linux/security/integrity, branch v6.18

ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr

2025-10-03T11:50:56Z

Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated, # getfattr -m - -d -e hex /usr/bin/bash # file: usr/bin/bash security.ima=0x0404... This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed. Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL. Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset. Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL, #include #include #include #include #include #include int main() { const char* file_path = "/usr/sbin/test_binary"; const char* hex_string = "030204d33204490066306402304"; int length = strlen(hex_string); char* ima_attr_value; int fd; fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { perror("Error opening file"); return 1; } ima_attr_value = (char*)malloc(length / 2 ); for (int i = 0, j = 0; i < length; i += 2, j++) { sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); } if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } const char* selinux_value= "system_u:object_r:bin_t:s0"; if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } close(fd); return 0; } Signed-off-by: Coiby Xu Signed-off-by: Mimi Zohar

integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS

2025-10-03T11:50:56Z

Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS, since INTEGRITY_ASYMMETRIC_KEYS selects several options that depend on CRYPTO. This unblocks the removal of the CRYPTO selection from SIGNATURE. SIGNATURE (lib/digsig.c) itself will no longer need CRYPTO, but INTEGRITY_ASYMMETRIC_KEYS was depending on it indirectly via the chain SIGNATURE => INTEGRITY_SIGNATURE => INTEGRITY_ASYMMETRIC_KEYS. Signed-off-by: Eric Biggers Reviewed-by: Paul Menzel Signed-off-by: Mimi Zohar

Merge tag 'integrity-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

2025-07-31T18:42:11Z

Pull integrity update from Mimi Zohar: "A single commit to permit disabling IMA from the boot command line for just the kdump kernel. The exception itself sort of makes sense. My concern is that exceptions do not remain as exceptions, but somehow morph to become the norm" * tag 'integrity-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: add a knob ima= to allow disabling IMA in kdump kernel

Merge tag 'powerpc-6.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

2025-07-30T03:28:38Z

Pull powerpc updates from Madhavan Srinivasan: - CONFIG_HZ changes to move the base_slice from 10ms to 1ms - Patchset to move some of the mutex handling to lock guard - Expose secvars relevant to the key management mode - Misc cleanups and fixes Thanks to Ankit Chauhan, Christophe Leroy, Donet Tom, Gautam Menghani, Haren Myneni, Johan Korsnes, Madadi Vineeth Reddy, Paul Mackerras, Shrikanth Hegde, Srish Srinivasan, Thomas Fourier, Thomas Huth, Thomas Weißschuh, Souradeep, Amit Machhiwal, R Nageswara Sastry, Venkat Rao Bagalkote, Andrew Donnellan, Greg Kroah-Hartman, Mimi Zohar, Mukesh Kumar Chaurasiya, Nayna Jain, Ritesh Harjani (IBM), Sourabh Jain, Srikar Dronamraju, Stefan Berger, Tyrel Datwyler, and Kowshik Jois. * tag 'powerpc-6.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: (23 commits) arch/powerpc: Remove .interp section in vmlinux powerpc: Drop GPL boilerplate text with obsolete FSF address powerpc: Don't use %pK through printk arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX misc: ocxl: Replace scnprintf() with sysfs_emit() in sysfs show functions integrity/platform_certs: Allow loading of keys in the static key management mode powerpc/secvar: Expose secvars relevant to the key management mode powerpc/pseries: Correct secvar format representation for static key management (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer powerpc: floppy: Add missing checks after DMA map book3s64/radix : Optimize vmemmap start alignment book3s64/radix : Handle error conditions properly in radix_vmemmap_populate powerpc/pseries/dlpar: Search DRC index from ibm,drc-indexes for IO add KVM: PPC: Book3S HV: Add H_VIRT mapping for tracing exits powerpc: sysdev: use lock guard for mutex powerpc: powernv: ocxl: use lock guard for mutex powerpc: book3s: vas: use lock guard for mutex powerpc: fadump: use lock guard for mutex powerpc: rtas: use lock guard for mutex powerpc: eeh: use lock guard for mutex ...

integrity/platform_certs: Allow loading of keys in the static key management mode

2025-07-09T03:46:18Z

On PLPKS enabled PowerVM LPAR, there is no provision to load signed third-party kernel modules when the key management mode is static. This is because keys from secure boot secvars are only loaded when the key management mode is dynamic. Allow loading of the trustedcadb and moduledb keys even in the static key management mode, where the secvar format string takes the form "ibm,plpks-sb-v0". Signed-off-by: Srish Srinivasan Tested-by: R Nageswara Sastry Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger Reviewed-by: Nayna Jain Reviewed-by: Andrew Donnellan Signed-off-by: Madhavan Srinivasan Link: https://patch.msgid.link/20250610211907.101384-4-ssrish@linux.ibm.com

evm_secfs: clear securityfs interactions

2025-06-17T22:10:30Z

1) creation never returns NULL; error is reported as ERR_PTR() 2) no need to remove file before removing its parent Acked-by: Mimi Zohar Signed-off-by: Al Viro

ima_fs: get rid of lookup-by-dentry stuff

2025-06-17T22:10:14Z

lookup_template_data_hash_algo() machinery is used to locate the matching ima_algo_array[] element at read time; securityfs allows to stash that into inode->i_private at object creation time, so there's no need to bother Acked-by: Mimi Zohar Signed-off-by: Al Viro

ima_fs: don't bother with removal of files in directory we'll be removing

2025-06-17T22:09:52Z

removal of parent takes all children out Acked-by: Mimi Zohar Signed-off-by: Al Viro

ima: add a knob ima= to allow disabling IMA in kdump kernel

2025-06-16T13:15:13Z

Kdump kernel doesn't need IMA functionality, and enabling IMA will cost extra memory. It would be very helpful to allow IMA to be disabled for kdump kernel. Hence add a knob ima=on|off here to allow turning IMA off in kdump kernel if needed. Note that this IMA disabling is limited to kdump kernel, please don't abuse it in other kernel and thus serious consequences are caused. Signed-off-by: Baoquan He Signed-off-by: Mimi Zohar

ima: do not copy measurement list to kdump kernel

2025-05-14T10:40:09Z

Kdump kernel doesn't need IMA to do integrity measurement. Hence the measurement list in 1st kernel doesn't need to be copied to kdump kernel. Here skip allocating buffer for measurement list copying if loading kdump kernel. Then there won't be the later handling related to ima_kexec_buffer. Signed-off-by: Steven Chen Tested-by: Baoquan He Acked-by: Baoquan He Signed-off-by: Mimi Zohar