On Thu, 2025-09-11 at 15:30 -0400, Paul Moore wrote:
> On Mon, Sep 8, 2025 at 6:34 PM Mimi Zohar <zo...@linux.ibm.com> wrote:
> > On Sun, 2025-09-07 at 21:05 -0400, Paul Moore wrote:
> > > > The "unrelated to IMA/EVM" wording misses the point. An exception
> > > > was made to load the pre-boot keys onto the .platform keyring in
> > > > order for IMA/EVM to verify the kexec kernel image appended
> > > > signature. This exception was subsequently extended to verifying
> > > > the pesigned kexec kernel image signature. (Other subsystems are
> > > > abusing the keys on the .platform keyring to verify other
> > > > signatures.)
> > > >
> > > > Instead of saying "unrelated to IMA/EVM", how about saying
> > > > something along the lines of "IMA has a dependency on the platform
> > > > and machine keyrings, but this dependency isn't limited to
> > > > IMA/EVM."
> > > >
> > > > Paul, this patch set doesn't apply cleanly to Linus's tree. What
> > > > is the base commit?
> > >
> > > It would have been based on the lsm/dev branch since the LSM tree is
> > > the target, however, given the scope of the patchset and the fact that
> > > it has been several weeks since it was originally posted, I wouldn't
> > > be surprised if it needs some fuzzing when applied on top of lsm/dev
> > > too.
> >
> > Thanks, Paul. I was able to apply the patches and run some regression
> > tests.
>
> Mimi, I know you already tagged Roberto's patch with a 'Reviewed-by'
> tag, but I wanted to follow up and see if you were comfortable
> converting that into an ACK, or if you wanted more time to review
> Roberto's patch? No wrong answers, just trying to understand where
> you are at with this patch.

Please don't convert the Reviewed-by tag quite yet to an Ack. I'd really
like to review the entire patch set and do some additional testing.

thanks,

Mimi