From: Mimi Zohar <zohar@linux.ibm.com>
To: GONG Ruiqi <gongruiqi1@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Nicholas Piggin <npiggin@gmail.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
"Lee, Chun-Yi" <jlee@suse.com>,
linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
linux-s390@vger.kernel.org, linux-integrity@vger.kernel.org,
keyrings@vger.kernel.org, Lu Jialin <lujialin4@huawei.com>,
Nayna Jain <nayna@linux.ibm.com>
Subject: Re: [PATCH v2] integrity: Extract secure boot enquiry function out of IMA
Date: Wed, 02 Jul 2025 21:38:39 -0400 [thread overview]
Message-ID: <eb91dcf034db28e457a4482faa397dd7632f00fd.camel@linux.ibm.com> (raw)
In-Reply-To: <20250628063251.321370-1-gongruiqi1@huawei.com>
[CC: Nayna Jain]
On Sat, 2025-06-28 at 14:32 +0800, GONG Ruiqi wrote:
> Commit 92ad19559ea9 ("integrity: Do not load MOK and MOKx when secure
> boot be disabled") utilizes arch_ima_get_secureboot() to perform a
> secure boot status check before loading the Machine Owner Key (MOK).
> However, only when CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y can this
> function be functional, while this config has nothing to do with secure
> boot or MOK loading.
>
> Given that arch_ima_get_secureboot() is just a helper to retrieve info
> about secure boot via EFI and doesn't necessarily be a part of IMA,
> rename it to arch_integrity_get_secureboot(), decouple its functionality
> from IMA and extract it to be a integrity subsystem helper, so that both
> certificate loading and IMA can make use of it.
>
> Compile-tested on powerpc, s390 and x86, with CONFIG_IMA_ARCH_POLICY=n
> and =y based on defconfig and allmodconfig.
>
> Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com>
The original reason for querying the secure boot status of the system was in
order to differentiate IMA policies. Subsequently, the secure boot check was
also added to safely allow loading of the certificates stored in MOK. So loading
IMA policies and the MOK certificates ARE dependent on the secure boot mode.
What is your real motivation for moving the secure boot checking out of IMA?
FYI, there are a number of problems with the patch itself. From a very high
level:
- The EFI secure boot check is co-located with loading the architecture specific
policies. By co-locating the secure boot check with loading the architecture
specific IMA policies, there aren't any ifdef's in C code. Please refer to the
"conditional compilation" section in the kernel coding-style documentation on
avoiding ifdef's in C code.
- Each architecture has it's own method of detecting secure boot. Originally the
x86 code was in arch/x86, but to prevent code duplication it was moved to IMA.
The new file should at least be named efi_secureboot.c.
- The patch title should be about moving and renaming the secure boot check.
The patch description should include a valid reason for the change.
Mimi & Nayna
next prev parent reply other threads:[~2025-07-03 1:39 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-28 6:32 [PATCH v2] integrity: Extract secure boot enquiry function out of IMA GONG Ruiqi
2025-06-30 3:48 ` kernel test robot
2025-07-03 1:38 ` Mimi Zohar [this message]
2025-07-03 2:07 ` GONG Ruiqi
2025-07-03 3:35 ` Mimi Zohar
2025-07-03 5:19 ` GONG Ruiqi
2025-07-07 20:35 ` Nayna Jain
2025-07-17 12:29 ` GONG Ruiqi
2025-07-25 18:29 ` Nayna Jain
2025-07-28 12:17 ` GONG Ruiqi
2025-08-01 14:34 ` Nayna Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eb91dcf034db28e457a4482faa397dd7632f00fd.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=christophe.leroy@csgroup.eu \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gongruiqi1@huawei.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=jarkko@kernel.org \
--cc=jlee@suse.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lujialin4@huawei.com \
--cc=maddy@linux.ibm.com \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=roberto.sassu@huawei.com \
--cc=svens@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).