Re: [PATCH v2] ima: defer arch_ima_get_secureboot() call to IMA init time

On Tue, 2020-10-13 at 18:59 +0200, Ard Biesheuvel wrote:
> Suggestion: can we take the get_sb_mode() code from ima_arch.c in
> arch/x86, and generalize it for all EFI architectures? That way, we
> can enable 32-bit ARM and RISC-V seamlessly once someone gets around
> to enabling IMA on those platforms. In fact, get_sb_mode() itself
> should probably be factored out into a generic helper for use outside
> of IMA as well (Xen/x86 has code that does roughly the same already)

On Power, there are three different policies - secure, trusted, and
secure & trusted boot policy rules.  Based on whether secure or trusted
boot is enabled, the appropriate policy is enabled.  On x86, if
secure_boot is enabled (and CONFIG_IMA_ARCH_POLICY is enabled) both the
secure and trusted boot rules are defined.  Is this design fine enough
granularity or should there be a get_trustedboot_mode() function
as well?

Agreed, the code should not be duplicated across arch's.  As for making
get_sb_mode() generic, not dependent on IMA, where would it reside? 
Would this be in EFI?

thanks,

Mimi



