Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

From: David Howells
Date: Mon Oct 30 2017 - 11:49:55 EST

Next message: Russell King - ARM Linux: "Re: [PATCH] ARM: add a private asm/unaligned.h"
Previous message: SF Markus Elfring: "[PATCH 3/3] pinctrl: mcp23s08: Combine two function calls in mcp23s08_dbg_show()"
In reply to: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Next in thread: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> Huh?! ÂWith the "secure_boot" policy enabled on the boot command line,
> IMA-appraisal would verify the kexec kernel image, firmware, kernel
> modules, and custom IMA policy signatures.

What happens if the "secure_boot" policy isn't enabled on the boot command
line? Can you sum up both cases in a paragraph I can add to the patch
description?

> Other patches in this patch series need to be updated as well to check
> if IMA-appraisal is enabled.

Which exactly? I've added your "!is_ima_appraise_enabled() &&" line to
kexec_file() and module_sig_check(). Anything else?

David

Next message: Russell King - ARM Linux: "Re: [PATCH] ARM: add a private asm/unaligned.h"
Previous message: SF Markus Elfring: "[PATCH 3/3] pinctrl: mcp23s08: Combine two function calls in mcp23s08_dbg_show()"
In reply to: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Next in thread: Mimi Zohar: "Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]