lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMj1kXFXNo1-pMbo-VZrjQ3TYe1tufebrLr_avL12A0nHMSGnA@mail.gmail.com>
Date: Fri, 16 Jan 2026 10:41:48 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: Coiby Xu <coxu@...hat.com>
Cc: linux-integrity@...r.kernel.org, Heiko Carstens <hca@...ux.ibm.com>, 
	Mimi Zohar <zohar@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...weicloud.com>, 
	Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, 
	Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, 
	Nicholas Piggin <npiggin@...il.com>, "Christophe Leroy (CS GROUP)" <chleroy@...nel.org>, 
	Vasily Gorbik <gor@...ux.ibm.com>, Alexander Gordeev <agordeev@...ux.ibm.com>, 
	Christian Borntraeger <borntraeger@...ux.ibm.com>, Sven Schnelle <svens@...ux.ibm.com>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, 
	"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Roberto Sassu <roberto.sassu@...wei.com>, 
	Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Eric Snowberg <eric.snowberg@...cle.com>, 
	Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, 
	"Serge E. Hallyn" <serge@...lyn.com>, Jarkko Sakkinen <jarkko@...nel.org>, 
	"moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)" <linux-arm-kernel@...ts.infradead.org>, 
	open list <linux-kernel@...r.kernel.org>, 
	"open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)" <linuxppc-dev@...ts.ozlabs.org>, 
	"open list:S390 ARCHITECTURE" <linux-s390@...r.kernel.org>, 
	"open list:EXTENSIBLE FIRMWARE INTERFACE (EFI)" <linux-efi@...r.kernel.org>, 
	"open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>, 
	"open list:KEYS/KEYRINGS_INTEGRITY" <keyrings@...r.kernel.org>
Subject: Re: [PATCH 1/3] integrity: Make arch_ima_get_secureboot integrity-wide

On Thu, 15 Jan 2026 at 01:43, Coiby Xu <coxu@...hat.com> wrote:
>
> EVM and other LSMs need the ability to query the secure boot status of
> the system, without directly calling the IMA arch_ima_get_secureboot
> function. Refactor the secure boot status check into a general,
> integrity-wide function named arch_integrity_get_secureboot.
>
> Define a new Kconfig option CONFIG_INTEGRITY_SECURE_BOOT, which is
> automatically configured by the supported architectures. The existing
> IMA_SECURE_AND_OR_TRUSTED_BOOT Kconfig loads the architecture specific
> IMA policy based on the refactored secure boot status code.
>
> Reported-and-suggested-by: Mimi Zohar <zohar@...ux.ibm.com>
> Suggested-by: Roberto Sassu <roberto.sassu@...weicloud.com>
> Signed-off-by: Coiby Xu <coxu@...hat.com>
> ---
>  arch/arm64/Kconfig                            |  1 +
>  arch/powerpc/Kconfig                          |  1 +
>  arch/powerpc/kernel/Makefile                  |  2 +-
>  arch/powerpc/kernel/ima_arch.c                |  5 --
>  arch/powerpc/kernel/integrity_sb_arch.c       | 13 +++++
>  arch/s390/Kconfig                             |  1 +
>  arch/s390/kernel/Makefile                     |  1 +
>  arch/s390/kernel/ima_arch.c                   |  6 --
>  arch/s390/kernel/integrity_sb_arch.c          |  9 +++
>  arch/x86/Kconfig                              |  1 +
>  arch/x86/include/asm/efi.h                    |  4 +-
>  arch/x86/platform/efi/efi.c                   |  2 +-
>  include/linux/ima.h                           |  7 +--
>  include/linux/integrity.h                     |  8 +++
>  security/integrity/Kconfig                    |  6 ++
>  security/integrity/Makefile                   |  3 +
>  security/integrity/efi_secureboot.c           | 56 +++++++++++++++++++
>  security/integrity/ima/ima_appraise.c         |  2 +-
>  security/integrity/ima/ima_efi.c              | 47 +---------------
>  security/integrity/ima/ima_main.c             |  4 +-
>  security/integrity/platform_certs/load_uefi.c |  2 +-
>  21 files changed, 111 insertions(+), 70 deletions(-)
>  create mode 100644 arch/powerpc/kernel/integrity_sb_arch.c
>  create mode 100644 arch/s390/kernel/integrity_sb_arch.c
>  create mode 100644 security/integrity/efi_secureboot.c
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 93173f0a09c7..4c265b7386bb 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -2427,6 +2427,7 @@ config EFI
>         select EFI_STUB
>         select EFI_GENERIC_STUB
>         imply IMA_SECURE_AND_OR_TRUSTED_BOOT
> +       imply INTEGRITY_SECURE_BOOT

This allows both to be en/disabled individually, which I don't think
is what we want. It also results in more churn across the
arch-specific Kconfigs than needed.

Wouldn't it be better if IMA_SECURE_AND_OR_TRUSTED_BOOT 'select'ed
INTEGRITY_SECURE_BOOT in its Kconfig definition?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