Date: Fri, 8 Mar 2019 10:44:50 +0800
From: Dave Young
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, kexec@lists.infradead.org, David Howells, Eric Biederman
Subject: Re: [PATCH 2/3] scripts/ima: define a set of common functions
Message-ID: <20190308024450.GC7223@dhcp-128-65.nay.redhat.com>

On 02/28/19 at 10:05am, Mimi Zohar wrote:
> Hi Dave,
>
> On Thu, 2019-02-28 at 21:41 +0800, Dave Young wrote:
> > Hi Mimi,
> >
> > Sorry for jumping in late, just noticed this kexec selftests, I think we
> > also need a kexec load test not only for ima, but for general kexec
>
> The IMA kselftest tests are for the coordination between the different
> methods of verifying file signatures. In particular, for the kexec
> kernel image and kernel module signatures.
>
> The initial IMA kselftest just verifies that in an environment
> requiring signed kexec kernel images, the kexec_load syscall fails.
>
> This week I posted additional IMA kselftests[1][2], including one for
> the kexec_file_load syscall. I would really appreciate these
> kselftests being reviewed/acked.
>
> Mimi
>
> [1] Subject: [PATCH v2 0/5] selftests/ima: add kexec and kernel module tests
> [2] Patches available from the "next-queued-testing" branch
> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/
>

Hi Mimi,

Still did not get chance to have a look at V2, but seems you missed the
last chunk of comments about the secure boot mode in previous reply?

I just copy it here:
'''
Do you want to get the Secureboot status here?

I got some advice from Peter Jones previously, thus we have below in our
kdump scripts:
https://src.fedoraproject.org/cgit/rpms/kexec-tools.git/tree/kdump-lib.sh

See the function is_secure_boot_enforced(), probably you can refer to
that function and check setup mode as well.
'''

Thanks
Dave
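
The check suggested in the message above, as an added example (it is not the kdump-lib.sh function and not part of the original mail): a POSIX shell function that reads the `SecureBoot` and `SetupMode` variables from efivarfs and reports Secure Boot as enforced only when `SecureBoot` is 1 and `SetupMode` is 0. The function names, the state strings and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the UEFI Secure Boot state from efivarfs.
# Function names and the DIR argument are hypothetical, chosen here.

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte DIR NAME
# Print the first data byte of an efivarfs variable as a decimal number.
# efivarfs prefixes each file with a 4-byte attribute word, so the value
# of a one-byte variable is the fifth byte of the file.
efivar_byte() {
    file="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$file" ] || return 1
    byte=$(od -An -tu1 -j4 -N1 "$file" 2>/dev/null | tr -d ' \n')
    [ -n "$byte" ] || return 1      # file too short to hold a value
    printf '%s\n' "$byte"
}

# secure_boot_state [DIR]
# Prints one of: enforced, setup-mode, disabled, unknown.
# DIR defaults to the usual efivarfs mount point; it is a parameter so
# the function can be exercised against constructed files.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # Both variables must be readable; otherwise make no claim
    # (legacy BIOS boot, efivarfs not mounted, insufficient privileges).
    sb=$(efivar_byte "$dir" SecureBoot) || { echo unknown; return 0; }
    sm=$(efivar_byte "$dir" SetupMode)  || { echo unknown; return 0; }
    if [ "$sm" = 1 ]; then
        # Setup mode: no platform key enrolled, so signatures are not
        # enforced regardless of what SecureBoot reports.
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enforced
    else
        echo disabled
    fi
}

# Report the state of the running system (or of the directory given).
secure_boot_state "$@"
```

A selftest can use the result to pick its expectation: when the state is `enforced`, an unsigned `kexec_load` is expected to fail, and in any other state the test should be skipped or expect success according to the IMA policy in effect.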