[PATCH v2] ima: require signed IMA policy when UEFI secure boot is enabled

Mimi Zohar zohar at linux.ibm.com
Thu Jul 27 17:38:08 UTC 2023


On Wed, 2023-07-26 at 10:08 +0800, Coiby Xu wrote:
> With commit 099f26f22f58 ("integrity: machine keyring CA
> configuration"), users are able to add custom IMA CA keys via
> MOK.  This allows users to sign their own IMA polices without
> recompiling the kernel. For the sake of security, mandate signed IMA
> policy when UEFI secure boot is enabled.
> 
> Note this change may affect existing users/tests i.e users won't be able
> to load an unsigned IMA policy when the IMA architecture specific policy
> is configured and UEFI secure boot is enabled.
> 
> Suggested-by: Mimi Zohar <zohar at linux.ibm.com>
> Signed-off-by: Coiby Xu <coxu at redhat.com>
> ---
> v2
>  - improve commit message [Mimi]
>   - explicitly mention the dependent commit
>   - add a note that the change will affect user space
>  - remove "/* CONFIG_INTEGRITY_MACHINE_KEYRING .. */" to improve code
>    readability

Thank you for updating the commit message.  The patch is now queued in
next-integrity-testing.

-- 
thanks,

Mimi



More information about the Linux-security-module-archive mailing list