From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D011BCA9EBB for ; Thu, 24 Oct 2019 17:34:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9DAB020650 for ; Thu, 24 Oct 2019 17:34:55 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="FlkyGU6I" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2503842AbfJXRez (ORCPT ); Thu, 24 Oct 2019 13:34:55 -0400 Received: from linux.microsoft.com ([13.77.154.182]:57686 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2503819AbfJXRey (ORCPT ); Thu, 24 Oct 2019 13:34:54 -0400 Received: from [10.137.112.111] (unknown [131.107.147.111]) by linux.microsoft.com (Postfix) with ESMTPSA id E5AD02010AC3; Thu, 24 Oct 2019 10:34:53 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com E5AD02010AC3 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1571938494; bh=QdSrXCYUwtpMpli7Gl4G6qgqXWpnd26Qx0Uoa9NFbl8=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=FlkyGU6IaKamoiEDN/toTRVHqvED/hfEVum2YK7OArrnh9QkY5P2UtdQfRsl4N0jy vkbhCfgVkApKl8t6C8jHxRVPcOjzEMNfQnMzzKFHRN8mkOOm7N5MND7q9f8dTr7dus ixO6+VaWTm+bZrwM3e4YGcc88FR8Wm50wtymCoyg= Subject: Re: [PATCH v9 2/8] powerpc/ima: add support to initialize ima policy rules To: Nayna Jain , linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Michael Ellerman , Benjamin Herrenschmidt , Paul Mackerras , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Greg Kroah-Hartman , Claudio Carvalho , George Wilson , Elaine Palmer , Eric Ricther , Oliver O'Halloran , Prakhar Srivastava References: <20191024034717.70552-1-nayna@linux.ibm.com> <20191024034717.70552-3-nayna@linux.ibm.com> From: Lakshmi Ramasubramanian Message-ID: Date: Thu, 24 Oct 2019 10:35:11 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2 MIME-Version: 1.0 In-Reply-To: <20191024034717.70552-3-nayna@linux.ibm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On 10/23/2019 8:47 PM, Nayna Jain wrote: > +/* > + * The "secure_rules" are enabled only on "secureboot" enabled systems. > + * These rules verify the file signatures against known good values. > + * The "appraise_type=imasig|modsig" option allows the known good signature > + * to be stored as an xattr or as an appended signature. > + * > + * To avoid duplicate signature verification as much as possible, the IMA > + * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE > + * is not enabled. > + */ > +static const char *const secure_rules[] = { > + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > +#ifndef CONFIG_MODULE_SIG_FORCE > + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > +#endif > + NULL > +}; Is there any way to not use conditional compilation in the above array definition? Maybe define different functions to get "secure_rules" for when CONFIG_MODULE_SIG_FORCE is defined and when it is not defined. Just a suggestion. -lakshmi