selinux.vger.kernel.org archive mirror
From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: ltp@lists.linux.it, linux-integrity@vger.kernel.org,
	selinux@vger.kernel.org, Cyril Hrubis <chrubis@suse.cz>,
	Coiby Xu <coxu@redhat.com>, Li Wang <liwang@redhat.com>
Subject: Re: [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed
Date: Tue, 16 Sep 2025 18:41:02 +0200	[thread overview]
Message-ID: <20250916164102.GA284778@pevik> (raw)
In-Reply-To: <b8723148a39083cab0b43f9c7fa5ce18d696f99d.camel@linux.ibm.com>

Hi Mimi,

[ Cc Li, although I have no idea if Fedora even runs LTP IMA tests ]

> On Fri, 2025-09-12 at 09:32 +0200, Petr Vorel wrote:
> > Since kernel 6.6, the policy needs to be signed when UEFI secure boot is enabled.
> > Skip testing in that case.

> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b

> > This fixes errors:

> >     ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
> >     ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
> >     https://openqa.suse.de/tests/18723792#step/ima_conditionals/6

> >     ima_conditionals 1 TINFO: verify measuring user files when requested via uid
> >     echo: write error: Permission denied
> >     ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed

> > Ideally there would be a test which checks that an unsigned policy cannot be
> > written.

> > Signed-off-by: Petr Vorel <pvorel@suse.cz>

> Thanks, Petr.

> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for your review, merged!

> At some point, consider adding support for signing policy rules, if the
> private/public keypair is provided.

I'm not against it, but I'm not sure if I'll find time for this (as usual, patches
are welcome). If I understand the docs [1] [2] correctly, it depends on
CONFIG_SYSTEM_TRUSTED_KEYS, right?

Fedora builds with CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem", but ships its config
with CONFIG_SYSTEM_TRUSTED_KEYS="" ("We are resetting this value to facilitate
local builds" - which makes perfect sense); other distros (at least openSUSE
Tumbleweed and Debian) build with CONFIG_SYSTEM_TRUSTED_KEYS="".

I doubt that the Fedora private key will be exposed for testing. Therefore this
feature is IMHO useful for mainline testing, but not for distro testing, right?
But again, I'm not against merging the patch (if anybody is willing to implement
it).

Kind regards,
Petr

[1] https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#build-kernel-with-ima-ca-key-on-keyring
[2] https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#ima-ca-key-and-certificate

> Mimi
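Added example, not part of this thread, of LTP, or of the kernel: a POSIX shell check for the skip condition the patch description above relies on (kernel 6.6 or newer with UEFI secure boot enabled), written the way a test would decide to TCONF before trying to write an unsigned rule into /sys/kernel/security/ima/policy. It assumes the standard efivarfs layout (a 4-byte attribute word followed by the variable data) and the usual sysfs path of the SecureBoot variable; the variable contents used when exercising it are constructed.

```shell
#!/bin/sh
# Added example (not LTP's or the kernel's code): detect the "IMA policy must be
# signed" condition from the commit message: kernel >= 6.6 with UEFI secure boot.
# Assumptions: efivarfs files start with a 4-byte attribute word, then the data;
# the SecureBoot variable lives under /sys/firmware/efi/efivars/.

# kver_ge MAJOR.MINOR RELEASE
# Returns 0 when RELEASE (uname -r style, e.g. "6.6.0-rc1") is >= MAJOR.MINOR.
kver_ge() {
	want_major=${1%%.*}
	want_minor=${1#*.}
	want_minor=${want_minor%%.*}
	have=${2%%-*}                 # drop "-rc1", "-default", "-generic", ...
	have_major=${have%%.*}
	rest=${have#*.}
	[ "$rest" = "$have" ] && rest=0   # bare "6" means minor 0
	have_minor=${rest%%.*}
	[ "$have_major" -gt "$want_major" ] && return 0
	[ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# secureboot_enabled [EFIVAR_FILE]
# Returns 0 when the SecureBoot EFI variable's data byte is 1.
# Without an argument the system's own variable is read (assumed path).
secureboot_enabled() {
	f=${1:-$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)}
	[ -r "$f" ] || return 1
	val=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')   # skip 4 attribute bytes
	[ "$val" = "1" ]
}

# ima_policy_needs_signing RELEASE [EFIVAR_FILE]
# Returns 0 when both conditions from the commit message hold.
ima_policy_needs_signing() {
	kver_ge 6.6 "$1" && secureboot_enabled "$2"
}

# Stand-alone use: report what a test would decide on this machine.
if ima_policy_needs_signing "$(uname -r)"; then
	echo "TCONF: kernel >= 6.6 with UEFI secure boot, IMA policy must be signed"
else
	echo "unsigned IMA policy rules should be loadable on this kernel"
fi
```

When the condition is met, writing an unsigned rule fails with the "Permission denied" seen in the ima_conditionals log above, so checking before the write turns a TBROK into a clean TCONF.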

Thread overview: 9+ messages
2025-09-12  7:32 [PATCH 0/2] LTP IMA pre-release fixes Petr Vorel
2025-09-12  7:32 ` [PATCH 1/2] ima_policy.sh: Optimize check for policy writable Petr Vorel
2025-09-12 13:18   ` Mimi Zohar
2025-09-15  8:10   ` [LTP] " Avinesh Kumar
2025-09-15 11:55   ` Cyril Hrubis
2025-09-12  7:32 ` [PATCH 2/2] ima_{conditionals,policy}: Handle policy required to be signed Petr Vorel
2025-09-12 13:23   ` Mimi Zohar
2025-09-16 16:41     ` Petr Vorel [this message]
2025-09-15 12:12   ` Cyril Hrubis
