- Update to version 1.5
* CI changes:
* New: UML kernel testing environment
* Support for running specific test(s)
* Update distros
* Update software release versions
* New features:
* Signing fs-verity signatures
* Reading TPM 2.0 PCRs via sysfs interface
* New tests:
* Missing IMA mmapped file measurements
* Overlapping IMA policy rules
* EVM portable signatures
* fs-verity file measurements in the IMA measurement list
* Build and library changes:
* OpenSSL 3.0 version related changes
* New configuration options: --disable-engine, --enable-sigv1
* Deprecate IMA signature v1 format
* Misc bug fixes and code cleanup:
* memory leaks, bounds checking, use after free
* Fix and update test output
* Add missing sanity checks
* Documentation:
* Store the sourceforge ima-evm-utils wiki for historical
purposes.
- Upstream bumped soname to 4.0.0
- Add BuildRequires: e2fsprogs util-linux (required by tests, which are mandatory)
- /usr/sbin to PATH (0001-fsverity.test-Add-usr-sbin-into-PATH.patch, sent to upstream ML) (forwarded request 1070704 from pevik)
OBS-URL: https://build.opensuse.org/request/show/1070713
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ima-evm-utils?expand=0&rev=22
- Update to version 1.5
* CI changes:
* New: UML kernel testing environment
* Support for running specific test(s)
* Update distros
* Update software release versions
* New features:
* Signing fs-verity signatures
* Reading TPM 2.0 PCRs via sysfs interface
* New tests:
* Missing IMA mmapped file measurements
* Overlapping IMA policy rules
* EVM portable signatures
* fs-verity file measurements in the IMA measurement list
* Build and library changes:
* OpenSSL 3.0 version related changes
* New configuration options: --disable-engine, --enable-sigv1
* Deprecate IMA signature v1 format
* Misc bug fixes and code cleanup:
* memory leaks, bounds checking, use after free
* Fix and update test output
* Add missing sanity checks
* Documentation:
* Store the sourceforge ima-evm-utils wiki for historical
purposes.
- Upstream bumped soname to 4.0.0
- Add BuildRequires: e2fsprogs util-linux (required by tests, which are mandatory)
- /usr/sbin to PATH (0001-fsverity.test-Add-usr-sbin-into-PATH.patch, sent to upstream ML)
OBS-URL: https://build.opensuse.org/request/show/1070704
OBS-URL: https://build.opensuse.org/package/show/security/ima-evm-utils?expand=0&rev=54
- Update to version 1.4
* Elliptic curve support and tests
* PKCS11 support and tests
* Ability to manually specify the keyid included in the IMA xattr
* Improve IMA measurement list per TPM bank verification
* Linking with IBM TSS
* Set default hash algorithm in package configuration
* (Minimal) support and test EVM portable signatures
* CI testing:
* Refresh and include new distros
* Podman support
* GitHub Actions
* Limit "sudo" usage
* Misc bug fixes and code cleanup
* Fix static analysis bug reports, memory leaks
* Remove experimental code that was never upstreamed in the kernel
* Use unsigned variable, remove unused variables, etc
- Upstream bumped soname to 3.0.0
OBS-URL: https://build.opensuse.org/request/show/929570
OBS-URL: https://build.opensuse.org/package/show/security/ima-evm-utils?expand=0&rev=51
- Update to version 1.3
version 1.3 new features:
* NEW ima-evm-utils regression test infrastructure with two initial
tests:
- ima_hash.test: calculate/verify different crypto hash algorithms
- sign_verify.test: EVM and IMA sign/verify signature tests
* TPM 2.0 support
- Calculate the new per TPM 2.0 bank template data digest
- Support original padding the SHA1 template data digest
- Compare ALL the re-calculated TPM 2.0 bank PCRs against the
TPM 2.0 bank PCR values
- Calculate the per TPM bank "boot_aggregate" values, including
PCRs 8 & 9 in calculation
- Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
- boot_aggregate.test: compare the calculated "boot_aggregate"
values with the "boot_aggregate" value included in the IMA
measurement.
* TPM 1.2 support
- Additionally support reading the TPM 1.2 PCRs from a supplied file
("--pcrs" option)
* Based on original IMA LTP and standalone version support
- Calculate the TPM 1.2 "boot_aggregate" based on the exported
TPM 1.2 BIOS event log.
- In addition to verifying the IMA measurement list against the
the TPM PCRs, verify the IMA template data digest against the
template data. (Based on LTP "--verify" option.)
