Re: [PATCH v3] x86/ima: require signed kernel modules

From: Luis Chamberlain
Date: Fri Feb 15 2019 - 12:01:52 EST

Next message: Stephen Boyd: "Re: [PATCH 2/9] clk: Introduce get_parent_hw clk op"
Previous message: Kees Cook: "Re: [PATCH v3] exec: load_script: Do not exec truncated interpreter path"
In reply to: Mimi Zohar: "[PATCH v3] x86/ima: require signed kernel modules"
Next in thread: Mimi Zohar: "Re: [PATCH v3] x86/ima: require signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 15, 2019 at 11:50:18AM -0500, Mimi Zohar wrote:
> Have the IMA architecture specific policy require signed kernel modules
> on systems with secure boot mode enabled; and coordinate the different
> signature verification methods, so only one signature is required.
>
> Requiring appended kernel module signatures may be configured, enabled
> on the boot command line, or with this patch enabled in secure boot
> mode. This patch defines set_module_sig_enforced().
>
> To coordinate between appended kernel module signatures and IMA
> signatures, only define an IMA MODULE_CHECK policy rule if
> CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define
> and require an IMA signature.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

Reviewed-by: Luis Chamberlain <mcgrof@xxxxxxxxxx>

Luis

Next message: Stephen Boyd: "Re: [PATCH 2/9] clk: Introduce get_parent_hw clk op"
Previous message: Kees Cook: "Re: [PATCH v3] exec: load_script: Do not exec truncated interpreter path"
In reply to: Mimi Zohar: "[PATCH v3] x86/ima: require signed kernel modules"
Next in thread: Mimi Zohar: "Re: [PATCH v3] x86/ima: require signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]