| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aXQN-ZNhT5olbf6X@Rk> Date: Sat, 24 Jan 2026 08:18:46 +0800 From: Coiby Xu <coxu@...hat.com> To: Ard Biesheuvel <ardb@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com> Cc: Dave Hansen <dave.hansen@...el.com>, linux-integrity@...r.kernel.org, Heiko Carstens <hca@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...weicloud.com>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, "Christophe Leroy (CS GROUP)" <chleroy@...nel.org>, Vasily Gorbik <gor@...ux.ibm.com>, Alexander Gordeev <agordeev@...ux.ibm.com>, Christian Borntraeger <borntraeger@...ux.ibm.com>, Sven Schnelle <svens@...ux.ibm.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Eric Snowberg <eric.snowberg@...cle.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Jarkko Sakkinen <jarkko@...nel.org>, "moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)" <linux-arm-kernel@...ts.infradead.org>, open list <linux-kernel@...r.kernel.org>, "open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)" <linuxppc-dev@...ts.ozlabs.org>, "open list:S390 ARCHITECTURE" <linux-s390@...r.kernel.org>, "open list:EXTENSIBLE FIRMWARE INTERFACE (EFI)" <linux-efi@...r.kernel.org>, "open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>, "open list:KEYS/KEYRINGS_INTEGRITY" <keyrings@...r.kernel.org> Subject: Re: [PATCH 1/3] integrity: Make arch_ima_get_secureboot integrity-wide On Wed, Jan 21, 2026 at 05:25:39PM +0100, Ard Biesheuvel wrote: >On Wed, 21 Jan 2026 at 16:41, Mimi Zohar <zohar@...ux.ibm.com> wrote: >> >> On Mon, 2026-01-19 at 12:04 +0800, Coiby Xu wrote: >> >> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig >> > index 976e75f9b9ba..5dce572192d6 100644 >> > --- a/security/integrity/ima/Kconfig >> > +++ b/security/integrity/ima/Kconfig >> > @@ -311,6 +311,7 @@ config IMA_QUEUE_EARLY_BOOT_KEYS >> > config IMA_SECURE_AND_OR_TRUSTED_BOOT >> > bool >> > depends on IMA_ARCH_POLICY >> > + depends on INTEGRITY_SECURE_BOOT >> > >> > >> > Another idea is make a tree-wide arch_get_secureboot i.e. to move >> > current arch_ima_get_secureboot code to arch-specific secure boot >> > implementation. By this way, there will no need for a new Kconfig option >> > INTEGRITY_SECURE_BOOT. But I'm not sure if there is any unforeseen >> > concern. >> >> Originally basing IMA policy on the secure boot mode was an exception. As long >> as making it public isn't an issue any longer, this sounds to me. Ard, Dave, do >> you have any issues with replacing arch_ima_get_secureboot() with >> arch_get_secureboot()? > >I don't see an issue with that. If there is a legitimate need to >determine this even if IMA is not enabled, then this makes sense. Thanks for the confirmation! Here's the updated patch https://github.com/coiby/linux/commit/c222c1d08d90ef1ec85ef81ece90afc9efde7937.patch If there is no objection, I'll send v2. -- Best regards, Coiby
Powered by blists - more mailing lists