On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote: > This patch updates the arch specific policies for PowernV systems > to add check against blacklisted binary hashes before doing the > verification. This sentence explains how you're doing something. A simple tweak in the wording provides the motivation. ^to make sure that the binary hash is not blacklisted. > > Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > arch/powerpc/kernel/ima_arch.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c > index 88bfe4a1a9a5..4fa41537b846 100644 > --- a/arch/powerpc/kernel/ima_arch.c > +++ b/arch/powerpc/kernel/ima_arch.c > @@ -25,9 +25,9 @@ bool arch_ima_get_secureboot(void) > static const char *const arch_rules[] = { > "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", > "measure func=MODULE_CHECK template=ima-modsig", > - "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > + "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", > #if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) > - "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > + "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", > #endif > NULL > };