On Tue, 2018-05-01 at 20:00 +0100, David Howells wrote: > Matthew Garrett <mjg59@xxxxxxxxxx> wrote: > > > (a) seems unnecessary, and (b) isn't possible in most distributions > > (there's ongoing work in Debian, but it's not merged yet). I can see cases > > where you'd want to enforce this via IMA, but I don't think it's > > appropriate for all cases. Should the use of the IMA secure_boot policy be > > gated behind a config option? > > Quite probably. Mimi? a) Requiring two signatures was addressed by a patch titled "lockdown: fix coordination of kernel module signature verification" [1] b) With the coordination of the signature verification above, enabling either method or both methods, should work properly. There's been further discussions as to what should remain in the "lockdown" patch set. Based on the discussion here [2], it seems like "[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down" will be removed. Instead of preventing the loading of a kernel image (kexec_load syscall) being dependent on the lockdown flag, it could be dependent on the kernel_read_file_id READING_KEXEC_IMAGE. A version of these patches was posted [3]. [1] http://kernsec.org/pipermail/linux-security-module-archive/2018-April/006456.html [2] http://kernsec.org/pipermail/linux-security-module-archive/2018-April/006419.html [3] http://kernsec.org/pipermail/linux-security-module-archive/2018-April/006443.html Mimi
