linux/drivers
Deven Bowers a6af7bc3d7 dm-verity: expose root hash digest and signature data to LSMs
dm-verity provides a strong guarantee of a block device's integrity. As
a generic way to check the integrity of a block device, it provides
those integrity guarantees to its higher layers, including the filesystem
level.

However, critical security metadata like the dm-verity roothash and its
signing information are not easily accessible to the LSMs.
To address this limitation, this patch introduces a mechanism to store
and manage these essential security details within a newly added LSM blob
in the block_device structure.

This addition allows LSMs to make access control decisions on the integrity
data stored within the block_device, enabling more flexible security
policies. For instance, LSMs can now revoke access to dm-verity devices
based on their roothashes, ensuring that only authorized and verified
content is accessible. Additionally, LSMs can enforce policies to only
allow files from dm-verity devices that have a valid digital signature to
execute, effectively blocking any unsigned files from execution, thus
enhancing security against unauthorized modifications.

The patch includes new hook calls, `security_bdev_setintegrity()`, in
dm-verity to expose the dm-verity roothash and the roothash signature to
LSMs via the preresume() callback. By using the preresume() callback, it
ensures that the security metadata is consistently in sync with the
metadata of the dm-verity target in the current active mapping table.
The hook calls depend on CONFIG_SECURITY.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
[PM: moved sig_size field as discussed]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-08-20 14:02:38 -04:00
accel
accessibility
acpi RISC-V Patches for the 6.11 Merge Window, Part 2 2024-07-27 10:14:34 -07:00
amba
android
ata Char/Misc and other driver changes for 6.11-rc1 2024-07-19 15:55:08 -07:00
atm
auxdisplay auxdisplay updates for v6.11 2024-07-26 11:04:28 -07:00
base regmap: Fix for v6.11 2024-07-27 12:26:09 -07:00
bcma
block block-6.11-20240726 2024-07-27 15:28:53 -07:00
bluetooth virtio: features, fixes, cleanups 2024-07-19 11:57:55 -07:00
bus Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
cache
cdrom sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
cdx
char sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
clk Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
clocksource of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
comedi
connector
counter Char/Misc and other driver changes for 6.11-rc1 2024-07-19 15:55:08 -07:00
cpufreq Power management updates for 6.11-rc1 2024-07-16 15:54:03 -07:00
cpuidle
crypto ARM: 2024-07-20 12:41:03 -07:00
cxl CXL for v6.11 merge window 2024-07-28 09:33:28 -07:00
dax Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
dca Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
devfreq
dio
dma Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
dma-buf - 875fa64577da ("mm/hugetlb_vmemmap: fix race with speculative PFN 2024-07-21 17:15:46 -07:00
dpll
edac minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
eisa
extcon
firewire Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
firmware RISC-V Patches for the 6.11 Merge Window, Part 2 2024-07-27 10:14:34 -07:00
fpga Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
fsi Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
gnss
gpio gpio fixes for v6.11-rc1 2024-07-27 12:54:06 -07:00
gpu minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
greybus Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
hid Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
hsi Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
hte
hv Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
hwmon Char/Misc and other driver changes for 6.11-rc1 2024-07-19 15:55:08 -07:00
hwspinlock
hwtracing Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
i2c Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
i3c I3C for 6.11 2024-07-27 10:53:06 -07:00
idle
iio of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
infiniband IOMMU Updates for Linux v6.11 2024-07-19 09:59:58 -07:00
input Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
interconnect Char/Misc and other driver changes for 6.11-rc1 2024-07-19 15:55:08 -07:00
iommu IOMMU Fixes for Linux v6.11-rc1 2024-07-27 12:39:55 -07:00
ipack
irqchip of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-07-25 08:05:05 -07:00
leds - Core Frameworks 2024-07-17 17:51:30 -07:00
macintosh sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-25 12:58:36 -07:00
mailbox mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable() 2024-07-19 21:25:23 -05:00
mcb Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
md dm-verity: expose root hash digest and signature data to LSMs 2024-08-20 14:02:38 -04:00
media a couple of leaks on failure exits missing fdput() 2024-07-26 10:26:33 -07:00
memory
memstick Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
message
mfd Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
misc Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
mmc Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
most Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
mtd This pull request contains updates (actually, just fixes) for UBI and UBIFS: 2024-07-28 11:51:51 -07:00
mux
net minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
nfc
ntb Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
nubus
nvdimm Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
nvme nvme fixes for Linux 6.11 2024-07-26 08:06:15 -06:00
nvmem Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
of IOMMU Updates for Linux v6.11 2024-07-19 09:59:58 -07:00
opp
parisc
parport sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-25 12:58:36 -07:00
pci Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
pcmcia Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
peci Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
perf RISC-V Patches for the 6.11 Merge Window, Part 2 2024-07-27 10:14:34 -07:00
phy phy-for-6.11 2024-07-24 13:11:28 -07:00
pinctrl of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
platform Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
pmdomain
pnp
power power supply and reset changes for the 6.11 series 2024-07-23 09:38:27 -07:00
powercap
pps Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
ps3
ptp Networking changes for 6.11. Not much excitement - a handful of large 2024-07-16 19:28:34 -07:00
pwm of: remove internal arguments from of_property_for_each_u32() 2024-07-25 06:53:47 -05:00
rapidio
ras - The AMD memory controllers data fabric version 4.5 supports 2024-07-15 18:20:24 -07:00
regulator regulator: Fixes for v6.11 2024-07-27 12:27:52 -07:00
remoteproc rpmsg updates for v6.11 2024-07-23 13:41:59 -07:00
reset Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
rpmsg Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
rtc
s390 more s390 updates for 6.11 merge window 2024-07-26 10:47:53 -07:00
sbus
scsi Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
sh
siox Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
slimbus Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
soc Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
soundwire Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
spi spi: Fixes for v6.11 2024-07-27 12:29:10 -07:00
spmi Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
ssb
staging Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
target
tc
tee Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
thermal thermal: core: Back off when polling thermal zones on errors 2024-07-24 12:40:23 +02:00
thunderbolt Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
tty Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
ufs SCSI misc on 20240718 2024-07-19 10:56:58 -07:00
uio
usb Devicetree fixes for 6.11, part 1 2024-07-27 12:46:16 -07:00
vdpa Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
vfio Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
vhost virtio: features, fixes, cleanups 2024-07-19 11:57:55 -07:00
video - 875fa64577da ("mm/hugetlb_vmemmap: fix race with speculative PFN 2024-07-21 17:15:46 -07:00
virt ARM: 2024-07-20 12:41:03 -07:00
virtio Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
w1
watchdog linux-watchdog 6.11-rc1 tag 2024-07-25 10:18:35 -07:00
xen Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
zorro Driver core changes for 6.11-rc1 2024-07-25 10:42:22 -07:00
Kconfig
Makefile