| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1551998498.31706.458.camel@linux.ibm.com>
Date: Thu, 07 Mar 2019 17:41:38 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Matthew Garrett <mjg59@...gle.com>
Cc: linux-integrity <linux-integrity@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Jessica Yu <jeyu@...nel.org>,
Luis Chamberlain <mcgrof@...nel.org>,
David Howells <dhowells@...hat.com>,
Seth Forshee <seth.forshee@...onical.com>,
"Bruno E . O . Meneguele" <bmeneg@...hat.com>
Subject: Re: [PATCH v2] x86/ima: require signed kernel modules
On Thu, 2019-03-07 at 14:36 -0800, Matthew Garrett wrote:
> On Thu, Mar 7, 2019 at 2:34 PM Mimi Zohar <zohar@...ux.ibm.com> wrote:
> >
> > On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote:
> > > On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar <zohar@...ux.ibm.com> wrote:
> > > > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
> > > > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > > + if (IS_ENABLED(CONFIG_MODULE_SIG))
> > > > + set_module_sig_enforced();
> > > > return sb_arch_rules;
> > >
> > > Linus previously pushed back on having the lockdown features
> > > automatically enabled on secure boot systems. Why are we doing the
> > > same in IMA?
> >
> > IMA-appraisal is extending the "secure boot" concept to the running
> > system.
>
> Right, but how is this different to what Linus was objecting to?
Both Andy Lutomirski and Linus objected to limiting the "lockdown"
patch set to secure boot enabled systems.
Mimi
Powered by blists - more mailing lists