From: Seth Forshee <seth.forshee@canonical.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, Jessica Yu <jeyu@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>,
David Howells <dhowells@redhat.com>,
Justin Forbes <jforbes@redhat.com>,
Matthew Garrett <mjg59@google.com>
Subject: Re: [PATCH] x86/ima: require signed kernel modules
Date: Tue, 5 Feb 2019 12:32:01 -0600 [thread overview]
Message-ID: <20190205183201.GA3218@ubuntu-xps13> (raw)
In-Reply-To: <1549385244.4146.148.camel@linux.ibm.com>
On Tue, Feb 05, 2019 at 11:47:24AM -0500, Mimi Zohar wrote:
> Hi Seth,
>
> On Tue, 2019-02-05 at 09:18 -0600, Seth Forshee wrote:
> > On Thu, Jan 31, 2019 at 02:18:59PM -0500, Mimi Zohar wrote:
> > > Require signed kernel modules on systems with secure boot mode enabled.
> > >
> > > To coordinate between appended kernel module signatures and IMA
> > > signatures, only define an IMA MODULE_CHECK policy rule if
> > > CONFIG_MODULE_SIG is not enabled.
> > >
> > > This patch defines a function named set_module_sig_required() and renames
> > > is_module_sig_enforced() to is_module_sig_enforced_or_required(). The
> > > call to set_module_sig_required() is dependent on CONFIG_IMA_ARCH_POLICY
> > > being enabled.
> > >
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> >
> > With respect to interactions with the kernel lockdown patches, this
> > looks better than the patches I saw previously. I don't feel like I know
> > enough about what's going on with IMA to ack the patch, but I feel
> > confident that it's at least not going to break signature enforcement
> > for us.
>
> Thank you for testing! Could this be translated into a "tested-by"
> "(for w/lockdown patches)"?
Yeah, that's fine. To be clear about what I tested, I've confirmed that
it doesn't interfere with requiring signed modules under lockdown with
CONFIG_IMA_ARCH_POLICY=n and IMA appraisal enabled.
Tested-by: Seth Forshee <seth.forshee@canonical.com>
next prev parent reply other threads:[~2019-02-05 18:32 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-31 19:18 [PATCH] ima: requiring signed kernel modules Mimi Zohar
2019-01-31 19:18 ` [PATCH] x86/ima: require " Mimi Zohar
2019-02-04 20:38 ` Luis Chamberlain
2019-02-04 22:05 ` Mimi Zohar
2019-02-04 22:30 ` Luis Chamberlain
2019-02-05 12:24 ` Mimi Zohar
2019-02-05 21:13 ` Luis Chamberlain
2019-02-05 23:13 ` Mimi Zohar
2019-02-05 15:18 ` Seth Forshee
2019-02-05 16:47 ` Mimi Zohar
2019-02-05 18:32 ` Seth Forshee [this message]
2019-02-05 18:52 ` Mimi Zohar
2019-02-08 19:21 ` Seth Forshee
2019-02-10 15:39 ` Mimi Zohar
2019-02-05 16:10 ` Nayna
2019-02-11 15:56 ` Jessica Yu
2019-02-11 16:19 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190205183201.GA3218@ubuntu-xps13 \
--to=seth.forshee@canonical.com \
--cc=dhowells@redhat.com \
--cc=jeyu@kernel.org \
--cc=jforbes@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mjg59@google.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.