
Commit 36b8d186 authored by Linus Torvalds's avatar Linus Torvalds
* 'next' of git://selinuxproject.org/~jmorris/linux-security: (95 commits)
  TOMOYO: Fix incomplete read after seek.
  Smack: allow to access /smack/access as normal user
  TOMOYO: Fix unused kernel config option.
  Smack: fix: invalid length set for the result of /smack/access
  Smack: compilation fix
  Smack: fix for /smack/access output, use string instead of byte
  Smack: domain transition protections (v3)
  Smack: Provide information for UDS getsockopt(SO_PEERCRED)
  Smack: Clean up comments
  Smack: Repair processing of fcntl
  Smack: Rule list lookup performance
  Smack: check permissions from user space (v2)
  TOMOYO: Fix quota and garbage collector.
  TOMOYO: Remove redundant tasklist_lock.
  TOMOYO: Fix domain transition failure warning.
  TOMOYO: Remove tomoyo_policy_memory_lock spinlock.
  TOMOYO: Simplify garbage collector.
  TOMOYO: Fix make namespacecheck warnings.
  target: check hex2bin result
  encrypted-keys: check hex2bin result
  ...
parents cd85b557 c45ed235
+23 −0
What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes(xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM depends on the Kernel Key Retention System to provide it
		with a trusted/encrypted key for the HMAC-sha1 operation.
		The key is loaded onto the root's keyring using keyctl.  Until
		EVM receives notification that the key has been successfully
		loaded onto the keyring (echo 1 > <securityfs>/evm), EVM
		can not create or validate the 'security.evm' xattr, but
		returns INTEGRITY_UNKNOWN.  Loading the key and signaling EVM
		should be done as early as possible.  Normally this is done
		in the initramfs, which has already been measured as part
		of the trusted boot.  For more information on creating and
		loading existing trusted/encrypted keys, refer to:
		Documentation/keys-trusted-encrypted.txt.  (A sample dracut
		patch, which loads the trusted/encrypted key and enables
		EVM, is available from http://linux-ima.sourceforge.net/#EVM.)
+6 −0
@@ -49,6 +49,7 @@ parameter is applicable:
	EDD	BIOS Enhanced Disk Drive Services (EDD) is enabled
	EDD	BIOS Enhanced Disk Drive Services (EDD) is enabled
	EFI	EFI Partitioning (GPT) is enabled
	EFI	EFI Partitioning (GPT) is enabled
	EIDE	EIDE/ATAPI support is enabled.
	EIDE	EIDE/ATAPI support is enabled.
	EVM	Extended Verification Module
	FB	The frame buffer device is enabled.
	FB	The frame buffer device is enabled.
	FTRACE	Function tracing enabled.
	FTRACE	Function tracing enabled.
	GCOV	GCOV profiling is enabled.
	GCOV	GCOV profiling is enabled.
@@ -760,6 +761,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
			This option is obsoleted by the "netdev=" option, which
			This option is obsoleted by the "netdev=" option, which
			has equivalent usage. See its documentation for details.
			has equivalent usage. See its documentation for details.


	evm=		[EVM]
			Format: { "fix" }
			Permit 'security.evm' to be updated regardless of
			current integrity status.

	failslab=
	failslab=
	fail_page_alloc=
	fail_page_alloc=
	fail_make_request=[KNL]
	fail_make_request=[KNL]
+6 −1
@@ -2552,6 +2552,11 @@ S: Maintained
F:	Documentation/filesystems/ext4.txt
F:	Documentation/filesystems/ext4.txt
F:	fs/ext4/
F:	fs/ext4/


Extended Verification Module (EVM)
M:	Mimi Zohar <zohar@us.ibm.com>
S:	Supported
F:	security/integrity/evm/

F71805F HARDWARE MONITORING DRIVER
F71805F HARDWARE MONITORING DRIVER
M:	Jean Delvare <khali@linux-fr.org>
M:	Jean Delvare <khali@linux-fr.org>
L:	lm-sensors@lm-sensors.org
L:	lm-sensors@lm-sensors.org
@@ -6447,7 +6452,7 @@ L: tomoyo-users-en@lists.sourceforge.jp (subscribers-only, for users in English)
L:	tomoyo-dev@lists.sourceforge.jp (subscribers-only, for developers in Japanese)
L:	tomoyo-dev@lists.sourceforge.jp (subscribers-only, for developers in Japanese)
L:	tomoyo-users@lists.sourceforge.jp (subscribers-only, for users in Japanese)
L:	tomoyo-users@lists.sourceforge.jp (subscribers-only, for users in Japanese)
W:	http://tomoyo.sourceforge.jp/
W:	http://tomoyo.sourceforge.jp/
T:	quilt http://svn.sourceforge.jp/svnroot/tomoyo/trunk/2.4.x/tomoyo-lsm/patches/
T:	quilt http://svn.sourceforge.jp/svnroot/tomoyo/trunk/2.5.x/tomoyo-lsm/patches/
S:	Maintained
S:	Maintained
F:	security/tomoyo/
F:	security/tomoyo/


+3 −0
@@ -966,6 +966,9 @@ ssize_t tpm_show_durations(struct device *dev, struct device_attribute *attr,
{
{
	struct tpm_chip *chip = dev_get_drvdata(dev);
	struct tpm_chip *chip = dev_get_drvdata(dev);


	if (chip->vendor.duration[TPM_LONG] == 0)
		return 0;

	return sprintf(buf, "%d %d %d [%s]\n",
	return sprintf(buf, "%d %d %d [%s]\n",
		       jiffies_to_usecs(chip->vendor.duration[TPM_SHORT]),
		       jiffies_to_usecs(chip->vendor.duration[TPM_SHORT]),
		       jiffies_to_usecs(chip->vendor.duration[TPM_MEDIUM]),
		       jiffies_to_usecs(chip->vendor.duration[TPM_MEDIUM]),
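Review bot: The new early return on `chip->vendor.duration[TPM_LONG] == 0` in tpm_show_durations has no comment, so it is unclear why only the TPM_LONG slot is tested and what an empty sysfs read is meant to tell userspace. I would add something like `/* durations were never populated (presumably the TPM query failed or has not run): show an empty attribute */` above the check, with the reason confirmed against the code that fills `vendor.duration`. If callers are expected to tell "no data" apart from a real read, an errno return would be more explicit than `return 0;`. The rest of the function, including the end of the `sprintf` call, lies outside the hunk.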
+9 −3
@@ -63,6 +63,7 @@ u32 sas_get_pr_transport_id(
	unsigned char *buf)
	unsigned char *buf)
{
{
	unsigned char *ptr;
	unsigned char *ptr;
	int ret;


	/*
	/*
	 * Set PROTOCOL IDENTIFIER to 6h for SAS
	 * Set PROTOCOL IDENTIFIER to 6h for SAS
@@ -74,7 +75,9 @@ u32 sas_get_pr_transport_id(
	 */
	 */
	ptr = &se_nacl->initiatorname[4]; /* Skip over 'naa. prefix */
	ptr = &se_nacl->initiatorname[4]; /* Skip over 'naa. prefix */


	hex2bin(&buf[4], ptr, 8);
	ret = hex2bin(&buf[4], ptr, 8);
	if (ret < 0)
		pr_debug("sas transport_id: invalid hex string\n");


	/*
	/*
	 * The SAS Transport ID is a hardcoded 24-byte length
	 * The SAS Transport ID is a hardcoded 24-byte length
@@ -156,8 +159,9 @@ u32 fc_get_pr_transport_id(
	unsigned char *buf)
	unsigned char *buf)
{
{
	unsigned char *ptr;
	unsigned char *ptr;
	int i;
	int i, ret;
	u32 off = 8;
	u32 off = 8;

	/*
	/*
	 * PROTOCOL IDENTIFIER is 0h for FCP-2
	 * PROTOCOL IDENTIFIER is 0h for FCP-2
	 *
	 *
@@ -174,7 +178,9 @@ u32 fc_get_pr_transport_id(
			i++;
			i++;
			continue;
			continue;
		}
		}
		hex2bin(&buf[off++], &ptr[i], 1);
		ret = hex2bin(&buf[off++], &ptr[i], 1);
		if (ret < 0)
			pr_debug("fc transport_id: invalid hex string\n");
		i += 2;
		i += 2;
	}
	}
	/*
	/*
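Review bot: A failed `hex2bin()` in sas_get_pr_transport_id is only reported through `pr_debug`, and the function then continues as before, so `buf[4]` onward may hold partially converted bytes that appear to be handed back to the caller as a valid transport ID. Because the function returns a `u32` length, the error cannot be propagated without a signature change, but the field can at least be cleared and the failure logged at a level that is normally enabled: `if (ret < 0) { pr_warn("sas transport_id: invalid hex string\n"); memset(&buf[4], 0, 8); }`. The same applies to `ret = hex2bin(&buf[off++], &ptr[i], 1);` in fc_get_pr_transport_id, where the message can also repeat once per bad byte inside the loop. Both function bodies extend beyond the visible hunks, so whether `initiatorname` is validated earlier cannot be seen from here.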