Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorri...
authorLinus Torvalds <torvalds@linux-foundation.org>
Mon, 11 Mar 2019 00:32:04 +0000 (17:32 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Mon, 11 Mar 2019 00:32:04 +0000 (17:32 -0700)
Pull integrity updates from James Morris:
 "Mimi Zohar says:

   'Linux 5.0 introduced the platform keyring to allow verifying the IMA
    kexec kernel image signature using the pre-boot keys. This pull
    request similarly makes keys on the platform keyring accessible for
    verifying the PE kernel image signature.

    Also included in this pull request is a new IMA hook that tags tmp
    files, in policy, indicating the file hash needs to be calculated.
    The remaining patches are cleanup'"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  evm: Use defined constant for UUID representation
  ima: define ima_post_create_tmpfile() hook and add missing call
  evm: remove set but not used variable 'xattr'
  encrypted-keys: fix Opt_err/Opt_error = -1
  kexec, KEYS: Make use of platform keyring for signature verify
  integrity, KEYS: add a reference to platform keyring

arch/x86/kernel/kexec-bzimage64.c
fs/namei.c

index 1f3b77367948d4abd67c7c0f4d4e6bfff85fb380,e1215a600064b3b5416b87fd03e86df246c2b742..22f60dd26460c1d91477c3a0ca16b8ec8c7b4a0c
@@@ -167,9 -167,6 +167,9 @@@ setup_efi_state(struct boot_params *par
        struct efi_info *current_ei = &boot_params.efi_info;
        struct efi_info *ei = &params->efi_info;
  
 +      if (!efi_enabled(EFI_RUNTIME_SERVICES))
 +              return 0;
 +
        if (!current_ei->efi_memmap_size)
                return 0;
  
@@@ -218,9 -215,6 +218,9 @@@ setup_boot_parameters(struct kimage *im
        params->screen_info.ext_mem_k = 0;
        params->alt_mem_k = 0;
  
 +      /* Always fill in RSDP: it is either 0 or a valid value */
 +      params->acpi_rsdp_addr = boot_params.acpi_rsdp_addr;
 +
        /* Default APM info */
        memset(&params->apm_bios_info, 0, sizeof(params->apm_bios_info));
  
        setup_efi_state(params, params_load_addr, efi_map_offset, efi_map_sz,
                        efi_setup_data_offset);
  #endif
 -
        /* Setup EDD info */
        memcpy(params->eddbuf, boot_params.eddbuf,
                                EDDMAXNR * sizeof(struct edd_info));
@@@ -439,7 -434,6 +439,7 @@@ static void *bzImage64_load(struct kima
        kbuf.memsz = PAGE_ALIGN(header->init_size);
        kbuf.buf_align = header->kernel_alignment;
        kbuf.buf_min = MIN_KERNEL_LOAD_ADDR;
 +      kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
        ret = kexec_add_buffer(&kbuf);
        if (ret)
                goto out_free_params;
                kbuf.bufsz = kbuf.memsz = initrd_len;
                kbuf.buf_align = PAGE_SIZE;
                kbuf.buf_min = MIN_INITRD_LOAD_ADDR;
 +              kbuf.mem = KEXEC_BUF_MEM_UNKNOWN;
                ret = kexec_add_buffer(&kbuf);
                if (ret)
                        goto out_free_params;
@@@ -538,9 -531,17 +538,17 @@@ static int bzImage64_cleanup(void *load
  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
  {
-       return verify_pefile_signature(kernel, kernel_len,
-                                      VERIFY_USE_SECONDARY_KEYRING,
-                                      VERIFYING_KEXEC_PE_SIGNATURE);
+       int ret;
+       ret = verify_pefile_signature(kernel, kernel_len,
+                                     VERIFY_USE_SECONDARY_KEYRING,
+                                     VERIFYING_KEXEC_PE_SIGNATURE);
+       if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+               ret = verify_pefile_signature(kernel, kernel_len,
+                                             VERIFY_USE_PLATFORM_KEYRING,
+                                             VERIFYING_KEXEC_PE_SIGNATURE);
+       }
+       return ret;
  }
  #endif
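Review bot: The fallback at `if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))` encodes a trust decision that should be written down: only a "no matching key" result from the secondary keyring is retried against the pre-boot keys, while any other verification failure (a key that was found but did not validate the signature, or a malformed PE signature) stays final and is never retried. Suggest adding above the if: `/* Retry against the pre-boot (platform) keys only when the secondary keyring holds no matching key; a failed check by a known key is final. */`. It is also worth stating, here or in the Kconfig help, that the platform keyring is only as trustworthy as the firmware that supplied those keys, which this function cannot verify on its own. Separately, checkpatch will flag `int ret;` followed directly by the assignment; `int ret = verify_pefile_signature(kernel, kernel_len, VERIFY_USE_SECONDARY_KEYRING, VERIFYING_KEXEC_PE_SIGNATURE);` keeps the declaration and its initializer together and avoids the missing blank line.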
  
diff --combined fs/namei.c
index 0a8c5c27f90ece13c76f1a701c241ecbdbfc40a8,373a7ec4b09d3b6660c81a6453e0c91a198a62e8..3662a09830be685b1b359497580ec745b1bd6737
@@@ -39,6 -39,7 +39,6 @@@
  #include <linux/bitops.h>
  #include <linux/init_task.h>
  #include <linux/uaccess.h>
 -#include <linux/build_bug.h>
  
  #include "internal.h"
  #include "mount.h"
@@@ -130,6 -131,7 +130,6 @@@ getname_flags(const char __user *filena
        struct filename *result;
        char *kname;
        int len;
 -      BUILD_BUG_ON(offsetof(struct filename, iname) % sizeof(long) != 0);
  
        result = audit_reusename(filename);
        if (result)
@@@ -2718,7 -2720,7 +2718,7 @@@ filename_mountpoint(int dfd, struct fil
        if (unlikely(error == -ESTALE))
                error = path_mountpoint(&nd, flags | LOOKUP_REVAL, path);
        if (likely(!error))
 -              audit_inode(name, path->dentry, 0);
 +              audit_inode(name, path->dentry, flags & LOOKUP_NO_EVAL);
        restore_nameidata();
        putname(name);
        return error;
@@@ -3460,6 -3462,7 +3460,7 @@@ struct dentry *vfs_tmpfile(struct dentr
                inode->i_state |= I_LINKABLE;
                spin_unlock(&inode->i_lock);
        }
+       ima_post_create_tmpfile(inode);
        return child;
  
  out_err:
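Review bot: The new `ima_post_create_tmpfile(inode);` call runs unconditionally on the success path with no note on what it records or why it sits after the `I_LINKABLE` handling above it; a one-line comment would help the next reader of vfs_tmpfile, e.g. `/* Let IMA tag the new anonymous inode per policy so its hash is computed before first use. */`. The commit description suggests the hook is a policy-driven tag and presumably a no-op when IMA is compiled out, but neither is visible in this hunk, so confirm against the stub in linux/ima.h before relying on it. vfs_tmpfile starts outside the hunk.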