| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1558387212.4039.77.camel@linux.ibm.com>
Date: Mon, 20 May 2019 17:20:12 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>,
dmitry.kasatkin@...wei.com, mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org, linux-doc@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, silviu.vlasceanu@...wei.com,
stable@...r.kernel.org
Subject: Re: [PATCH 3/4] ima: don't ignore INTEGRITY_UNKNOWN EVM status
On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 52e6fbb042cc..80e1c233656b 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1588,6 +1588,9 @@
> Format: { "off" | "enforce" | "fix" | "log" }
> default: "enforce"
>
> + ima_appraise_req_evm
> + [IMA] require EVM for appraisal with file digests.
As much as possible we want to limit the number of new boot command
line options as possible. Is there a reason for not extending
"ima_appraise=" with "require-evm" or "enforce-evm"?
Mimi
> +
> ima_appraise_tcb [IMA] Deprecated. Use ima_policy= instead.
> The builtin appraise policy appraises all files
> owned by uid=0.
Powered by blists - more mailing lists