Date: Wed, 6 Mar 2024 16:05:23 -0800
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v14 17/19] scripts: add boot policy generation program
To: Fan Wu, corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers
References: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com> <1709768084-22539-18-git-send-email-wufan@linux.microsoft.com>
From: Randy Dunlap
In-Reply-To: <1709768084-22539-18-git-send-email-wufan@linux.microsoft.com>

On 3/6/24 15:34, Fan Wu wrote:
> if SECURITY_IPE > +config IPE_BOOT_POLICY > + string "Integrity policy to apply on system startup" > + help > + This option specifies a filepath to a IPE policy that is compiled an IPE > + into the kernel. This policy will be enforced until a policy update > + is deployed via the $securityfs/ipe/policies/$policy_name/active > + interface.

-- #Randy
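
Review bot: The help text for IPE_BOOT_POLICY says the option takes "a filepath to a IPE policy" but does not state what the path is resolved against or what an empty string means; add a sentence covering both, since this value decides which policy is enforced from startup until an update is deployed. In the same sentence "a IPE" should read "an IPE", as the reply notes, and "$securityfs" would be clearer written out as the securityfs mount point rather than as a shell-style variable.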