lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 27 Jan 2022 14:42:14 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Christian Brauner <brauner@...nel.org>,
        Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc:     linux-integrity@...r.kernel.org, serge@...lyn.com,
        christian.brauner@...ntu.com, containers@...ts.linux.dev,
        dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
        krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
        mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
        puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
        linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org,
        Stefan Berger <stefanb@...ux.ibm.com>
Subject: Re: [PATCH v9 06/23] ima: Move arch_policy_entry into ima_namespace

On Wed, 2022-01-26 at 10:11 +0100, Christian Brauner wrote:
> On Tue, Jan 25, 2022 at 05:46:28PM -0500, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@...ux.ibm.com>
> > 
> > Move the arch_policy_entry pointer into ima_namespace.
> > 
> > When freeing the memory set the pointer to NULL.
> > 
> > Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
> > ---
> 
> Only relevant for the initial imans (for now) since it is derived from a
> boot parameter. Maybe mention this in the commit message.

Enabling architecture specific policy rules is based on
CONFIG_IMA_ARCH_POLICY.  As the name implies, each architecture is free
to define their own policy rules.  For example on x86, based on the
secure boot mode both measurement and signature verification rules are
defined for the kexec kernel image and kernel modules. Similarly on
powerpc, different measurement and signature verification rules for the
kexec kernel image and kernel modules are defined based on whether
trusted boot, secure boot, or both are enabled [2].

As neither kexec nor loading kernel modules are applicable, the
architecture policy rules are limited to initial imans.

[1] security/integrity/ima/ima_efi.c 
[2] arch/powerpc/kernel/ima_arch.c

> 
> Move into struct ima_namespace looks good,
> Acked-by: Christian Brauner <brauner@...nel.org>

Thanks, Christian.

Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