/openbmc/linux/tools/perf/Documentation/security.txt
  6: https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
  13: Targeted policy with perf_event_open() access control capabilities:
  15: 1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
  18: # rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm
  22: # rpmbuild -bp selinux-policy.spec
  24: 3. Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
  27: # patch -p1 < selinux-policy-perf-events-perfmon.patch
  28: patching file policy/flask/access_vectors
  29: patching file policy/flask/security_classes
  30: # cat selinux-policy-perf-events-perfmon.patch
  [all …]
/openbmc/linux/security/apparmor/Kconfig
  1: # SPDX-License-Identifier: GPL-2.0-only
  14: http://apparmor.wiki.kernel.org
  43: Set the default value of the apparmor.debug kernel parameter.
  45: the kernel message buffer.
  48: bool "Allow loaded policy to be introspected"
  52: This option selects whether introspection of loaded policy
  54: adds to kernel memory usage. It is required for introspection
  55: of loaded policy, and check point and restore support. It
  66: This option selects whether introspection of loaded policy
  69: checking loaded policy. This option adds to policy load
  [all …]
/openbmc/linux/security/integrity/ima/Kconfig
  1: # SPDX-License-Identifier: GPL-2.0-only
  41: running kernel must be saved and restored on boot.
  43: Depending on the IMA policy, the measurement list can grow to
  60: Disabling this option will disregard LSM based policy rules.
  70: limited to 255 characters. The 'ima-ng' measurement list
  76: bool "ima-ng (default)"
  78: bool "ima-sig"
  83: default "ima-ng" if IMA_NG_TEMPLATE
  84: default "ima-sig" if IMA_SIG_TEMPLATE
  92: hash algorithm can be overwritten using the kernel command
  [all …]

/openbmc/linux/security/integrity/ima/ima_main.c
  1: // SPDX-License-Identifier: GPL-2.0-only
  53: if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {   (in hash_setup())
  93: mapping_writably_mapped(file->f_mapping)) {   (in mmap_violation_check())
  94: rc = -ETXTBSY;   (in mmap_violation_check())
  97: if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */   (in mmap_violation_check())
  98: *pathname = ima_d_path(&file->f_path, pathbuf,   (in mmap_violation_check())
  110: * - Opening a file for write when already open for read,
  112: * - Opening a file for read when already open for write,
  124: fmode_t mode = file->f_mode;   (in ima_rdwr_violation_check())
  128: if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {   (in ima_rdwr_violation_check())
  [all …]
/openbmc/linux/security/tomoyo/Kconfig
  1: # SPDX-License-Identifier: GPL-2.0-only
  11: This selects TOMOYO Linux, pathname-based access control.
  23: that are automatically appended into policy at "learning mode".
  36: audit logs that the kernel can hold on memory.
  37: You can read the log via /sys/kernel/security/tomoyo/audit.
  41: bool "Activate without calling userspace policy loader."
  45: Say Y here if you want to activate access control as soon as built-in
  46: policy was loaded. This option will be useful for systems where
  48: needed before loading the policy. For example, you can activate
  49: immediately after loading the fixed part of policy which will allow
  [all …]
/openbmc/linux/tools/testing/selftests/kexec/test_kexec_file_load.sh
  2: # SPDX-License-Identifier: GPL-2.0
  4: # Loading a kernel image via the kexec_file_load syscall can verify either
  6: # both signatures depending on the IMA policy, or none.
  8: # To determine whether the kernel image is signed, this test depends
  9: # on pesign and getfattr. This test also requires the kernel to be
  11: # enabled or access to the extract-ikconfig script.
  16: trap "{ rm -f $IKCONFIG ; }" EXIT
  18: # Some of the IMA builtin policies may require the kexec kernel image to
  19: # be signed, but these policy rules may be replaced with a custom
  20: # policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
  [all …]
/openbmc/openbmc/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
  3: # Loads IMA policy into the kernel.
  19: if ! grep -w securityfs /proc/mounts >/dev/null; then
  20: if ! mount -t securityfs securityfs /sys/kernel/security; then
  24: if [ ! -d /sys/kernel/security/ima ]; then
  25: fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
  28: # Instead of depending on the kernel to load the IMA X.509 certificate,
  32: # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
  35: if [ -s $key ]; then
  36: id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
  40: if [ -z "$id" ]; then
  [all …]
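The initramfs script matched above locates the kernel keyring for the IMA (or EVM) certificate by grepping /proc/keys. The shell functions below are an added example, not part of the meta-integrity script: they do the same lookup keyed on the type and description columns of /proc/keys rather than on a bare word match, and show the 0x prefix the id needs when it is handed to keyctl. The /proc/keys listing and its key ids are constructed, and the keyctl line in the trailing comment is hypothetical usage, not run here.

```shell
#!/bin/sh
# Added example; not part of the meta-integrity initramfs "ima" script.
# Finds the kernel keyring that an IMA or EVM X.509 certificate has to be
# loaded into by parsing /proc/keys, as the initramfs script does with
# grep/cut, but matching on the TYPE and DESCRIPTION columns.
#
# /proc/keys columns: ID FLAGS USAGE TIMEOUT PERMS UID GID TYPE DESCRIPTION
# For a keyring the description is printed as "<name>: <member count>".

# Constructed /proc/keys listing with hypothetical key ids.
SAMPLE_PROC_KEYS='0a1b2c3d I------     1 perm 1f3f0000     0     0 keyring   .builtin_trusted_keys: 1
3e1ea6d3 I------     1 perm 1f0f0000     0     0 keyring   .ima: 0
17f4a2b0 I------     1 perm 1f0f0000     0     0 keyring   .evm: 0
2b9c4d5e I------     2 perm 1f030000     0     0 asymmetric Build time autogenerated kernel key: 9f2c'

# ima_keyring_id KIND [LISTING]
#   KIND is "ima" or "evm". Prints the hex id of the ".KIND" keyring and
#   returns 0; prints nothing and returns 1 if no such keyring exists.
#   Reads the live /proc/keys when no LISTING argument is supplied.
ima_keyring_id() {
    ikr_kind=$1
    ikr_listing=${2:-$(cat /proc/keys)}
    # Only a key of type "keyring" whose description is ".<kind>:" counts;
    # a plain grep for ".ima" would also hit any key whose description
    # happens to contain that word.
    ikr_id=$(printf '%s\n' "$ikr_listing" |
        awk -v want=".$ikr_kind:" '$8 == "keyring" && $9 == want { print $1; exit }')
    [ -n "$ikr_id" ] || return 1
    printf '%s\n' "$ikr_id"
}

# keyctl_id_arg HEXID
#   /proc/keys prints ids in hex without a prefix, while keyctl parses an
#   id argument as a C number literal. Without the prefix "3e1ea6d3" is
#   rejected as unparsable and an all-digit id such as "12345678" is
#   silently read as decimal, i.e. as a different key.
keyctl_id_arg() {
    printf '0x%s\n' "$1"
}

# Usage inside the initramfs (keyctl is not invoked in this example):
#   id=$(ima_keyring_id ima) || fatal ".ima keyring not found in /proc/keys"
#   keyctl padd asymmetric "" "$(keyctl_id_arg "$id")" < /etc/keys/x509_ima.der
```

Failing closed when the keyring is missing matters here: if the .ima keyring is absent the kernel was built without the keyring the policy will appraise against, and loading the certificate anywhere else gives a system that measures but never enforces.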
/openbmc/linux/Documentation/admin-guide/mm/numa_memory_policy.rst
  2: NUMA Memory Policy
  5: What is NUMA Memory Policy?
  8: In the Linux kernel, "memory policy" determines from which node the kernel will
  10: supported platforms with Non-Uniform Memory Access architectures since 2.4.?.
  11: The current memory policy support was added to Linux 2.6 around May 2004. This
  12: document attempts to describe the concepts and APIs of the 2.6 memory policy
  16: (``Documentation/admin-guide/cgroup-v1/cpusets.rst``)
  19: programming interface that a NUMA-aware application can take advantage of. When
  24: Memory Policy Concepts
  28: ------------------------
  [all …]

/openbmc/linux/Documentation/admin-guide/mm/hugetlbpage.rst
  9: the Linux kernel. This support is built on top of multiple page size support
  13: 256M and ppc64 supports 4K and 16M. A TLB is a cache of virtual-to-physical
  19: Users can use the huge page support in Linux kernel by either using the mmap
  22: First the Linux kernel needs to be built with the CONFIG_HUGETLBFS
  28: persistent hugetlb pages in the kernel's huge page pool. It also displays
  73: ``/sys/kernel/mm/hugepages`` (described below).
  77: configured in the kernel.
  80: pages in the kernel's huge page pool. "Persistent" huge pages will be
  89: Pages that are used as huge pages are reserved inside the kernel and cannot
  93: Once a number of huge pages have been pre-allocated to the kernel huge page
  [all …]
/openbmc/openbmc/meta-security/meta-integrity/README.md
  5: The bbappend files for some recipes (e.g. linux-yocto) in this layer need
  11: If meta-integrity is included, but integrity is not enabled as a
  14: You have included the meta-integritry layer, but
  31: URI: git://git.openembedded.org/openembedded-core
  35: URI: git://github.com/01org/meta-security/meta-integrate
  36: layers: security-framework
  44: yocto-patches@yoctoproject.org mailing list. When submitting patches that way,
  45: make sure to copy the maintainer and add a "[meta-integrity]"
  65: Assuming the security repository exists at the top-level of your
  72: /path/to/yocto/meta-yocto \
  [all …]
/openbmc/linux/Documentation/admin-guide/LSM/SELinux.rst
  6: to use the distro-provided policies, or install the
  7: latest reference policy release from
  11: However, if you want to install a dummy policy for
  14: userspace to be installed - in particular you will
  15: need checkpolicy to compile a kernel, and setfiles and
  18: 1. Compile the kernel with selinux enabled.
  21: SELinux enabled and a real policy. If
  29: Step 4 will create a new dummy policy valid for your
  30: kernel, with a single selinux user, role, and type.
  31: It will compile the policy, will set your ``SELINUXTYPE`` to
  [all …]
/openbmc/linux/Documentation/trace/stm.rst
  1: .. SPDX-License-Identifier: GPL-2.0
  26: To solve this mapping problem, stm class provides a policy management
  28: identifiers to ranges of masters and channels. If these rules (policy)
  32: This policy is a tree structure containing rules (policy_node) that
  34: associated with it, located in "stp-policy" subsystem directory in
  35: configfs. The topmost directory's name (the policy) is formatted as
  36: the STM device name to which this policy applies and an arbitrary
  40: $ ls /config/stp-policy/dummy_stm.my-policy/user
  42: $ cat /config/stp-policy/dummy_stm.my-policy/user/masters
  44: $ cat /config/stp-policy/dummy_stm.my-policy/user/channels
  [all …]
/openbmc/linux/drivers/cpufreq/amd-pstate-ut.c
  1: // SPDX-License-Identifier: GPL-2.0-or-later
  3: * AMD Processor P-state Frequency Driver Unit Test
  9: * The AMD P-State Unit Test is a test module for testing the amd-pstate
  11: * (SBIOS/Firmware or Hardware). 2) Kernel can have a basic function
  12: * test to avoid the kernel regression during the update. 3) We can
  19: * See Documentation/admin-guide/pm/amd-pstate.rst Unit Tests for
  20: * amd-pstate to get more detail.
  25: #include <linux/kernel.h>
  29: #include <linux/amd-pstate.h>
  35: * amd_pstate_ut: used as a shortform for AMD P-State unit test.
  [all …]
/openbmc/linux/Documentation/filesystems/fscrypt.rst
  2: Filesystem-level encryption (fscrypt)
  11: Note: "fscrypt" in this document refers to the kernel-level portion,
  14: covers the kernel-level portion. For command-line examples of how to
  20: <https://source.android.com/security/encryption/file-based>`_, over
  21: using the kernel's API directly. Using existing tools reduces the
  23: completeness this documentation covers the kernel's API anyway.)
  25: Unlike dm-crypt, fscrypt operates at the filesystem level rather than
  28: filesystem. This is useful for multi-user systems where each user's
  29: data-at-rest needs to be cryptographically isolated from the others.
  34: directly into supported filesystems --- currently ext4, F2FS, and
  [all …]

/openbmc/linux/Documentation/filesystems/tmpfs.rst
  1: .. SPDX-License-Identifier: GPL-2.0
  14: tmpfs puts everything into the kernel internal caches and grows and
  21: fly using a remount ('mount -o remount ...') of the filesystem. A tmpfs
  45: 1) There is always a kernel internal mount which you will not see at
  63: mount is used for that. (In the 2.3 kernel versions it was
  72: 4) And probably a lot more I do not know about :-)
  101: extended attributes: "df -i"'s IUsed and IUse% increase, IFree decreases.
  111: tmpfs also supports Transparent Huge Pages which requires a kernel
  124: See also Documentation/admin-guide/mm/transhuge.rst, which describes the
  125: sysfs file /sys/kernel/mm/transparent_hugepage/shmem_enabled: which can
  [all …]
/openbmc/linux/Documentation/admin-guide/pm/cpufreq.rst
  1: .. SPDX-License-Identifier: GPL-2.0
  20: Operating Performance Points or P-states (in ACPI terminology). As a rule,
  24: time (or the more power is drawn) by the CPU in the given P-state. Therefore
  29: as possible and then there is no reason to use any P-states different from the
  30: highest one (i.e. the highest-performance frequency/voltage configuration
  38: put into different P-states.
  41: capacity, so as to decide which P-states to put the CPUs into. Of course, since
  51: The Linux kernel supports CPU performance scaling by means of the ``CPUFreq``
  64: information on the available P-states (or P-state ranges in some cases) and
  65: access platform-specific hardware interfaces to change CPU P-states as requested
  [all …]

/openbmc/linux/Documentation/admin-guide/pm/intel_pstate.rst
  1: .. SPDX-License-Identifier: GPL-2.0
  17: :doc:`CPU performance scaling subsystem <cpufreq>` in the Linux kernel
  22: Documentation/admin-guide/pm/cpufreq.rst if you have not done that yet.]
  24: For the processors supported by ``intel_pstate``, the P-state concept is broader
  27: information about that). For this reason, the representation of P-states used
  32: ``intel_pstate`` maps its internal representation of P-states to frequencies too
  38: Since the hardware P-state selection interface used by ``intel_pstate`` is
  40: CPUs. Consequently, if ``intel_pstate`` is in use, every ``CPUFreq`` policy
  43: time the corresponding CPU is taken offline and need to be re-initialized when
  47: only way to pass early-configuration-time parameters to it is via the kernel
  [all …]
/openbmc/linux/Documentation/cpu-freq/core.rst
  1: .. SPDX-License-Identifier: GPL-2.0
  8: - Dominik Brodowski <linux@brodo.de>
  9: - David Kimdon <dwhedon@debian.org>
  10: - Rafael J. Wysocki <rafael.j.wysocki@intel.com>
  11: - Viresh Kumar <viresh.kumar@linaro.org>
  26: drivers or other part of the kernel that need to be informed of
  27: policy changes (ex. thermal modules like ACPI) or of all
  30: kernel "constant" loops_per_jiffy is updated on frequency changes
  37: policy doesn't get freed while being used.
  42: CPUFreq notifiers conform to the standard kernel notifier interface.
  [all …]
/openbmc/openbmc/meta-openembedded/meta-networking/recipes-support/linux-atm/linux-atm/0001-include-string-h-from-memcpy-and-strcpy-function-pro.patch
  3: Date: Mon, 29 Aug 2022 16:36:21 -0700
  6: Upstream-Status: Pending
  7: Signed-off-by: Khem Raj <raj.khem@gmail.com>
  8: ---
  13: src/sigd/kernel.c | 1 +
  14: src/sigd/policy.c | 1 +
  17: diff --git a/src/led/address.c b/src/led/address.c
  19: --- a/src/led/address.c
  21: @@ -31,6 +31,7 @@
  29: diff --git a/src/led/display.c b/src/led/display.c
  [all …]
/openbmc/linux/Documentation/arch/x86/intel_txt.rst
  6: Technology (Intel(R) TXT), defines platform-level enhancements that
  13: - Provides dynamic root of trust for measurement (DRTM)
  14: - Data protection in case of improper shutdown
  15: - Measurement and verification of launched environment
  18: non-vPro systems. It is currently available on desktop systems
  30: - LinuxTAG 2008:
  31: http://www.linuxtag.org/2008/en/conf/events/vp-donnerstag.html
  33: - TRUST2008:
  34: http://www.trust-conference.eu/downloads/Keynote-Speakers/
  35: 3_David-Grawrock_The-Front-Door-of-Trusted-Computing.pdf
  [all …]
/openbmc/linux/tools/power/cpupower/lib/cpufreq.h
  1: /* SPDX-License-Identifier: GPL-2.0-only */
  3: * cpufreq.h - definitions for libcpufreq
  5: * Copyright (C) 2004-2009 Dominik Brodowski <linux@dominikbrodowski.de>
  50: * - _kernel variant means kernel's opinion of CPU frequency
  51: * - _hardware variant means actual hardware CPU frequency,
  66: * returns 0 on failure, else transition latency in 10^(-9) s = nanoseconds
  74: * considerations by cpufreq policy notifiers in the kernel.
  93: /* determine CPUfreq policy currently used
  102: void cpufreq_put_policy(struct cpufreq_policy *policy);
  122: * Only present on _some_ ->target() cpufreq drivers. For information purposes
  [all …]
/openbmc/linux/drivers/macintosh/windfarm_cpufreq_clamp.c
  1: // SPDX-License-Identifier: GPL-2.0-only
  4: #include <linux/kernel.h>
  65: struct cpufreq_policy *policy;   (in wf_cpufreq_clamp_init(), local)
  70: policy = cpufreq_cpu_get(0);   (in wf_cpufreq_clamp_init())
  71: if (!policy) {   (in wf_cpufreq_clamp_init())
  72: pr_warn("%s: cpufreq policy not found cpu0\n", __func__);   (in wf_cpufreq_clamp_init())
  73: return -EPROBE_DEFER;   (in wf_cpufreq_clamp_init())
  76: min_freq = policy->cpuinfo.min_freq;   (in wf_cpufreq_clamp_init())
  77: max_freq = policy->cpuinfo.max_freq;   (in wf_cpufreq_clamp_init())
  79: ret = freq_qos_add_request(&policy->constraints, &qos_req, FREQ_QOS_MAX,   (in wf_cpufreq_clamp_init())
  [all …]
/openbmc/qemu/docs/system/i386/amd-memory-encryption.rst
  6: SEV is an extension to the AMD-V architecture which supports running encrypted
  15: AMD secure processor (AMD-SP), which is present in AMD SOCs. Firmware running
  16: inside the AMD-SP provides commands to support a common VM lifecycle. This
  21: Secure Encrypted Virtualization - Encrypted State (SEV-ES) builds on the SEV
  28: Launching (SEV and SEV-ES)
  29: --------------------------
  38: For a SEV-ES guest, the ``LAUNCH_UPDATE_VMSA`` command is also used to encrypt the
  42: the firmware. To create this context, guest owner must provide a guest policy,
  43: its public Diffie-Hellman key (PDH) and session parameters. These inputs
  44: should be treated as a binary blob and must be passed as-is to the SEV firmware.
  [all …]
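The launch description matched above says the guest owner supplies a guest policy alongside the PDH and session parameters. The functions below are an added example, not QEMU code: they decode the policy bits using the layout QEMU's amd-memory-encryption.rst documents and apply a guest-owner rule to the value before it goes into the launch blob. The rule in sev_policy_acceptable (NODBG, NOKS and ES all required) is a hypothetical deployment requirement, not something QEMU enforces.

```shell
#!/bin/sh
# Added example; not QEMU code. Decodes an SEV guest policy value and applies
# a hypothetical guest-owner requirement to it before launch.
# Bit layout as documented in QEMU's docs/system/i386/amd-memory-encryption.rst:
#   bit 0  NODBG   debugging of the guest is disallowed
#   bit 1  NOKS    sharing keys with other guests is disallowed
#   bit 2  ES      SEV-ES is required
#   bit 3  NOSEND  sending the guest to another platform is disallowed
#   bit 4  DOMAIN  guest may only be sent to a platform in the same domain
#   bit 5  SEV     guest may only be sent to an SEV-capable platform
#   bits 16-23 / 24-31  minimum firmware API major / minor version for migration

# sev_policy_describe POLICY
#   Prints the name of each set flag on its own line, then the minimum
#   firmware API version encoded in the upper bits. POLICY may be given
#   as hex (0x..) or decimal.
sev_policy_describe() {
    spd_p=$(( $1 ))
    spd_bit=0
    for spd_name in NODBG NOKS ES NOSEND DOMAIN SEV; do
        if [ $(( (spd_p >> spd_bit) & 1 )) -ne 0 ]; then
            echo "$spd_name"
        fi
        spd_bit=$(( spd_bit + 1 ))
    done
    printf 'api_min=%d.%d\n' $(( (spd_p >> 16) & 0xff )) $(( (spd_p >> 24) & 0xff ))
}

# sev_policy_acceptable POLICY
#   Hypothetical deployment rule: only launch a guest whose policy forbids
#   debugging (NODBG), forbids key sharing (NOKS) and requires SEV-ES (ES).
#   Returns 0 when all three bits are set, 1 otherwise.
sev_policy_acceptable() {
    spa_p=$(( $1 ))
    [ $(( spa_p & 0x7 )) -eq 7 ]
}

# QEMU's default policy value of 0x1 sets only NODBG, so it fails this rule:
#   sev_policy_acceptable 0x1 || echo "refusing to launch: policy too weak"
```

The point of checking the policy on the guest-owner side is that the firmware only enforces what the policy asks for: a policy that leaves NODBG clear lets the hypervisor read guest memory through the debug commands, and one that leaves ES clear lets a SEV-ES-capable guest be launched with its register state unencrypted. The policy is also bound into the launch measurement, so a remote verifier can repeat this check on the attested value rather than trusting the host's command line.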
/openbmc/linux/Documentation/userspace-api/landlock.rst
  1: .. SPDX-License-Identifier: GPL-2.0
  2: .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
  3: .. Copyright © 2019-2020 ANSSI
  4: .. Copyright © 2021-2022 Microsoft Corporation
  16: in addition to the existing system-wide access-controls. This kind of sandbox
  22: looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
  23: landlock || journalctl -kg landlock`` . Developers can also easily check for
  25: Landlock is not currently supported, we need to :ref:`configure the kernel
  36: Defining and enforcing a security policy
  37: ----------------------------------------
  [all …]
/openbmc/linux/Documentation/userspace-api/netlink/genetlink-legacy.rst
  1: .. SPDX-License-Identifier: BSD-3-Clause
  9: the ``genetlink-legacy`` protocol level.
  15: --------------------
  17: New Netlink families should use ``multi-attr`` to define arrays.
  21: For reference the ``multi-attr`` array may look like this::
  23: [ARRAY-ATTR]
  27: [SOME-OTHER-ATTR]
  28: [ARRAY-ATTR]
  33: where ``ARRAY-ATTR`` is the array entry type.
  35: array-nest
  [all …]