load x509 certificates from the kernel into the
    integrity kernel keyring.

    Changes in v2:
    * configuration option removed
    * function declared as '__init'

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • This patch defines a new function called integrity_read_file()
    to read file from the kernel into a buffer. Subsequent patches
    will read a file containing the public keys and load them onto
    the IMA keyring.

    This patch moves and renames ima_kernel_read(), the non-security
    checking version of kernel_read(), to integrity_kernel_read().

    Changes in v3:
    * Patch descriptions improved (Mimi)
    * Add missing cast (kbuild test robot)

    Changes in v2:
    * configuration option removed
    * function declared as '__init'

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

29 Oct, 2014

1 commit


28 Oct, 2014

2 commits

  • evm_inode_setxattr() can be called with no value. The function does not
    check the length so that the following command can be used to produce the
    kernel oops: setfattr -n security.evm FOO. This patch fixes it.

    Changes in v3:
    * there is no reason to return different error codes for EVM_XATTR_HMAC
    and non EVM_XATTR_HMAC. Remove unnecessary test then.

    Changes in v2:
    * testing for validity of xattr type

    [ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 1106.398192] IP: [] evm_inode_setxattr+0x2a/0x48
    [ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0
    [ 1106.399953] Oops: 0000 [#1] SMP
    [ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
    [ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936
    [ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    [ 1106.400020] Call Trace:
    [ 1106.400020] [] security_inode_setxattr+0x5d/0x6a
    [ 1106.400020] [] vfs_setxattr+0x6b/0x9f
    [ 1106.400020] [] setxattr+0x122/0x16c
    [ 1106.400020] [] ? mnt_want_write+0x21/0x45
    [ 1106.400020] [] ? __sb_start_write+0x10f/0x143
    [ 1106.400020] [] ? mnt_want_write+0x21/0x45
    [ 1106.400020] [] ? __mnt_want_write+0x48/0x4f
    [ 1106.400020] [] SyS_setxattr+0x6e/0xb0
    [ 1106.400020] [] system_call_fastpath+0x16/0x1b
    [ 1106.428061] ---[ end trace ae08331628ba3050 ]---

    Reported-by: Jan Kara
    Signed-off-by: Dmitry Kasatkin
    Cc: stable@vger.kernel.org
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • ima_inode_setxattr() can be called with no value. The function does not
    check the length so that the following command can be used to produce
    a kernel oops: setfattr -n security.ima FOO. This patch fixes it.

    Changes in v3:
    * for stable reverted "allow setting hash only in fix or log mode"
    It will be a separate patch.

    Changes in v2:
    * testing validity of xattr type
    * allow setting hash only in fix or log mode (Mimi)

    [ 261.562522] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 261.564109] IP: [] ima_inode_setxattr+0x3e/0x5a
    [ 261.564109] PGD 3112f067 PUD 42965067 PMD 0
    [ 261.564109] Oops: 0000 [#1] SMP
    [ 261.564109] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
    [ 261.564109] CPU: 0 PID: 3299 Comm: setxattr Not tainted 3.16.0-kds+ #2924
    [ 261.564109] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    [ 261.564109] Call Trace:
    [ 261.564109] [] security_inode_setxattr+0x48/0x6a
    [ 261.564109] [] vfs_setxattr+0x6b/0x9f
    [ 261.564109] [] setxattr+0x122/0x16c
    [ 261.564109] [] ? mnt_want_write+0x21/0x45
    [ 261.564109] [] ? __sb_start_write+0x10f/0x143
    [ 261.564109] [] ? mnt_want_write+0x21/0x45
    [ 261.564109] [] ? __mnt_want_write+0x48/0x4f
    [ 261.564109] [] SyS_setxattr+0x6e/0xb0
    [ 261.564109] [] system_call_fastpath+0x16/0x1b
    [ 261.599998] ---[ end trace 39a89a3fc267e652 ]---

    Reported-by: Jan Kara
    Signed-off-by: Dmitry Kasatkin
    Cc: stable@vger.kernel.org
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

14 Oct, 2014

1 commit

  • Replaced the use of a Variable Length Array In Struct (VLAIS) with a C99
    compliant equivalent. This patch allocates the appropriate amount of memory
    using a char array using the SHASH_DESC_ON_STACK macro.

    The new code can be compiled with both gcc and clang.

    Signed-off-by: Behan Webster
    Reviewed-by: Mark Charlebois
    Reviewed-by: Jan-Simon Möller
    Acked-by: Herbert Xu
    Acked-by: Dmitry Kasatkin
    Cc: tglx@linutronix.de

    Behan Webster
     

13 Oct, 2014

5 commits

  • This patch allows users to provide a custom template format through the
    new kernel command line parameter 'ima_template_fmt'. If the supplied
    format is not valid, IMA uses the default template descriptor.

