linux-kernel.vger.kernel.org archive mirror
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com,
	mathew.j.martineau@linux.intel.com, matthewgarrett@google.com,
	sashal@kernel.org, jamorris@linux.microsoft.com,
	linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH 1/4] IMA: Define an IMA hook to measure keys
Date: Tue, 07 Jan 2020 14:26:34 -0800	[thread overview]
Message-ID: <1578435994.4288.9.camel@HansenPartnership.com> (raw)
In-Reply-To: <20200107194350.3782-2-nramas@linux.microsoft.com>

On Tue, 2020-01-07 at 11:43 -0800, Lakshmi Ramasubramanian wrote:
[...]
> diff --git a/security/integrity/ima/Kconfig
> b/security/integrity/ima/Kconfig
> index 838476d780e5..73a3974712d8 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -310,3 +310,12 @@ config IMA_APPRAISE_SIGNED_INIT
>  	default n
>  	help
>  	   This option requires user-space init to be signed.
> +
> +config IMA_MEASURE_ASYMMETRIC_KEYS
> +	bool "Enable measuring asymmetric keys on key create or
> update"

I don't believe there's a need to expose this to the person configuring
the kernel, is there?  It's just one more option no-one really wants to
have to understand.  Without the text following bool and the help, this
becomes a hidden config option, which is what I think it should be.

> +	depends on IMA=y

Not that it matters, but IMA is a bool, so this can be simply depends
on IMA

> +	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y

We only need the =y here because the variable is a tristate, so this
becomes n for both the n and m cases.

> +	default y
> +	help
> +	   This option enables measuring asymmetric keys when
> +	   the key is created or updated.

And drop the help entry.  For future information, help text must be tab
followed by two spaces, not three ... checkpatch doesn't actually catch
this, unfortunately.

James
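James's two points about `depends on IMA` versus `depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y` come down to how kconfig evaluates tristate dependencies for a bool symbol. The following Python model is an added example written for this archive page; it is not code from the patch series nor from the kernel's scripts/kconfig, and it assumes the standard kconfig rules that `&&` is a minimum over the ordering n < m < y, that `=y` yields only y or n, and that a bool symbol promotes an 'm' dependency result to 'y'. The function and symbol names below are this example's own.

```python
"""Small model of how kconfig evaluates `depends on` for a promptless bool
symbol with `default y`, to show why the patch needs
`depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y` but gains nothing from
`depends on IMA=y`.

Added illustration for this thread, not kernel code. It models only the
subset of scripts/kconfig semantics needed here: tristate and/eq, and
the promotion of an 'm' dependency result to 'y' for bool symbols.
"""

# kconfig tristate ordering: n < m < y.
RANK = {"n": 0, "m": 1, "y": 2}


def tri_and(a, b):
    """`A && B` on tristates is the minimum of the two values."""
    return a if RANK[a] < RANK[b] else b


def tri_eq(a, b):
    """`A=B` compares the two tristate values and yields only y or n."""
    return "y" if a == b else "n"


def bool_visibility(dep):
    """A bool symbol cannot be 'm': an 'm' dependency result is promoted to 'y'."""
    return "y" if dep == "m" else dep


def hidden_bool_default_y(dep):
    """Value of a bool with no prompt and `default y` under dependency `dep`.

    A promptless symbol takes its first visible default; the default is
    limited by the (promoted) dependency value.
    """
    return tri_and("y", bool_visibility(dep))


def measure_keys_value(ima, subtype, compare_subtype_to_y):
    """Evaluate the patch's IMA_MEASURE_ASYMMETRIC_KEYS symbol.

    ima:     value of IMA (a bool, so only 'y' or 'n')
    subtype: value of ASYMMETRIC_PUBLIC_KEY_SUBTYPE (tristate: 'y', 'm', 'n')
    compare_subtype_to_y: True for `depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y`,
                          False for plain `depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE`
    """
    if ima not in ("y", "n"):
        raise ValueError("IMA is a bool")
    if subtype not in RANK:
        raise ValueError("bad tristate value")
    # For a bool, `IMA=y` and plain `IMA` evaluate identically.
    ima_dep = tri_eq(ima, "y")
    assert ima_dep == ima
    sub_dep = tri_eq(subtype, "y") if compare_subtype_to_y else subtype
    return hidden_bool_default_y(tri_and(ima_dep, sub_dep))


def truth_table(compare_subtype_to_y):
    """Symbol value for every combination of IMA and the subtype."""
    return {(ima, sub): measure_keys_value(ima, sub, compare_subtype_to_y)
            for ima in ("y", "n") for sub in ("y", "m", "n")}


if __name__ == "__main__":
    for label, flag in (("depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y", True),
                        ("depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE", False)):
        print(label)
        for (ima, sub), val in truth_table(flag).items():
            print(f"  IMA={ima} SUBTYPE={sub} -> IMA_MEASURE_ASYMMETRIC_KEYS={val}")
```

The only row that differs between the two forms is IMA=y with the subtype built as a module: with the `=y` comparison the dependency evaluates to n and the hidden bool stays off, whereas with a plain `depends on` the 'm' result is promoted to 'y' and a built-in IMA hook would be enabled against code that only exists as a module. For IMA itself, which is a bool, `IMA=y` and `IMA` give the same result in every row, which is the substance of James's first remark.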



Thread overview: 7+ messages
2020-01-07 19:43 [PATCH 0/4] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2020-01-07 19:43 ` [PATCH 1/4] IMA: Define an IMA hook to measure keys Lakshmi Ramasubramanian
2020-01-07 22:26   ` James Bottomley [this message]
2020-01-07 19:43 ` [PATCH 2/4] KEYS: Call the " Lakshmi Ramasubramanian
2020-01-07 22:51   ` Mimi Zohar
2020-01-07 19:43 ` [PATCH 3/4] IMA: Add support to limit measuring keys Lakshmi Ramasubramanian
2020-01-07 19:43 ` [PATCH 4/4] IMA: Read keyrings= option from the IMA policy Lakshmi Ramasubramanian
