Re: [PATCH v2] x86/ima: require signed kernel modules

[PATCH v2] x86/ima: require signed kernel modules · Mimi Zohar <zohar@linux.ibm.com> · 2019-02-13
Re: [PATCH v2] x86/ima: require signed kernel modules · Luis Chamberlain <mcgrof@kernel.org> · 2019-02-14
Re: [PATCH v2] x86/ima: require signed kernel modules · Mimi Zohar <zohar@linux.ibm.com> · 2019-02-14
Re: [PATCH v2] x86/ima: require signed kernel modules · Matthew Garrett <hidden> · 2019-03-07
Re: [PATCH v2] x86/ima: require signed kernel modules · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-07
Re: [PATCH v2] x86/ima: require signed kernel modules · Matthew Garrett <hidden> · 2019-03-07
Re: [PATCH v2] x86/ima: require signed kernel modules · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-07
Re: [PATCH v2] x86/ima: require signed kernel modules · Matthew Garrett <hidden> · 2019-03-07

From: Matthew Garrett <hidden>
Date: 2019-03-07 22:36:38
Also in: linux-integrity, lkml

On Thu, Mar 7, 2019 at 2:34 PM Mimi Zohar [off-list ref] wrote:

On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote:

quoted

On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar [off-list ref] wrote:

quoted

-       if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
+       if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+               if (IS_ENABLED(CONFIG_MODULE_SIG))
+                       set_module_sig_enforced();
                return sb_arch_rules;

Linus previously pushed back on having the lockdown features
automatically enabled on secure boot systems. Why are we doing the
same in IMA?

IMA-appraisal is extending the "secure boot" concept to the running
system.

Right, but how is this different to what Linus was objecting to?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help