In Linux kernel 2.6.19, major changes have taken place in the security hashing infrastructure. Hence, a patch is required to upgrade the older digsig module to the current kernel interfaces. digsig-1.5 supported kernels only up to 2.6.16. The digsig-1.5-rev has all the required changes for switching from the crypto_digest to the crypto_hash infrastructure. It compiles and works fine with kernels 2.6.19 and above.
You'll find them on our home page, disec.sourceforge.net.
It turned out that we had a bug in signature verification. We fixed that bug. If you're running 1.4.0, please consider switching to 1.4.1.
You probably already know the news ;-)
In addition, the home page has been updated.
Two new papers added + information concerning DigSig major milestones.
You can read details at http://disec.sourceforge.net/docs/digsig.pdf .
This is a working document (~draft).
Hi all,
Thanks to Serge Hallyn who did all the coding for this new release, we have a new DigSig release with caching now supported at kernel level.
Added to README:
From release 1.2, the caching of signatures at kernel level is supported.
Once the signature of a binary is verified, its signature is cached in the
kernel memory. Therefore, there is no need for signature verification in
subsequent calls to this binary.
When a binary file is modified, the corresponding cache entry in the memory
is invalidated.
Best Regards,
Makan
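The caching behaviour described in the README text above, as an added example that is not DigSig's code: a user-space model in which a verified binary is cached, later executions skip verification, and a modification invalidates the entry. The inode-keyed table, `struct file_model`, and all function names are assumptions made for illustration.

```c
/* User-space model of a verified-signature cache; not DigSig source code.
 * Assumed: entries keyed by inode number in a small direct-mapped table;
 * verify_signature() stands in for the expensive signature check. */
#include <stdbool.h>
#include <stdio.h>

#define CACHE_SLOTS 64
struct file_model { unsigned long ino; bool tampered; };   /* hypothetical */
struct cache_entry { unsigned long ino; bool valid; };
static struct cache_entry cache[CACHE_SLOTS];
static int verify_calls;                 /* number of full verifications */

static bool verify_signature(const struct file_model *f)
{
    verify_calls++;
    return !f->tampered;                 /* modified content fails the check */
}

int verify_call_count(void) { return verify_calls; }

/* Decision taken when a binary or shared library is about to be executed. */
bool exec_allowed(const struct file_model *f)
{
    struct cache_entry *e = &cache[f->ino % CACHE_SLOTS];
    if (e->valid && e->ino == f->ino)
        return true;                     /* hit: no verification needed */
    if (!verify_signature(f))
        return false;                    /* failures are never cached */
    e->ino = f->ino;
    e->valid = true;
    return true;
}

/* Hook for a write to the file: drop the cached verdict for it. */
void file_modified(struct file_model *f)
{
    struct cache_entry *e = &cache[f->ino % CACHE_SLOTS];
    if (e->valid && e->ino == f->ino)
        e->valid = false;
    f->tampered = true;
}

int main(void)
{
    struct file_model bin = { 4242, false };  /* constructed sample */
    int first = exec_allowed(&bin), second = exec_allowed(&bin);
    file_modified(&bin);
    int third = exec_allowed(&bin);
    printf("%d %d %d, verifications: %d\n", first, second, third, verify_call_count());
    return 0;
}
```

Only successful verifications are cached in this model, so a file that fails the check is re-verified on every attempt rather than being remembered as either good or bad.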
Vincent did a little bug fix, which eliminates one extra useless signature verification for shared libraries. The changes were small but the improvement is important (the signature verification time is divided by two), so I did a new release, DigSig 1.1.