Re: [GIT PULL] Security subsystem: integrity updates for v4.15

From: Mimi Zohar
Date: Wed Nov 15 2017 - 07:38:12 EST


On Mon, 2017-11-13 at 09:05 +1100, James Morris wrote:
> Hi Linus,
>
> Please pull these fixes for the Integrity subsystem.
>
> (From Mimi)
>
> "There is a mixture of bug fixes, code cleanup, preparatory code for new
> functionality and new functionality.
>
> Commit 26ddabfe96bb "evm: enable EVM when X509 certificate is loaded"
> enabled EVM without loading a symmetric key, but was limited to defining
> the x509 certificate pathname at build. Included in this set of patches
> is the ability of enabling EVM, without loading the EVM symmetric key,
> from userspace. New is the ability to prevent the loading of an EVM
> symmetric key."

James, thank you for keeping the integrity patches separate, as
requested, and sending the extra pull request. ÂThis is extra work for
you, but I really appreciate it. ÂThe pull request seems to have gone
smoothly.

So much of the integrity subsystem is dependent on the other security
subsystems (eg. keys, TPM, LSM hooks). ÂHaving a common security
testing branch is really helpful. ÂIt makes collaboration that much
easier.

Thanks!

Mimi