From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jessica Yu <jeyu@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>,
David Howells <dhowells@redhat.com>,
Seth Forshee <seth.forshee@canonical.com>,
"Bruno E . O . Meneguele" <bmeneg@redhat.com>
Subject: Re: [PATCH v2] x86/ima: require signed kernel modules
Date: Thu, 07 Mar 2019 17:41:38 -0500 [thread overview]
Message-ID: <1551998498.31706.458.camel@linux.ibm.com> (raw)
In-Reply-To: <CACdnJuus7zZWDfJHu+nckn+t-FkRerh7vzX2eh=1nGsbX=kbgw@mail.gmail.com>
On Thu, 2019-03-07 at 14:36 -0800, Matthew Garrett wrote:
> On Thu, Mar 7, 2019 at 2:34 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote:
> > > On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > > > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
> > > > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > > + if (IS_ENABLED(CONFIG_MODULE_SIG))
> > > > + set_module_sig_enforced();
> > > > return sb_arch_rules;
> > >
> > > Linus previously pushed back on having the lockdown features
> > > automatically enabled on secure boot systems. Why are we doing the
> > > same in IMA?
> >
> > IMA-appraisal is extending the "secure boot" concept to the running
> > system.
>
> Right, but how is this different to what Linus was objecting to?
Both Andy Lutomirski and Linus objected to limiting the "lockdown"
patch set to secure boot enabled systems.
Mimi
next prev parent reply other threads:[~2019-03-07 22:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-13 12:17 [PATCH v2] x86/ima: require signed kernel modules Mimi Zohar
2019-02-14 17:58 ` Luis Chamberlain
2019-02-14 18:47 ` Mimi Zohar
2019-03-07 22:27 ` Matthew Garrett
2019-03-07 22:34 ` Mimi Zohar
2019-03-07 22:36 ` Matthew Garrett
2019-03-07 22:41 ` Mimi Zohar [this message]
2019-03-07 22:45 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1551998498.31706.458.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bmeneg@redhat.com \
--cc=dhowells@redhat.com \
--cc=jeyu@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mjg59@google.com \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).