Re: [PATCH v2] ima: defer arch_ima_get_secureboot() call to IMA init time
From: Ard Biesheuvel <ardb@kernel.org>
Date: 2020-10-13 17:01:25
Also in:
linux-efi, linux-integrity, linuxppc-dev
On Tue, 13 Oct 2020 at 18:46, Mimi Zohar wrote:
> [Cc'ing linuxppc-dev@lists.ozlabs.org]
>
> On Tue, 2020-10-13 at 10:18 +0200, Ard Biesheuvel wrote:
> > Chester reports that it is necessary to introduce a new way to pass the EFI secure boot status between the EFI stub and the core kernel on ARM systems. The usual way of obtaining this information is by checking the SecureBoot and SetupMode EFI variables, but this can only be done after the EFI variable workqueue is created, which occurs in a subsys_initcall(), whereas arch_ima_get_secureboot() is called much earlier by the IMA framework.
> >
> > However, the IMA framework itself is started as a late_initcall, and the only reason the call to arch_ima_get_secureboot() occurs so early is because it happens in the context of a __setup() callback that parses the ima_appraise= command line parameter.
> >
> > So let's refactor this code a little bit, by using a core_param() callback to capture the command line argument, and deferring any reasoning based on its contents to the IMA init routine.
> >
> > Cc: Chester Lin <redacted>
> > Cc: Mimi Zohar <zohar@linux.ibm.com>
> > Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> > Cc: James Morris <jmorris@namei.org>
> > Cc: "Serge E. Hallyn" <serge@hallyn.com>
> > Link: https://lore.kernel.org/linux-arm-kernel/20200904072905.25332-2-clin@suse.com/
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> > ---
> > v2: rebase onto series 'integrity: improve user feedback for invalid bootparams'
>
> Thanks, Ard. Based on my initial, limited testing on Power, it looks good, but I'm hesitant to include it in the integrity 5.10 pull request without it having been in linux-next and some additional testing. It's now queued in the next-integrity-testing branch awaiting some tags.

Thanks. No rush as far as I am concerned, although I suppose Chester may want to rebase his arm64 IMA enablement series on this.

Suggestion: can we take the get_sb_mode() code from ima_arch.c in arch/x86, and generalize it for all EFI architectures? That way, we can enable 32-bit ARM and RISC-V seamlessly once someone gets around to enabling IMA on those platforms. In fact, get_sb_mode() itself should probably be factored out into a generic helper for use outside of IMA as well (Xen/x86 has code that does roughly the same already).