From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mimi Zohar Subject: Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode Date: Thu, 07 Mar 2019 17:48:17 -0500 Message-ID: <1551998897.31706.461.camel@linux.ibm.com> References: <1542657371-7019-1-git-send-email-zohar@linux.ibm.com> <1542657371-7019-4-git-send-email-zohar@linux.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Matthew Garrett , Justin Forbes Cc: linux-integrity , LSM List , linux-efi , Linux Kernel Mailing List , David Howells , Seth Forshee , kexec@lists.infradead.org, Nayna Jain List-Id: linux-efi@vger.kernel.org On Thu, 2019-03-07 at 14:44 -0800, Matthew Garrett wrote: > On Thu, Mar 7, 2019 at 2:38 PM Justin Forbes wrote: > > On Thu, Mar 7, 2019 at 4:29 PM Matthew Garrett wrote: > >> > >> On Mon, Nov 19, 2018 at 11:57 AM Mimi Zohar wrote: > >> > > >> > The secure boot mode may not be detected on boot for some reason (eg. > >> > buggy firmware). This patch attempts one more time to detect the > >> > secure boot mode. > >> > >> Do we have cases where this has actually been seen? I'm not sure what > >> the circumstances are that would result in this behaviour. > > > > > > We have never seen it in practice, though we only ever do anything with it with x86, so it is possible that some other platforms maybe? > > I'm not sure that it buys us anything to check this in both the boot > stub and the running kernel. If a platform *is* giving us different > results, anything else relying on the information from the boot stub > is also going to be broken, so we should do this centrally rather than > in the IMA code. I added this last attempt because I'm seeing this on my laptop, with some older, buggy firmware. Mimi