- Ignore file measurement violations while verifying the IMA
measurment list. (Based on LTP "--validate" option.)
- Verify the file data signature included in the measurement list
based on the file hash also included in the measurement list
OBS-URL: https://build.opensuse.org/request/show/822216
OBS-URL: https://build.opensuse.org/package/show/security/ima-evm-utils?expand=0&rev=40
- Update to version 1.2.1 (included changes of unreleased v1.2)
version 1.2 new features:
* Generate EVM signatures based on the specified hash algorithm
* include "security.apparmor" in EVM signature
* Add support for writing & verifying "user.xxxx" xattrs for testing
* Support Strebog/Gost hash functions
* Add OpenSSL engine support
* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
* Support verifying multiple signatures at once
* Support new template "buf" field and warn about other unknown fields
* Improve OpenSSL error reporting
* Support reading TPM 2.0 PCRs using tsspcrread
Bug fixes and code cleanup:
* Update manpage stylesheet detection
* Fix xattr.h include file
* On error when reading TPM PCRs, don't log gargabe
* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
limiting keyid output to verbose mode
* Fix hash buffer overflow caused by EVM support for larger hashes,
defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
* Linked with libcrypto instead of OpenSSL
* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
* Include new "hash-info.gen" in tar
* Log the hash algorithm, not just the hash value
* Fixed memory leaks in: EV_MD_CTX, init_public_keys
* Fixed other warnings/bugs discovered by clang, coverity
* Remove indirect calls in verify_hash() to improve code readability
* Don't fallback to using sha1
* Namespace some too generic object names
* Make functions/arrays static if possible (forwarded request 719901 from pevik)
OBS-URL: https://build.opensuse.org/request/show/722572
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ima-evm-utils?expand=0&rev=15
- Update to version 1.2.1 (included changes of unreleased v1.2)
version 1.2 new features:
* Generate EVM signatures based on the specified hash algorithm
* include "security.apparmor" in EVM signature
* Add support for writing & verifying "user.xxxx" xattrs for testing
* Support Strebog/Gost hash functions
* Add OpenSSL engine support
* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
* Support verifying multiple signatures at once
* Support new template "buf" field and warn about other unknown fields
* Improve OpenSSL error reporting
* Support reading TPM 2.0 PCRs using tsspcrread
Bug fixes and code cleanup:
* Update manpage stylesheet detection
* Fix xattr.h include file
* On error when reading TPM PCRs, don't log gargabe
* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
limiting keyid output to verbose mode
* Fix hash buffer overflow caused by EVM support for larger hashes,
defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
* Linked with libcrypto instead of OpenSSL
* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
* Include new "hash-info.gen" in tar
* Log the hash algorithm, not just the hash value
* Fixed memory leaks in: EV_MD_CTX, init_public_keys
* Fixed other warnings/bugs discovered by clang, coverity
* Remove indirect calls in verify_hash() to improve code readability
* Don't fallback to using sha1
* Namespace some too generic object names
* Make functions/arrays static if possible
OBS-URL: https://build.opensuse.org/request/show/719901
OBS-URL: https://build.opensuse.org/package/show/security/ima-evm-utils?expand=0&rev=38
- Update to version 1.1
* Support the new openssl 1.1 api
* Support for validating multiple pcrs
* Verify the measurement list signature based on the list digest
* Verify the "ima-sig" measurement list using multiple keys
* Fixed parsing the measurement template data field length
* Portable & immutable EVM signatures (new format)
* Multiple fixes that have been lingering in the next branch. Some
are for experimental features that are not yet supported in the
kernel.
- Drop ima-evm-utils-openssl1.patch (not needed any more as IMA got
backward compatible support for openssl 1.1). (forwarded request 587829 from pevik)
OBS-URL: https://build.opensuse.org/request/show/587839
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ima-evm-utils?expand=0&rev=13
- Update to version 1.1
* Support the new openssl 1.1 api
* Support for validating multiple pcrs
* Verify the measurement list signature based on the list digest
* Verify the "ima-sig" measurement list using multiple keys
* Fixed parsing the measurement template data field length
* Portable & immutable EVM signatures (new format)
* Multiple fixes that have been lingering in the next branch. Some
are for experimental features that are not yet supported in the
kernel.
- Drop ima-evm-utils-openssl1.patch (not needed any more as IMA got
backward compatible support for openssl 1.1).
OBS-URL: https://build.opensuse.org/request/show/587829
OBS-URL: https://build.opensuse.org/package/show/security/ima-evm-utils?expand=0&rev=34
