File: NEWS

package info (click to toggle)
ima-evm-utils 1.3.2-2.1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 620 kB
  • sloc: ansic: 3,425; sh: 1,096; makefile: 66
file content (202 lines) | stat: -rw-r--r-- 7,392 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
2020-10-28  Mimi Zohar <zohar@linux.ibm.com>

	version 1.3.2:
	* Bugfixes: importing keys
	* NEW: Docker based travis distro testing
	* Travis bugfixes, code cleanup, software version update,
	  and script removal
	* Initial travis testing

2020-08-11  Mimi Zohar <zohar@linux.ibm.com>

	version 1.3.1:
	* "--pcrs" support for per crypto algorithm
	* Drop/rename "ima_measurement" options
	* Moved this summary from "Changelog" to "NEWS", removing
	  requirement for GNU empty files
	* Distro build fixes

2020-07-21  Mimi Zohar <zohar@linux.ibm.com>

	version 1.3 new features:
	* NEW ima-evm-utils regression test infrastructure with two initial
	  tests:
	  - ima_hash.test: calculate/verify different crypto hash algorithms
	  - sign_verify.test: EVM and IMA sign/verify signature tests
	* TPM 2.0 support
	  - Calculate the new per TPM 2.0 bank template data digest
	  - Support original padding the SHA1 template data digest
	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
	    TPM 2.0 bank PCR values
	  - Calculate the per TPM bank "boot_aggregate" values, including
	    PCRs 8 & 9 in calculation
	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
	  - boot_aggregate.test: compare the calculated "boot_aggregate"
	    values with the "boot_aggregate" value included in the IMA
	    measurement.
	* TPM 1.2 support
	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
	    ("--pcrs" option)
	* Based on original IMA LTP and standalone version support
	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
	    TPM 1.2 BIOS event log.
	  - In addition to verifying the IMA measurement list against the
	    the TPM PCRs, verify the IMA template data digest against the
	    template data.  (Based on LTP "--verify" option.)
	  - Ignore file measurement violations while verifying the IMA
	    measurment list. (Based on LTP "--validate" option.)
	  - Verify the file data signature included in the measurement list
	    based on the file hash also included in the measurement list
	    (--verify-sig)
	  - Support original "ima" template (mixed templates not supported)
	* Support "sm3" crypto name

	Bug fixes and code cleanup:
	* Don't exit with -1 on failure, exit with 125
	* On signature verification failure, include pathname.
	* Provide minimal hash_info.h file in case one doesn't exist, needed
	  by the ima-evm-utils regression tests.
	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
	* Fix hash_algo type comparison mismatch
	* Simplify/clean up code
	* Address compiler complaints and failures
	* Fix memory allocations and leaks
	* Sanity check provided input files are regular files
	* Revert making "tsspcrread" a compile build time decision.
	* Limit additional messages based on log level (-v)

2019-07-30  Mimi Zohar <zohar@linux.ibm.com>

	version 1.2.1 Bug fixes:
	* When verifying multiple file signatures, return correct status
	* Don't automatically use keys from x509 certs if user supplied "--rsa"
	* Fix verifying DIGSIG_VERSION_1 signatures
	* autoconf, openssl fixes


2019-07-24  Mimi Zohar <zohar@linux.ibm.com>

	version 1.2 new features:
	* Generate EVM signatures based on the specified hash algorithm
	* include "security.apparmor" in EVM signature
	* Add support for writing & verifying "user.xxxx" xattrs for testing
	* Support Strebog/Gost hash functions
	* Add OpenSSL engine support
	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
	* Support verifying multiple signatures at once
	* Support new template "buf" field and warn about other unknown fields
	* Improve OpenSSL error reporting
	* Support reading TPM 2.0 PCRs using tsspcrread

	Bug fixes and code cleanup:
	* Update manpage stylesheet detection
	* Fix xattr.h include file
	* On error when reading TPM PCRs, don't log gargabe
	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
	  limiting keyid output to verbose mode
	* Fix hash buffer overflow caused by EVM support for larger hashes,
	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
	* Linked with libcrypto instead of OpenSSL
	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
	* Include new "hash-info.gen" in tar
	* Log the hash algorithm, not just the hash value
	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
	* Fixed other warnings/bugs discovered by clang, coverity
	* Remove indirect calls in verify_hash() to improve code readability
	* Don't fallback to using sha1
	* Namespace some too generic object names
	* Make functions/arrays static if possible


2018-01-28  Mimi Zohar <zohar@us.ibm.com>

	version 1.1
	* Support the new openssl 1.1 api
	* Support for validating multiple pcrs
	* Verify the measurement list signature based on the list digest
	* Verify the "ima-sig" measurement list using multiple keys
	* Fixed parsing the measurement template data field length
	* Portable & immutable EVM signatures (new format)
	* Multiple fixes that have been lingering in the next branch. Some
	  are for experimental features that are not yet supported in the
	  kernel.

2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

	version 1.0
	* Recursive hashing
	* Immutable EVM signatures (experimental)
	* Command 'ima_clear' to remove xattrs
	* Support for passing password to the library
	* Support for asking password safely from the user

2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.9
	* Updated README
	* man page generated and added to the package
	* Use additional SMACK xattrs for EVM signature generation
	* Signing functions moved to libimaevm for external use (RPM)
	* Fixed setting of correct hash header

2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.8
	* Symbilic names for keyrings
	* Hash list signing
	* License text fix for using OpenSSL
	* Help output fix

2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.7
	* Fix symbolic links related bugs
	* Provide recursive fixing
	* Provide recursive signing
	* Move IMA verification to the library (first for LTP use)
	* Support for target architecture data size
	* Remove obsolete module signing code
	* Code cleanup

2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.6
	* support for asymmetric crypto keys and new signature format (v2)
	* fixes to set correct hash algo for digital signature v1
	* uuid support for EVM
	* signature verification support
	* test scripts removed
	* README updates

2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.3
	* llistxattr returns 0 if there are no xattrs and it is valid
	* Added entry type to directory hash calculation
	* inline block variable renamed
	* Remove forced tag creation
	* Use libexec for programs and scripts
	* Some files updated
	* Do not search for algorithm as it is known
	* Refactored to remove redundant hash initialization code
	* Added hash calculation for special files

2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.2
	* added RPM & TAR building makefile rules
	* renamed evm-utils to ima-evm-utils
	* added command options description
	* updated error handling
	* refactored redundant code

2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.1.0
	* Fully functional version for lastest 3.x kernels

2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.1
	* Initial public version.