| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5cbba927f2462f48012f683c923d53b3aa291c46.camel@linux.ibm.com>
Date: Thu, 27 Jul 2023 13:38:08 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Coiby Xu <coxu@...hat.com>, linux-integrity@...r.kernel.org
Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] ima: require signed IMA policy when UEFI secure boot
is enabled
On Wed, 2023-07-26 at 10:08 +0800, Coiby Xu wrote:
> With commit 099f26f22f58 ("integrity: machine keyring CA
> configuration"), users are able to add custom IMA CA keys via
> MOK. This allows users to sign their own IMA polices without
> recompiling the kernel. For the sake of security, mandate signed IMA
> policy when UEFI secure boot is enabled.
>
> Note this change may affect existing users/tests i.e users won't be able
> to load an unsigned IMA policy when the IMA architecture specific policy
> is configured and UEFI secure boot is enabled.
>
> Suggested-by: Mimi Zohar <zohar@...ux.ibm.com>
> Signed-off-by: Coiby Xu <coxu@...hat.com>
> ---
> v2
> - improve commit message [Mimi]
> - explicitly mention the dependent commit
> - add a note that the change will affect user space
> - remove "/* CONFIG_INTEGRITY_MACHINE_KEYRING .. */" to improve code
> readability
Thank you for updating the commit message. The patch is now queued in
next-integrity-testing.
--
thanks,
Mimi
Powered by blists - more mailing lists