Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp4243392ybf; Tue, 3 Mar 2020 23:45:49 -0800 (PST) X-Google-Smtp-Source: ADFU+vvlUiaes2zf90n6vCPCYysZqPCW7eZhRzpUzAzfAAqamSdDATRqoKLNP42vF4+8bH6b89X/ X-Received: by 2002:a9d:dc1:: with SMTP id 59mr1376392ots.250.1583307949736; Tue, 03 Mar 2020 23:45:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583307949; cv=none; d=google.com; s=arc-20160816; b=vGN5Zb4Hiy/HQ//0ux+9YbyP7Y0Sp1peTVWmADvfCSYZR/JGvuVFuTCxauPyZKsvop QzFfDLcYB5+MyClz7qYyfBfdrPYGaYFVAiNbJ/5mRR71GGBpekUlkQC4FN9l+eeXylHF JYPR5Z2qWJhmxurjKvYtDo2WOM5ubFXWWDMefvw9oHop77lwUbEeACIcsUSjzZ7SnY6u MLGIGGYtnFIKyvUXAjgPhKpz6tEmEdGBjI/fHk4BjUROomJ9tewJe92OAV3dU8uPqEQc xLvYAd27fkPbNNIF1PV5jbEZODxjoku445sNv7QxDsa7lk5E/RWAQ9gas3RktbeqFkjY nNJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:dkim-signature; bh=MqRiLLYLv56/U1BWt6nRDfb+PDA6eOwRhsxeZb2Kkn4=; b=HeCj20plDw50KStAWXW77ct4LkvFclEPpw4zrX4gPtvYWLMhlohJBocOBLHFoqFwpC inU1Y9TgY03zqRhHklYVCvetJGUE4rq1QUUfsf36TjIAGOqgzgdUogUbKBCly74orVjW FsdxLKb7NqUlJDdVB9fDWCAQarA93D8pNgSVEcxH0Yt4Ek1zY6SxP3FBWhQb0uLbJ/44 1poRvfxPFpUYtUQDkq1XjRl8nWr1Ff4/65fIq0fnymI7IJ0ZF+VqwKLOfpgB253cWzyc xBYNPtWsuQLGv41gizuxJI05+Qr/9ametPGYbfe6PnAsAksdyx6B2VFaFETbPo6eWsZu xeOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=FXwFo9Wt; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=FXwFo9Wt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c189si668684oig.205.2020.03.03.23.45.37; Tue, 03 Mar 2020 23:45:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=FXwFo9Wt; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=FXwFo9Wt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728659AbgCDHoT (ORCPT + 99 others); Wed, 4 Mar 2020 02:44:19 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:56680 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728555AbgCDHoT (ORCPT ); Wed, 4 Mar 2020 02:44:19 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id B623A8EE11D; Tue, 3 Mar 2020 23:44:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1583307858; bh=8uR8mzo3ltrlZW4Iy67OY4i5Mkl1pL+LoHi/DArj9yI=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=FXwFo9WtUBe1E+akI7D7r62eQ9xSh2tXEFTpGpR5Bg7OwBS7unm4lNRNING1j3Qgv aTwtlf82y3cSCjx68gpun+Bvzh6C6Dn+tQ3ITcfwd2pDzCWeNKYSd+Mf/5aWMtVZYn k+jzSV4zIshUwLhoXBLbA+jqN9EdOz2j5wwbPaes= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EY0tNWdSnX5c; Tue, 3 Mar 2020 23:44:18 -0800 (PST) Received: from jarvis.ext.hansenpartnership.com (jarvis.ext.hansenpartnership.com [153.66.160.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 00B778EE10C; Tue, 3 Mar 2020 23:44:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1583307858; bh=8uR8mzo3ltrlZW4Iy67OY4i5Mkl1pL+LoHi/DArj9yI=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=FXwFo9WtUBe1E+akI7D7r62eQ9xSh2tXEFTpGpR5Bg7OwBS7unm4lNRNING1j3Qgv aTwtlf82y3cSCjx68gpun+Bvzh6C6Dn+tQ3ITcfwd2pDzCWeNKYSd+Mf/5aWMtVZYn k+jzSV4zIshUwLhoXBLbA+jqN9EdOz2j5wwbPaes= Message-ID: <1583307813.3907.4.camel@HansenPartnership.com> Subject: Re: [PATCH v2] ima: add a new CONFIG for loading arch-specific policies From: James Bottomley To: Nayna Jain , linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-efi@vger.kernel.org, linux-s390@vger.kernel.org Cc: Ard Biesheuvel , Philipp Rudo , Michael Ellerman , zohar@linux.ibm.com, linux-kernel@vger.kernel.org Date: Tue, 03 Mar 2020 23:43:33 -0800 In-Reply-To: <1583289211-5420-1-git-send-email-nayna@linux.ibm.com> References: <1583289211-5420-1-git-send-email-nayna@linux.