| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <s5hpmpz9o08.wl-tiwai@suse.de>
Date: Tue, 14 Dec 2021 16:58:47 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Takashi Iwai <tiwai@...e.de>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
Joey Lee <jlee@...e.com>
Subject: Re: [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co
On Tue, 14 Dec 2021 16:31:21 +0100,
Mimi Zohar wrote:
>
> Hi Takashi,
>
> On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote:
> > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are
> > defined only when CONFIG_IMA is set, and this makes the code calling
> > those functions without CONFIG_IMA failing. Although there is no such
> > in-tree users, but the out-of-tree users already hit it.
> >
> > Move the declaration and the dummy definition of those functions
> > outside ifdef-CONFIG_IMA block for fixing the undefined symbols.
> >
> > Signed-off-by: Takashi Iwai <tiwai@...e.de>
>
> Before lockdown was upstreamed, we made sure that IMA and lockdown
> could co-exist. This patch makes the stub functions available even
> when IMA is not configured. Do the remaining downstream patches
> require IMA to be disabled or can IMA co-exist?
I guess Joey (Cc'ed) can explain this better. AFAIK, currently it's
used in a part of MODSIGN stuff in SUSE kernels, and it's calling
unconditionally this function for checking whether the system is with
the Secure Boot or not.
thanks,
Takashi
Powered by blists - more mailing lists