Re: [RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework
From: Paul Moore <paul@paul-moore.com>
Date: 2025-07-21 21:59:28
Also in: linux-integrity, selinux
On Fri, Jun 13, 2025 at 4:35 PM Mimi Zohar [off-list ref] wrote:
> On Wed, 2025-06-11 at 16:27 -0400, Paul Moore wrote:
> > On Fri, May 30, 2025 at 6:04 PM Mimi Zohar [off-list ref] wrote:
> > > On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote:
> > > > This patch converts IMA and EVM to use the LSM framework's initcall mechanism. There were two challenges to doing this conversion: the first simply being the number of initcalls across IMA and EVM, and the second was the number of resources shared between the two related, yet independent LSMs.
> > >
> > > There are a number of the initcalls under integrity/platform/, which load arch specific keys onto the platform and machine keyrings, which shouldn't be included in this patch.
> >
> > I don't want to assume too much from your reply, but if the cert/key loading under integrity/platform shouldn't be subject to the LSM initcall rework, that implies that the integrity/platform cert/key loading is independent of IMA/EVM and should perhaps live somewhere else, e.g. security/keys? Or am I misunderstanding something?
>
> When the .platform keyring was upstreamed it was upstreamed for a very specific purpose so that IMA could verify the kexec kernel image. Afterwards it was immediately used to verify the pesigned kexec image. Now it is being (ab)used by other subsystems - ipe and dm-verity - and is being proposed by the "[PATCH RFC 0/1] module: Optionally use .platform keyring for signatures verification". From an integrity perspective this is definitely not a good idea. The discussion, which I'm sure you're aware of, is here:
> https://lore.kernel.org/linux-integrity/20250602132535.897944-1-vkuznets@redhat.com/
>
> It does not make any sense to move the code for the platform and machine keyrings to security/keys. If they need to move anywhere, it would be to the certs/ directory.
To bring some off-list discussions back on-list, and wrap up this thread, Mimi has agreed to move the platform and machine keyring code to the certs/ directory as they are no longer IMA/EVM-only keyrings. I'll also be dropping them from the next revision of the LSM initialization rework patchset, which will be posted at some point this evening (waiting on a testing refresh).

--
paul-moore.com