| 2020-10-28 Mimi Zohar <zohar@linux.ibm.com> |
| |
| version 1.3.2: |
| * Bugfixes: importing keys |
| * NEW: Docker based travis distro testing |
| * Travis bugfixes, code cleanup, software version update, |
| and script removal |
| * Initial travis testing |
| |
| 2020-08-11 Mimi Zohar <zohar@linux.ibm.com> |
| |
| version 1.3.1: |
| * "--pcrs" support for per crypto algorithm |
| * Drop/rename "ima_measurement" options |
| * Moved this summary from "Changelog" to "NEWS", removing |
| requirement for GNU empty files |
| * Distro build fixes |
| |
| 2020-07-21 Mimi Zohar <zohar@linux.ibm.com> |
| |
| version 1.3 new features: |
| * NEW ima-evm-utils regression test infrastructure with two initial |
| tests: |
| - ima_hash.test: calculate/verify different crypto hash algorithms |
| - sign_verify.test: EVM and IMA sign/verify signature tests |
| * TPM 2.0 support |
| - Calculate the new per TPM 2.0 bank template data digest |
| - Support original padding the SHA1 template data digest |
| - Compare ALL the re-calculated TPM 2.0 bank PCRs against the |
| TPM 2.0 bank PCR values |
| - Calculate the per TPM bank "boot_aggregate" values, including |
| PCRs 8 & 9 in calculation |
| - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS |
| - boot_aggregate.test: compare the calculated "boot_aggregate" |
| values with the "boot_aggregate" value included in the IMA |
| measurement. |
| * TPM 1.2 support |
| - Additionally support reading the TPM 1.2 PCRs from a supplied file |
| ("--pcrs" option) |
| * Based on original IMA LTP and standalone version support |
| - Calculate the TPM 1.2 "boot_aggregate" based on the exported |
| TPM 1.2 BIOS event log. |
| - In addition to verifying the IMA measurement list against the |
| the TPM PCRs, verify the IMA template data digest against the |
| template data. (Based on LTP "--verify" option.) |
| - Ignore file measurement violations while verifying the IMA |
| measurment list. (Based on LTP "--validate" option.) |
| - Verify the file data signature included in the measurement list |
| based on the file hash also included in the measurement list |
| (--verify-sig) |
| - Support original "ima" template (mixed templates not supported) |
| * Support "sm3" crypto name |
| |
| Bug fixes and code cleanup: |
| * Don't exit with -1 on failure, exit with 125 |
| * On signature verification failure, include pathname. |
| * Provide minimal hash_info.h file in case one doesn't exist, needed |
| by the ima-evm-utils regression tests. |
| * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs |
| * Fix hash_algo type comparison mismatch |
| * Simplify/clean up code |
| * Address compiler complaints and failures |
| * Fix memory allocations and leaks |
| * Sanity check provided input files are regular files |
| * Revert making "tsspcrread" a compile build time decision. |
| * Limit additional messages based on log level (-v) |
| |
| 2019-07-30 Mimi Zohar <zohar@linux.ibm.com> |
| |
| version 1.2.1 Bug fixes: |
| * When verifying multiple file signatures, return correct status |
| * Don't automatically use keys from x509 certs if user supplied "--rsa" |
| * Fix verifying DIGSIG_VERSION_1 signatures |
| * autoconf, openssl fixes |
| |
| |
| 2019-07-24 Mimi Zohar <zohar@linux.ibm.com> |
| |
| version 1.2 new features: |
| * Generate EVM signatures based on the specified hash algorithm |
| * include "security.apparmor" in EVM signature |
| * Add support for writing & verifying "user.xxxx" xattrs for testing |
| * Support Strebog/Gost hash functions |
| * Add OpenSSL engine support |
| * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures |
| * Support verifying multiple signatures at once |
| * Support new template "buf" field and warn about other unknown fields |
| * Improve OpenSSL error reporting |
| * Support reading TPM 2.0 PCRs using tsspcrread |
| |
| Bug fixes and code cleanup: |
| * Update manpage stylesheet detection |
