mirror of
https://git.code.sf.net/p/linux-ima/ima-evm-utils
synced 2025-04-27 22:32:31 +02:00
318a3e6b2d
Updated both the release and library (ABI change) versions. See the NEWS file for a short summary and the git history for details. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
223 lines
7.9 KiB
Plaintext
223 lines
7.9 KiB
Plaintext
2021-10-22 Mimi Zohar <zohar@linux.ibm.com>
|
|
|
|
version 1.4:
|
|
* Elliptic curve support and tests
|
|
* PKCS11 support and tests
|
|
* Ability to manually specify the keyid included in the IMA xattr
|
|
* Improve IMA measurement list per TPM bank verification
|
|
* Linking with IBM TSS
|
|
* Set default hash algorithm in package configuration
|
|
* (Minimal) support and test EVM portable signatures
|
|
* CI testing:
|
|
* Refresh and include new distros
|
|
* Podman support
|
|
* GitHub Actions
|
|
* Limit "sudo" usage
|
|
* Misc bug fixes and code cleanup
|
|
* Fix static analysis bug reports, memory leaks
|
|
* Remove experimental code that was never upstreamed in the kernel
|
|
* Use unsigned variable, remove unused variables, etc
|
|
|
|
2020-10-28 Mimi Zohar <zohar@linux.ibm.com>
|
|
|
|
version 1.3.2:
|
|
* Bugfixes: importing keys
|
|
* NEW: Docker based travis distro testing
|
|
* Travis bugfixes, code cleanup, software version update,
|
|
and script removal
|
|
* Initial travis testing
|
|
|
|
2020-08-11 Mimi Zohar <zohar@linux.ibm.com>
|
|
|
|
version 1.3.1:
|
|
* "--pcrs" support for per crypto algorithm
|
|
* Drop/rename "ima_measurement" options
|
|
* Moved this summary from "Changelog" to "NEWS", removing
|
|
requirement for GNU empty files
|
|
* Distro build fixes
|
|
|
|
2020-07-21 Mimi Zohar <zohar@linux.ibm.com>
|
|
|
|
version 1.3 new features:
|
|
* NEW ima-evm-utils regression test infrastructure with two initial
|
|
tests:
|
|
- ima_hash.test: calculate/verify different crypto hash algorithms
|
|
- sign_verify.test: EVM and IMA sign/verify signature tests
|
|
* TPM 2.0 support
|
|
- Calculate the new per TPM 2.0 bank template data digest
|
|
- Support original padding the SHA1 template data digest
|
|
- Compare ALL the re-calculated TPM 2.0 bank PCRs against the
|
|
TPM 2.0 bank PCR values
|
|
- Calculate the per TPM bank "boot_aggregate" values, including
|
|
PCRs 8 & 9 in calculation
|
|
- Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
|
|
- boot_aggregate.test: compare the calculated "boot_aggregate"
|
|
values with the "boot_aggregate" value included in the IMA
|
|
measurement.
|
|
* TPM 1.2 support
|
|
- Additionally support reading the TPM 1.2 PCRs from a supplied file
|
|
("--pcrs" option)
|
|
* Based on original IMA LTP and standalone version support
|
|
- Calculate the TPM 1.2 "boot_aggregate" based on the exported
|
|
TPM 1.2 BIOS event log.
|
|
- In addition to verifying the IMA measurement list against the
|
|
the TPM PCRs, verify the IMA template data digest against the
|
|
template data. (Based on LTP "--verify" option.)
|
|
- Ignore file measurement violations while verifying the IMA
|
|
measurment list. (Based on LTP "--validate" option.)
|
|
- Verify the file data signature included in the measurement list
|
|
based on the file hash also included in the measurement list
|
|
(--verify-sig)
|
|
- Support original "ima" template (mixed templates not supported)
|
|
* Support "sm3" crypto name
|
|
|
|
Bug fixes and code cleanup:
|
|
* Don't exit with -1 on failure, exit with 125
|
|
* On signature verification failure, include pathname.
|
|
* Provide minimal hash_info.h file in case one doesn't exist, needed
|
|
by the ima-evm-utils regression tests.
|
|
* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
|
|
* Fix hash_algo type comparison mismatch
|
|
* Simplify/clean up code
|
|
* Address compiler complaints and failures
|
|
* Fix memory allocations and leaks
|
|
* Sanity check provided input files are regular files
|
|
* Revert making "tsspcrread" a compile build time decision.
