Message-ID: <bf435ffa5d176213acabb8c576c159d2cbd4d395.camel@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:39:39 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Stefan Berger <stefanb@...ux.ibm.com>,
linux-integrity@...r.kernel.org
Cc: serge@...lyn.com, christian.brauner@...ntu.com,
containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace
On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
Let's update the patch description providing a bit more background
info:
The architecture specific policy rules, currently defined for EFI and
powerpc, require the kexec kernel image and kernel modules to be
validly signed and measured, based on the system's secure boot and/or
trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
> Move the arch_policy_entry pointer into ima_namespace.
Perhaps include something about namespaces being allowed or not allowed
to kexec a new kernel or load kernel modules.
thanks,
Mimi
>
> When freeing the memory set the pointer to NULL.
>
> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
> Acked-by: Christian Brauner <brauner@...nel.org>
> Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
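The ownership change the patch description discusses, as an added example that is not kernel code and not part of this patch series: a constructed C model in which each ima_namespace owns its own arch_policy_entry, loads the arch rules only when the platform booted in secure boot mode with the (modelled) IMA_ARCH_POLICY option on, and resets the pointer to NULL on free. The rule strings and the functions ima_ns_load_arch_policy, ima_ns_free_arch_policy and ima_ns_requires_appraisal are assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the patch's per-namespace arch policy ownership, not
 * kernel code; rules are sample strings shaped like IMA arch policy rules. */
struct ima_namespace {
	const char **arch_policy_entry;	/* owned by the namespace; NULL when unset */
	size_t arch_policy_count;
};
static const char *const sample_arch_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK",
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
	"measure func=MODULE_CHECK",
	"appraise func=MODULE_CHECK appraise_type=imasig",
};
/* Load the arch rules into ns only when the platform booted in secure boot
 * mode and the (modelled) IMA_ARCH_POLICY option is on; returns rules loaded. */
size_t ima_ns_load_arch_policy(struct ima_namespace *ns, bool secure_boot,
			       bool arch_policy_enabled)
{
	size_t n = sizeof(sample_arch_rules) / sizeof(sample_arch_rules[0]);
	if (!secure_boot || !arch_policy_enabled)
		return 0;
	ns->arch_policy_entry = calloc(n, sizeof(*ns->arch_policy_entry));
	if (!ns->arch_policy_entry)
		return 0;
	for (size_t i = 0; i < n; i++)
		ns->arch_policy_entry[i] = sample_arch_rules[i];
	ns->arch_policy_count = n;
	return n;
}

/* Free and reset the pointer, as the patch description says, so a repeated
 * free or a later lookup on this namespace never touches released memory. */
void ima_ns_free_arch_policy(struct ima_namespace *ns)
{
	free(ns->arch_policy_entry);
	ns->arch_policy_entry = NULL;
	ns->arch_policy_count = 0;
}

/* Does ns carry an appraise rule for the given hook, e.g. "MODULE_CHECK"? */
bool ima_ns_requires_appraisal(const struct ima_namespace *ns, const char *func)
{
	for (size_t i = 0; i < ns->arch_policy_count; i++)
		if (strncmp(ns->arch_policy_entry[i], "appraise ", 9) == 0 &&
		    strstr(ns->arch_policy_entry[i], func))
			return true;
	return false;
}
```

A namespace that never loaded the rules, or that has freed them, reports no appraisal requirement and can be freed again safely because the pointer was reset.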