* [PATCH v2 0/3] integrity: build scripts changes
@ 2014-09-03  7:29 Dmitry Kasatkin
  2014-09-03  7:29 ` [PATCH v2 1/3] integrity: move asymmetric keys config option Dmitry Kasatkin
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Dmitry Kasatkin @ 2014-09-03  7:29 UTC (permalink / raw)
  To: zohar, linux-ima-devel, linux-security-module
  Cc: linux-kernel, dmitry.kasatkin, Dmitry Kasatkin

Hi,

These patches introduce a few changes to the integrity subsystem build scripts.
Patch descriptions provide detailed explanations.

Changes in v2:
- use 'menu' instead of 'menuconfig' to keep integrity as security option

- Dmitry

Dmitry Kasatkin (3):
  integrity: move asymmetric keys config option
  integrity: move integrity subsystem options to a separate menu
  integrity: make all integrity components as integrity module

 security/integrity/Kconfig     | 38 ++++++++++++++++++++++++--------------
 security/integrity/Makefile    |  6 +++---
 security/integrity/evm/Kconfig |  9 +--------
 security/integrity/ima/Kconfig |  3 +--
 4 files changed, 29 insertions(+), 27 deletions(-)

-- 
1.9.1



* [PATCH v2 1/3] integrity: move asymmetric keys config option
  2014-09-03  7:29 [PATCH v2 0/3] integrity: build scripts changes Dmitry Kasatkin
@ 2014-09-03  7:29 ` Dmitry Kasatkin
  2014-09-03  7:29 ` [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu Dmitry Kasatkin
  2014-09-03  7:29 ` [PATCH v2 3/3] integrity: make all integrity components as integrity module Dmitry Kasatkin
  2 siblings, 0 replies; 8+ messages in thread
From: Dmitry Kasatkin @ 2014-09-03  7:29 UTC (permalink / raw)
  To: zohar, linux-ima-devel, linux-security-module
  Cc: linux-kernel, dmitry.kasatkin, Dmitry Kasatkin

For better visual appearance, it is better to co-locate
the asymmetric keys option with signature support.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
---
 security/integrity/Kconfig | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 245c6d9..f79d853 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -17,6 +17,18 @@ config INTEGRITY_SIGNATURE
 	  This is useful for evm and module keyrings, when keys are
 	  usually only added from initramfs.
 
+config INTEGRITY_ASYMMETRIC_KEYS
+	boolean "Enable asymmetric keys support"
+	depends on INTEGRITY_SIGNATURE
+	default n
+        select ASYMMETRIC_KEY_TYPE
+        select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+        select PUBLIC_KEY_ALGO_RSA
+        select X509_CERTIFICATE_PARSER
+	help
+	  This option enables digital signature verification using
+	  asymmetric keys.
+
 config INTEGRITY_AUDIT
 	bool "Enables integrity auditing support "
 	depends on INTEGRITY && AUDIT
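Review bot: The re-added `INTEGRITY_ASYMMETRIC_KEYS` entry keeps its four `select` lines indented with eight spaces while the rest of the entry uses a tab; since the block is being moved anyway, this is the place to switch them to tabs. `default n` is redundant because n is already the Kconfig default for a bool, and the neighbouring INTEGRITY_AUDIT entry spells the type `bool` rather than `boolean`. The help text could also tell the person configuring the kernel what the option pulls in, e.g. `This option enables digital signature verification using asymmetric keys (selects RSA and the X.509 certificate parser).`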
@@ -32,17 +44,5 @@ config INTEGRITY_AUDIT
 	  be enabled by specifying 'integrity_audit=1' on the kernel
 	  command line.
 
-config INTEGRITY_ASYMMETRIC_KEYS
-	boolean "Enable asymmetric keys support"
-	depends on INTEGRITY_SIGNATURE
-	default n
-        select ASYMMETRIC_KEY_TYPE
-        select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
-        select PUBLIC_KEY_ALGO_RSA
-        select X509_CERTIFICATE_PARSER
-	help
-	  This option enables digital signature verification using
-	  asymmetric keys.
-
 source security/integrity/ima/Kconfig
 source security/integrity/evm/Kconfig
-- 
1.9.1



* [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu
  2014-09-03  7:29 [PATCH v2 0/3] integrity: build scripts changes Dmitry Kasatkin
  2014-09-03  7:29 ` [PATCH v2 1/3] integrity: move asymmetric keys config option Dmitry Kasatkin
@ 2014-09-03  7:29 ` Dmitry Kasatkin
  2014-09-03 12:35   ` Mimi Zohar
  2014-09-03  7:29 ` [PATCH v2 3/3] integrity: make all integrity components as integrity module Dmitry Kasatkin
  2 siblings, 1 reply; 8+ messages in thread
From: Dmitry Kasatkin @ 2014-09-03  7:29 UTC (permalink / raw)
  To: zohar, linux-ima-devel, linux-security-module
  Cc: linux-kernel, dmitry.kasatkin, Dmitry Kasatkin

The integrity subsystem has a lot of options and takes up more than
half of the security menu.

This patch moves integrity subsystem options to a separate menu.
It does not affect existing configuration. Re-configuration is
not needed.

Changes in v2:
- previous patch moved integrity out of the 'security' menu.
  This version keeps integrity as a security option (Mimi).

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
---
 security/integrity/Kconfig     | 14 ++++++++++++--
 security/integrity/evm/Kconfig |  9 +--------
 security/integrity/ima/Kconfig |  3 +--
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index f79d853..a734a83 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -1,7 +1,13 @@
 #
 config INTEGRITY
-	def_bool y
-	depends on IMA || EVM
+	bool "Integrity subsystem support"
+	depends on SECURITY
+	default y
+
+if INTEGRITY
+
+menu "Options"
+
 
 config INTEGRITY_SIGNATURE
 	boolean "Digital signature verification using multiple keyrings"
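Review bot: The new `INTEGRITY` prompt has no `help` text and defaults to y under SECURITY, so a configuration with SECURITY=y and neither IMA nor EVM enabled now appears to get the integrity core built in, where the old `depends on IMA || EVM` left it out; that seems at odds with the description's statement that existing configurations are unaffected. In the other direction, the ima/Kconfig hunk drops `select INTEGRITY`, so answering n here hides IMA and EVM entirely with nothing on screen to say so. A short help entry would cover both, for example `This option enables the integrity subsystem, which is required by IMA and EVM; say N only if neither is needed.` If building the core without any user of it is not intended, the changelog should say why `default y` is wanted.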
@@ -46,3 +52,7 @@ config INTEGRITY_AUDIT
 
 source security/integrity/ima/Kconfig
 source security/integrity/evm/Kconfig
+
+endmenu
+
+endif   # if INTEGRITY
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index d606f3d..df20a2f 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -1,6 +1,6 @@
 config EVM
 	boolean "EVM support"
-	depends on SECURITY
+	depends on INTEGRITY
 	select KEYS
 	select ENCRYPTED_KEYS
 	select CRYPTO_HMAC
@@ -12,10 +12,6 @@ config EVM
 
 	  If you are unsure how to answer this question, answer N.
 
-if EVM
-
-menu "EVM options"
-
 config EVM_ATTR_FSUUID
 	bool "FSUUID (version 2)"
 	default y
@@ -47,6 +43,3 @@ config EVM_EXTRA_SMACK_XATTRS
 	  additional info to the calculation, requires existing EVM
 	  labeled file systems to be relabeled.
 
-endmenu
-
-endif
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 08758fb..2477d1e 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -2,8 +2,7 @@
 #
 config IMA
 	bool "Integrity Measurement Architecture(IMA)"
-	depends on SECURITY
-	select INTEGRITY
+	depends on INTEGRITY
 	select SECURITYFS
 	select CRYPTO
 	select CRYPTO_HMAC
-- 
1.9.1



* [PATCH v2 3/3] integrity: make all integrity components as integrity module
  2014-09-03  7:29 [PATCH v2 0/3] integrity: build scripts changes Dmitry Kasatkin
  2014-09-03  7:29 ` [PATCH v2 1/3] integrity: move asymmetric keys config option Dmitry Kasatkin
  2014-09-03  7:29 ` [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu Dmitry Kasatkin
@ 2014-09-03  7:29 ` Dmitry Kasatkin
  2 siblings, 0 replies; 8+ messages in thread
From: Dmitry Kasatkin @ 2014-09-03  7:29 UTC (permalink / raw)
  To: zohar, linux-ima-devel, linux-security-module
  Cc: linux-kernel, dmitry.kasatkin, Dmitry Kasatkin

Kernel print macros use KBUILD_MODNAME, which is initialized
to the module name. The current Makefile puts every file into its own
module, so pr_xxx messages are prefixed with the file name instead of
the module name. This patch builds all files as a single 'integrity'
module, the same way as it is done in evm/Makefile and ima/Makefile.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
---
 security/integrity/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/integrity/Makefile b/security/integrity/Makefile
index 0793f48..8d1f4bf 100644
--- a/security/integrity/Makefile
+++ b/security/integrity/Makefile
@@ -3,11 +3,11 @@
 #
 
 obj-$(CONFIG_INTEGRITY) += integrity.o
-obj-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
-obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
-obj-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
 
 integrity-y := iint.o
+integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
+integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
+integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
 
 subdir-$(CONFIG_IMA)			+= ima
 obj-$(CONFIG_IMA)			+= ima/
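Review bot: Nothing in the Makefile records why `integrity_audit.o`, `digsig.o` and `digsig_asymmetric.o` are now listed under `integrity-` instead of `obj-`, so a later addition could easily go back to `obj-$(CONFIG_...)` and get a file-name prefix again. A one-line comment above the list would prevent that, e.g. `# Link all objects into integrity.o so that KBUILD_MODNAME is "integrity" for every file`. The changelog could also state that the prefix of existing pr_xxx messages from these files changes, since anything that matches on the old prefixes in kernel logs would need updating.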
-- 
1.9.1



* Re: [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu
  2014-09-03  7:29 ` [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu Dmitry Kasatkin
@ 2014-09-03 12:35   ` Mimi Zohar
  2014-09-03 12:55     ` Dmitry Kasatkin
  2014-09-03 13:42     ` Dmitry Kasatkin
  0 siblings, 2 replies; 8+ messages in thread
From: Mimi Zohar @ 2014-09-03 12:35 UTC (permalink / raw)
  To: Dmitry Kasatkin
  Cc: linux-ima-devel, linux-security-module, linux-kernel, dmitry.kasatkin

On Wed, 2014-09-03 at 10:29 +0300, Dmitry Kasatkin wrote: 
> Integrity subsystem got lots of options and takes more than half
> of security menu.
> 
> This patch moves integrity subsystem options to a separate menu.
> It does not affect existing configuration. Re-configuration is
> not needed.
> 
> Changes in v2:
> - previous patch moved integrity out of the 'security' menu.
>   This version keeps integrity as a security option (Mimi).
> 
> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
> ---
>  security/integrity/Kconfig     | 14 ++++++++++++--
>  security/integrity/evm/Kconfig |  9 +--------
>  security/integrity/ima/Kconfig |  3 +--
>  3 files changed, 14 insertions(+), 12 deletions(-)
> 
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index f79d853..a734a83 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -1,7 +1,13 @@
>  #
>  config INTEGRITY
> -	def_bool y
> -	depends on IMA || EVM
> +	bool "Integrity subsystem support"
> +	depends on SECURITY
> +	default y
> +
> +if INTEGRITY
> +
> +menu "Options"
> +

Instead of moving everything to a separate menu, I would leave the
ability to enable/disable IMA and EVM on the security page, but move
their options to separate pages.  So unless someone wants to change the
default options, they're hidden.

There are Kconfig examples for enabling the option in the parent
directory and clicking on the option brings up a separate menu (eg. NET,
WIRELESS).

>  config INTEGRITY_SIGNATURE
>  	boolean "Digital signature verification using multiple keyrings"
> @@ -46,3 +52,7 @@ config INTEGRITY_AUDIT
> 
>  source security/integrity/ima/Kconfig
>  source security/integrity/evm/Kconfig
> +
> +endmenu
> +
> +endif   # if INTEGRITY
> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
> index d606f3d..df20a2f 100644
> --- a/security/integrity/evm/Kconfig
> +++ b/security/integrity/evm/Kconfig
> @@ -1,6 +1,6 @@
>  config EVM
>  	boolean "EVM support"
> -	depends on SECURITY
> +	depends on INTEGRITY

By adding the "if INTEGRITY",  the "depends on INTEGRITY" is redundant.
Please remove the depends here and in the other places.

Mimi

>  	select KEYS
>  	select ENCRYPTED_KEYS
>  	select CRYPTO_HMAC
> @@ -12,10 +12,6 @@ config EVM
> 
>  	  If you are unsure how to answer this question, answer N.
> 
> -if EVM
> -
> -menu "EVM options"
> -
>  config EVM_ATTR_FSUUID
>  	bool "FSUUID (version 2)"
>  	default y
> @@ -47,6 +43,3 @@ config EVM_EXTRA_SMACK_XATTRS
>  	  additional info to the calculation, requires existing EVM
>  	  labeled file systems to be relabeled.
> 
> -endmenu
> -
> -endif
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 08758fb..2477d1e 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -2,8 +2,7 @@
>  #
>  config IMA
>  	bool "Integrity Measurement Architecture(IMA)"
> -	depends on SECURITY
> -	select INTEGRITY
> +	depends on INTEGRITY
>  	select SECURITYFS
>  	select CRYPTO
>  	select CRYPTO_HMAC




* Re: [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu
  2014-09-03 12:35   ` Mimi Zohar
@ 2014-09-03 12:55     ` Dmitry Kasatkin
  2014-09-03 19:47       ` Mimi Zohar
  2014-09-03 13:42     ` Dmitry Kasatkin
  1 sibling, 1 reply; 8+ messages in thread
From: Dmitry Kasatkin @ 2014-09-03 12:55 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-ima-devel, linux-security-module, linux-kernel, dmitry.kasatkin


On 03/09/14 15:35, Mimi Zohar wrote:
> On Wed, 2014-09-03 at 10:29 +0300, Dmitry Kasatkin wrote: 
>> Integrity subsystem got lots of options and takes more than half
>> of security menu.
>>
>> This patch moves integrity subsystem options to a separate menu.
>> It does not affect existing configuration. Re-configuration is
>> not needed.
>>
>> Changes in v2:
>> - previous patch moved integrity out of the 'security' menu.
>>   This version keeps integrity as a security option (Mimi).
>>
>> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
>> ---
>>  security/integrity/Kconfig     | 14 ++++++++++++--
>>  security/integrity/evm/Kconfig |  9 +--------
>>  security/integrity/ima/Kconfig |  3 +--
>>  3 files changed, 14 insertions(+), 12 deletions(-)
>>
>> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
>> index f79d853..a734a83 100644
>> --- a/security/integrity/Kconfig
>> +++ b/security/integrity/Kconfig
>> @@ -1,7 +1,13 @@
>>  #
>>  config INTEGRITY
>> -	def_bool y
>> -	depends on IMA || EVM
>> +	bool "Integrity subsystem support"
>> +	depends on SECURITY
>> +	default y
>> +
>> +if INTEGRITY
>> +
>> +menu "Options"
>> +
> Instead of moving everything to a separate menu, I would leave the
> ability to enable/disable IMA and EVM on the security page, but move
> their options to separate pages.  So unless someone wants to change the
> default options, they're hidden.
>
> There are Kconfig examples for enabling the option in the parent
> directory and clicking on the option brings up a separate menu (eg. NET,
> WIRELESS).

Hi,

I posted this patch already 3 times before. This is 4th time.

In last post you answered:

"Agreed, but this patch moves integrity out of the 'security' menu.  The
following keeps integrity as a security option."

Now you tell me this?

- Dmitry

>>  config INTEGRITY_SIGNATURE
>>  	boolean "Digital signature verification using multiple keyrings"
>> @@ -46,3 +52,7 @@ config INTEGRITY_AUDIT
>>
>>  source security/integrity/ima/Kconfig
>>  source security/integrity/evm/Kconfig
>> +
>> +endmenu
>> +
>> +endif   # if INTEGRITY
>> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
>> index d606f3d..df20a2f 100644
>> --- a/security/integrity/evm/Kconfig
>> +++ b/security/integrity/evm/Kconfig
>> @@ -1,6 +1,6 @@
>>  config EVM
>>  	boolean "EVM support"
>> -	depends on SECURITY
>> +	depends on INTEGRITY
> By adding the "if INTEGRITY",  the "depends on INTEGRITY" is redundant.
> Please remove the depends here and in the other places.
>
> Mimi
>
>>  	select KEYS
>>  	select ENCRYPTED_KEYS
>>  	select CRYPTO_HMAC
>> @@ -12,10 +12,6 @@ config EVM
>>
>>  	  If you are unsure how to answer this question, answer N.
>>
>> -if EVM
>> -
>> -menu "EVM options"
>> -
>>  config EVM_ATTR_FSUUID
>>  	bool "FSUUID (version 2)"
>>  	default y
>> @@ -47,6 +43,3 @@ config EVM_EXTRA_SMACK_XATTRS
>>  	  additional info to the calculation, requires existing EVM
>>  	  labeled file systems to be relabeled.
>>
>> -endmenu
>> -
>> -endif
>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>> index 08758fb..2477d1e 100644
>> --- a/security/integrity/ima/Kconfig
>> +++ b/security/integrity/ima/Kconfig
>> @@ -2,8 +2,7 @@
>>  #
>>  config IMA
>>  	bool "Integrity Measurement Architecture(IMA)"
>> -	depends on SECURITY
>> -	select INTEGRITY
>> +	depends on INTEGRITY
>>  	select SECURITYFS
>>  	select CRYPTO
>>  	select CRYPTO_HMAC
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



* Re: [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu
  2014-09-03 12:35   ` Mimi Zohar
  2014-09-03 12:55     ` Dmitry Kasatkin
@ 2014-09-03 13:42     ` Dmitry Kasatkin
  1 sibling, 0 replies; 8+ messages in thread
From: Dmitry Kasatkin @ 2014-09-03 13:42 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-ima-devel, linux-security-module, linux-kernel, dmitry.kasatkin

On 03/09/14 15:35, Mimi Zohar wrote:
> On Wed, 2014-09-03 at 10:29 +0300, Dmitry Kasatkin wrote: 
>> Integrity subsystem got lots of options and takes more than half
>> of security menu.
>>
>> This patch moves integrity subsystem options to a separate menu.
>> It does not affect existing configuration. Re-configuration is
>> not needed.
>>
>> Changes in v2:
>> - previous patch moved integrity out of the 'security' menu.
>>   This version keeps integrity as a security option (Mimi).
>>
>> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
>> ---
>>  security/integrity/Kconfig     | 14 ++++++++++++--
>>  security/integrity/evm/Kconfig |  9 +--------
>>  security/integrity/ima/Kconfig |  3 +--
>>  3 files changed, 14 insertions(+), 12 deletions(-)
>>
>> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
>> index f79d853..a734a83 100644
>> --- a/security/integrity/Kconfig
>> +++ b/security/integrity/Kconfig
>> @@ -1,7 +1,13 @@
>>  #
>>  config INTEGRITY
>> -	def_bool y
>> -	depends on IMA || EVM
>> +	bool "Integrity subsystem support"
>> +	depends on SECURITY
>> +	default y
>> +
>> +if INTEGRITY
>> +
>> +menu "Options"
>> +
> Instead of moving everything to a separate menu, I would leave the
> ability to enable/disable IMA and EVM on the security page, but move
> their options to separate pages.  So unless someone wants to change the
> default options, they're hidden.
>
> There are Kconfig examples for enabling the option in the parent
> directory and clicking on the option brings up a separate menu (eg. NET,
> WIRELESS).

Actually it is better to have it as a separate menu, because there are
integrity-level options there, such as auditing or digital
signatures. It is nice to have them all in one place.

>>  config INTEGRITY_SIGNATURE
>>  	boolean "Digital signature verification using multiple keyrings"
>> @@ -46,3 +52,7 @@ config INTEGRITY_AUDIT
>>
>>  source security/integrity/ima/Kconfig
>>  source security/integrity/evm/Kconfig
>> +
>> +endmenu
>> +
>> +endif   # if INTEGRITY
>> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
>> index d606f3d..df20a2f 100644
>> --- a/security/integrity/evm/Kconfig
>> +++ b/security/integrity/evm/Kconfig
>> @@ -1,6 +1,6 @@
>>  config EVM
>>  	boolean "EVM support"
>> -	depends on SECURITY
>> +	depends on INTEGRITY
> By adding the "if INTEGRITY",  the "depends on INTEGRITY" is redundant.
> Please remove the depends here and in the other places.

Will do.

- Dmitry
> Mimi
>
>>  	select KEYS
>>  	select ENCRYPTED_KEYS
>>  	select CRYPTO_HMAC
>> @@ -12,10 +12,6 @@ config EVM
>>
>>  	  If you are unsure how to answer this question, answer N.
>>
>> -if EVM
>> -
>> -menu "EVM options"
>> -
>>  config EVM_ATTR_FSUUID
>>  	bool "FSUUID (version 2)"
>>  	default y
>> @@ -47,6 +43,3 @@ config EVM_EXTRA_SMACK_XATTRS
>>  	  additional info to the calculation, requires existing EVM
>>  	  labeled file systems to be relabeled.
>>
>> -endmenu
>> -
>> -endif
>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>> index 08758fb..2477d1e 100644
>> --- a/security/integrity/ima/Kconfig
>> +++ b/security/integrity/ima/Kconfig
>> @@ -2,8 +2,7 @@
>>  #
>>  config IMA
>>  	bool "Integrity Measurement Architecture(IMA)"
>> -	depends on SECURITY
>> -	select INTEGRITY
>> +	depends on INTEGRITY
>>  	select SECURITYFS
>>  	select CRYPTO
>>  	select CRYPTO_HMAC
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



* Re: [PATCH v2 2/3] integrity: move integrity subsystem options to a separate menu
  2014-09-03 12:55     ` Dmitry Kasatkin
@ 2014-09-03 19:47       ` Mimi Zohar
  0 siblings, 0 replies; 8+ messages in thread
From: Mimi Zohar @ 2014-09-03 19:47 UTC (permalink / raw)
  To: Dmitry Kasatkin
  Cc: linux-ima-devel, linux-security-module, linux-kernel, dmitry.kasatkin

On Wed, 2014-09-03 at 15:55 +0300, Dmitry Kasatkin wrote: 
> On 03/09/14 15:35, Mimi Zohar wrote:
> > On Wed, 2014-09-03 at 10:29 +0300, Dmitry Kasatkin wrote: 
> >> Integrity subsystem got lots of options and takes more than half
> >> of security menu.
> >>
> >> This patch moves integrity subsystem options to a separate menu.
> >> It does not affect existing configuration. Re-configuration is
> >> not needed.
> >>
> >> Changes in v2:
> >> - previous patch moved integrity out of the 'security' menu.
> >>   This version keeps integrity as a security option (Mimi).
> >>
> >> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
> >> ---
> >>  security/integrity/Kconfig     | 14 ++++++++++++--
> >>  security/integrity/evm/Kconfig |  9 +--------
> >>  security/integrity/ima/Kconfig |  3 +--
> >>  3 files changed, 14 insertions(+), 12 deletions(-)
> >>
> >> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> >> index f79d853..a734a83 100644
> >> --- a/security/integrity/Kconfig
> >> +++ b/security/integrity/Kconfig
> >> @@ -1,7 +1,13 @@
> >>  #
> >>  config INTEGRITY
> >> -	def_bool y
> >> -	depends on IMA || EVM
> >> +	bool "Integrity subsystem support"
> >> +	depends on SECURITY
> >> +	default y
> >> +
> >> +if INTEGRITY
> >> +
> >> +menu "Options"
> >> +
> > Instead of moving everything to a separate menu, I would leave the
> > ability to enable/disable IMA and EVM on the security page, but move
> > their options to separate pages.  So unless someone wants to change the
> > default options, they're hidden.
> >
> > There are Kconfig examples for enabling the option in the parent
> > directory and clicking on the option brings up a separate menu (eg. NET,
> > WIRELESS).
> 
> Hi,
> 
> I posted this patch already 3 times before. This is 4th time.
> 
> In last post you answered:
> 
> "Agreed, but this patch moves integrity out of the 'security' menu.  The
> following keeps integrity as a security option."
> 
> Now you tell me this?

The current change just doesn't look right.

[] Integrity subsystem support
   [] Options

I should be able to just click on "Integrity subsystem support", not the
"Options", to bring up the integrity menu.  Unfortunately, "menuconfig"
moves the integrity option out of the security menu.

Bringing everything under INTEGRITY is fine.  All of the other security
subsystems are listed in the security menu.  I really don't see a
problem with leaving integrity there too.  For now, let's just drop the
"Options" menu.

Mimi

> 
> - Dmitry
> 
> >>  config INTEGRITY_SIGNATURE
> >>  	boolean "Digital signature verification using multiple keyrings"
> >> @@ -46,3 +52,7 @@ config INTEGRITY_AUDIT
> >>
> >>  source security/integrity/ima/Kconfig
> >>  source security/integrity/evm/Kconfig
> >> +
> >> +endmenu
> >> +
> >> +endif   # if INTEGRITY
> >> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
> >> index d606f3d..df20a2f 100644
> >> --- a/security/integrity/evm/Kconfig
> >> +++ b/security/integrity/evm/Kconfig
> >> @@ -1,6 +1,6 @@
> >>  config EVM
> >>  	boolean "EVM support"
> >> -	depends on SECURITY
> >> +	depends on INTEGRITY
> > By adding the "if INTEGRITY",  the "depends on INTEGRITY" is redundant.
> > Please remove the depends here and in the other places.
> >
> > Mimi
> >
> >>  	select KEYS
> >>  	select ENCRYPTED_KEYS
> >>  	select CRYPTO_HMAC
> >> @@ -12,10 +12,6 @@ config EVM
> >>
> >>  	  If you are unsure how to answer this question, answer N.
> >>
> >> -if EVM
> >> -
> >> -menu "EVM options"
> >> -
> >>  config EVM_ATTR_FSUUID
> >>  	bool "FSUUID (version 2)"
> >>  	default y
> >> @@ -47,6 +43,3 @@ config EVM_EXTRA_SMACK_XATTRS
> >>  	  additional info to the calculation, requires existing EVM
> >>  	  labeled file systems to be relabeled.
> >>
> >> -endmenu
> >> -
> >> -endif
> >> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> >> index 08758fb..2477d1e 100644
> >> --- a/security/integrity/ima/Kconfig
> >> +++ b/security/integrity/ima/Kconfig
> >> @@ -2,8 +2,7 @@
> >>  #
> >>  config IMA
> >>  	bool "Integrity Measurement Architecture(IMA)"
> >> -	depends on SECURITY
> >> -	select INTEGRITY
> >> +	depends on INTEGRITY
> >>  	select SECURITYFS
> >>  	select CRYPTO
> >>  	select CRYPTO_HMAC
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 



