Re: [PATCH v2] ima: require signed IMA policy when UEFI secure boot is enabled

From: Mimi Zohar
Date: Thu Jul 27 2023 - 14:13:27 EST


On Wed, 2023-07-26 at 10:08 +0800, Coiby Xu wrote:
> With commit 099f26f22f58 ("integrity: machine keyring CA
> configuration"), users are able to add custom IMA CA keys via
> MOK. This allows users to sign their own IMA policies without
> recompiling the kernel. For the sake of security, mandate signed IMA
> policy when UEFI secure boot is enabled.
>
> Note this change may affect existing users/tests, i.e. users won't be able
> to load an unsigned IMA policy when the IMA architecture specific policy
> is configured and UEFI secure boot is enabled.
>
> Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
> ---
> v2
> - improve commit message [Mimi]
> - explicitly mention the dependent commit
> - add a note that the change will affect user space
> - remove "/* CONFIG_INTEGRITY_MACHINE_KEYRING .. */" to improve code
> readability

Thank you for updating the commit message. The patch is now queued in
next-integrity-testing.

--
thanks,

Mimi