| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200730200436.GY4181@sequoia>
Date: Thu, 30 Jul 2020 15:04:36 -0500
From: Tyler Hicks <tyhicks@...ux.microsoft.com>
To: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Cc: zohar@...ux.ibm.com, stephen.smalley.work@...il.com,
casey@...aufler-ca.com, sashal@...nel.org, jmorris@...ei.org,
linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5 4/4] IMA: Handle early boot data measurement
On 2020-07-30 11:02:50, Lakshmi Ramasubramanian wrote:
> On 7/29/20 8:47 PM, Lakshmi Ramasubramanian wrote:
>
> Hi Tyler,
>
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index 080c53545ff0..86cba844f73c 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -322,10 +322,9 @@ config IMA_MEASURE_ASYMMETRIC_KEYS
> > depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
> > default y
> > -config IMA_QUEUE_EARLY_BOOT_KEYS
> > +config IMA_QUEUE_EARLY_BOOT_DATA
> > bool
> > - depends on IMA_MEASURE_ASYMMETRIC_KEYS
> > - depends on SYSTEM_TRUSTED_KEYRING
> > + depends on SECURITY || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)
> > default y
> Similar to the change you'd suggested for validating LSM_STATE and
> LSM_POLICY func, I think IMA_QUEUE_EARLY_BOOT_DATA config should be enabled
> for SECURITY_SELINUX.
>
> depends on SECURITY_SELINUX ||
> (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)
>
> And, when more security modules are added update this CONFIG as appropriate.
>
> Does that sound okay?
Yes, I think so.
Tyler
>
> -lakshmi
Powered by blists - more mailing lists