From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0EB0C433DF for ; Tue, 13 Oct 2020 06:59:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 51E3D21582 for ; Tue, 13 Oct 2020 06:59:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1602572361; bh=MsewuQOJT/wXiW46OehDHWV7hm6+8FWK9p28D9EVkwQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:List-ID:From; b=RA1sYPBgjJIMn06j5HoUFgmKPpOxfSFRORrj5ALWDLKwG3OXhj44NZGcMCaBjxK7N /RDzAAUYShS0GxWIkkbrLCpYIrwC+jGUDrvrqX74qGvKRU0cxiJwJV5KdAk1fzLTVM iOlvAT8BIr0VDdebbtviDwKjcrzbDVq0YHEFjrMk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732556AbgJMG7U (ORCPT ); Tue, 13 Oct 2020 02:59:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:45156 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727353AbgJMG7U (ORCPT ); Tue, 13 Oct 2020 02:59:20 -0400 Received: from mail-oi1-f174.google.com (mail-oi1-f174.google.com [209.85.167.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 547E720797; Tue, 13 Oct 2020 06:59:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1602572359; bh=MsewuQOJT/wXiW46OehDHWV7hm6+8FWK9p28D9EVkwQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=EgcDUHEHrfPVidj5EugL6yu2g2ITDLQTfHjUbdogcWroG1ciS41T+BbFnuD3szL4M v2ve0+qKH/CM/wm3O2Dxd9cXze0xlK9lsJsm70RZ86456oiRT4ad1XGl0VSI42bfin aPN3PdfTVeyZJOYMNvvYW2tGUT+aXPGTDkrC4U+I= Received: by mail-oi1-f174.google.com with SMTP id t77so21447636oie.4; Mon, 12 Oct 2020 23:59:19 -0700 (PDT) X-Gm-Message-State: AOAM530V+wfFtjAJzlbbZwpOLW9pdRIZ+/fkpf7DItRoLqQhI4FCGcdi C7D/rnOA1oegnnY6+B3lPZeONhgp3NafbjJvovc= X-Google-Smtp-Source: ABdhPJyN/h+J29thUNFJa4d27RQWpUv7YcAxi8l5038ROzT3Mq+4mXzc3tQ9EWfXOH5/8xKQIm6xa1A6Gs5j70rnZ8c= X-Received: by 2002:aca:d64f:: with SMTP id n76mr13668902oig.174.1602572358590; Mon, 12 Oct 2020 23:59:18 -0700 (PDT) MIME-Version: 1.0 References: <20201012083631.12724-1-ardb@kernel.org> In-Reply-To: From: Ard Biesheuvel Date: Tue, 13 Oct 2020 08:59:07 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] ima: defer arch_ima_get_secureboot() call to IMA init time To: Mimi Zohar Cc: linux-efi , linux-integrity , linux-security-module@vger.kernel.org, Chester Lin , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org On Mon, 12 Oct 2020 at 23:29, Mimi Zohar wrote: > > Hi Ard, > > On Mon, 2020-10-12 at 10:36 +0200, Ard Biesheuvel wrote: > > Chester reports that it is necessary to introduce a new way to pass > > the EFI secure boot status between the EFI stub and the core kernel > > on ARM systems. The usual way of obtaining this information is by > > checking the SecureBoot and SetupMode EFI variables, but this can > > only be done after the EFI variable workqueue is created, which > > occurs in a subsys_initcall(), whereas arch_ima_get_secureboot() > > is called much earlier by the IMA framework. > > > > However, the IMA framework itself is started as a late_initcall, > > and the only reason the call to arch_ima_get_secureboot() occurs > > so early is because it happens in the context of a __setup() > > callback that parses the ima_appraise= command line parameter. > > > > So let's refactor this code a little bit, by using a core_param() > > callback to capture the command line argument, and deferring any > > reasoning based on its contents to the IMA init routine. > > Other than this patch needing to be on top of commit e4d7e2df3a09 > ("ima: limit secure boot feedback scope for appraise"), it looks good. > Thanks Mimi, I will rebase and resend.