Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-24 Thread Petr Vorel
> On Fri, 2025-02-21 at 09:16 +0100, Petr Vorel wrote: > > > On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote: > > > > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote: > > > > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote: > > > > > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr V

Re: [RFC PATCH 3/3] ima: additional ToMToU violation tests

2025-02-24 Thread Mimi Zohar
On Fri, 2025-02-21 at 09:16 +0100, Petr Vorel wrote: > > On Thu, 2025-02-20 at 22:43 +0100, Petr Vorel wrote: > > > > On Thu, 2025-02-20 at 15:22 -0500, Mimi Zohar wrote: > > > > > On Thu, 2025-02-20 at 20:13 +0100, Petr Vorel wrote: > > > > > > > On Thu, 2025-02-20 at 19:16 +0100, Petr Vorel wrote

[PATCH] ima_selinux.sh: Require ima_policy=critical_data kernel cmdline

2025-02-24 Thread Petr Vorel
The test requires not only func=CRITICAL_DATA IMA policy content but also the ima_policy=critical_data kernel cmdline. Without the cmdline, no measurements are done. https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-policy-critical-data https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/

Re: TPM operation times out (very rarely)

2025-02-24 Thread Michal Suchánek
On Fri, Feb 21, 2025 at 12:44:45PM +, Jonathan McDowell wrote: > On Thu, Feb 20, 2025 at 09:42:28AM +0100, Michal Suchánek wrote: > > On Wed, Feb 19, 2025 at 10:29:45PM +, Jonathan McDowell wrote: > > > On Wed, Jan 29, 2025 at 04:27:15PM +0100, Michal Suchánek wrote: > > > > Hello, > > > >

Re: TPM operation times out (very rarely)

2025-02-24 Thread Michal Suchánek
On Wed, Feb 19, 2025 at 10:29:45PM +, Jonathan McDowell wrote: > On Wed, Jan 29, 2025 at 04:27:15PM +0100, Michal Suchánek wrote: > > Hello, > > > > there is a problem report that booting a specific type of system about > > 0.1% of the time encrypted volume (using a PCR to release the key) fai

Re: TPM operation times out (very rarely)

2025-02-24 Thread Michal Suchánek
On Mon, Feb 10, 2025 at 07:32:53PM +0200, Jarkko Sakkinen wrote: > On Mon Feb 10, 2025 at 6:18 PM EET, Jonathan McDowell wrote: > > Who then handles the ERESTARTSYS though? Part of the issues we've seen > > is the failure happens in a context save or load, which is all within > > the kernel rather

[PATCH] ima_kexec.sh: Detect kernel image from BOOT_IMAGE from /proc/cmdline

2025-02-24 Thread Petr Vorel
The default value was suitable only for x86_64. This helps with using other archs on distros which set $BOOT_IMAGE. Signed-off-by: Petr Vorel --- NOTE: this will not help for non-x86_64 archs on distros which don't specify BOOT_IMAGE on the kernel command line (e.g. aarch64 or ppc64le). But unless I get repo
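Both the ima_selinux.sh note (ima_policy=critical_data must be on the kernel command line and the policy must carry a func=CRITICAL_DATA rule) and the ima_kexec.sh note (locate the kernel image via BOOT_IMAGE= from /proc/cmdline) come down to parsing the kernel command line. The following POSIX sh helpers are an added example written for this page, not code from LTP or from either thread. The helper names (cmdline_get, ima_policy_has, policy_rules_critical_data, critical_data_ready, boot_image), the sample command line and the sample policy rule are constructed; the stripping of a GRUB "(hd0,gpt2)"-style device prefix from BOOT_IMAGE is an assumption about one bootloader's form of that value, not something either message states.

```shell
#!/bin/sh
# Added example, not code from LTP or from either thread: POSIX sh helpers for
# the two kernel-command-line checks discussed above. Sample inputs below are
# constructed; on a real host feed "$(cat /proc/cmdline)" and, as root,
# "$(cat /sys/kernel/security/ima/policy)".

# cmdline_get KEY CMDLINE: print the value of the last KEY=VALUE word on
# CMDLINE; exit 1 if KEY is absent.
cmdline_get() {
    key=$1
    cmdline=$2
    value=
    have=1
    for word in $cmdline; do
        case "$word" in
        "$key"=*)
            value=${word#*=}
            have=0
            ;;
        esac
    done
    [ "$have" -eq 0 ] && printf '%s\n' "$value"
    return "$have"
}

# ima_policy_has NAME CMDLINE: succeed if NAME is one of the '|'-separated
# builtin policies selected by ima_policy= (e.g. ima_policy=tcb|critical_data).
ima_policy_has() {
    name=$1
    policies=$(cmdline_get ima_policy "$2") || return 1
    oldifs=$IFS
    IFS='|'
    set -- $policies
    IFS=$oldifs
    for p in "$@"; do
        [ "$p" = "$name" ] && return 0
    done
    return 1
}

# policy_rules_critical_data POLICY_TEXT: succeed if the loaded policy carries
# a measure rule with func=CRITICAL_DATA.
policy_rules_critical_data() {
    printf '%s\n' "$1" | grep -Eq '^measure[[:space:]].*func=CRITICAL_DATA'
}

# critical_data_ready CMDLINE POLICY_TEXT: both preconditions from the
# ima_selinux.sh note: the critical_data builtin on the command line and a
# func=CRITICAL_DATA rule in the active policy.
critical_data_ready() {
    ima_policy_has critical_data "$1" && policy_rules_critical_data "$2"
}

# boot_image CMDLINE: print the kernel image path from BOOT_IMAGE=, dropping a
# GRUB device prefix such as "(hd0,gpt2)" if present (assumed GRUB form);
# exit 1 when the bootloader did not set it (the aarch64/ppc64le case the
# ima_kexec.sh note mentions), so the caller can fall back to an arch default.
boot_image() {
    img=$(cmdline_get BOOT_IMAGE "$1") || return 1
    case "$img" in
    \(*\)*) img=${img#*\)} ;;
    esac
    printf '%s\n' "$img"
}

# Stand-alone demo on constructed input.
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz-6.12 root=/dev/sda2 ima_policy=tcb|critical_data quiet'
SAMPLE_POLICY='measure func=CRITICAL_DATA label=selinux'
if critical_data_ready "$SAMPLE_CMDLINE" "$SAMPLE_POLICY"; then
    echo "CRITICAL_DATA measurement: enabled"
else
    echo "CRITICAL_DATA measurement: not enabled"
fi
echo "kernel image: $(boot_image "$SAMPLE_CMDLINE" || echo 'BOOT_IMAGE not set, use the arch default')"
```

A test harness would call critical_data_ready with the live /proc/cmdline and the securityfs policy before running the SELinux measurement test, and skip rather than fail when either precondition is missing; boot_image returning non-zero is the signal to keep the old per-arch default path.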