Re: [PATCH] integrity: Allow ima_appraise bootparam to be set when SB is enabled

From: Nayna
Date: Thu Apr 28 2022 - 18:08:45 EST

On 4/25/22 18:21, Eric Snowberg wrote:
The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
modes (log, fix, enforce) to be configured at boot time. When booting
with Secure Boot enabled, all modes are ignored except enforce. To use
log or fix, Secure Boot must be disabled.

With a policy such as:

appraise func=BPRM_CHECK appraise_type=imasig

A user may just want to audit signature validation. Not all users
are interested in full enforcement and find the audit log appropriate
for their use case.

Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
to work when Secure Boot is enabled.

Tianocore(UEFI Reference Implementation) defines four secure boot modes, one of which is Audit Mode. Refer to last few lines of Feature Summary section in Readme.MD ( Based on the reference, IMA appraise_mode="log" should probably work in coordination with AuditMode.

Thanks & Regards,

    - Nayna