Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp4655597imb;
        Wed, 6 Mar 2019 19:57:27 -0800 (PST)
X-Google-Smtp-Source: APXvYqxrN5idID3hBXiyiN1T1hbGp3isUJoimJNal5l+wgs7d0XhBww6OBDnTELnMeRi69GOMh8+
X-Received: by 2002:a62:6d81:: with SMTP id i123mr10659340pfc.235.1551931046931;
        Wed, 06 Mar 2019 19:57:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551931046; cv=none;
        d=google.com; s=arc-20160816;
        b=P4RjODhZezjxnTkRztMoUH5bYp6hCuruXpiWc+A8k1CZqc6m8cySQzJ6U8iXIFkPJy
         SSIV1ZQrOMIQ58pMgsM/vkGbFSkwhQe+kgQ/TBhhPZChlbWyu1tlMQu8x3uo+VnO65tC
         S/uIf4qWeqAEmXUk81AoSRkSkv94GenTAlpOWjLMazTzHacVt9IDfnj+mxGeV41yDWCn
         bdXPohY3NyqZNMmnYkqaoS4N8mY4e3h8wzgpCaX3OE1JZUvUCsB9OoqJINMA0uRW9BGV
         4rjrueMAux+9ZGD+PW6b0S8ENqnGnMFdszD6qeijHcQht9Yy887zV+k1y7eP6Bq4abG9
         rN9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:date:cc:to:from:subject;
        bh=l+pFtu3+YjTjTsyzIyvMU036OelXTzYL4zJh38Oiz+U=;
        b=R/d3NQVRafVV8rPFDaJHzRkD6XJTDKufQdT+0UIO5Zt9EkR8SdIflEKTrwC5QUSmft
         dpJq6aZ7R7J2i+reIWVz8qIgzjurThi9yCVOI8C+gqYfWTBMi2LsAiooCSiC5lnTWIeA
         2mbEZ/IxyzcyhqM9OnnaC4cxFr6OZ3ZqnIxTsghU4Xv1bt6yxLptgB9GlX2R+io9nrlR
         qKaivZwWt2qZ8wAUmW2nHiNe4bY3IND6WMDUig31/zOoYnKzl+2/ak9jtE9/1LrVDUyw
         31NdFs62fiBiQhX108asoBOQ+wVlaKtypGTJNZJR2vME4p8P5/1+19ErnhWY7/PSuXbQ
         WnGA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a13si3165212pls.101.2019.03.06.19.57.08;
        Wed, 06 Mar 2019 19:57:26 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726264AbfCGD4t (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Wed, 6 Mar 2019 22:56:49 -0500
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52698 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726128AbfCGD4t (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Mar 2019 22:56:49 -0500
Received: from pps.filterd (m0098399.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x273sqcM050824
        for <linux-kernel@vger.kernel.org>; Wed, 6 Mar 2019 22:56:48 -0500
Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2r2t3vungm-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Wed, 06 Mar 2019 22:56:48 -0500
Received: from localhost
        by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <zohar@linux.ibm.com>;
        Thu, 7 Mar 2019 03:56:46 -0000
Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195)
        by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
        Thu, 7 Mar 2019 03:56:43 -0000
Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232])
        by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x273ugpC54198484
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Thu, 7 Mar 2019 03:56:42 GMT
Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 2EE6A52057;
        Thu,  7 Mar 2019 03:56:42 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.80.93.211])
        by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTP id 751FB52051;
        Thu,  7 Mar 2019 03:56:41 +0000 (GMT)
Subject: Re: [PULL REQUEST] Kernel lockdown patches for 5.2
From:   Mimi Zohar <zohar@linux.ibm.com>
To:     Matthew Garrett <matthewgarrett@google.com>, jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com
Date:   Wed, 06 Mar 2019 22:56:30 -0500
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 19030703-0012-0000-0000-000002FF91D8
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 19030703-0013-0000-0000-000021369EBD
Message-Id: <1551930990.31706.279.camel@linux.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-07_01:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1810050000 definitions=main-1903070026
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2019-03-06 at 15:58 -0800, Matthew Garrett wrote:

> 3) The integration with IMA has been dropped for now. IMA is in the
> process of adding support for architecture-specific policies that will
> interact correctly with the lockdown feature, and a followup patch will
> integrate that so we don't end up with an ordering dependency on the
> merge

The architecture specific policy is an attempt to coordinate between
the different signature verification methods (eg. PE and IMA kexec
kernel image signatures, appended and IMA kernel module signatures).
 The coordination between these signature verification methods is
independent of the "lockdown" feature.

To prevent requiring multiple signature verifications, an IMA policy
rule(s) is defined only if either KEXEC_VERIFY_SIG or MODULE_SIG is
not enabled.

The kexec and kernel modules patches in this patch set continues to
ignore IMA.  This patch set should up front either provide an
alternative solution to coordinate the different signature
verification methods or rely on the architecture specific policy for
that coordination.

Mimi