On Thu, 2019-03-07 at 14:27 -0800, Matthew Garrett wrote: > On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) > > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { > > + if (IS_ENABLED(CONFIG_MODULE_SIG)) > > + set_module_sig_enforced(); > > return sb_arch_rules; > > Linus previously pushed back on having the lockdown features > automatically enabled on secure boot systems. Why are we doing the > same in IMA? IMA-appraisal is extending the "secure boot" concept to the running system. Mimi
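Review bot: the set_module_sig_enforced() call added inside the new braces is an undocumented side effect in a branch whose visible purpose is to return sb_arch_rules. With CONFIG_IMA_ARCH_POLICY set and arch_ima_get_secureboot() true, module signature enforcement is switched on with no opt-out shown in the hunk. Please add a comment above the call and a sentence in the CONFIG_IMA_ARCH_POLICY help text saying that secure boot now implies enforced module signatures, so the behaviour questioned in this thread is explicit to whoever enables the option. The inner `if (IS_ENABLED(CONFIG_MODULE_SIG))` also has no else: when CONFIG_MODULE_SIG is off, nothing is enforced here, and a comment should say what is expected to cover modules in that configuration.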