On Tue, Jul 21, 2020 at 01:26:16PM -0400, Mimi Zohar wrote:
On Mon, 2020-07-20 at 12:38 -0300, Bruno Meneguele wrote:
On Mon, Jul 20, 2020 at 10:56:55AM -0400, Mimi Zohar wrote:
On Mon, 2020-07-20 at 10:40 -0400, Nayna wrote:
On 7/13/20 12:48 PM, Bruno Meneguele wrote:
The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise=" modes - log, fix, enforce - at run time, but not when IMA architecture specific policies are enabled. This prevents properly labeling the filesystem on systems where secure boot is supported, but not enabled on the platform. Only when secure boot is actually enabled should these IMA appraise modes be disabled.
This patch removes the compile time dependency and makes it a runtime decision, based on the secure boot state of that platform.
Test results as follows:
-> x86-64 with secure boot enabled
[ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix [ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option
Is it common to have two colons in the same line? Is the colon being used as a delimiter when parsing the kernel logs? Should the second colon be replaced with a hyphen? (No need to repost. I'll fix it up.)
AFAICS it has been used without any limitations, e.g:
PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 133484873504 ns microcode: CPU0: patch_level=0x08701013 Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7 ...
I'd say we're fine using it.
Ok. FYI, it's now in next-integrity.
Mimi
Thanks Mimi.