From: Matthew Garrett
Date: Thu, 7 Mar 2019 14:36:25 -0800
Subject: Re: [PATCH v2] x86/ima: require signed kernel modules
To: Mimi Zohar
Cc: linux-integrity, LSM List, Linux Kernel Mailing List, Jessica Yu, Luis Chamberlain, David Howells, Seth Forshee, "Bruno E . O . Meneguele"
References: <1550060279-8624-1-git-send-email-zohar@linux.ibm.com> <1551998075.31706.455.camel@linux.ibm.com>
In-Reply-To: <1551998075.31706.455.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 7, 2019 at 2:34 PM Mimi Zohar wrote:
>
> On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote:
> > On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar wrote:
> > > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
> > > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
> > > + if (IS_ENABLED(CONFIG_MODULE_SIG))
> > > + set_module_sig_enforced();
> > > return sb_arch_rules;
> >
> > Linus previously pushed back on having the lockdown features
> > automatically enabled on secure boot systems. Why are we doing the
> > same in IMA?
>
> IMA-appraisal is extending the "secure boot" concept to the running
> system.

Right, but how is this different to what Linus was objecting to?
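Review bot: the quoted hunk gives a rules lookup a global side effect. The function evidently returns a policy (`return sb_arch_rules;`), and the added `set_module_sig_enforced();` inside the `arch_ima_get_secureboot()` branch now flips kernel-wide module signature enforcement for every caller that merely asks for the arch rules; consider moving the call to the code path that actually installs the policy, or at least stating the side effect in the function's comment. Also, the hunk only enforces when `IS_ENABLED(CONFIG_MODULE_SIG)` is true: with CONFIG_MODULE_SIG disabled, the branch silently returns `sb_arch_rules` and nothing here requires signed modules, despite the subject line. A Kconfig dependency or a warning in that configuration would make the gap visible. The added `{` has no matching `}` in the quoted excerpt; check that the closing brace and its context are present in the patch as posted.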