Thread: 126 messages, 8 authors, 2025-07-21

Re: [RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework

From: Paul Moore <paul@paul-moore.com>
Date: 2025-07-21 21:59:28
Also in: linux-integrity, selinux

On Fri, Jun 13, 2025 at 4:35 PM Mimi Zohar wrote:
> On Wed, 2025-06-11 at 16:27 -0400, Paul Moore wrote:
> > On Fri, May 30, 2025 at 6:04 PM Mimi Zohar wrote:
> > > On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote:
> > > > This patch converts IMA and EVM to use the LSM framework's initcall
> > > > mechanism.  There were two challenges to doing this conversion: the
> > > > first simply being the number of initcalls across IMA and EVM, and the
> > > > second was the number of resources shared between the two related,
> > > > yet independent LSMs.
> > >
> > > There are a number of the initcalls under integrity/platform/, which load arch
> > > specific keys onto the platform and machine keyrings, which shouldn't be
> > > included in this patch.
> >
> > I don't want to assume too much from your reply, but if the cert/key
> > loading under integrity/platform shouldn't be subject to the LSM
> > initcall rework, that implies that the integrity/platform cert/key
> > loading is independent of IMA/EVM and should perhaps live somewhere
> > else, e.g. security/keys?
> >
> > Or am I misunderstanding something?
>
> When the .platform keyring was upstreamed it was upstreamed for a very specific
> purpose so that IMA could verify the kexec kernel image.  Afterwards it was
> immediately used to verify the pesigned kexec image.  Now it is being (ab)used
> by other subsystems - ipe and dm-verity - and is being proposed by the "[PATCH
> RFC 0/1] module: Optionally use .platform keyring for signatures verification".
> From an integrity perspective this is definitely not a good idea.  The
> discussion, which I'm sure you're aware of, is here:
> https://lore.kernel.org/linux-integrity/20250602132535.897944-1-vkuznets@redhat.com/
>
> It does not make any sense to move the code for the platform and machine
> keyrings to security/keys.  If they need to move anywhere, it would be to the
> certs/ directory.

To bring some off-list discussions back on-list, and wrap up this
thread, Mimi has agreed to move the platform and machine keyring code
to the certs/ directory as they are no longer IMA/EVM-only keyrings.
I'll also be dropping them from the next revision of the LSM
initialization rework patchset, which will be posted at some point this
evening (waiting on a testing refresh).

-- 
paul-moore.com