[PATCH v3 31/34] ima,evm: move initcalls to the LSM framework

Paul Moore paul at paul-moore.com
Fri Sep 12 18:34:50 UTC 2025


On Fri, Sep 12, 2025 at 12:38 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Thu, 2025-09-11 at 15:30 -0400, Paul Moore wrote:
> > On Mon, Sep 8, 2025 at 6:34 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > > On Sun, 2025-09-07 at 21:05 -0400, Paul Moore wrote:
> > > > > The "unrelated to IMA/EVM" wording misses the point.  An exception was made to
> > > > > load the pre-boot keys onto the .platform keyring in order for IMA/EVM to verify
> > > > > the kexec kernel image appended signature.  This exception was subsequently
> > > > > extended to verifying the pesigned kexec kernel image signature.  (Other
> > > > > subsystems are abusing the keys on the .platform keyring to verify other
> > > > > signatures.)
> > > > >
> > > > > Instead of saying "unrelated to IMA/EVM", how about saying something along the
> > > > > lines of "IMA has a dependency on the platform and machine keyrings, but this
> > > > > dependency isn't limited to IMA/EVM."
> > > > >
> > > > > Paul, this patch set doesn't apply cleanly to Linus's tree.  What is the base
> > > > > commit?
> > > >
> > > > It would have been based on the lsm/dev branch since the LSM tree is
> > > > the target, however, given the scope of the patchset and the fact that
> > > > it has been several weeks since it was originally posted, I wouldn't
> > > > be surprised if it needs some fuzzing when applied on top of lsm/dev
> > > > too.
> > >
> > > Thanks, Paul.  I was able to apply the patches and run some regression tests.
> >
> > Mimi, I know you already tagged Roberto's patch with a 'Reviewed-by'
> > tag, but I wanted to follow up and see if you were comfortable
> > converting that into an ACK, or if you wanted more time to review
> > Roberto's patch?  No wrong answers, just trying to understand where
> > you are at with this patch.
>
> Please don't convert the Reviewed-by tag quite yet to an Ack.  I'd really like
> to review the entire patch set and do some additional testing.

Yep, no problem, I was waiting on your reply to repost.  I have
limited network connectivity for the next several days, so depending
on how things go I may not be able to get a new revision until next
week sometime.

-- 
paul-moore.com
