On Wed, 2022-02-16 at 15:48 -0500, Stefan Berger wrote: > On 2/16/22 11:39, Mimi Zohar wrote: > > On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote > > > > Let's update the patch description providing a bit more background > > info: > > > > The archictecture specific policy rules, currently defined for EFI and > > powerpc, require the kexec kernel image and kernel modules to be > > validly signed and measured, based on the system's secure boot and/or > > trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled. > > > >> Move the arch_policy_entry pointer into ima_namespace. > > Perhaps include something about namespaces being allowed or not allowed > > to kexec a new kernel or load kernel modules. > > Namespaces are not allowed to kexec but special-casing the init_ima_ns > in the code to handle namespaces differently makes it much harder to > read the code. I would avoid special-casing init_ima_ns as much as > possible and therefore I have moved the arch_policy_entry into the > ima_namespace. Please include this in the patch description, but re-write the last line in the 3rd person, like: To avoid special-casing init_ima_ns, as much as possible, move the arch_policy_entry into the ima_namespace. thanks, Mimi