| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3bc7c90c620d46378978f30e03cf8375dc0cbc42.camel@linux.ibm.com>
Date: Wed, 14 May 2025 17:36:19 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Thomas Weißschuh <linux@...ssschuh.net>
Cc: Masahiro Yamada <masahiroy@...nel.org>,
Nathan Chancellor
<nathan@...nel.org>, Arnd Bergmann <arnd@...db.de>,
Luis Chamberlain
<mcgrof@...nel.org>,
Petr Pavlu <petr.pavlu@...e.com>,
Sami Tolvanen
<samitolvanen@...gle.com>,
Daniel Gomez <da.gomez@...sung.com>, Paul Moore
<paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn"
<serge@...lyn.com>,
Jonathan Corbet <corbet@....net>,
Madhavan Srinivasan
<maddy@...ux.ibm.com>,
Michael Ellerman <mpe@...erman.id.au>,
Nicholas
Piggin <npiggin@...il.com>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Naveen N Rao <naveen@...nel.org>,
Roberto Sassu <roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Eric Snowberg
<eric.snowberg@...cle.com>,
Nicolas Schier <nicolas.schier@...ux.dev>,
Fabian Grünbichler <f.gruenbichler@...xmox.com>,
Arnout
Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>,
kpcyrd
<kpcyrd@...hlinux.org>, Christian Heusel <christian@...sel.eu>,
Câju Mihai-Drosi <mcaju95@...il.com>,
linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-arch@...r.kernel.org, linux-modules@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org, linux-integrity@...r.kernel.org
Subject: Re: [PATCH v3 2/9] ima: efi: Drop unnecessary check for
CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
On Wed, 2025-05-14 at 20:25 +0200, Thomas Weißschuh wrote:
> May 14, 2025 19:39:37 Mimi Zohar <zohar@...ux.ibm.com>:
>
> > On Wed, 2025-05-14 at 11:09 -0400, Mimi Zohar wrote:
> > > On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> > > > When configuration settings are disabled the guarded functions are
> > > > defined as empty stubs, so the check is unnecessary.
> > > > The specific configuration option for set_module_sig_enforced() is
> > > > about to change and removing the checks avoids some later churn.
> > > >
> > > > Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
> > > >
> > > > ---
> > > > This patch is not strictly necessary right now, but makes looking for
> > > > usages of CONFIG_MODULE_SIG easier.
> > > > ---
> > > > security/integrity/ima/ima_efi.c | 6 ++----
> > > > 1 file changed, 2 insertions(+), 4 deletions(-)
> > > >
> > > > diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
> > > > index
> > > > 138029bfcce1e40ef37700c15e30909f6e9b4f2d..a35dd166ad47beb4a7d46cc3e8fc604f57e03ecb
> > > > 100644
> > > > --- a/security/integrity/ima/ima_efi.c
> > > > +++ b/security/integrity/ima/ima_efi.c
> > > > @@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = {
> > > > const char * const *arch_get_ima_policy(void)
> > > > {
> > > > if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > > - if (IS_ENABLED(CONFIG_MODULE_SIG))
> > > > - set_module_sig_enforced();
> > > > - if (IS_ENABLED(CONFIG_KEXEC_SIG))
> > > > - set_kexec_sig_enforced();
> > > > + set_module_sig_enforced();
> > > > + set_kexec_sig_enforced();
> > > > return sb_arch_rules;
> > >
> > > Hi Thomas,
> > >
> > > I'm just getting to looking at this patch set. Sorry for the delay.
> > >
> > > Testing whether CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG are configured gives priority
> > > to them, rather than to the IMA support. Without any other changes, both signature
> > > verifications would be enforced. Is that the intention?
> >
> > Never mind, got it.
> >
> > Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
>
> Thanks for the review!
>
> Given that this series has no chance
> of getting into the next merge window,
> would it be possible to take the two IMA preparation patches
> through the IMA tree to have them out of the way?
I'm fine with picking up the two patches simply as code cleanup, meaning dropping the last
sentence of the patch description, after some testing.
Mimi
Powered by blists - more mailing lists