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2020-03-03 at 21:33 -0500, Nayna Jain wrote: > Every time a new architecture defines the IMA architecture specific > functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the > IMA > include file needs to be updated. To avoid this "noise", this patch > defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_BOOT option, > allowing > the different architectures to select it. > > Suggested-by: Linus Torvalds > Signed-off-by: Nayna Jain > Cc: Ard Biesheuvel > Cc: Philipp Rudo > Cc: Michael Ellerman > --- > v2: > * Fixed the issue identified by Mimi. Thanks Mimi, Ard, Heiko and > Michael for > discussing the fix. > > arch/powerpc/Kconfig | 1 + > arch/s390/Kconfig | 1 + > arch/x86/Kconfig | 1 + > include/linux/ima.h | 3 +-- > security/integrity/ima/Kconfig | 9 +++++++++ > 5 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index 497b7d0b2d7e..a5cfde432983 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -979,6 +979,7 @@ config PPC_SECURE_BOOT > bool > depends on PPC_POWERNV > depends on IMA_ARCH_POLICY > + select IMA_SECURE_AND_OR_TRUSTED_BOOT > help > Systems with firmware secure boot enabled need to define > security > policies to extend secure boot to the OS. This config > allows a user > diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig > index 8abe77536d9d..4a502fbcb800 100644 > --- a/arch/s390/Kconfig > +++ b/arch/s390/Kconfig > @@ -195,6 +195,7 @@ config S390 > select ARCH_HAS_FORCE_DMA_UNENCRYPTED > select SWIOTLB > select GENERIC_ALLOCATOR > + select IMA_SECURE_AND_OR_TRUSTED_BOOT if IMA_ARCH_POLICY > > > config SCHED_OMIT_FRAME_POINTER > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index beea77046f9b..7f5bfaf0cbd2 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -230,6 +230,7 @@ config X86 > select VIRT_TO_BUS > select X86_FEATURE_NAMES if PROC_FS > select PROC_PID_ARCH_STATUS if PROC_FS > + select IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI && > IMA_ARCH_POLICY > > config INSTRUCTION_DECODER > def_bool y > diff --git a/include/linux/ima.h b/include/linux/ima.h > index 1659217e9b60..aefe758f4466 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -30,8 +30,7 @@ extern void ima_kexec_cmdline(const void *buf, int > size); > extern void ima_add_kexec_buffer(struct kimage *image); > #endif > > -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || > defined(CONFIG_S390) \ > - || defined(CONFIG_PPC_SECURE_BOOT) > +#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT > extern bool arch_ima_get_secureboot(void); > extern const char * const *arch_get_ima_policy(void); > #else > diff --git a/security/integrity/ima/Kconfig > b/security/integrity/ima/Kconfig > index 3f3ee4e2eb0d..d17972aa413a 100644 > --- a/security/integrity/ima/Kconfig > +++ b/security/integrity/ima/Kconfig > @@ -327,3 +327,12 @@ config IMA_QUEUE_EARLY_BOOT_KEYS > depends on IMA_MEASURE_ASYMMETRIC_KEYS > depends on SYSTEM_TRUSTED_KEYRING > default y > + > +config IMA_SECURE_AND_OR_TRUSTED_BOOT > + bool > + depends on IMA > + depends on IMA_ARCH_POLICY > + default n You can't do this: a symbol designed to be selected can't depend on other symbols because Kconfig doesn't see the dependencies during select. We even have a doc for this now: Documentation/kbuild/Kconfig.select-break The only way to get this to work would be to have the long name symbol select both IMA and IMA_ARCH_POLICY, which doesn't seem to be what you want either. Looking at what you're trying to do, I think making the symbol independent of IMA and IMA_ARCH_POLICY is the correct thing, then enforce the dependencies inside the outer #ifdef, but I haven't looked deeply at the code. James