lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8bfa859ed3a4f1cf0db0ab64d8c1c3b24684582a.camel@linux.ibm.com>
Date: Fri, 16 Jan 2026 08:11:14 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Ard Biesheuvel <ardb@...nel.org>, Coiby Xu <coxu@...hat.com>
Cc: linux-integrity@...r.kernel.org, Heiko Carstens <hca@...ux.ibm.com>,
        Roberto Sassu <roberto.sassu@...weicloud.com>,
        Catalin Marinas
 <catalin.marinas@....com>,
        Will Deacon	 <will@...nel.org>,
        Madhavan
 Srinivasan <maddy@...ux.ibm.com>,
        Michael Ellerman	 <mpe@...erman.id.au>,
        Nicholas Piggin <npiggin@...il.com>,
        "Christophe Leroy (CS GROUP)"
 <chleroy@...nel.org>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Alexander Gordeev	
 <agordeev@...ux.ibm.com>,
        Christian Borntraeger
 <borntraeger@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Thomas
 Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
        Borislav
 Petkov	 <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"	 <x86@...nel.org>,
        "H.
 Peter Anvin" <hpa@...or.com>,
        Roberto Sassu	 <roberto.sassu@...wei.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        Eric Snowberg
 <eric.snowberg@...cle.com>,
        Paul Moore <paul@...l-moore.com>, James Morris
 <jmorris@...ei.org>,
        "Serge E. Hallyn"	 <serge@...lyn.com>,
        Jarkko
 Sakkinen <jarkko@...nel.org>,
        "moderated list:ARM64 PORT (AARCH64
 ARCHITECTURE)"	 <linux-arm-kernel@...ts.infradead.org>,
        open list
 <linux-kernel@...r.kernel.org>,
        "open list:LINUX FOR POWERPC (32-BIT AND
 64-BIT)"	 <linuxppc-dev@...ts.ozlabs.org>,
        "open list:S390 ARCHITECTURE"	
 <linux-s390@...r.kernel.org>,
        "open list:EXTENSIBLE FIRMWARE INTERFACE
 (EFI)"	 <linux-efi@...r.kernel.org>,
        "open list:SECURITY SUBSYSTEM"	
 <linux-security-module@...r.kernel.org>,
        "open
 list:KEYS/KEYRINGS_INTEGRITY"	 <keyrings@...r.kernel.org>
Subject: Re: [PATCH 1/3] integrity: Make arch_ima_get_secureboot
 integrity-wide

On Fri, 2026-01-16 at 10:41 +0100, Ard Biesheuvel wrote:
> On Thu, 15 Jan 2026 at 01:43, Coiby Xu <coxu@...hat.com> wrote:
> > 
> > EVM and other LSMs need the ability to query the secure boot status of
> > the system, without directly calling the IMA arch_ima_get_secureboot
> > function. Refactor the secure boot status check into a general,
> > integrity-wide function named arch_integrity_get_secureboot.
> > 
> > Define a new Kconfig option CONFIG_INTEGRITY_SECURE_BOOT, which is
> > automatically configured by the supported architectures. The existing
> > IMA_SECURE_AND_OR_TRUSTED_BOOT Kconfig loads the architecture specific
> > IMA policy based on the refactored secure boot status code.
> > 
> > Reported-and-suggested-by: Mimi Zohar <zohar@...ux.ibm.com>
> > Suggested-by: Roberto Sassu <roberto.sassu@...weicloud.com>
> > Signed-off-by: Coiby Xu <coxu@...hat.com>
> > ---
> >  arch/arm64/Kconfig                            |  1 +
> >  arch/powerpc/Kconfig                          |  1 +
> >  arch/powerpc/kernel/Makefile                  |  2 +-
> >  arch/powerpc/kernel/ima_arch.c                |  5 --
> >  arch/powerpc/kernel/integrity_sb_arch.c       | 13 +++++
> >  arch/s390/Kconfig                             |  1 +
> >  arch/s390/kernel/Makefile                     |  1 +
> >  arch/s390/kernel/ima_arch.c                   |  6 --
> >  arch/s390/kernel/integrity_sb_arch.c          |  9 +++
> >  arch/x86/Kconfig                              |  1 +
> >  arch/x86/include/asm/efi.h                    |  4 +-
> >  arch/x86/platform/efi/efi.c                   |  2 +-
> >  include/linux/ima.h                           |  7 +--
> >  include/linux/integrity.h                     |  8 +++
> >  security/integrity/Kconfig                    |  6 ++
> >  security/integrity/Makefile                   |  3 +
> >  security/integrity/efi_secureboot.c           | 56 +++++++++++++++++++
> >  security/integrity/ima/ima_appraise.c         |  2 +-
> >  security/integrity/ima/ima_efi.c              | 47 +---------------
> >  security/integrity/ima/ima_main.c             |  4 +-
> >  security/integrity/platform_certs/load_uefi.c |  2 +-
> >  21 files changed, 111 insertions(+), 70 deletions(-)
> >  create mode 100644 arch/powerpc/kernel/integrity_sb_arch.c
> >  create mode 100644 arch/s390/kernel/integrity_sb_arch.c
> >  create mode 100644 security/integrity/efi_secureboot.c
> > 
> > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> > index 93173f0a09c7..4c265b7386bb 100644
> > --- a/arch/arm64/Kconfig
> > +++ b/arch/arm64/Kconfig
> > @@ -2427,6 +2427,7 @@ config EFI
> >         select EFI_STUB
> >         select EFI_GENERIC_STUB
> >         imply IMA_SECURE_AND_OR_TRUSTED_BOOT
> > +       imply INTEGRITY_SECURE_BOOT
> 
> This allows both to be en/disabled individually, which I don't think
> is what we want. It also results in more churn across the
> arch-specific Kconfigs than needed.
> 
> Wouldn't it be better if IMA_SECURE_AND_OR_TRUSTED_BOOT 'select'ed
> INTEGRITY_SECURE_BOOT in its Kconfig definition?

As much as possible, EVM (and other LSMs) shouldn't be dependent on another LSM,
in this case IMA, being configured.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