lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <48f22e9a-7212-49f1-8989-128bbc2d6d32@linux.ibm.com>
Date: Fri, 1 Aug 2025 10:34:40 -0400
From: Nayna Jain <nayna@...ux.ibm.com>
To: GONG Ruiqi <gongruiqi1@...wei.com>, Mimi Zohar <zohar@...ux.ibm.com>,
        Roberto Sassu <roberto.sassu@...wei.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        Madhavan Srinivasan <maddy@...ux.ibm.com>,
        Michael Ellerman <mpe@...erman.id.au>,
        Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>
Cc: Eric Snowberg <eric.snowberg@...cle.com>,
        Christophe Leroy <christophe.leroy@...roup.eu>,
        Nicholas Piggin <npiggin@...il.com>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>, "Lee, Chun-Yi" <jlee@...e.com>,
        linuxppc-dev@...ts.ozlabs.org, linux-kernel@...r.kernel.org,
        linux-s390@...r.kernel.org, linux-integrity@...r.kernel.org,
        keyrings@...r.kernel.org, Lu Jialin <lujialin4@...wei.com>
Subject: Re: [PATCH v2] integrity: Extract secure boot enquiry function out of
 IMA


On 7/28/25 8:17 AM, GONG Ruiqi wrote:
> On 7/26/2025 2:29 AM, Nayna Jain wrote:
>> On 7/17/25 8:29 AM, GONG Ruiqi wrote:
>>> On 7/8/2025 4:35 AM, Nayna Jain wrote:
>>>> On 7/2/25 10:07 PM, GONG Ruiqi wrote:
>>>>> ...
>>> Yes, IMA_ARCH_POLICY was not set. The testing was conducted on
>>> openEuler[1], a Linux distro mainly for arm64 & x86, and the kernel was
>>> compiled based on its own openeuler_defconfig[2], which set
>>> IMA_ARCH_POLICY to N.
>> Thanks Ruiqi for the response.
>>
>> It seems the main cause of the problem was that IMA_ARCH_POLICY config
>> wasn't enabled; and it sounds like you don't need IMA arch policies but
>> you do need the arch specific function to get the secure boot status.
>>
>> In that case, removing IMA_SECURE_AND_OR_TRUSTED_BOOT config dependency
>> on IMA_ARCH_POLICY config and updating the corresponding help is all
>> that is needed.
> I think it doesn't solve the real problems, which are: 1. the implicit
> dependency of LOAD_UEFI_KEYS to IMA_SECURE_AND_OR_TRUSTED_BOOT, which
> surprises people, and 2. what arch_ima_get_secureboot() does is
> essentially a stand-alone function and it's not necessarily be a part of
> IMA, but it's still controlled by IMA_SECURE_AND_OR_TRUSTED_BOOT.
>
> I agree that adjusting Kconfig could be simpler, but breaking
> IMA_SECURE_AND_OR_TRUSTED_BOOT's dependency to IMA_ARCH_POLICY doesn't
> help on both. If that's gonna be the way we will take, what I would
> propose is to let LOAD_UEFI_KEYS select IMA_SECURE_AND_OR_TRUSTED_BOOT,
> which states the dependency explicitly so at least solves the problem 1.

Hi Ruiqi,

IMA_SECURE_AND_OR_TRUSTED_BOOT is already enabled by different 
architectures. Having LOAD_UEFI_KEYS select it would help only if 
IMA_ARCH_POLICY is also selected.

Thanks & Regards,

    - Nayna

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