On 2/16/22 15:56, Mimi Zohar wrote:
On Wed, 2022-02-16 at 15:48 -0500, Stefan Berger wrote:
On 2/16/22 11:39, Mimi Zohar wrote:
On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
Let's update the patch description providing a bit more background
info:
The architecture specific policy rules, currently defined for EFI and
powerpc, require the kexec kernel image and kernel modules to be
validly signed and measured, based on the system's secure boot and/or
trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
Move the arch_policy_entry pointer into ima_namespace.
Perhaps include something about namespaces being allowed or not allowed
to kexec a new kernel or load kernel modules.
Namespaces are not allowed to kexec but special-casing the init_ima_ns
in the code to handle namespaces differently makes it much harder to
read the code. I would avoid special-casing init_ima_ns as much as
possible and therefore I have moved the arch_policy_entry into the
ima_namespace.
Please include this in the patch description, but re-write the last
line in the 3rd person, like:
To avoid special-casing init_ima_ns, as much as possible, move the
arch_policy_entry into the ima_namespace.
I took the paragraph on the background as well as this sentence.
thanks,
Mimi