| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <edeb23e7884e94006d560898b7f9d2dd257a275e.camel@linux.ibm.com>
Date: Wed, 14 May 2025 13:37:51 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Thomas Weißschuh <linux@...ssschuh.net>,
Masahiro
Yamada <masahiroy@...nel.org>,
Nathan Chancellor <nathan@...nel.org>, Arnd
Bergmann <arnd@...db.de>,
Luis Chamberlain <mcgrof@...nel.org>,
Petr Pavlu
<petr.pavlu@...e.com>,
Sami Tolvanen <samitolvanen@...gle.com>,
Daniel
Gomez <da.gomez@...sung.com>, Paul Moore <paul@...l-moore.com>,
James
Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Jonathan
Corbet <corbet@....net>,
Madhavan Srinivasan <maddy@...ux.ibm.com>,
Michael
Ellerman <mpe@...erman.id.au>,
Nicholas Piggin <npiggin@...il.com>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Naveen N Rao
<naveen@...nel.org>,
Roberto Sassu <roberto.sassu@...wei.com>,
Dmitry
Kasatkin <dmitry.kasatkin@...il.com>,
Eric Snowberg
<eric.snowberg@...cle.com>,
Nicolas Schier <nicolas.schier@...ux.dev>
Cc: Fabian Grünbichler <f.gruenbichler@...xmox.com>,
Arnout Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>,
kpcyrd <kpcyrd@...hlinux.org>, Christian Heusel <christian@...sel.eu>,
Câju Mihai-Drosi <mcaju95@...il.com>,
linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-modules@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org, linux-integrity@...r.kernel.org
Subject: Re: [PATCH v3 2/9] ima: efi: Drop unnecessary check for
CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
On Wed, 2025-05-14 at 11:09 -0400, Mimi Zohar wrote:
> On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> > When configuration settings are disabled the guarded functions are
> > defined as empty stubs, so the check is unnecessary.
> > The specific configuration option for set_module_sig_enforced() is
> > about to change and removing the checks avoids some later churn.
> >
> > Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
> >
> > ---
> > This patch is not strictly necessary right now, but makes looking for
> > usages of CONFIG_MODULE_SIG easier.
> > ---
> > security/integrity/ima/ima_efi.c | 6 ++----
> > 1 file changed, 2 insertions(+), 4 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
> > index
> > 138029bfcce1e40ef37700c15e30909f6e9b4f2d..a35dd166ad47beb4a7d46cc3e8fc604f57e03ecb
> > 100644
> > --- a/security/integrity/ima/ima_efi.c
> > +++ b/security/integrity/ima/ima_efi.c
> > @@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = {
> > const char * const *arch_get_ima_policy(void)
> > {
> > if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > - if (IS_ENABLED(CONFIG_MODULE_SIG))
> > - set_module_sig_enforced();
> > - if (IS_ENABLED(CONFIG_KEXEC_SIG))
> > - set_kexec_sig_enforced();
> > + set_module_sig_enforced();
> > + set_kexec_sig_enforced();
> > return sb_arch_rules;
>
> Hi Thomas,
>
> I'm just getting to looking at this patch set. Sorry for the delay.
>
> Testing whether CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG are configured gives priority
> to them, rather than to the IMA support. Without any other changes, both signature
> verifications would be enforced. Is that the intention?
Never mind, got it.
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
Powered by blists - more mailing lists