| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMj1kXHsJNZoUEnbD1y=v4Ftuv9d2c08VckRV7ru4k4P83vZbQ@mail.gmail.com> Date: Fri, 16 Jan 2026 14:18:48 +0100 From: Ard Biesheuvel <ardb@...nel.org> To: Mimi Zohar <zohar@...ux.ibm.com> Cc: Coiby Xu <coxu@...hat.com>, linux-integrity@...r.kernel.org, Heiko Carstens <hca@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...weicloud.com>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, "Christophe Leroy (CS GROUP)" <chleroy@...nel.org>, Vasily Gorbik <gor@...ux.ibm.com>, Alexander Gordeev <agordeev@...ux.ibm.com>, Christian Borntraeger <borntraeger@...ux.ibm.com>, Sven Schnelle <svens@...ux.ibm.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Eric Snowberg <eric.snowberg@...cle.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Jarkko Sakkinen <jarkko@...nel.org>, "moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)" <linux-arm-kernel@...ts.infradead.org>, open list <linux-kernel@...r.kernel.org>, "open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)" <linuxppc-dev@...ts.ozlabs.org>, "open list:S390 ARCHITECTURE" <linux-s390@...r.kernel.org>, "open list:EXTENSIBLE FIRMWARE INTERFACE (EFI)" <linux-efi@...r.kernel.org>, "open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>, "open list:KEYS/KEYRINGS_INTEGRITY" <keyrings@...r.kernel.org> Subject: Re: [PATCH 1/3] integrity: Make arch_ima_get_secureboot integrity-wide On Fri, 16 Jan 2026 at 14:11, Mimi Zohar <zohar@...ux.ibm.com> wrote: > > On Fri, 2026-01-16 at 10:41 +0100, Ard Biesheuvel wrote: > > On Thu, 15 Jan 2026 at 01:43, Coiby Xu <coxu@...hat.com> wrote: > > > > > > EVM and other LSMs need the ability to query the secure boot status of > > > the system, without directly calling the IMA arch_ima_get_secureboot > > > function. Refactor the secure boot status check into a general, > > > integrity-wide function named arch_integrity_get_secureboot. > > > > > > Define a new Kconfig option CONFIG_INTEGRITY_SECURE_BOOT, which is > > > automatically configured by the supported architectures. The existing > > > IMA_SECURE_AND_OR_TRUSTED_BOOT Kconfig loads the architecture specific > > > IMA policy based on the refactored secure boot status code. > > > > > > Reported-and-suggested-by: Mimi Zohar <zohar@...ux.ibm.com> > > > Suggested-by: Roberto Sassu <roberto.sassu@...weicloud.com> > > > Signed-off-by: Coiby Xu <coxu@...hat.com> > > > --- > > > arch/arm64/Kconfig | 1 + > > > arch/powerpc/Kconfig | 1 + > > > arch/powerpc/kernel/Makefile | 2 +- > > > arch/powerpc/kernel/ima_arch.c | 5 -- > > > arch/powerpc/kernel/integrity_sb_arch.c | 13 +++++ > > > arch/s390/Kconfig | 1 + > > > arch/s390/kernel/Makefile | 1 + > > > arch/s390/kernel/ima_arch.c | 6 -- > > > arch/s390/kernel/integrity_sb_arch.c | 9 +++ > > > arch/x86/Kconfig | 1 + > > > arch/x86/include/asm/efi.h | 4 +- > > > arch/x86/platform/efi/efi.c | 2 +- > > > include/linux/ima.h | 7 +-- > > > include/linux/integrity.h | 8 +++ > > > security/integrity/Kconfig | 6 ++ > > > security/integrity/Makefile | 3 + > > > security/integrity/efi_secureboot.c | 56 +++++++++++++++++++ > > > security/integrity/ima/ima_appraise.c | 2 +- > > > security/integrity/ima/ima_efi.c | 47 +--------------- > > > security/integrity/ima/ima_main.c | 4 +- > > > security/integrity/platform_certs/load_uefi.c | 2 +- > > > 21 files changed, 111 insertions(+), 70 deletions(-) > > > create mode 100644 arch/powerpc/kernel/integrity_sb_arch.c > > > create mode 100644 arch/s390/kernel/integrity_sb_arch.c > > > create mode 100644 security/integrity/efi_secureboot.c > > > > > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > > > index 93173f0a09c7..4c265b7386bb 100644 > > > --- a/arch/arm64/Kconfig > > > +++ b/arch/arm64/Kconfig > > > @@ -2427,6 +2427,7 @@ config EFI > > > select EFI_STUB > > > select EFI_GENERIC_STUB > > > imply IMA_SECURE_AND_OR_TRUSTED_BOOT > > > + imply INTEGRITY_SECURE_BOOT > > > > This allows both to be en/disabled individually, which I don't think > > is what we want. It also results in more churn across the > > arch-specific Kconfigs than needed. > > > > Wouldn't it be better if IMA_SECURE_AND_OR_TRUSTED_BOOT 'select'ed > > INTEGRITY_SECURE_BOOT in its Kconfig definition? > > As much as possible, EVM (and other LSMs) shouldn't be dependent on another LSM, > in this case IMA, being configured. Sure, but that is not my point. This arrangement allows for IMA_SECURE_AND_OR_TRUSTED_BOOT to be enabled without INTEGRITY_SECURE_BOOT, resulting in the stub implementation of arch_integrity_get_secureboot() being used, which always returns false.
Powered by blists - more mailing lists