From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Cc: linux-kernel@vger.kernel.org, Michael Ellerman <mpe@ellerman.id.au>
Subject: Re: [PATCH v2] powerpc/ima: fix secure boot rules in ima arch policy
Date: Wed, 06 May 2020 22:05:16 -0400 [thread overview]
Message-ID: <1588817116.4624.51.camel@linux.ibm.com> (raw)
In-Reply-To: <1588342612-14532-1-git-send-email-nayna@linux.ibm.com>
On Fri, 2020-05-01 at 10:16 -0400, Nayna Jain wrote:
> To prevent verifying the kernel module appended signature twice
> (finit_module), once by the module_sig_check() and again by IMA, powerpc
> secure boot rules define an IMA architecture specific policy rule
> only if CONFIG_MODULE_SIG_FORCE is not enabled. This, unfortunately, does
> not take into account the ability of enabling "sig_enforce" on the boot
> command line (module.sig_enforce=1).
>
> Including the IMA module appraise rule results in failing the finit_module
> syscall, unless the module signing public key is loaded onto the IMA
> keyring.
>
> This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG
> instead.
>
> Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Thanks, Nayna.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] powerpc/ima: fix secure boot rules in ima arch policy
Date: Wed, 06 May 2020 22:05:16 -0400 [thread overview]
Message-ID: <1588817116.4624.51.camel@linux.ibm.com> (raw)
In-Reply-To: <1588342612-14532-1-git-send-email-nayna@linux.ibm.com>
On Fri, 2020-05-01 at 10:16 -0400, Nayna Jain wrote:
> To prevent verifying the kernel module appended signature twice
> (finit_module), once by the module_sig_check() and again by IMA, powerpc
> secure boot rules define an IMA architecture specific policy rule
> only if CONFIG_MODULE_SIG_FORCE is not enabled. This, unfortunately, does
> not take into account the ability of enabling "sig_enforce" on the boot
> command line (module.sig_enforce=1).
>
> Including the IMA module appraise rule results in failing the finit_module
> syscall, unless the module signing public key is loaded onto the IMA
> keyring.
>
> This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG
> instead.
>
> Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Thanks, Nayna.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
next prev parent reply other threads:[~2020-05-07 2:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-01 14:16 [PATCH v2] powerpc/ima: fix secure boot rules in ima arch policy Nayna Jain
2020-05-01 14:16 ` Nayna Jain
2020-05-07 2:05 ` Mimi Zohar [this message]
2020-05-07 2:05 ` Mimi Zohar
2020-05-13 12:43 ` Michael Ellerman
2020-05-13 12:43 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1588817116.4624.51.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.