Afaict the ppc ima arch policy is about ensuring that signature verification is done for module loading and kexec, which in our kernel will be enforced by automatically turning on lockdown integrity mode under secure boot. So my conclusion is that CONFIG_MODULE_SIG_FORCE should stay off and CONFIG_IMA_ARCH_POLICY should be disabled.
-- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1866909 Title: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot Status in The Ubuntu-power-systems project: Incomplete Status in linux package in Ubuntu: Incomplete Bug description: == Comment: #0 - George C. Wilson <gcwil...@us.ibm.com> - 2020-02-25 18:40:44 == - sysfs enablement: TBD - ima: arch specific policy support 6191706246de - platform keyring changes for powerpc: TBD - Appended signatures support for IMA appraisal 39b07096364a42c516415d5f841069e885234e61 - integrity: Define a trusted platform keyring: 9dc92c45177a - ima: Support platform keyring for kernel appraisal: d7cecb676dd3 - TPM 2.0 Multibank extend support: c1f92b4b04ad - TPM 2.0 Eventlog support: 4d23cc323cdb - ima: carry the measurement list across kexec: d68a6fe9fccf - kexec_file_load system call support: 500c7ab1a9db To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-power-systems/+bug/1866909/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
