Hi Scott, On Fri, 2020-06-05 at 15:59 -0700, Scott Branden wrote: > > @@ -648,6 +667,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, > enum ima_hooks func; > u32 secid; > > + if (!file && read_id == READING_FIRMWARE_PARTIAL_READ) > + return 0; The file should be measured on the pre security hook, not here on the post security hook. Here, whether "file" is defined or not, is irrelevant. The test should just check "read_id". Have you tested measuring the firmware by booting a system with "ima_policy=tcb" specified on the boot command line and compared the measurement entry in the IMA measurement list with the file hash (eg. sha1sum, sha256sum)? Mimi > + > if (!file && read_id == READING_FIRMWARE) { > if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && > (ima_appraise & IMA_APPRAISE_ENFORCE)) {