On Wed, 4 Nov 2020 at 20:03, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Wed, 2020-11-04 at 19:50 +0100, Ard Biesheuvel wrote:
> > On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > >
> > > Hi Ard, Chester,
> > >
> > > On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > > > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > > > boot state of arm64 platforms, which is EFI based.
> > > >
> > > > This v4 implements the changes I suggested to Chester, in particular:
> > > > - disregard MokSbState when factoring out secure boot mode discovery
> > > > - turn the x86 IMA arch code into shared code for all architectures.
> > > >
> > > > This reduces the final patch to a one liner enabling a Kconfig option
> > > > for arm64 when EFI is enabled.
> > > >
> > > > Build tested only.
> > >
> > > Thank you! This patch set is now queued in the linux-integrity next-
> > > integrity-testing branch.
> > >
> >
> > I don't mind per se, but this touches a number of different trees,
> > including x86 and arm64, and nobody has acked it yet.
> >
> > As far as the EFI tree is concerned, it looks like I should be able to
> > avoid any conflicts with other stuff that is in flight, and if not, we
> > can always use your branch up until the last patch in this series as
> > a shared tag (assuming you won't rebase it).
>
> The next-integrity-testing branch is just a placeholder waiting for
> additional tags. I've reviewed and tested the patch set on x86. Based
> on the secure boot status and how the kernel is configured, the
> appropriate policy rules are enabled. Similarly the IMA appraise mode
> (ima_appraise=) is working properly. I have not tested on arm64.
>
> I do not have a problem with this patch set being upstream via EFI.
>

Ah right. That is probably better, as EFI goes via the x86 tree, and I
work closely with the arm64 maintainers on other things as well.
Please let me know once you are ready to ack this from IMA pov, and I will carry it further.