[RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework
Paul Moore
paul at paul-moore.com
Mon Jul 21 21:59:15 UTC 2025
On Fri, Jun 13, 2025 at 4:35 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Wed, 2025-06-11 at 16:27 -0400, Paul Moore wrote:
> > On Fri, May 30, 2025 at 6:04 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > > On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote:
> > > > This patch converts IMA and EVM to use the LSM framework's initcall
> > > > mechanism. There were two challenges to doing this conversion: the
> > > > first simply being the number of initcalls across IMA and EVM, and the
> > > > second was the number of resources shared between the two related,
> > > > yet independent LSMs.
> > >
> > > There are a number of the initcalls under integrity/platform/, which load arch
> > > specific keys onto the platform and machine keyrings, which shouldn't be
> > > included in this patch.
> >
> > I don't want to assume too much from your reply, but if the cert/key
> > loading under integrity/platform shouldn't be subject to the LSM
> > initcall rework, that implies that the integrity/platform cert/key
> > loading is independent of IMA/EVM and should perhaps live somewhere
> > else, e.g. security/keys?
> >
> > Or am I misunderstanding something?
>
> When the .platform keyring was upstreamed it was upstreamed for a very specific
> purpose so that IMA could verify the kexec kernel image. Afterwards it was
> immediately used to verify the pesigned kexec image. Now it is being (ab)used
> by other subsystems - ipe and dm-verity - and is being proposed by the "[PATCH
> RFC 0/1] module: Optionally use .platform keyring for signatures verification".
> From an integrity perspective this is definitely not a good idea. The
> discussion, which I'm sure you're aware of, is here:
> https://lore.kernel.org/linux-integrity/20250602132535.897944-1-vkuznets@redhat.com/
>
> It does not make any sense to move the code for the platform and machine
> keyrings to security/keys. If they need to move anywhere, it would be to the
> certs/ directory.
To bring some off-list discussions back on-list, and wrap up this
thread, Mimi has agreed to move the platform and machine keyring code
to the certs/ directory as they are no longer IMA/EVM-only keyrings.
I'll also be dropping them from the next revision of the LSM
initialization rework patchset, which will be posted at some point this
evening (waiting on a testing refresh).
--
paul-moore.com