On Tue, 2015-05-12 at 11:23 +0200, Patrick Ohly wrote:
> On Mon, 2015-05-11 at 15:42 +0200, Patrick Ohly wrote:
> > Note that there is no kernel output at all when loading the policy
> > (neither on success nor when it fails the signature check). Some more
> > verbosity would have been useful. At least I couldn't figure out whether
> > the kernel even tried to load the policy. Even with the .sig file in
> > place and ima_load as boot parameter, the policy still doesn't get
> > loaded.
>
> After adding some more output to the kernel I figured out why it didn't
> work: the IMA_LOAD_POLICY kernel feature depends on a
> "IMA_POLICY_LOADER" config option which does not exist (and never has,
> at least not in the public kernel tree). Therefore IMA_LOAD_POLICY
> cannot be enabled and the kernel code isn't actually active. The
> attached patch fixes that, and now it works for me.
>
> However, I'm really scratching my head. How did policy loading work for
> you when you wrote the Tizen Wiki instructions?

Answering myself: I was using patches from the ima-control-experimental
branch in
git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git; that
has the broken Kconfig. The backport (?) to the 3.14 kernel in
sandbox/jkozerski/ima-evm is not affected. It also has a patch which
removes the need to add "ima_load" to the boot parameters.

It looks like a lot more work will be needed to clean up these
experimental patches. I'm now going back to the official upstream
IMA/EVM in the 3.19 kernel.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
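
A check for the failure described in this message (a `depends on` that names a symbol no Kconfig file defines, which silently keeps the feature disabled), as an added example that is not part of the original mail or of any kernel tree. The Kconfig fragment, the file name `Kconfig.sample` and the function name are constructed for illustration; the parser is a simplification that assumes help text is the last attribute of an entry.

```python
import re

# Constructed Kconfig fragment (not copied from any tree): IMA_LOAD_POLICY
# depends on IMA_POLICY_LOADER, which nothing defines.
SAMPLE_KCONFIG = """\
config IMA
    bool "Integrity Measurement Architecture"
    depends on SECURITY

config SECURITY
    bool "Enable different security models"

config IMA_LOAD_POLICY
    bool "Load IMA policy at boot"
    depends on IMA && IMA_POLICY_LOADER
    help
      Prose inside help text, such as a line starting with
      depends on SOMETHING_ELSE, must not be parsed.
"""

DEF_RE = re.compile(r"^\s*(?:menu)?config\s+(\w+)\s*$")
DEP_RE = re.compile(r"^\s*depends\s+on\s+(.*)$")

def dangling_dependencies(files):
    """files: {path: Kconfig text} -> sorted [(path, entry, undefined symbol)]."""
    defined, uses = set(), []
    for path, text in files.items():
        current, in_help = "-", False
        for line in text.replace("\\\n", " ").splitlines():
            if in_help and (not line.strip() or line[0] in " \t"):
                continue  # still inside the indented help body
            in_help = False
            line = line.split("#", 1)[0]
            dep = DEP_RE.match(line)
            if DEF_RE.match(line):
                current = DEF_RE.match(line).group(1)
                defined.add(current)
            elif line.strip() in ("help", "---help---"):
                in_help = True
            elif dep:
                expr = re.sub(r'"[^"]*"', " ", dep.group(1))  # drop string literals
                for sym in re.findall(r"\w+", expr):
                    if sym not in ("y", "m", "n") and not sym.isdigit():
                        uses.append((path, current, sym))
    # Resolve only after every file is read: definitions may come later.
    return sorted({u for u in uses if u[2] not in defined})

if __name__ == "__main__":
    for path, entry, sym in dangling_dependencies({"Kconfig.sample": SAMPLE_KCONFIG}):
        print(f"{path}: {entry} depends on undefined symbol {sym}")
```

Run over every Kconfig file of a tree at once, since a symbol may be defined in a different file from the one that depends on it.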
