fstab, init: Remove securityfs mount
This is unused, remove it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
JonathonHall-Purism committed Mar 13, 2023
1 parent 1f8c88a commit 6a9e7e2
Showing 2 changed files with 0 additions and 2 deletions.
1 change: 0 additions & 1 deletion initrd/etc/fstab
Expand Up @@ -3,4 +3,3 @@ devpts /dev/pts devpts defaults 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
efivarfs /sys/firmware/efi/efivars efivarfs defaults 0 0
securityfs /sys/kernel/security securityfs defaults 0 0
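Review bot: The commit message states the securityfs entry is unused, but nothing in this hunk shows how that was established; /sys/kernel/security is the mount point under which IMA exposes its measurement list, so a consumer may live outside the two files touched here. Suggest recording in the message how the mount point was confirmed unreferenced (for example a search for /sys/kernel/security across the initrd) before dropping the `securityfs /sys/kernel/security securityfs defaults 0 0` line.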
1 change: 0 additions & 1 deletion initrd/init
Expand Up @@ -19,7 +19,6 @@ mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&-
mount /dev 2>/dev/ttyprintk
mount /proc 2>/dev/ttyprintk
mount /sys 2>/dev/ttyprintk
mount /sys/kernel/security 2>/dev/ttyprintk

if [ "$CONFIG_LINUXBOOT" = "y" ]; then
mount /sys/firmware/efi/efivars
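Review bot: Removing `mount /sys/kernel/security 2>/dev/ttyprintk` is consistent with dropping the fstab entry (the bare `mount` call resolves its options from fstab and would fail without it), but the effect is that the IMA measurement list under securityfs is no longer reachable from the initrd at all. If that loss of access is intended, the commit message should say so rather than only "unused", so the change is not mistaken for a cleanup when it is a feature removal.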

2 comments on commit 6a9e7e2


@tlaurion tlaurion commented on 6a9e7e2 May 26, 2023


@JonathonHall-Purism Actually, it was used per Talos II. Will revert that commit in another PR.
Discussing under Dasharo/dasharo-issues#415 added value.

The feature is called IMA, and it provides kernel measurement aggregates and extends PCR10.

ls: /sys/kernel/security/integrity/ima/ascii_runtime_measurements: No such file or directory
~ # mount securityfs /sys/kernel/security -t securityfs
~ # ls  /sys/kernel/security/integrity/ima/ascii_runtime_measurements
/sys/kernel/security/integrity/ima/ascii_runtime_measurements
~ # cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
10 c1d0d555befd54add3ea66ca2aea495435c7d2b8 ima-ng sha1:b8a6946296ed2755eda10d1a709b4bf9a3d56fc8 boot_aggregate


@tlaurion tlaurion commented on 6a9e7e2 May 26, 2023


Might not be that interesting since we use BusyBox and IMA is not used to change PCR10 when loading modules through the insmod provided there. More useful on a kexec'ed kernel, for the runtime kernel.

~ # cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
10 c1d0d555befd54add3ea66ca2aea495435c7d2b8 ima-ng sha1:b8a6946296ed2755eda10d1a709b4bf9a3d56fc8 boot_aggregate
~ # /sbin/insmod /lib/modules/usb-storage.ko 
New value of PCR[5]: a88503ab9860996f75f1149fdd55b779715e746a
~ # cat /sys/kernel/security/ima/ascii_runtime_measurements 
10 c1d0d555befd54add3ea66ca2aea495435c7d2b8 ima-ng sha1:b8a6946296ed2755eda10d1a709b4bf9a3d56fc8 boot_aggregate
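The ascii_runtime_measurements output shown in both comments above is what a verifier consumes to check that PCR10 really matches the IMA log. The following is an added example, not code from the commit or the Heads project: it parses ima-ng lines of that format and replays the SHA-1 PCR10 bank from them (PCR = SHA1(PCR || template_hash), starting from twenty zero bytes), so the result can be compared against the TPM's actual PCR10. The second log line is constructed to show a violation entry; the sample values there are assumed, not from the page.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: the first line is the boot_aggregate entry from the comments
# above; the second is an assumed violation entry of the same format (not from the page).
SAMPLE_LOG = """\
10 c1d0d555befd54add3ea66ca2aea495435c7d2b8 ima-ng sha1:b8a6946296ed2755eda10d1a709b4bf9a3d56fc8 boot_aggregate
10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 /tmp/open-writers
"""


@dataclass
class ImaEntry:
    pcr: int
    template_hash: bytes  # SHA-1 over the template data; the value the TPM was extended with
    template: str         # template name, "ima-ng" here
    algo: str             # algorithm of the file digest ("sha1")
    file_digest: bytes
    name: str             # file path, or "boot_aggregate" for the first entry


def parse_measurements(text: str) -> list[ImaEntry]:
    """Parse ascii_runtime_measurements lines: <pcr> <template-hash> <template> <algo>:<digest> <name>."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, thash, template, d_ng, name = line.split(maxsplit=4)  # name may contain spaces
        algo, digest = d_ng.split(":", 1)
        entries.append(ImaEntry(int(pcr), bytes.fromhex(thash), template, algo, bytes.fromhex(digest), name))
    return entries


def sha1_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """One TPM extend step in the SHA-1 bank."""
    return hashlib.sha1(pcr_value + digest).digest()


def replay_pcr(entries: list[ImaEntry], pcr: int = 10) -> bytes:
    """Recompute the SHA-1 PCR value from the log so it can be compared with the TPM."""
    value = bytes(20)  # PCR10 starts at all zeros after reset
    for entry in entries:
        if entry.pcr != pcr:
            continue
        digest = entry.template_hash
        # Violation entries are logged with an all-zero template hash, but the
        # kernel extends the PCR with 0xff bytes for them; replay must do the same.
        if digest == bytes(20):
            digest = b"\xff" * 20
        value = sha1_extend(value, digest)
    return value
```

Compare `replay_pcr(entries).hex()` with the TPM's PCR10 reading (for example from the tpm2_pcrread output); a mismatch means the log and the PCR no longer agree.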
