Blob Blame History Raw
2020-10-28  Mimi Zohar <zohar@linux.ibm.com>

	version 1.3.2:
	* Bugfixes: importing keys
	* NEW: Docker based travis distro testing
	* Travis bugfixes, code cleanup, software version update,
	  and script removal
	* Initial travis testing

2020-08-11  Mimi Zohar <zohar@linux.ibm.com>

	version 1.3.1:
	* "--pcrs" support for per crypto algorithm
	* Drop/rename "ima_measurement" options
	* Moved this summary from "Changelog" to "NEWS", removing
	  requirement for GNU empty files
	* Distro build fixes

2020-07-21  Mimi Zohar <zohar@linux.ibm.com>

	version 1.3 new features:
	* NEW ima-evm-utils regression test infrastructure with two initial
	  tests:
	  - ima_hash.test: calculate/verify different crypto hash algorithms
	  - sign_verify.test: EVM and IMA sign/verify signature tests
	* TPM 2.0 support
	  - Calculate the new per TPM 2.0 bank template data digest
	  - Support original padding the SHA1 template data digest
	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
	    TPM 2.0 bank PCR values
	  - Calculate the per TPM bank "boot_aggregate" values, including
	    PCRs 8 & 9 in calculation
	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
	  - boot_aggregate.test: compare the calculated "boot_aggregate"
	    values with the "boot_aggregate" value included in the IMA
	    measurement.
	* TPM 1.2 support
	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
	    ("--pcrs" option)
	* Based on original IMA LTP and standalone version support
	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
	    TPM 1.2 BIOS event log.
	  - In addition to verifying the IMA measurement list against the
	    the TPM PCRs, verify the IMA template data digest against the
	    template data.  (Based on LTP "--verify" option.)
	  - Ignore file measurement violations while verifying the IMA
	    measurment list. (Based on LTP "--validate" option.)
	  - Verify the file data signature included in the measurement list
	    based on the file hash also included in the measurement list
	    (--verify-sig)
	  - Support original "ima" template (mixed templates not supported)
	* Support "sm3" crypto name

	Bug fixes and code cleanup:
	* Don't exit with -1 on failure, exit with 125
	* On signature verification failure, include pathname.
	* Provide minimal hash_info.h file in case one doesn't exist, needed
	  by the ima-evm-utils regression tests.
	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
	* Fix hash_algo type comparison mismatch
	* Simplify/clean up code
	* Address compiler complaints and failures
	* Fix memory allocations and leaks
	* Sanity check provided input files are regular files
	* Revert making "tsspcrread" a compile build time decision.
	* Limit additional messages based on log level (-v)

2019-07-30  Mimi Zohar <zohar@linux.ibm.com>

	version 1.2.1 Bug fixes:
	* When verifying multiple file signatures, return correct status
	* Don't automatically use keys from x509 certs if user supplied "--rsa"
	* Fix verifying DIGSIG_VERSION_1 signatures
	* autoconf, openssl fixes


2019-07-24  Mimi Zohar <zohar@linux.ibm.com>

	version 1.2 new features:
	* Generate EVM signatures based on the specified hash algorithm
	* include "security.apparmor" in EVM signature
	* Add support for writing & verifying "user.xxxx" xattrs for testing
	* Support Strebog/Gost hash functions
	* Add OpenSSL engine support
	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
	* Support verifying multiple signatures at once
	* Support new template "buf" field and warn about other unknown fields
	* Improve OpenSSL error reporting
	* Support reading TPM 2.0 PCRs using tsspcrread

	Bug fixes and code cleanup:
	* Update manpage stylesheet detection
	* Fix xattr.h include file
	* On error when reading TPM PCRs, don't log gargabe
	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
	  limiting keyid output to verbose mode
	* Fix hash buffer overflow caused by EVM support for larger hashes,
	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
	* Linked with libcrypto instead of OpenSSL
	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
	* Include new "hash-info.gen" in tar
	* Log the hash algorithm, not just the hash value
	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
	* Fixed other warnings/bugs discovered by clang, coverity
	* Remove indirect calls in verify_hash() to improve code readability
	* Don't fallback to using sha1
	* Namespace some too generic object names
	* Make functions/arrays static if possible


2018-01-28  Mimi Zohar <zohar@us.ibm.com>

	version 1.1
	* Support the new openssl 1.1 api
	* Support for validating multiple pcrs
	* Verify the measurement list signature based on the list digest
	* Verify the "ima-sig" measurement list using multiple keys
	* Fixed parsing the measurement template data field length
	* Portable & immutable EVM signatures (new format)
	* Multiple fixes that have been lingering in the next branch. Some
	  are for experimental features that are not yet supported in the
	  kernel.

2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

	version 1.0
	* Recursive hashing
	* Immutable EVM signatures (experimental)
	* Command 'ima_clear' to remove xattrs
	* Support for passing password to the library
	* Support for asking password safely from the user

2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.9
	* Updated README
	* man page generated and added to the package
	* Use additional SMACK xattrs for EVM signature generation
	* Signing functions moved to libimaevm for external use (RPM)
	* Fixed setting of correct hash header

2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.8
	* Symbilic names for keyrings
	* Hash list signing
	* License text fix for using OpenSSL
	* Help output fix

2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.7
	* Fix symbolic links related bugs
	* Provide recursive fixing
	* Provide recursive signing
	* Move IMA verification to the library (first for LTP use)
	* Support for target architecture data size
	* Remove obsolete module signing code
	* Code cleanup

2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>

	version 0.6
	* support for asymmetric crypto keys and new signature format (v2)
	* fixes to set correct hash algo for digital signature v1
	* uuid support for EVM
	* signature verification support
	* test scripts removed
	* README updates

2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.3
	* llistxattr returns 0 if there are no xattrs and it is valid
	* Added entry type to directory hash calculation
	* inline block variable renamed
	* Remove forced tag creation
	* Use libexec for programs and scripts
	* Some files updated
	* Do not search for algorithm as it is known
	* Refactored to remove redundant hash initialization code
	* Added hash calculation for special files

2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.2
	* added RPM & TAR building makefile rules
	* renamed evm-utils to ima-evm-utils
	* added command options description
	* updated error handling
	* refactored redundant code

2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.1.0
	* Fully functional version for lastest 3.x kernels

2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	version 0.1
	* Initial public version.