Subject: Re: [PATCH v5 4/4] IMA: Handle early boot data measurement
From: Lakshmi Ramasubramanian
To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com
Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20200730034724.3298-1-nramas@linux.microsoft.com> <20200730034724.3298-5-nramas@linux.microsoft.com>
In-Reply-To: <20200730034724.3298-5-nramas@linux.microsoft.com>
Date: Thu, 30 Jul 2020 11:02:50 -0700

On 7/29/20 8:47 PM, Lakshmi Ramasubramanian wrote:

Hi Tyler,

> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 080c53545ff0..86cba844f73c 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -322,10 +322,9 @@ config IMA_MEASURE_ASYMMETRIC_KEYS
> depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
> default y
>
> -config IMA_QUEUE_EARLY_BOOT_KEYS
> +config IMA_QUEUE_EARLY_BOOT_DATA
> bool
> - depends on IMA_MEASURE_ASYMMETRIC_KEYS
> - depends on SYSTEM_TRUSTED_KEYRING
> + depends on SECURITY || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)
> default y
>

Similar to the change you'd suggested for validating LSM_STATE and LSM_POLICY func, I think IMA_QUEUE_EARLY_BOOT_DATA config should be enabled for SECURITY_SELINUX.

depends on SECURITY_SELINUX || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)

And, when more security modules are added, update this CONFIG as appropriate.

Does that sound okay?

-lakshmi
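Review bot: in the IMA_QUEUE_EARLY_BOOT_DATA hunk, `depends on SECURITY || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)` collapses to always-true: the IMA Kconfig is only reachable when CONFIG_SECURITY is set (INTEGRITY depends on SECURITY), so the left-hand alternative is always satisfied and the keys-related alternative on the right is dead code. With `default y` the option is therefore built in unconditionally, including in a kernel with neither asymmetric-key measurement nor an LSM whose state or policy IMA measures, which is a wider footprint than the old two `depends on` lines gave. Depend on the actual consumers instead, e.g. `depends on SECURITY_SELINUX || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)` as proposed in the reply, or a dedicated symbol that each LSM measurement config selects, so the list need not be edited for every new module. Since the hunk renames IMA_QUEUE_EARLY_BOOT_KEYS, also confirm that every remaining reference to the old symbol (ifdefs and IS_ENABLED() checks) is updated in the same patch, otherwise the queueing code silently drops out of the build.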