Thread (9 messages), 2 authors, 2019-03-11

Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode

From: Matthew Garrett <hidden>
Date: 2019-03-07 22:45:09
Also in: kexec, linux-efi, linux-security-module, lkml

On Thu, Mar 7, 2019 at 2:38 PM Justin Forbes [off-list ref] wrote:
> On Thu, Mar 7, 2019 at 4:29 PM Matthew Garrett [off-list ref] wrote:
> > On Mon, Nov 19, 2018 at 11:57 AM Mimi Zohar [off-list ref] wrote:
> > > The secure boot mode may not be detected on boot for some reason (eg.
> > > buggy firmware).  This patch attempts one more time to detect the
> > > secure boot mode.
> >
> > Do we have cases where this has actually been seen? I'm not sure what
> > the circumstances are that would result in this behaviour.
>
> We have never seen it in practice, though we only ever do anything with it with x86, so it is possible that some other platforms maybe?

I'm not sure that it buys us anything to check this in both the boot
stub and the running kernel. If a platform *is* giving us different
results, anything else relying on the information from the boot stub
is also going to be broken, so we should do this centrally rather than
in the IMA code.