From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Ard Biesheuvel <ardb@kernel.org>,
	Nayna Jain <nayna@linux.ibm.com>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
	linux-efi <linux-efi@vger.kernel.org>,
	linux-s390 <linux-s390@vger.kernel.org>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Philipp Rudo <prudo@linux.ibm.com>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ima: add a new CONFIG for loading arch-specific policies
Date: Mon, 2 Mar 2020 22:21:05 +0100
Message-ID: <20200302212105.GH4035@osiris>
In-Reply-To: <1583161018.8544.96.camel@linux.ibm.com>

On Mon, Mar 02, 2020 at 09:56:58AM -0500, Mimi Zohar wrote:
> On Mon, 2020-03-02 at 15:52 +0100, Ard Biesheuvel wrote:
> > On Mon, 2 Mar 2020 at 15:48, Mimi Zohar <zohar@linux.ibm.com> wrote:
> > > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > > > index beea77046f9b..cafa66313fe2 100644
> > > > --- a/arch/x86/Kconfig
> > > > +++ b/arch/x86/Kconfig
> > > > @@ -230,6 +230,7 @@ config X86
> > > >       select VIRT_TO_BUS
> > > >       select X86_FEATURE_NAMES                if PROC_FS
> > > >       select PROC_PID_ARCH_STATUS             if PROC_FS
> > > > +     select IMA_SECURE_AND_OR_TRUSTED_BOOT   if EFI
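Review bot: the select added on the last line of this hunk is conditioned only on EFI, but select turns a symbol on without checking that symbol's own "depends on", and the warning quoted further down shows IMA_SECURE_AND_OR_TRUSTED_BOOT depending on IMA_ARCH_POLICY. Suggest carrying that dependency in the condition, e.g. "select IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI && IMA_ARCH_POLICY", so a kernel built with EFI=y and IMA_ARCH_POLICY=n has consistent Kconfig state.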
> > >
> > > Not everyone is interested in enabling IMA or requiring IMA runtime
> > > policies.  With this patch, enabling IMA_ARCH_POLICY is therefore
> > > still left up to the person building the kernel.  As a result, I'm
> > > seeing the following warning, which is kind of cool.
> > >
> > > WARNING: unmet direct dependencies detected for
> > > IMA_SECURE_AND_OR_TRUSTED_BOOT
> > >   Depends on [n]: INTEGRITY [=y] && IMA [=y] && IMA_ARCH_POLICY [=n]
> > >   Selected by [y]:
> > >   - X86 [=y] && EFI [=y]
> > >
> > > Ard, Michael, Martin, just making sure this type of warning is
> > > acceptable before upstreaming this patch.  I would appreciate your
> > > tags.
> > >
> > 
> > Ehm, no, warnings like these are not really acceptable. It means there
> > is an inconsistency in the way the Kconfig dependencies are defined.
> > 
> > Does this help:
> > 
> >   select IMA_SECURE_AND_OR_TRUSTED_BOOT   if EFI && IMA_ARCH_POLICY
> > 
> > ?
> 
> Yes, that's fine for x86.  Michael, Martin, do you want something
> similar or would you prefer actually selecting IMA_ARCH_POLICY?

For s390 something like

	select IMA_SECURE_AND_OR_TRUSTED_BOOT if IMA_ARCH_POLICY

should be fine.

Thanks,
Heiko
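
The rule behind the quoted warning, as an added example that is not part of the original message or of the kernel tree: a toy Python model of how select ignores the target's "depends on". Symbol names and the dependency expression are taken from the thread; the evaluator, the function names and the two .config states are constructed for illustration.

```python
# Added illustration, not kernel code: a toy model of the Kconfig rule behind
# the warning in this thread. Only bool symbols and '&&' expressions are handled.

def holds(expr, cfg):
    """True when every symbol in an '&&'-joined expression is enabled."""
    return all(cfg.get(sym.strip(), False) for sym in expr.split("&&"))

def unmet_selects(selects, depends, cfg):
    """List (target, selector) pairs where a select fires although the
    target's 'depends on' expression is false. 'select' forces the target
    on without consulting its dependencies, which is what Kconfig warns about."""
    found = []
    for selector, target, cond in selects:
        fires = cfg.get(selector, False) and holds(cond, cfg)
        if fires and not holds(depends[target], cfg):
            found.append((target, selector))
    return found

TARGET = "IMA_SECURE_AND_OR_TRUSTED_BOOT"
# Dependency expression exactly as printed in the quoted warning.
DEPENDS = {TARGET: "INTEGRITY && IMA && IMA_ARCH_POLICY"}

# Constructed .config states: the one from the warning, and one with the
# arch policy enabled.
POLICY_OFF = {"X86": True, "S390": True, "EFI": True,
              "INTEGRITY": True, "IMA": True, "IMA_ARCH_POLICY": False}
POLICY_ON = dict(POLICY_OFF, IMA_ARCH_POLICY=True)

AS_POSTED = [("X86", TARGET, "EFI")]                        # select from the patch
GUARDED_X86 = [("X86", TARGET, "EFI && IMA_ARCH_POLICY")]   # form suggested for x86
GUARDED_S390 = [("S390", TARGET, "IMA_ARCH_POLICY")]        # form suggested for s390

def report():
    """Unmet-dependency findings per select variant and config state."""
    variants = {"as_posted": AS_POSTED, "guarded_x86": GUARDED_X86,
                "guarded_s390": GUARDED_S390}
    states = {"policy_off": POLICY_OFF, "policy_on": POLICY_ON}
    return {(v, s): unmet_selects(sel, DEPENDS, cfg)
            for v, sel in variants.items() for s, cfg in states.items()}

if __name__ == "__main__":
    for key, found in report().items():
        print(key, found or "ok")
```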


