[PATCH v2] ima: defer arch_ima_get_secureboot() call to IMA init time
Mimi Zohar
zohar at linux.ibm.com
Wed Oct 14 06:45:41 AEDT 2020
On Tue, 2020-10-13 at 18:59 +0200, Ard Biesheuvel wrote:
> Suggestion: can we take the get_sb_mode() code from ima_arch.c in
> arch/x86, and generalize it for all EFI architectures? That way, we
> can enable 32-bit ARM and RISC-V seamlessly once someone gets around
> to enabling IMA on those platforms. In fact, get_sb_mode() itself
> should probably be factored out into a generic helper for use outside
> of IMA as well (Xen/x86 has code that does roughly the same already)
On Power, there are three different policies - secure, trusted, and
secure & trusted boot policy rules. Based on whether secure or trusted
boot is enabled, the appropriate policy is enabled. On x86, if
secure_boot is enabled (and CONFIG_IMA_ARCH_POLICY is enabled) both the
secure and trusted boot rules are defined. Is this design fine enough
granularity or should there be a get_trustedboot_mode() function
as well?

Agreed, the code should not be duplicated across arch's. As for making
get_sb_mode() generic, not dependent on IMA, where would it reside?
Would this be in EFI?
thanks,
Mimi