On Thu, Feb 8, 2024 at 3:06 AM Roberto Sassu roberto.sassu@huaweicloud.com wrote:
On Wed, 2024-02-07 at 22:18 -0500, Paul Moore wrote:
...
I had some pretty minor comments but I think the only thing I saw that I think needs a change/addition is a comment in the Makefile regarding the IMA/EVM ordering; take a look and let me know what you think.
Oh, I remember well, it is there but difficult to spot...
--- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -18,5 +18,6 @@ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_powerpc.o \ platform_certs/keyring_handler.o +# The relative order of the 'ima' and 'evm' LSMs depends on the order below. obj-$(CONFIG_IMA) += ima/ obj-$(CONFIG_EVM) += evm/
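Review bot: the added comment above `obj-$(CONFIG_IMA) += ima/` says the relative order of the 'ima' and 'evm' LSMs depends on the order of the two obj lines, but it does not say which order is required or why it matters. Consider stating the constraint directly, for example that the `ima/` line has to stay ahead of the `evm/` line if that is the intent, and naming what relies on it, so that a later Makefile cleanup or alphabetical sort does not swap the two lines unnoticed.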
Great, thanks for that. Not sure how I missed that ... ?
Once you add a Makefile comment and we sort out the IMA/EVM approval process I think we're good to get this into linux-next. A while back Mimi and I had a chat offline and if I recall everything correctly she preferred that I take this patchset via the LSM tree. I don't have a problem with that, and to be honest I would probably prefer that too, but I wanted to check with everyone that is still the case. Just in case, I've added my ACKs/reviews to this patchset in case this needs to be merged via the integrity tree.
Ok, given that there is the comment in the Makefile, the last thing to do from your side is to remove the vague comment in the file_release patch.
Other than that, I think Mimi wanted to give a last look. If that is ok, then the patches should be ready for your repo and linux-next.
If Mimi is okay with the patchset as-is, and both of you would prefer this to go in via the LSM tree, don't worry about the file_release comment, I'll just remove that when merging.