[PULL REQUEST] Kernel lockdown patches for 5.2
Mimi Zohar
zohar at linux.ibm.com
Thu Mar 7 03:56:30 UTC 2019
On Wed, 2019-03-06 at 15:58 -0800, Matthew Garrett wrote:
> 3) The integration with IMA has been dropped for now. IMA is in the
> process of adding support for architecture-specific policies that will
> interact correctly with the lockdown feature, and a followup patch will
> integrate that so we don't end up with an ordering dependency on the
> merge
The architecture specific policy is an attempt to coordinate between
the different signature verification methods (eg. PE and IMA kexec
kernel image signatures, appended and IMA kernel module signatures).
The coordination between these signature verification methods is
independent of the "lockdown" feature.
To prevent requiring multiple signature verifications, an IMA policy
rule(s) is defined only if either KEXEC_VERIFY_SIG or MODULE_SIG is
not enabled.
The kexec and kernel modules patches in this patch set continues to
ignore IMA. This patch set should up front either provide an
alternative solution to coordinate the different signature
verification methods or rely on the architecture specific policy for
that coordination.
Mimi
More information about the Linux-security-module-archive
mailing list