On Fri, 2017-11-10 at 14:31 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > This initially enforces kernel modules, firmware, the kernel kexec
> > image, and the IMA policy itself are signed.
>
> "Initially" meaning that this can be changed?

No, I was intending to allow the meaning of the "secure_boot" policy to
change over time.

There's already support for the initramfs to be signed. With Thiago
Bauermann's "Appended signatures support for IMA appraisal", which is
initially meant for the kexec'ed kernel image, the initramfs can be
signed with an appended signature as well. Once IMA support for
appended signatures is upstreamed, we could extend the "secure_boot"
policy to require the initramfs to be signed as well.

Mimi
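
An added example, not part of the original message or the kernel source: a small auditor that reports, for a given IMA policy text, which of the items named above (modules, firmware, kexec kernel image, the IMA policy) and the initramfs are required to carry a signature. It assumes the IMA policy syntax `func=` and `appraise_type=imasig`, which the email does not show, uses a simplified in-order, first-match model, and runs on a constructed sample policy.

```python
# Added example: classify how an IMA policy treats each item named in the email.
# Assumed model: rules are read in order and the first matching appraise or
# dont_appraise rule decides; conditions other than func= are treated conservatively.
HOOKS = {
    "MODULE_CHECK": "kernel modules",
    "FIRMWARE_CHECK": "firmware",
    "KEXEC_KERNEL_CHECK": "kexec kernel image",
    "POLICY_CHECK": "IMA policy",
    "KEXEC_INITRAMFS_CHECK": "initramfs (possible later extension)",
}

def parse(policy_text):
    """Turn policy text into (action, {key: value}) tuples, skipping comments."""
    rules = []
    for raw in policy_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            rules.append((words[0], dict(w.split("=", 1) for w in words[1:] if "=" in w)))
    return rules

def classify(rules, hook):
    """Return signed / partial / hash-only / exempted / missing for one hook."""
    partial = False
    for action, kv in rules:
        if action not in ("appraise", "dont_appraise") or kv.get("func", hook) != hook:
            continue  # rule is about something else
        if action == "dont_appraise":
            return "exempted"   # some files skip appraisal before any later rule
        if not kv.get("appraise_type", "").startswith("imasig"):
            return "hash-only"  # appraised, but a signature is not required
        if not set(kv) - {"func", "appraise_type"}:
            return "signed"     # unconditional signature requirement
        partial = True          # signature required only under extra conditions
    return "partial" if partial else "missing"

def audit(policy_text):
    rules = parse(policy_text)
    return {hook: classify(rules, hook) for hook in HOOKS}

SAMPLE = """\
# constructed sample policy, not taken from any real system
appraise func=MODULE_CHECK appraise_type=imasig
appraise func=FIRMWARE_CHECK appraise_type=imasig fowner=0
appraise func=POLICY_CHECK
dont_appraise func=KEXEC_KERNEL_CHECK fsmagic=0x01021994
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
"""

if __name__ == "__main__":
    for hook, status in audit(SAMPLE).items():
        print(f"{status:10} {hook:22} {HOOKS[hook]}")
```

Anything other than `signed` for the first four entries means the policy is weaker than the coverage described in the message; `missing` for the initramfs entry matches the state the reply describes before the proposed extension.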