On Thu, Feb 8, 2024 at 3:06 AM Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote:
> On Wed, 2024-02-07 at 22:18 -0500, Paul Moore wrote:

...

> > I had some pretty minor comments but I think the only thing I saw that
> > I think needs a change/addition is a comment in the Makefile regarding
> > the IMA/EVM ordering; take a look and let me know what you think.
>
> Oh, I remember well, it is there but difficult to spot...
>
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -18,5 +18,6 @@ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
> integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
> platform_certs/load_powerpc.o \
> platform_certs/keyring_handler.o
> +# The relative order of the 'ima' and 'evm' LSMs depends on the order below.
> obj-$(CONFIG_IMA) += ima/
> obj-$(CONFIG_EVM) += evm/

Great, thanks for that. Not sure how I missed that ... ?

> > Once you add a Makefile comment and we sort out the IMA/EVM approval
> > process I think we're good to get this into linux-next. A while back
> > Mimi and I had a chat offline and if I recall everything correctly she
> > preferred that I take this patchset via the LSM tree. I don't have a
> > problem with that, and to be honest I would probably prefer
> > that too, but I wanted to check with everyone that is still the case.
> > Just in case, I've added my ACKs/reviews to this patchset in case this
> > needs to be merged via the integrity tree.
>
> Ok, given that there is the comment in the Makefile, the last thing to
> do from your side is to remove the vague comment in the file_release
> patch.
>
> Other than that, I think Mimi wanted to give a last look. If that is
> ok, then the patches should be ready for your repo and linux-next.

If Mimi is okay with the patchset as-is, and both of you would prefer
this to go in via the LSM tree, don't worry about the file_release comment,
I'll just remove that when merging.

--
paul-moore.com
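
Review bot: the comment added above `obj-$(CONFIG_IMA) += ima/` in security/integrity/Makefile says the relative order of the 'ima' and 'evm' LSMs depends on the order below, but it does not say which of the two has to come first or what goes wrong if the two `obj-` lines are swapped. Consider spelling out the required order and, in a few words, how the Makefile order becomes the LSM order, so that someone sorting or regrouping these lines later sees the constraint and keeps it.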