    Changelog:
    - v3:
    - added check for 'fields' and 'num_fields' in
    template_desc_init_fields() (suggested by Mimi Zohar)

    - v2:
    - using template_desc_init_fields() to validate a format string
    (Roberto Sassu)
    - updated documentation by stating that only the chosen template
    descriptor is initialized (Roberto Sassu)

    - v1:
    - simplified code of ima_template_fmt_setup()
    (Roberto Sassu, suggested by Mimi Zohar)

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • The allocation of a field pointers array is moved at the end of
    template_desc_init_fields() and done only if the value of the 'fields'
    and 'num_fields' parameters is not NULL. For just validating a template
    format string, retrieved template field pointers are placed in a temporary
    array.

    Changelog:
    - v3:
    - do not check in this patch if 'fields' and 'num_fields' are NULL
    (suggested by Mimi Zohar)

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • This patch removes the allocation of a copy of 'template_fmt', needed for
    iterating over all fields in the passed template format string. The removal
    was possible by replacing strcspn(), which modifies the passed string,
    with strchrnul(). The currently processed template field is copied in
    a temporary variable.

    The purpose of this change is to use template_desc_init_fields() in two ways:
    for just validating a template format string (the function should work
    if called by a setup function, when memory cannot be allocated), and for
    actually initializing a template descriptor. The implementation of this
    feature will be complete with the next patch.

    Changelog:
    - v3:
    - added 'goto out' in template_desc_init_fields() to free allocated
    memory if a template field length is not valid (suggested by
    Mimi Zohar)

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • With the introduction of the 'ima_template_fmt' kernel cmdline parameter,
    a user can define a new template descriptor with custom format. However,
    in this case, userspace tools will be unable to parse the measurements
    list because the new template is unknown. For this reason, this patch
    modifies the current IMA behavior to display in the list the template
    format instead of the name (only if the length of the latter is zero)
    so that a tool can extract needed information if it can handle listed
    fields.

    This patch also correctly displays the error log message in
    ima_init_template() if the selected template cannot be initialized.

    Changelog:
    - v3:
    - check the first byte of 'e->template_desc->name' instead of using
    strlen() in ima_fs.c (suggested by Mimi Zohar)

    - v2:
    - print the template format in ima_init_template(), if the selected
    template is custom (Roberto Sassu)

    - v1:
    - fixed patch description (Roberto Sassu, suggested by Mimi Zohar)
    - set 'template_name' variable in ima_fs.c only once
    (Roberto Sassu, suggested by Mimi Zohar)

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • This patch adds some error messages to inform users about the following
    events: template descriptor not found, invalid template descriptor,
    template field not found and template initialization failed.

    Changelog:
    - v2:
    - display an error message if the format string contains too many
    fields (Roberto Sassu)

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     

12 Oct, 2014

4 commits

  • The current implementation uses an atomic counter to provide exclusive
    access to the sysfs 'policy' entry to update the IMA policy. While it is
    highly unlikely, the usage of a counter might potentially allow another
    process to overflow the counter, open the interface and insert additional
    rules into the policy being loaded.

    This patch replaces using an atomic counter with atomic bit operations
    which is more reliable and a widely used method to provide exclusive access.

    As bit operations keep the interface locked after successful update, it makes
    it unnecessary to verify if the default policy was set or not during parsing
    and interface closing. This patch also removes that code.

    Changes in v3:
    * move audit log message to ima_release_policy() to report successful and
    unsuccessful result
    * unnecessary comment removed

    Changes in v2:
    * keep interface locked after successful policy load as in original design
    * remove sysfs entry as in original design

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Empty policy lines cause parsing failures which is, especially
    for new users, hard to spot. This patch prevents it.

    Changes in v2:
    * strip leading blanks and tabs in rules to prevent parsing failures

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • If a rule is a comment, there is no need to allocate an entry.
    Move the checking for comments before allocating the entry.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Audit messages are rate limited, often causing the policy update
    info to not be visible. Report policy loading status also using
    pr_info.

    Changes in v2:
    * reporting moved to ima_release_policy to notice parsing errors
    * reporting both completed and failed status

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

08 Oct, 2014

4 commits

  • __getname() uses slab allocation which is faster than kmalloc.
    Make use of it.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • If filesystem is mounted read-only or file is immutable, updating
    xattr will fail. This is a usual case during early boot until
    filesystem is remounted read-write. This patch verifies conditions
    to skip unnecessary attempt to calculate HMAC and set xattr.

    Changes in v2:
    * indentation changed according to Lindent (requested by Mimi)

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • integrity_init_keyring() is used only from kernel '__init'
    functions. Add it there as well.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • This patch completes the switching to the 'ima_policy_flag' variable
    in the checks at the beginning of IMA functions, starting with the
    commit a756024e.

    Checking 'iint_initialized' is completely unnecessary, because
    S_IMA flag is unset if iint was not allocated. At the same time
    the integrity cache is allocated with SLAB_PANIC and the kernel will
    panic if the allocation fails during kernel initialization. So on
    a running system iint_initialized is always true and can be removed.

    Changes in v3:
    * not limiting test to IMA_APPRAISE (spotted by Roberto Sassu)

    Changes in v2:
    * 'iint_initialized' removal patch merged to this patch (requested
    by Mimi)

    Signed-off-by: Dmitry Kasatkin
    Acked-by: Roberto Sassu

    Dmitry Kasatkin