| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0c6442db-7e97-58dd-f39c-b22a37398715@linux.vnet.ibm.com>
Date: Thu, 28 Apr 2022 18:08:18 -0400
From: Nayna <nayna@...ux.vnet.ibm.com>
To: Eric Snowberg <eric.snowberg@...cle.com>
Cc: dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, zohar@...ux.ibm.com
Subject: Re: [PATCH] integrity: Allow ima_appraise bootparam to be set when SB
is enabled
On 4/25/22 18:21, Eric Snowberg wrote:
> The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
> modes (log, fix, enforce) to be configured at boot time. When booting
> with Secure Boot enabled, all modes are ignored except enforce. To use
> log or fix, Secure Boot must be disabled.
>
> With a policy such as:
>
> appraise func=BPRM_CHECK appraise_type=imasig
>
> A user may just want to audit signature validation. Not all users
> are interested in full enforcement and find the audit log appropriate
> for their use case.
>
> Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
> to work when Secure Boot is enabled.
Tianocore(UEFI Reference Implementation) defines four secure boot modes,
one of which is Audit Mode. Refer to last few lines of Feature Summary
section in Readme.MD
(https://github.com/tianocore/edk2-staging/blob/Customized-Secure-Boot/Readme.MD#3-feature-summary).
Based on the reference, IMA appraise_mode="log" should probably work in
coordination with AuditMode.
Thanks & Regards,
- Nayna
Powered by blists - more mailing lists