Google Git
Sign in
linux / linux / kernel / git / zohar / linux-integrity / 56dc986a6b20b20aab1b76e0d8bff79954a00333
commit56dc986a6b20b20aab1b76e0d8bff79954a00333[log] [tgz]
authorCoiby Xu <coxu@redhat.com>Wed Jul 26 10:08:05 2023 +0800
committerMimi Zohar <zohar@linux.ibm.com>Tue Aug 01 08:18:11 2023 -0400
tree8dac3db48e573eea858c51945f8282e3c90d020e
parentf20765fdfdc2c8f47b41cb08489fdad3194a8465 [diff]
ima: require signed IMA policy when UEFI secure boot is enabled

With commit 099f26f22f58 ("integrity: machine keyring CA
configuration"), users are able to add custom IMA CA keys via
MOK.  This allows users to sign their own IMA polices without
recompiling the kernel. For the sake of security, mandate signed IMA
policy when UEFI secure boot is enabled.

Note this change may affect existing users/tests i.e users won't be able
to load an unsigned IMA policy when the IMA architecture specific policy
is configured and UEFI secure boot is enabled.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
1 file changed
tree: 8dac3db48e573eea858c51945f8282e3c90d020e
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. io_uring/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. rust/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .cocciconfig
  27. .get_maintainer.ignore
  28. .gitattributes
  29. .gitignore
  30. .mailmap
  31. .rustfmt.toml
  32. COPYING
  33. CREDITS
  34. Kbuild
  35. Kconfig
  36. MAINTAINERS
  37. Makefile
  38. README