On Sun, 2025-09-07 at 21:05 -0400, Paul Moore wrote:
> > The "unrelated to IMA/EVM" wording misses the point. An exception was made to
> > load the pre-boot keys onto the .platform keyring in order for IMA/EVM to verify
> > the kexec kernel image appended signature. This exception was subsequently
> > extended to verifying the pesigned kexec kernel image signature. (Other
> > subsystems are abusing the keys on the .platform keyring to verify other
> > signatures.)
> >
> > Instead of saying "unrelated to IMA/EVM", how about saying something along the
> > lines of "IMA has a dependency on the platform and machine keyrings, but this
> > dependency isn't limited to IMA/EVM."
> >
> > Paul, this patch set doesn't apply cleanly to Linus's tree. What is the base
> > commit?
>
> It would have been based on the lsm/dev branch since the LSM tree is
> the target, however, given the scope of the patchset and the fact that
> it has been several weeks since it was originally posted, I wouldn't
> be surprised if it needs some fuzzing when applied on top of lsm/dev
> too.

Thanks, Paul. I was able to apply the patches and run some regression tests.

Mimi
