Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1213082iob;
        Thu, 28 Apr 2022 23:29:44 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy783qp8BuRXXQ7hMAuyNr0Z/VCbfCR13gRb1ptQTksGe6OyuWjumykmHciVsL+RdXIy/qM
X-Received: by 2002:a2e:a903:0:b0:24f:21ab:cf45 with SMTP id j3-20020a2ea903000000b0024f21abcf45mr10949478ljq.459.1651213783824;
        Thu, 28 Apr 2022 23:29:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1651213783; cv=none;
        d=google.com; s=arc-20160816;
        b=YZNWDpHFUdcyW2s36JbS7FsAXbuG0qnFRD1kIBP+oWeFVdwZAp+bDB3CWtnTxjdo+6
         GHEcyoVLUoZct5iBkkwbwM8UvVQUVRHdf2ImjbbCk6F7jWTxJO/GAJsSFbrgEIqR5y0i
         izlkqRl+fOb0ARt5Hq7YEfUou/KYIrl9WM8gtukLNcC/SnSsqpUyLz0nwJdtEuUGGKAI
         SXevCgruIPkwcJ1oGOI7VKeXmxa31fScM7WQCDSHkEsFmNd667P3uZTFDUpYVZ3ouCRj
         m0wFkSNsbrLsXU6ECZB/Ccuii/UnFCGtlpe7G6ppMrkV4NvSOxov6eBXVFiO6RZcMJwJ
         aSmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:content-transfer-encoding
         :in-reply-to:from:references:cc:to:content-language:subject
         :user-agent:date:message-id:dkim-signature;
        bh=kCWBkV9EBURXMYT9kDz54RHvpVE/FsInuBtEK/b+Bg4=;
        b=XG0ahJmmFHibxExQi6iZ9U5hs3ZuaEVa4J2biK7r1oitR2LNLVE1zqDTDNt2bASy/F
         I2xbb8hYwAClClev9ZqmJpJ83tV/a0tJRevAIK+rAp11dhpBocDSXk1AXQbFad9T3VoH
         2L4f48TIPMaY2YEVSgz0a8VUJ45c1HY/a8gvvyOxNvOA+m2lRM9cpE64nrLppaA9Nziv
         prtl6QtszjtIeVLhzj1Vx4J31hNB8J5DggAZX/bp3UXZuGlpMc11QKvNPOpK4G9OLsuC
         GTAss5AqxksrqNSTX0dmFqSVpDypMv4CqyMuNnoO9s/4fOEX/QWOTPSzs1oUh4l71ib8
         WnEA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=CzK9bOB6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id d24-20020a2e3318000000b0024952f7bba5si5930918ljc.256.2022.04.28.23.29.16;
        Thu, 28 Apr 2022 23:29:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=CzK9bOB6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1352779AbiD1WL6 (ORCPT <rfc822;andreykovskii@gmail.com>
        + 99 others); Thu, 28 Apr 2022 18:11:58 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39424 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1347530AbiD1WL5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Apr 2022 18:11:57 -0400
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D72ABCB5E;
        Thu, 28 Apr 2022 15:08:39 -0700 (PDT)
Received: from pps.filterd (m0098404.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 23SKf2bt003777;
        Thu, 28 Apr 2022 22:08:23 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : date :
 subject : to : cc : references : from : in-reply-to : content-type :
 content-transfer-encoding : mime-version; s=pp1;
 bh=kCWBkV9EBURXMYT9kDz54RHvpVE/FsInuBtEK/b+Bg4=;
 b=CzK9bOB6HYT2CMnz65Rmgq5Ex9Ni07yj09ysM8kdMosoxiTsBYwyRjkPIgbGx0Jyv36I
 yeF5/Sv2YVbZBnc992PsKUkkMzAhbjES3qxr2DcsC38DtVZZ1HikWS1TLNhYvxG7QoBx
 ROb7kN04jkLsB/J81wiuFuJ6vJOea/SoR/koeZnu6GYLZE+CXaBfJ+8vFdnnBZWvyWOQ
 00niJ4yiDXztcyNSfLiyemnaqHk+k4Z8f+BX9cIU50NiuLX7EO3LLaU6QzfazUQcYLwB
 NgcFOfeTWeTRLYrZ2jsGYVUc5vMoMYQFah/LvAolXSDtV1kQlIcGCGOaSV2JDCddiPrR 0Q== 
Received: from pps.reinject (localhost [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3fqt9dwp3e-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Thu, 28 Apr 2022 22:08:22 +0000
Received: from m0098404.ppops.net (m0098404.ppops.net [127.0.0.1])
        by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 23SLn3eF005352;
        Thu, 28 Apr 2022 22:08:21 GMT
Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122])