| * Fix xattr.h include file |
| * On error when reading TPM PCRs, don't log gargabe |
| * Properly return keyid string to calc_keyid_v1/v2 callers, caused by |
| limiting keyid output to verbose mode |
| * Fix hash buffer overflow caused by EVM support for larger hashes, |
| defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts". |
| * Linked with libcrypto instead of OpenSSL |
| * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS |
| * Include new "hash-info.gen" in tar |
| * Log the hash algorithm, not just the hash value |
| * Fixed memory leaks in: EV_MD_CTX, init_public_keys |
| * Fixed other warnings/bugs discovered by clang, coverity |
| * Remove indirect calls in verify_hash() to improve code readability |
| * Don't fallback to using sha1 |
| * Namespace some too generic object names |
| * Make functions/arrays static if possible |
| |
| |
| 2018-01-28 Mimi Zohar <zohar@us.ibm.com> |
| |
| version 1.1 |
| * Support the new openssl 1.1 api |
| * Support for validating multiple pcrs |
| * Verify the measurement list signature based on the list digest |
| * Verify the "ima-sig" measurement list using multiple keys |
| * Fixed parsing the measurement template data field length |
| * Portable & immutable EVM signatures (new format) |
| * Multiple fixes that have been lingering in the next branch. Some |
| are for experimental features that are not yet supported in the |
| kernel. |
| |
| 2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com> |
| |
| version 1.0 |
| * Recursive hashing |
| * Immutable EVM signatures (experimental) |
| * Command 'ima_clear' to remove xattrs |
| * Support for passing password to the library |
| * Support for asking password safely from the user |
| |
| 2014-09-23 Dmitry Kasatkin <d.kasatkin@samsung.com> |
| |
| version 0.9 |
| * Updated README |
| * man page generated and added to the package |
| * Use additional SMACK xattrs for EVM signature generation |
| * Signing functions moved to libimaevm for external use (RPM) |
| * Fixed setting of correct hash header |
| |
| 2014-05-05 Dmitry Kasatkin <d.kasatkin@samsung.com> |
| |
| version 0.8 |
| * Symbilic names for keyrings |
| * Hash list signing |
| * License text fix for using OpenSSL |
| * Help output fix |
| |
| 2014-02-17 Dmitry Kasatkin <d.kasatkin@samsung.com> |
| |
| version 0.7 |
| * Fix symbolic links related bugs |
| * Provide recursive fixing |
| * Provide recursive signing |
| * Move IMA verification to the library (first for LTP use) |
| * Support for target architecture data size |
| * Remove obsolete module signing code |
| * Code cleanup |
| |
| 2013-08-28 Dmitry Kasatkin <d.kasatkin@samsung.com> |
| |
| version 0.6 |
| * support for asymmetric crypto keys and new signature format (v2) |
| * fixes to set correct hash algo for digital signature v1 |
| * uuid support for EVM |
| * signature verification support |
| * test scripts removed |
| * README updates |
| |
| 2012-05-18 Dmitry Kasatkin <dmitry.kasatkin@intel.com> |
| |
| version 0.3 |
| * llistxattr returns 0 if there are no xattrs and it is valid |
| * Added entry type to directory hash calculation |
| * inline block variable renamed |
| * Remove forced tag creation |
| * Use libexec for programs and scripts |
| * Some files updated |
| * Do not search for algorithm as it is known |
| * Refactored to remove redundant hash initialization code |
| * Added hash calculation for special files |
| |
| 2012-04-05 Dmitry Kasatkin <dmitry.kasatkin@intel.com> |
| |
| version 0.2 |
| * added RPM & TAR building makefile rules |
| * renamed evm-utils to ima-evm-utils |
| * added command options description |
| * updated error handling |
| * refactored redundant code |
| |
| 2012-04-02 Dmitry Kasatkin <dmitry.kasatkin@intel.com> |
| |
| version 0.1.0 |
| * Fully functional version for lastest 3.x kernels |
| |
| 2011-08-24 Dmitry Kasatkin <dmitry.kasatkin@intel.com> |
| |
| version 0.1 |
| * Initial public version. |
| |