Re: [PATCH v2] x86/ima: require signed kernel modules

From: Mimi Zohar
Date: Thu Mar 07 2019 - 17:42:17 EST

Next message: Kees Cook: "Re: [PATCH v3 0/7] lib/string: Add strscpy_pad() function"
Previous message: Nathan Chancellor: "[PATCH] pwm: img: Turn final 'else if' into 'else' in img_pwm_config"
In reply to: Matthew Garrett: "Re: [PATCH v2] x86/ima: require signed kernel modules"
Next in thread: Matthew Garrett: "Re: [PATCH v2] x86/ima: require signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2019-03-07 at 14:36 -0800, Matthew Garrett wrote:
> On Thu, Mar 7, 2019 at 2:34 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote:
> > > On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
> > > > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > > + if (IS_ENABLED(CONFIG_MODULE_SIG))
> > > > + set_module_sig_enforced();
> > > > return sb_arch_rules;
> > >
> > > Linus previously pushed back on having the lockdown features
> > > automatically enabled on secure boot systems. Why are we doing the
> > > same in IMA?
> >
> > IMA-appraisal is extending the "secure boot" concept to the running
> > system.
>
> Right, but how is this different to what Linus was objecting to?

Both Andy Lutomirski and Linus objected to limiting the "lockdown"
patch set to secure boot enabled systems.

Mimi

Next message: Kees Cook: "Re: [PATCH v3 0/7] lib/string: Add strscpy_pad() function"
Previous message: Nathan Chancellor: "[PATCH] pwm: img: Turn final 'else if' into 'else' in img_pwm_config"
In reply to: Matthew Garrett: "Re: [PATCH v2] x86/ima: require signed kernel modules"
Next in thread: Matthew Garrett: "Re: [PATCH v2] x86/ima: require signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]