| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ea3bba66-9b21-b842-990b-2bf1e4ac2179@linux.microsoft.com>
Date: Thu, 30 Jul 2020 11:02:50 -0700
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: zohar@...ux.ibm.com, stephen.smalley.work@...il.com,
casey@...aufler-ca.com
Cc: tyhicks@...ux.microsoft.com, sashal@...nel.org, jmorris@...ei.org,
linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5 4/4] IMA: Handle early boot data measurement
On 7/29/20 8:47 PM, Lakshmi Ramasubramanian wrote:
Hi Tyler,
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 080c53545ff0..86cba844f73c 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -322,10 +322,9 @@ config IMA_MEASURE_ASYMMETRIC_KEYS
> depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
> default y
>
> -config IMA_QUEUE_EARLY_BOOT_KEYS
> +config IMA_QUEUE_EARLY_BOOT_DATA
> bool
> - depends on IMA_MEASURE_ASYMMETRIC_KEYS
> - depends on SYSTEM_TRUSTED_KEYRING
> + depends on SECURITY || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)
> default y
>
Similar to the change you'd suggested for validating LSM_STATE and
LSM_POLICY func, I think IMA_QUEUE_EARLY_BOOT_DATA config should be
enabled for SECURITY_SELINUX.
depends on SECURITY_SELINUX ||
(IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)
And, when more security modules are added update this CONFIG as appropriate.
Does that sound okay?
-lakshmi
Powered by blists - more mailing lists