2020-10-28 Mimi Zohar <firstname.lastname@example.org> version 1.3.2: * Bugfixes: importing keys * NEW: Docker based travis distro testing * Travis bugfixes, code cleanup, software version update, and script removal * Initial travis testing 2020-08-11 Mimi Zohar <email@example.com> version 1.3.1: * "--pcrs" support for per crypto algorithm * Drop/rename "ima_measurement" options * Moved this summary from "Changelog" to "NEWS", removing requirement for GNU empty files * Distro build fixes 2020-07-21 Mimi Zohar <firstname.lastname@example.org> version 1.3 new features: * NEW ima-evm-utils regression test infrastructure with two initial tests: - ima_hash.test: calculate/verify different crypto hash algorithms - sign_verify.test: EVM and IMA sign/verify signature tests * TPM 2.0 support - Calculate the new per TPM 2.0 bank template data digest - Support original padding the SHA1 template data digest - Compare ALL the re-calculated TPM 2.0 bank PCRs against the TPM 2.0 bank PCR values - Calculate the per TPM bank "boot_aggregate" values, including PCRs 8 & 9 in calculation - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS - boot_aggregate.test: compare the calculated "boot_aggregate" values with the "boot_aggregate" value included in the IMA measurement. * TPM 1.2 support - Additionally support reading the TPM 1.2 PCRs from a supplied file ("--pcrs" option) * Based on original IMA LTP and standalone version support - Calculate the TPM 1.2 "boot_aggregate" based on the exported TPM 1.2 BIOS event log. - In addition to verifying the IMA measurement list against the the TPM PCRs, verify the IMA template data digest against the template data. (Based on LTP "--verify" option.) - Ignore file measurement violations while verifying the IMA measurment list. (Based on LTP "--validate" option.) - Verify the file data signature included in the measurement list based on the file hash also included in the measurement list (--verify-sig) - Support original "ima" template (mixed templates not supported) * Support "sm3" crypto name Bug fixes and code cleanup: * Don't exit with -1 on failure, exit with 125 * On signature verification failure, include pathname. * Provide minimal hash_info.h file in case one doesn't exist, needed by the ima-evm-utils regression tests. * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs * Fix hash_algo type comparison mismatch * Simplify/clean up code * Address compiler complaints and failures * Fix memory allocations and leaks * Sanity check provided input files are regular files * Revert making "tsspcrread" a compile build time decision. * Limit additional messages based on log level (-v) 2019-07-30 Mimi Zohar <email@example.com> version 1.2.1 Bug fixes: * When verifying multiple file signatures, return correct status * Don't automatically use keys from x509 certs if user supplied "--rsa" * Fix verifying DIGSIG_VERSION_1 signatures * autoconf, openssl fixes 2019-07-24 Mimi Zohar <firstname.lastname@example.org> version 1.2 new features: * Generate EVM signatures based on the specified hash algorithm * include "security.apparmor" in EVM signature * Add support for writing & verifying "user.xxxx" xattrs for testing * Support Strebog/Gost hash functions * Add OpenSSL engine support * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures * Support verifying multiple signatures at once * Support new template "buf" field and warn about other unknown fields * Improve OpenSSL error reporting * Support reading TPM 2.0 PCRs using tsspcrread Bug fixes and code cleanup: * Update manpage stylesheet detection * Fix xattr.h include file * On error when reading TPM PCRs, don't log gargabe * Properly return keyid string to calc_keyid_v1/v2 callers, caused by limiting keyid output to verbose mode * Fix hash buffer overflow caused by EVM support for larger hashes, defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts". * Linked with libcrypto instead of OpenSSL * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS * Include new "hash-info.gen" in tar * Log the hash algorithm, not just the hash value * Fixed memory leaks in: EV_MD_CTX, init_public_keys * Fixed other warnings/bugs discovered by clang, coverity * Remove indirect calls in verify_hash() to improve code readability * Don't fallback to using sha1 * Namespace some too generic object names * Make functions/arrays static if possible 2018-01-28 Mimi Zohar <email@example.com> version 1.1 * Support the new openssl 1.1 api * Support for validating multiple pcrs * Verify the measurement list signature based on the list digest * Verify the "ima-sig" measurement list using multiple keys * Fixed parsing the measurement template data field length * Portable & immutable EVM signatures (new format) * Multiple fixes that have been lingering in the next branch. Some are for experimental features that are not yet supported in the kernel. 2014-07-30 Dmitry Kasatkin <firstname.lastname@example.org> version 1.0 * Recursive hashing * Immutable EVM signatures (experimental) * Command 'ima_clear' to remove xattrs * Support for passing password to the library * Support for asking password safely from the user 2014-09-23 Dmitry Kasatkin <email@example.com> version 0.9 * Updated README * man page generated and added to the package * Use additional SMACK xattrs for EVM signature generation * Signing functions moved to libimaevm for external use (RPM) * Fixed setting of correct hash header 2014-05-05 Dmitry Kasatkin <firstname.lastname@example.org> version 0.8 * Symbilic names for keyrings * Hash list signing * License text fix for using OpenSSL * Help output fix 2014-02-17 Dmitry Kasatkin <email@example.com> version 0.7 * Fix symbolic links related bugs * Provide recursive fixing * Provide recursive signing * Move IMA verification to the library (first for LTP use) * Support for target architecture data size * Remove obsolete module signing code * Code cleanup 2013-08-28 Dmitry Kasatkin <firstname.lastname@example.org> version 0.6 * support for asymmetric crypto keys and new signature format (v2) * fixes to set correct hash algo for digital signature v1 * uuid support for EVM * signature verification support * test scripts removed * README updates 2012-05-18 Dmitry Kasatkin <email@example.com> version 0.3 * llistxattr returns 0 if there are no xattrs and it is valid * Added entry type to directory hash calculation * inline block variable renamed * Remove forced tag creation * Use libexec for programs and scripts * Some files updated * Do not search for algorithm as it is known * Refactored to remove redundant hash initialization code * Added hash calculation for special files 2012-04-05 Dmitry Kasatkin <firstname.lastname@example.org> version 0.2 * added RPM & TAR building makefile rules * renamed evm-utils to ima-evm-utils * added command options description * updated error handling * refactored redundant code 2012-04-02 Dmitry Kasatkin <email@example.com> version 0.1.0 * Fully functional version for lastest 3.x kernels 2011-08-24 Dmitry Kasatkin <firstname.lastname@example.org> version 0.1 * Initial public version.