[PATCH v3 31/34] ima,evm: move initcalls to the LSM framework
Paul Moore
paul at paul-moore.com
Thu Sep 11 19:30:45 UTC 2025
On Mon, Sep 8, 2025 at 6:34 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Sun, 2025-09-07 at 21:05 -0400, Paul Moore wrote:
> > > The "unrelated to IMA/EVM" wording misses the point. An exception was made to
> > > load the pre-boot keys onto the .platform keyring in order for IMA/EVM to verify
> > > the kexec kernel image appended signature. This exception was subsequently
> > > extended to verifying the pesigned kexec kernel image signature. (Other
> > > subsystems are abusing the keys on the .platform keyring to verify other
> > > signatures.)
> > >
> > > Instead of saying "unrelated to IMA/EVM", how about saying something along the
> > > lines of "IMA has a dependency on the platform and machine keyrings, but this
> > > dependency isn't limited to IMA/EVM."
> > >
> > > Paul, this patch set doesn't apply cleanly to Linus's tree. What is the base
> > > commit?
> >
> > It would have been based on the lsm/dev branch since the LSM tree is
> > the target, however, given the scope of the patchset and the fact that
> > it has been several weeks since it was originally posted, I wouldn't
> > be surprised if it needs some fuzzing when applied on top of lsm/dev
> > too.
>
> Thanks, Paul. I was able to apply the patches and run some regression tests.

Mimi, I know you already tagged Roberto's patch with a 'Reviewed-by'
tag, but I wanted to follow up and see if you were comfortable
converting that into an ACK, or if you wanted more time to review
Roberto's patch? No wrong answers, just trying to understand where
you are at with this patch.
--
paul-moore.com
More information about the Linux-security-module-archive mailing list