[Fedora 09/19] binfmt_elf: Elf executable signature verification
Vivek Goyal
vgoyal at redhat.com
Thu Sep 5 16:12:25 UTC 2013
On Thu, Sep 05, 2013 at 03:53:45PM +0000, Matthew Garrett wrote:
> On Thu, 2013-09-05 at 11:50 -0400, Vivek Goyal wrote:
> > On Thu, Sep 05, 2013 at 11:06:10AM -0400, Eric Paris wrote:
>
> > > And it's just plain wrong. CONFIG_IMA requires CONFIG_TCG_TPM. But
> > > select is not recursive. So can end up with a config where IMA is on,
> > > but TPM is off...
> >
> > I fail to understand why it is wrong.
> >
> > - If select is not recursive, then it is a limitation of select. Either
> > it needs to be fixed or as a workaround one can put an explicit select
> > for nested dependencies here.
>
> It is a limitation of select. It's not changing. You can put explicit
> selects for dependencies of dependencies, but then when someone adds an
> additional dependency to one of your dependencies your code suddenly
> breaks. It's a bad idea. Don't do it.
Is it true that select is not recursive?
I am doing a little experiment. First I took the default config where IMA
and TPM are not enabled.
# CONFIG_IMA is not set
# CONFIG_TCG_TPM is not set
Now I wrote a small patch where I selected "IMA" if BINFMT_ELF.
--- linux-2.6.orig/fs/Kconfig.binfmt 2013-09-05 12:02:55.885946882
-0400
+++ linux-2.6/fs/Kconfig.binfmt 2013-09-05 12:07:46.405155521 -0400
@@ -1,6 +1,7 @@
config BINFMT_ELF
bool "Kernel support for ELF binaries"
depends on MMU && (BROKEN || !FRV)
+ select IMA
default y
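Review bot: the `select IMA` line added under `config BINFMT_ELF` is unconditional, and BINFMT_ELF is a `default y` bool, so this forces IMA on in every configuration that supports ELF binaries, with no way to build ELF support without it. `select` also sets the target symbol without evaluating that symbol's own `depends on` lines, so a requirement of IMA that is expressed as a dependency rather than as a further select can be left unmet. Suggest moving the select out of BINFMT_ELF into a separate option for the signature verification feature, and having that option use `depends on IMA` (or list IMA's requirements in its own `depends on`) rather than selecting it from a symbol nearly every config enables.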
After applying the patch I run "make menuconfig" and save .config, and I see
that IMA got enabled and at the same time TPM got enabled.
CONFIG_IMA=y
CONFIG_TCG_TPM=y
In fact I see other nested selects got enabled too.
So I am understanding it wrong. To me if I selected IMA, anything IMA
was selecting in turn got enabled.
Thanks
Vivek