> On Apr 26, 2022, at 12:18 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > On Mon, 2022-04-25 at 18:21 -0400, Eric Snowberg wrote: >> The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise=" >> modes (log, fix, enforce) to be configured at boot time. When booting >> with Secure Boot enabled, all modes are ignored except enforce. To use >> log or fix, Secure Boot must be disabled. >> >> With a policy such as: >> >> appraise func=BPRM_CHECK appraise_type=imasig >> >> A user may just want to audit signature validation. Not all users >> are interested in full enforcement and find the audit log appropriate >> for their use case. >> >> Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise=" >> to work when Secure Boot is enabled. >> >> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> > > Since the IMA architecture specific policy rules were first > upstreamed, either enabling IMA_APPRAISE_BOOTPARAM or IMA_ARCH_POLICY > was permitted, but not both. I don’t see code preventing this and just created a config with both of them enabled. Is this an assumption everyone is supposed to understand? > This Kconfig negates the assumptions on > which the CONFIG_IMA_ARCH_POLICY and the ima_appraise_signature() are > based without any indication of the ramifications. This impacts the > kexec file syscall lockdown LSM assumptions as well. I will fix this in the next round > A fuller, more complete explanation for needing "log" mode when secure > boot is enabled is required. and add a more thorough explanation. Thanks.
