Message-Id: <1551930990.31706.279.camel@linux.ibm.com>
Date: Wed, 06 Mar 2019 22:56:30 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Matthew Garrett <matthewgarrett@...gle.com>, jmorris@...ei.org
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, dhowells@...hat.com
Subject: Re: [PULL REQUEST] Kernel lockdown patches for 5.2
On Wed, 2019-03-06 at 15:58 -0800, Matthew Garrett wrote:
> 3) The integration with IMA has been dropped for now. IMA is in the
> process of adding support for architecture-specific policies that will
> interact correctly with the lockdown feature, and a followup patch will
> integrate that so we don't end up with an ordering dependency on the
> merge
The architecture-specific policy is an attempt to coordinate between
the different signature verification methods (e.g. PE and IMA kexec
kernel image signatures, appended and IMA kernel module signatures).
The coordination between these signature verification methods is
independent of the "lockdown" feature.
To prevent requiring multiple signature verifications, an IMA policy
rule is defined only if either KEXEC_VERIFY_SIG or MODULE_SIG is
not enabled.
The kexec and kernel module patches in this patch set continue to
ignore IMA. This patch set should, up front, either provide an
alternative solution to coordinate the different signature
verification methods or rely on the architecture-specific policy for
that coordination.
Mimi
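As an added example (not part of Mimi's mail and not kernel code), the following user-space C model shows the coordination rule she describes: an IMA appraise rule for a hook is only generated when the corresponding built-in check (KEXEC_VERIFY_SIG or MODULE_SIG) is absent, so each object needs exactly one signature; a policy that ignores that state demands two. The secure_boot input and the rule strings are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the coordination rule in the mail. The two flags
 * mirror the Kconfig symbols named there; secure_boot and the rule set are
 * assumptions of this example, not the kernel's own implementation. */
struct cfg {
    bool kexec_verify_sig; /* KEXEC_VERIFY_SIG: PE signature check on kexec images */
    bool module_sig;       /* MODULE_SIG: appended-signature check on modules */
    bool secure_boot;      /* architecture policy assumed active only under secure boot */
};

/* Build the architecture-specific IMA rules: an appraise rule for a hook is
 * added only when the other verification method for that hook is not built
 * in, so each object is checked by exactly one method. Returns rule count. */
int arch_ima_rules(const struct cfg *c, const char *out[], int max)
{
    int n = 0;
    if (!c->secure_boot)
        return 0;
    if (!c->kexec_verify_sig && n < max)
        out[n++] = "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig";
    if (!c->module_sig && n < max)
        out[n++] = "appraise func=MODULE_CHECK appraise_type=imasig";
    return n;
}

/* Number of distinct signatures one object must carry under a rule set:
 * the built-in method for its hook plus any IMA appraise rule naming it. */
int signatures_required(const struct cfg *c, const char *func,
                        const char *rules[], int n)
{
    bool builtin = strcmp(func, "KEXEC_KERNEL_CHECK") == 0 ? c->kexec_verify_sig
                                                            : c->module_sig;
    int count = builtin ? 1 : 0;
    for (int i = 0; i < n; i++)
        if (strstr(rules[i], func) && strstr(rules[i], "appraise "))
            count++;
    return count;
}

int main(void)
{
    struct cfg c = { true, false, true };
    const char *rules[2];
    int n = arch_ima_rules(&c, rules, 2);
    printf("coordinated: kexec needs %d signature(s), module %d\n",
           signatures_required(&c, "KEXEC_KERNEL_CHECK", rules, n),
           signatures_required(&c, "MODULE_CHECK", rules, n));
    /* A fixed policy that ignores the Kconfig state appraises unconditionally. */
    const char *fixed[] = { "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" };
    printf("uncoordinated: kexec needs %d signature(s)\n",
           signatures_required(&c, "KEXEC_KERNEL_CHECK", fixed, 1));
    return 0;
}
```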