On Fri, Jun 13, 2025 at 4:35 PM Mimi Zohar <zo...@linux.ibm.com> wrote: > On Wed, 2025-06-11 at 16:27 -0400, Paul Moore wrote: > > On Fri, May 30, 2025 at 6:04 PM Mimi Zohar <zo...@linux.ibm.com> wrote: > > > On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote: > > > > This patch converts IMA and EVM to use the LSM frameworks's initcall > > > > mechanism. There were two challenges to doing this conversion: the > > > > first simply being the number of initcalls across IMA and EVM, and the > > > > second was the number of resources shared between the two related, > > > > yet independent LSMs. > > > > > > There are a number of the initcalls under integrity/platform/, which load > > > arch > > > specific keys onto the platform and machine keyrings, which shouldn't be > > > included in this patch. > > > > I don't want to assume too much from your reply, but if the cert/key > > loading under integrity/platform shouldn't be subject to the LSM > > initcall rework, that implies that the integrity/platform cert/key > > loading is independent of IMA/EVM and should perhaps live somewhere > > else, e.g. security/keys? > > > > Or am I misunderstanding something? > > When the .platform keyring was upstreamed it was upstreamed for a very > specific > purpose so that IMA could verify the kexec kernel image. Afterwareds it was > immediately used to verify the pesigned kexec image. Now it is being (ab)used > by other subsystems - ipe and dm-verity - and is being proposed by the "[PATCH > RFC 0/1] module: Optionally use .platform keyring for signatures > verification". > From an integrity perspective this is definitely not a good idea. The > discussion, which I'm sure you're aware of, is here: > https://lore.kernel.org/linux-integrity/20250602132535.897944-1-vkuzn...@redhat.com/ > > It does not make any sense to move the code for the platform and machine > keyrings to security/keys. If they need to move anywhere, it would be to the > certs/ directory.
To bring some off-list discussions back on-list, and wrap up this thread, Mimi has agreed to move the platform and machine keyring code to the certs/ directory as they are no longer IMA/EVM-only keyrings. I'll also be dropping them from the next revision of LSM initialization rework patchset will be posted at some point this evening (waiting on a testing refresh). -- paul-moore.com
