From: joeyli <jlee@suse.com>
To: Takashi Iwai <tiwai@suse.de>, Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co
Date: Thu, 16 Dec 2021 00:03:45 +0800 [thread overview]
Message-ID: <20211215160345.GF3786@linux-l9pv.suse> (raw)
In-Reply-To: <s5hpmpz9o08.wl-tiwai@suse.de>
Hi Takashi, Mimi,
On Tue, Dec 14, 2021 at 04:58:47PM +0100, Takashi Iwai wrote:
> On Tue, 14 Dec 2021 16:31:21 +0100,
> Mimi Zohar wrote:
> >
> > Hi Takashi,
> >
> > On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote:
> > > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are
> > > defined only when CONFIG_IMA is set, and this makes the code calling
> > > those functions without CONFIG_IMA failing. Although there is no such
> > > in-tree users, but the out-of-tree users already hit it.
> > >
> > > Move the declaration and the dummy definition of those functions
> > > outside ifdef-CONFIG_IMA block for fixing the undefined symbols.
> > >
> > > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> >
> > Before lockdown was upstreamed, we made sure that IMA and lockdown
> > could co-exist. This patch makes the stub functions available even
> > when IMA is not configured. Do the remaining downstream patches
> > require IMA to be disabled or can IMA co-exist?
>
> I guess Joey (Cc'ed) can explain this better. AFAIK, currently it's
> used in a part of MODSIGN stuff in SUSE kernels, and it's calling
> unconditionally this function for checking whether the system is with
> the Secure Boot or not.
>
Actually in downstream code, I used arch_ima_get_secureboot() in
load_uefi_certs() to prevent the mok be loaded when secure boot is
disabled. Because the security of MOK relies on secure boot.
The downstream code likes this:
/* the MOK and MOKx can not be trusted when secure boot is disabled */
- if (!efi_enabled(EFI_SECURE_BOOT))
+ if (!arch_ima_get_secureboot())
return 0;
The old EFI_SECURE_BOOT bit can only be available on x86_64, so I switch
the code to to arch_ima_get_secureboot() for cross-architectures and sync
with upstream api.
The load_uefi.c depends on CONFIG_INTEGRITY but not CONFIG_IMA. So
load_uefi.c still be built when CONFIG_INTEGRITY=y and CONFIG_IMA=n.
Then "implicit declaration of function 'arch_ima_get_secureboot'" is
happened.
Thanks a lot!
Joey Lee
next prev parent reply other threads:[~2021-12-15 16:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-13 16:11 [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co Takashi Iwai
2021-12-14 15:31 ` Mimi Zohar
2021-12-14 15:58 ` Takashi Iwai
2021-12-15 16:03 ` joeyli [this message]
2021-12-15 18:16 ` Mimi Zohar
2021-12-16 4:32 ` joeyli
2021-12-16 13:22 ` Mimi Zohar
2021-12-18 2:27 ` joeyli
2021-12-22 17:10 ` Mimi Zohar
2021-12-22 19:15 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211215160345.GF3786@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.