From: Mimi Zohar <zohar@linux.ibm.com>
To: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: "Masahiro Yamada" <masahiroy@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Luis Chamberlain" <mcgrof@kernel.org>,
	"Petr Pavlu" <petr.pavlu@suse.com>,
	"Sami Tolvanen" <samitolvanen@google.com>,
	"Daniel Gomez" <da.gomez@samsung.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Madhavan Srinivasan" <maddy@linux.ibm.com>,
	"Michael Ellerman" <mpe@ellerman.id.au>,
	"Nicholas Piggin" <npiggin@gmail.com>,
	"Christophe Leroy" <christophe.leroy@csgroup.eu>,
	"Naveen N Rao" <naveen@kernel.org>,
	"Roberto Sassu" <roberto.sassu@huawei.com>,
	"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
	"Eric Snowberg" <eric.snowberg@oracle.com>,
	"Nicolas Schier" <nicolas.schier@linux.dev>,
	"Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
	"Arnout Engelen" <arnout@bzzt.net>,
	"Mattia Rizzolo" <mattia@mapreri.org>,
	kpcyrd <kpcyrd@archlinux.org>,
	"Christian Heusel" <christian@heusel.eu>,
	"Câju Mihai-Drosi" <mcaju95@gmail.com>,
	linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
Date: Wed, 14 May 2025 17:36:19 -0400
Message-ID: <3bc7c90c620d46378978f30e03cf8375dc0cbc42.camel@linux.ibm.com>
In-Reply-To: <17aaa56b-5ee7-4a7f-a3c1-206e2114645d@weissschuh.net>

On Wed, 2025-05-14 at 20:25 +0200, Thomas Weißschuh wrote:
> May 14, 2025 19:39:37 Mimi Zohar <zohar@linux.ibm.com>:
> 
> > On Wed, 2025-05-14 at 11:09 -0400, Mimi Zohar wrote:
> > > On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> > > > When configuration settings are disabled the guarded functions are
> > > > defined as empty stubs, so the check is unnecessary.
> > > > The specific configuration option for set_module_sig_enforced() is
> > > > about to change and removing the checks avoids some later churn.
> > > > 
> > > > Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
> > > > 
> > > > ---
> > > > This patch is not strictly necessary right now, but makes looking for
> > > > usages of CONFIG_MODULE_SIG easier.
> > > > ---
> > > >  security/integrity/ima/ima_efi.c | 6 ++----
> > > >  1 file changed, 2 insertions(+), 4 deletions(-)
> > > > 
> > > > diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
> > > > index
> > > > 138029bfcce1e40ef37700c15e30909f6e9b4f2d..a35dd166ad47beb4a7d46cc3e8fc604f57e03ecb
> > > > 100644
> > > > --- a/security/integrity/ima/ima_efi.c
> > > > +++ b/security/integrity/ima/ima_efi.c
> > > > @@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = {
> > > >  const char * const *arch_get_ima_policy(void)
> > > >  {
> > > >     if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > > -       if (IS_ENABLED(CONFIG_MODULE_SIG))
> > > > -           set_module_sig_enforced();
> > > > -       if (IS_ENABLED(CONFIG_KEXEC_SIG))
> > > > -           set_kexec_sig_enforced();
> > > > +       set_module_sig_enforced();
> > > > +       set_kexec_sig_enforced();
> > > >         return sb_arch_rules;
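Review bot: Dropping both IS_ENABLED() guards is only behaviour-preserving if set_module_sig_enforced() and set_kexec_sig_enforced() really are empty stubs whenever CONFIG_MODULE_SIG or CONFIG_KEXEC_SIG is disabled; the description asserts this, but the hunk does not touch the headers that provide the stubs, so the commit message should name where the stubs are defined so a reviewer can confirm it without reading the description on trust. Since the description also says the option guarding set_module_sig_enforced() is about to change, the stub's own condition must be switched in the same step, otherwise a secure-boot kernel could silently stop enforcing module signatures here, which is exactly the property this arch policy exists to guarantee.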
> > > 
> > > Hi Thomas,
> > > 
> > > I'm just getting to looking at this patch set.  Sorry for the delay.
> > > 
> > > Testing whether CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG are configured gives priority
> > > to them, rather than to the IMA support.  Without any other changes, both signature
> > > verifications would be enforced.  Is that the intention?
> > 
> > Never mind, got it.
> > 
> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Thanks for the review!
> 
> Given that this series has no chance
> of getting into the next merge window,
> would it be possible to take the two IMA preparation patches
> through the IMA tree to have them out of the way?

I'm fine with picking up the two patches simply as code cleanup, meaning dropping the last
sentence of the patch description, after some testing.

Mimi
