[PATCH v3 31/34] ima,evm: move initcalls to the LSM framework
Mimi Zohar
zohar at linux.ibm.com
Sun Sep 7 21:11:59 UTC 2025
On Fri, 2025-08-22 at 16:45 -0400, Paul Moore wrote:
> On Thu, Aug 14, 2025 at 6:55 PM Paul Moore <paul at paul-moore.com> wrote:
> >
> > This patch converts IMA and EVM to use the LSM frameworks's initcall
> > mechanism. There was a minor challenge in this conversion that wasn't
> > seen when converting the other LSMs brought about by the resource
> > sharing between the two related, yes independent IMA and EVM LSMs.
> > This was resolved by registering the same initcalls for each LSM and
> > including code in each registered initcall to ensure it only executes
> > once during each boot.
> >
> > It is worth mentioning that this patch does not touch any of the
> > "platform certs" code that lives in the security/integrity/platform_certs
> > directory as the IMA/EVM maintainers have assured me that this code is
> > unrelated to IMA/EVM, despite the location, and will be moved to a more
> > relevant subsystem in the future.
The "unrelated to IMA/EVM" wording misses the point. An exception was made to
load the pre-boot keys onto the .platform keyring in order for IMA/EVM to verify
the kexec kernel image appended signature. This exception was subsequently
extended to verifying the pesigned kexec kernel image signature. (Other
subsystems are abusing the keys on the .platform keyring to verify other
signatures.)
Instead of saying "unrelated to IMA/EVM", how about saying something along the
lines of "IMA has a dependency on the platform and machine keyrings, but this
dependency isn't limited to IMA/EVM."
Paul, this patch set doesn't apply to cleanly to Linus's tree. What is the base
commit?
Mimi
More information about the Linux-security-module-archive
mailing list