On Wed, Feb 13, 2019 at 4:18 AM Mimi Zohar <zo...@linux.ibm.com> wrote: > - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { > + if (IS_ENABLED(CONFIG_MODULE_SIG)) > + set_module_sig_enforced(); > return sb_arch_rules;
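Review bot: the added set_module_sig_enforced() call under `if (IS_ENABLED(CONFIG_MODULE_SIG))` carries no comment explaining why a secure-boot state reported by arch_ima_get_secureboot() should turn module signature enforcement on, and it runs as a side effect on a path whose visible purpose is to return sb_arch_rules. A short comment above the call stating the intended policy, plus a line in the changelog on whether an administrator can opt out, would make the behaviour reviewable. The quoted lines also open a `{` on the outer if without showing its matching `}`; check that the brace closes right after `return sb_arch_rules;`.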
Linus previously pushed back on having the lockdown features automatically enabled on secure boot systems. Why are we doing the same in IMA?