On Fri, 2025-08-22 at 16:45 -0400, Paul Moore wrote:
> On Thu, Aug 14, 2025 at 6:55 PM Paul Moore <[email protected]> wrote:
> >
> > This patch converts IMA and EVM to use the LSM framework's initcall
> > mechanism. There was a minor challenge in this conversion that wasn't
> > seen when converting the other LSMs brought about by the resource
> > sharing between the two related, yet independent IMA and EVM LSMs.
> > This was resolved by registering the same initcalls for each LSM and
> > including code in each registered initcall to ensure it only executes
> > once during each boot.
> >
> > It is worth mentioning that this patch does not touch any of the
> > "platform certs" code that lives in the security/integrity/platform_certs
> > directory as the IMA/EVM maintainers have assured me that this code is
> > unrelated to IMA/EVM, despite the location, and will be moved to a more
> > relevant subsystem in the future.
The "unrelated to IMA/EVM" wording misses the point. An exception was made to load the pre-boot keys onto the .platform keyring in order for IMA/EVM to verify the kexec kernel image appended signature. This exception was subsequently extended to verifying the pesigned kexec kernel image signature. (Other subsystems are abusing the keys on the .platform keyring to verify other signatures.)

Instead of saying "unrelated to IMA/EVM", how about saying something along the lines of "IMA has a dependency on the platform and machine keyrings, but this dependency isn't limited to IMA/EVM."

Paul, this patch set doesn't apply cleanly to Linus's tree. What is the base commit?

Mimi
