[PATCH v4 0/3] wire up IMA secure boot for arm64

Ard Biesheuvel ardb at kernel.org
Wed Nov 4 14:12:33 EST 2020


On Wed, 4 Nov 2020 at 20:03, Mimi Zohar <zohar at linux.ibm.com> wrote:
>
> On Wed, 2020-11-04 at 19:50 +0100, Ard Biesheuvel wrote:
> > On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar at linux.ibm.com> wrote:
> > >
> > > Hi Ard, Chester,
> > >
> > > On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > > > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > > > boot state of arm64 platforms, which is EFI based.
> > > >
> > > > This v4 implements the changes I suggested to Chester, in particular:
> > > > - disregard MokSbState when factoring out secure boot mode discovery
> > > > - turn the x86 IMA arch code into shared code for all architectures.
> > > >
> > > > This reduces the final patch to a one liner enabling a Kconfig option
> > > > for arm64 when EFI is enabled.
> > > >
> > > > Build tested only.
> > >
> > > Thank you!  This patch set is now queued in the linux-integrity next-
> > > integrity-testing branch.
> > >
> >
> > I don't mind per se, but this touches a number of different trees,
> > including x86 and arm64, and nobody has acked it yet.
> >
> > As far as the EFI tree is concerned, it looks like I should be able to
> > avoid any conflicts with other stuff that is in flight, and if not, we
> > can always use your branch up until the last patch in this series as
> > a shared tag (assuming you won't rebase it).
>
> The next-integrity-testing branch is just a place holder waiting for
> additional tags.  I've reviewed and tested the patch set on x86.  Based
> on the secure boot status and how the kernel is configured, the
> appropriate policy rules are enabled.   Similarly the IMA appraise mode
> (ima_appraise=) is working properly.  I have not tested on arm64.
>
> I do not have a problem with this patch set being upstream via EFI.
>

Ah right. That is probably better, as EFI goes via the x86 tree, and I
work closely with the arm64 maintainers on other things as well.

Please let me know once you are ready to ack this from IMA pov, and I
will carry it further.


