On Thu, 2019-03-07 at 14:36 -0800, Matthew Garrett wrote:

On Thu, Mar 7, 2019 at 2:34 PM Mimi Zohar [off-list ref] wrote:

quoted

On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote:

quoted

On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar [off-list ref] wrote:

quoted

-       if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
+       if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+               if (IS_ENABLED(CONFIG_MODULE_SIG))
+                       set_module_sig_enforced();
                return sb_arch_rules;

Linus previously pushed back on having the lockdown features
automatically enabled on secure boot systems. Why are we doing the
same in IMA?

IMA-appraisal is extending the "secure boot" concept to the running
system.

Right, but how is this different to what Linus was objecting to?

Both Andy Lutomirski and Linus objected to limiting the "lockdown"
patch set to secure boot enabled systems.

Mimi