Inter-revision diff: patch 2

Comparing v3 (message) to v7 (message) 

--- v3
+++ v7
@@ -1,40 +1,43 @@
-Public keys do not need to be appraised by IMA as the restriction on the
-IMA/EVM keyrings ensures that a key can be loaded only if it is signed with
-a key in the primary or secondary keyring.
+The public builtin keys do not need to be appraised by IMA as the
+restriction on the IMA/EVM trusted keyrings ensures that a key can be
+loaded only if it is signed with a key on the builtin or secondary
+keyrings.
 
 However, when evm_load_x509() is called, appraisal is already enabled and
 a valid IMA signature must be added to the EVM key to pass verification.
 
-Since the restriction is applied on both IMA and EVM keyrings, it is safe
-to disable appraisal also when the EVM key is loaded. This patch calls
-evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined.
+Since the restriction is applied on both IMA and EVM trusted keyrings, it
+is safe to disable appraisal also when the EVM key is loaded. This patch
+calls evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is
+enabled, which crosses the normal IMA and EVM boundary.
 
 Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
 Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
 ---
- security/integrity/iint.c         | 2 ++
+ security/integrity/iint.c         | 4 +++-
  security/integrity/ima/ima_init.c | 4 ++++
- 2 files changed, 6 insertions(+)
+ 2 files changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/security/integrity/iint.c b/security/integrity/iint.c
-index 1d20003243c3..7d08c31c612f 100644
+index fca8a9409e4a..8638976f7990 100644
 --- a/security/integrity/iint.c
 +++ b/security/integrity/iint.c
-@@ -200,7 +200,9 @@ int integrity_kernel_read(struct file *file, loff_t offset,
+@@ -208,7 +208,9 @@ int integrity_kernel_read(struct file *file, loff_t offset,
  void __init integrity_load_keys(void)
  {
  	ima_load_x509();
-+#ifndef CONFIG_IMA_LOAD_X509
- 	evm_load_x509();
-+#endif
+-	evm_load_x509();
++
++	if (!IS_ENABLED(CONFIG_IMA_LOAD_X509))
++		evm_load_x509();
  }
  
  static int __init integrity_fs_init(void)
 diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
-index 4902fe7bd570..9d29a1680da8 100644
+index 6e8742916d1d..5076a7d9d23e 100644
 --- a/security/integrity/ima/ima_init.c
 +++ b/security/integrity/ima/ima_init.c
-@@ -106,6 +106,10 @@ void __init ima_load_x509(void)
+@@ -108,6 +108,10 @@ void __init ima_load_x509(void)
  
  	ima_policy_flag &= ~unset_flags;
  	integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
@@ -46,5 +49,5 @@
  }
  #endif
 -- 
-2.27.GIT
+2.25.1
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help