On Thu, Mar 1, 2018 at 3:06 AM David Howells <dhowells@xxxxxxxxxx> wrote:

> - Requiring IMA to use secure boot rules

On systems that have IMA enabled, this appears to enforce a policy that requires that IMA signatures be present for kexec and modules. Distributions are already shipping signed modules and kernel images, so this policy appears to enforce that (a) they be signed twice, and (b) distributions have a mechanism for shipping extended attributes in packages.

(a) seems unnecessary, and (b) isn't possible in most distributions (there's ongoing work in Debian, but it's not merged yet). I can see cases where you'd want to enforce this via IMA, but I don't think it's appropriate for all cases. Should the use of the IMA secure_boot policy be gated behind a config option?