        by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3fqt9dwp3a-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Thu, 28 Apr 2022 22:08:21 +0000
Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1])
        by ppma04dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 23SLgXlH032529;
        Thu, 28 Apr 2022 22:08:20 GMT
Received: from b03cxnp07027.gho.boulder.ibm.com (b03cxnp07027.gho.boulder.ibm.com [9.17.130.14])
        by ppma04dal.us.ibm.com with ESMTP id 3fm93aq30c-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Thu, 28 Apr 2022 22:08:20 +0000
Received: from b03ledav001.gho.boulder.ibm.com (b03ledav001.gho.boulder.ibm.com [9.17.130.232])
        by b03cxnp07027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 23SM8Jj436438418
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Thu, 28 Apr 2022 22:08:19 GMT
Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id BA3E26E054;
        Thu, 28 Apr 2022 22:08:19 +0000 (GMT)
Received: from b03ledav001.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 3A7106E04E;
        Thu, 28 Apr 2022 22:08:19 +0000 (GMT)
Received: from [9.211.77.121] (unknown [9.211.77.121])
        by b03ledav001.gho.boulder.ibm.com (Postfix) with ESMTP;
        Thu, 28 Apr 2022 22:08:19 +0000 (GMT)
Message-ID: <0c6442db-7e97-58dd-f39c-b22a37398715@linux.vnet.ibm.com>
Date:   Thu, 28 Apr 2022 18:08:18 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.0
Subject: Re: [PATCH] integrity: Allow ima_appraise bootparam to be set when SB
 is enabled
Content-Language: en-US
To:     Eric Snowberg <eric.snowberg@oracle.com>
Cc:     dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, zohar@linux.ibm.com
References: <20220425222120.1998888-1-eric.snowberg@oracle.com>
From:   Nayna <nayna@linux.vnet.ibm.com>
In-Reply-To: <20220425222120.1998888-1-eric.snowberg@oracle.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: rimEikXrGxHYx5taUsRDOxhOxtqdH1iw
X-Proofpoint-ORIG-GUID: mAlKens8YqIG3yS2DPKRj9XhK_OYTk1h
Content-Transfer-Encoding: 8bit
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514
 definitions=2022-04-28_05,2022-04-28_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 phishscore=0
 mlxscore=0 suspectscore=0 priorityscore=1501 spamscore=0 mlxlogscore=999
 adultscore=0 lowpriorityscore=0 impostorscore=0 clxscore=1011 bulkscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000
 definitions=main-2204280129
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_EF,NICE_REPLY_A,SPF_HELO_NONE,SPF_NONE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 4/25/22 18:21, Eric Snowberg wrote:
> The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
> modes (log, fix, enforce) to be configured at boot time.  When booting
> with Secure Boot enabled, all modes are ignored except enforce.  To use
> log or fix, Secure Boot must be disabled.
>
> With a policy such as:
>
> appraise func=BPRM_CHECK appraise_type=imasig
>
> A user may just want to audit signature validation. Not all users
> are interested in full enforcement and find the audit log appropriate
> for their use case.
>
> Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
> to work when Secure Boot is enabled.

Tianocore(UEFI Reference Implementation) defines four secure boot modes, 
one of which is Audit Mode. Refer to last few lines of Feature Summary 
section in Readme.MD 
(https://github.com/tianocore/edk2-staging/blob/Customized-Secure-Boot/Readme.MD#3-feature-summary). 
Based on the reference, IMA appraise_mode="log" should probably work in 
coordination with AuditMode.

Thanks & Regards,

     - Nayna