| Message ID | 20201102223800.12181-1-ardb@kernel.org (mailing list archive) |
|---|---|
| Series | wire up IMA secure boot for arm64 |
Hi Ard, Chester,

On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> This is a follow-up to Chester's series [0] to enable IMA to the secure
> boot state of arm64 platforms, which is EFI based.
>
> This v4 implements the changes I suggested to Chester, in particular:
> - disregard MokSbState when factoring out secure boot mode discovery
> - turn the x86 IMA arch code into shared code for all architectures.
>
> This reduces the final patch to a one liner enabling a Kconfig option
> for arm64 when EFI is enabled.
>
> Build tested only.

Thank you! This patch set is now queued in the linux-integrity
next-integrity-testing branch.

Mimi
On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Ard, Chester,
>
> On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > boot state of arm64 platforms, which is EFI based.
> >
> > This v4 implements the changes I suggested to Chester, in particular:
> > - disregard MokSbState when factoring out secure boot mode discovery
> > - turn the x86 IMA arch code into shared code for all architectures.
> >
> > This reduces the final patch to a one liner enabling a Kconfig option
> > for arm64 when EFI is enabled.
> >
> > Build tested only.
>
> Thank you! This patch set is now queued in the linux-integrity
> next-integrity-testing branch.
>

I don't mind per se, but this touches a number of different trees,
including x86 and arm64, and nobody has acked it yet.

As far as the EFI tree is concerned, it looks like I should be able to
avoid any conflicts with other stuff that is in flight, and if not, we
can always use your branch up until the last patch in this series as
a shared tag (assuming you won't rebase it).
On Wed, 2020-11-04 at 19:50 +0100, Ard Biesheuvel wrote:
> On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > Hi Ard, Chester,
> >
> > On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > > boot state of arm64 platforms, which is EFI based.
> > >
> > > This v4 implements the changes I suggested to Chester, in particular:
> > > - disregard MokSbState when factoring out secure boot mode discovery
> > > - turn the x86 IMA arch code into shared code for all architectures.
> > >
> > > This reduces the final patch to a one liner enabling a Kconfig option
> > > for arm64 when EFI is enabled.
> > >
> > > Build tested only.
> >
> > Thank you! This patch set is now queued in the linux-integrity
> > next-integrity-testing branch.
> >
>
> I don't mind per se, but this touches a number of different trees,
> including x86 and arm64, and nobody has acked it yet.
>
> As far as the EFI tree is concerned, it looks like I should be able to
> avoid any conflicts with other stuff that is in flight, and if not, we
> can always use your branch up until the last patch in this series as
> a shared tag (assuming you won't rebase it).

The next-integrity-testing branch is just a place holder waiting for
additional tags. I've reviewed and tested the patch set on x86. Based
on the secure boot status and how the kernel is configured, the
appropriate policy rules are enabled. Similarly the IMA appraise mode
(ima_appraise=) is working properly. I have not tested on arm64.

I do not have a problem with this patch set being upstream via EFI.

thanks,

Mimi
On Wed, 4 Nov 2020 at 20:03, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Wed, 2020-11-04 at 19:50 +0100, Ard Biesheuvel wrote:
> > On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar@linux.ibm.com> wrote:
> > >
> > > Hi Ard, Chester,
> > >
> > > On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > > > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > > > boot state of arm64 platforms, which is EFI based.
> > > >
> > > > This v4 implements the changes I suggested to Chester, in particular:
> > > > - disregard MokSbState when factoring out secure boot mode discovery
> > > > - turn the x86 IMA arch code into shared code for all architectures.
> > > >
> > > > This reduces the final patch to a one liner enabling a Kconfig option
> > > > for arm64 when EFI is enabled.
> > > >
> > > > Build tested only.
> > >
> > > Thank you! This patch set is now queued in the linux-integrity
> > > next-integrity-testing branch.
> > >
> >
> > I don't mind per se, but this touches a number of different trees,
> > including x86 and arm64, and nobody has acked it yet.
> >
> > As far as the EFI tree is concerned, it looks like I should be able to
> > avoid any conflicts with other stuff that is in flight, and if not, we
> > can always use your branch up until the last patch in this series as
> > a shared tag (assuming you won't rebase it).
>
> The next-integrity-testing branch is just a place holder waiting for
> additional tags. I've reviewed and tested the patch set on x86. Based
> on the secure boot status and how the kernel is configured, the
> appropriate policy rules are enabled. Similarly the IMA appraise mode
> (ima_appraise=) is working properly. I have not tested on arm64.
>
> I do not have a problem with this patch set being upstream via EFI.
>

Ah right. That is probably better, as EFI goes via the x86 tree, and I
work closely with the arm64 maintainers on other things as well.

Please let me know once you are ready to ack this from IMA pov, and I
will carry it further.
On Wed, 2020-11-04 at 20:12 +0100, Ard Biesheuvel wrote:
> > I do not have a problem with this patch set being upstream via EFI.
> >
>
> Ah right. That is probably better, as EFI goes via the x86 tree, and I
> work closely with the arm64 maintainers on other things as well.
>
> Please let me know once you are ready to ack this from IMA pov, and I
> will carry it further.

thanks,

Acked-by: Mimi Zohar <zohar@linux.ibm.com>
On Wed, 4 Nov 2020 at 20:55, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Wed, 2020-11-04 at 20:12 +0100, Ard Biesheuvel wrote:
> > > I do not have a problem with this patch set being upstream via EFI.
> > >
> >
> > Ah right. That is probably better, as EFI goes via the x86 tree, and I
> > work closely with the arm64 maintainers on other things as well.
> >
> > Please let me know once you are ready to ack this from IMA pov, and I
> > will carry it further.
>
> thanks,
>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
>

Thanks Mimi