[PATCH v2] ima: require signed IMA policy when UEFI secure boot is enabled
Mimi Zohar
zohar at linux.ibm.com
Thu Jul 27 17:38:08 UTC 2023
On Wed, 2023-07-26 at 10:08 +0800, Coiby Xu wrote:
> With commit 099f26f22f58 ("integrity: machine keyring CA
> configuration"), users are able to add custom IMA CA keys via
> MOK. This allows users to sign their own IMA polices without
> recompiling the kernel. For the sake of security, mandate signed IMA
> policy when UEFI secure boot is enabled.
>
> Note this change may affect existing users/tests i.e users won't be able
> to load an unsigned IMA policy when the IMA architecture specific policy
> is configured and UEFI secure boot is enabled.
>
> Suggested-by: Mimi Zohar <zohar at linux.ibm.com>
> Signed-off-by: Coiby Xu <coxu at redhat.com>
> ---
> v2
> - improve commit message [Mimi]
> - explicitly mention the dependent commit
> - add a note that the change will affect user space
> - remove "/* CONFIG_INTEGRITY_MACHINE_KEYRING .. */" to improve code
> readability
Thank you for updating the commit message. The patch is now queued in
next-integrity-testing.
--
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list