On Fri, 2025-09-12 at 09:32 +0200, Petr Vorel wrote:
> Since kernel 6.6 policy needs to be signed on enabled UEFI secure boot.
> Skip testing in that case.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b
>
> This fixes errors:
>
> ima_policy 2 TINFO: verify that policy file is not opened concurrently
> and able to loaded multiple times
> ima_policy 2 TFAIL: problem loading or extending policy (may require
> policy to be signed)
> https://openqa.suse.de/tests/18723792#step/ima_conditionals/6
>
> ima_conditionals 1 TINFO: verify measuring user files when requested via
> uid
> echo: write error: Permission denied
> ima_conditionals 1 TBROK: echo measure uid=65534 >
> /sys/kernel/security/ima/policy failed
>
> Ideally there would be a test which checks that unsigned policy cannot be
> written.
>
> Signed-off-by: Petr Vorel <[email protected]>

Thanks, Petr.

Reviewed-by: Mimi Zohar <[email protected]>

At some point, consider adding support for signing policy rules, if the
private/public keypair is provided.

Mimi