|
|
* Limit additional messages based on log level (-v)
|
|
|
|
2019-07-30 Mimi Zohar <zohar@linux.ibm.com>
|
|
|
|
version 1.2.1 Bug fixes:
|
|
* When verifying multiple file signatures, return correct status
|
|
* Don't automatically use keys from x509 certs if user supplied "--rsa"
|
|
* Fix verifying DIGSIG_VERSION_1 signatures
|
|
* autoconf, openssl fixes
|
|
|
|
|
|
2019-07-24 Mimi Zohar <zohar@linux.ibm.com>
|
|
|
|
version 1.2 new features:
|
|
* Generate EVM signatures based on the specified hash algorithm
|
|
* include "security.apparmor" in EVM signature
|
|
* Add support for writing & verifying "user.xxxx" xattrs for testing
|
|
* Support Strebog/Gost hash functions
|
|
* Add OpenSSL engine support
|
|
* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
|
|
* Support verifying multiple signatures at once
|
|
* Support new template "buf" field and warn about other unknown fields
|
|
* Improve OpenSSL error reporting
|
|
* Support reading TPM 2.0 PCRs using tsspcrread
|
|
|
|
Bug fixes and code cleanup:
|
|
* Update manpage stylesheet detection
|
|
* Fix xattr.h include file
|
|
* On error when reading TPM PCRs, don't log gargabe
|
|
* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
|
|
limiting keyid output to verbose mode
|
|
* Fix hash buffer overflow caused by EVM support for larger hashes,
|
|
defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
|
|
* Linked with libcrypto instead of OpenSSL
|
|
* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
|
|
* Include new "hash-info.gen" in tar
|
|
* Log the hash algorithm, not just the hash value
|
|
* Fixed memory leaks in: EV_MD_CTX, init_public_keys
|
|
* Fixed other warnings/bugs discovered by clang, coverity
|
|
* Remove indirect calls in verify_hash() to improve code readability
|
|
* Don't fallback to using sha1
|
|
* Namespace some too generic object names
|
|
* Make functions/arrays static if possible
|
|
|
|
|
|
2018-01-28 Mimi Zohar <zohar@us.ibm.com>
|
|
|
|
version 1.1
|
|
* Support the new openssl 1.1 api
|
|
* Support for validating multiple pcrs
|
|
* Verify the measurement list signature based on the list digest
|
|
* Verify the "ima-sig" measurement list using multiple keys
|
|
* Fixed parsing the measurement template data field length
|
|
* Portable & immutable EVM signatures (new format)
|
|
* Multiple fixes that have been lingering in the next branch. Some
|
|
are for experimental features that are not yet supported in the
|
|
kernel.
|
|
|
|
2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
|
|
|
|
version 1.0
|
|
* Recursive hashing
|
|
* Immutable EVM signatures (experimental)
|
|
* Command 'ima_clear' to remove xattrs
|
|
* Support for passing password to the library
|
|
* Support for asking password safely from the user
|
|
|
|
2014-09-23 Dmitry Kasatkin <d.kasatkin@samsung.com>
|
|
|
|
version 0.9
|
|
* Updated README
|
|
* man page generated and added to the package
|
|
* Use additional SMACK xattrs for EVM signature generation
|
|
* Signing functions moved to libimaevm for external use (RPM)
|
|
* Fixed setting of correct hash header
|
|
|
|
2014-05-05 Dmitry Kasatkin <d.kasatkin@samsung.com>
|
|
|
|
version 0.8
|
|
* Symbilic names for keyrings
|
|
* Hash list signing
|
|
* License text fix for using OpenSSL
|
|
* Help output fix
|
|
|
|
2014-02-17 Dmitry Kasatkin <d.kasatkin@samsung.com>
|
|
|
|
version 0.7
|
|
* Fix symbolic links related bugs
|
|
* Provide recursive fixing
|
|
* Provide recursive signing
|
|
* Move IMA verification to the library (first for LTP use)
|
|
* Support for target architecture data size
|
|
* Remove obsolete module signing code
|
|
* Code cleanup
|
|
|
|
2013-08-28 Dmitry Kasatkin <d.kasatkin@samsung.com>
|
|
|
|
version 0.6
|
|
* support for asymmetric crypto keys and new signature format (v2)
|
|
* fixes to set correct hash algo for digital signature v1
|
|
* uuid support for EVM
|
|
* signature verification support
|
|
* test scripts removed
|
|
* README updates
|
|
|
|
2012-05-18 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
|
|
|
|
version 0.3
|
|
* llistxattr returns 0 if there are no xattrs and it is valid
|
|
* Added entry type to directory hash calculation
|
|
* inline block variable renamed
|
|
* Remove forced tag creation
|
|
* Use libexec for programs and scripts
|
|
* Some files updated
|
|
* Do not search for algorithm as it is known
|
|
* Refactored to remove redundant hash initialization code
|
|
* Added hash calculation for special files
|
|
|
|
2012-04-05 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
|
|
|
|
version 0.2
|
|
* added RPM & TAR building makefile rules
|
|
* renamed evm-utils to ima-evm-utils
|
|
* added command options description
|
|
* updated error handling
|
|
* refactored redundant code
|
|
|
|
2012-04-02 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
|
|
|
|
version 0.1.0
|
|
* Fully functional version for lastest 3.x kernels
|
|
|
|
2011-08-24 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
|
|
|
|
version 0.1
|
|
* Initial public version.
|
|
|