Re: [Fedora 09/19] binfmt_elf: Elf executable signature verification

On Thu, Sep 05, 2013 at 11:06:10AM -0400, Eric Paris wrote:
> On Wed, 2013-09-04 at 21:37 -0400, Josh Boyer wrote:
> 
> > > +config BINFMT_ELF_SIG
> > > +       bool "ELF binary signature verification"
> > > +       depends on BINFMT_ELF
> > > +       select INTEGRITY
> > > +       select INTEGRITY_SIGNATURE
> > > +       select INTEGRITY_ASYMMETRIC_KEYS
> > > +       select IMA
> > > +       select IMA_APPRAISE
> > > +       select SYSTEM_TRUSTED_KEYRING
> > > +       default n
> > > +       ---help---
> > > +         Check ELF binary signature verfication.
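Review bot: the `select IMA`, `select INTEGRITY` and related lines turn on whole subsystems without pulling in those subsystems' own dependencies, because `select` is not recursive; as Eric points out, a config built from this fragment can end up with IMA enabled while CONFIG_TCG_TPM is off. Either express these as `depends on` so the subsystems have to be enabled explicitly in the config fragments, or also select the nested dependencies and say so in the help text. The help text itself has a typo ("verfication") and does not describe the option; "Enable ELF binary signature verification." would. `default n` is redundant, since that is already the default for a bool.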
> > 
> > Please don't do this.  Yes, it's technically viable to select all the
> > things you need, but this turns on entire subsystems we don't have
> > enabled.  In months when the maintainers have long forgotten about
> > this, we have to go figure out what turned on INTEGRITY and IMA
> > because they aren't explicitly set in the config-* fragments.  It's
> > really frustrating.
> 
> And it's just plain wrong.  CONFIG_IMA requires CONFIG_TCG_TPM.  But
> select is not recursive.  So you can end up with a config where IMA is on,
> but TPM is off...

I fail to understand why it is wrong.

- If select is not recursive, then it is a limitation of select. Either
  it needs to be fixed or, as a workaround, one can put explicit selects
  for nested dependencies here.

Also, for my usage I don't need TPM. Other IMA uses might need it, but
at least I don't need it. So it should be fine if TPM is not compiled
in.

In fact, in the last Fedora release TPM was explicitly disabled because
otherwise, due to a buggy TPM, Fedora failed to boot on some machine.
So it seems to be only a good thing that we can use binary ELF signatures
without having to enable TPM support.

Thanks
Vivek
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
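The inconsistency Eric describes (IMA on while TCG_TPM is off, because `select` does not pull in the selected symbol's own dependencies) is easy to catch mechanically on a generated .config. The script below is an added example, not code from the thread or the kernel tree; the IMA -> TCG_TPM pair comes from Eric's message, the other two pairs are assumptions read off the posted Kconfig fragment, and the sample .config is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel. Given a kernel .config,
# flag symbols that are on while a dependency they need is off, which is what a
# non-recursive `select` can produce. IMA -> TCG_TPM is the pair Eric Paris
# describes; the other pairs are assumptions taken from the posted fragment.

# kconfig_on FILE SYMBOL: succeed if SYMBOL=y or SYMBOL=m appears in FILE
kconfig_on() {
    grep -Eq "^$2=(y|m)$" "$1"
}

# check_dep FILE SYMBOL DEP: warn on stderr and fail if SYMBOL is on but DEP is off
check_dep() {
    if kconfig_on "$1" "$2" && ! kconfig_on "$1" "$3"; then
        echo "warning: $2 is enabled but its dependency $3 is off" >&2
        return 1
    fi
    return 0
}

# unmet_select_deps FILE: print the number of unmet pairs found (always exits 0)
unmet_select_deps() {
    n=0
    check_dep "$1" CONFIG_BINFMT_ELF_SIG CONFIG_BINFMT_ELF || n=$((n + 1))
    check_dep "$1" CONFIG_IMA_APPRAISE CONFIG_IMA || n=$((n + 1))
    check_dep "$1" CONFIG_IMA CONFIG_TCG_TPM || n=$((n + 1))
    echo "$n"
}

# write_sample_config FILE: constructed .config resembling what `select IMA`
# yields when TPM support was left out of the config fragments
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_ELF_SIG=y
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
# CONFIG_TCG_TPM is not set
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "unmet dependencies in $sample: $(unmet_select_deps "$sample")"
rm -f "$sample"
```

Point `unmet_select_deps` at a real `.config` (for example `/boot/config-$(uname -r)`) to check a built kernel the same way.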