Re: [PATCH v3] x86/ima: require signed kernel modules

From: Mimi Zohar
Date: Fri Feb 15 2019 - 12:58:37 EST

Next message: Jens Axboe: "Re: [dm-devel] [PATCH V15 00/18] block: support multi-page bvec"
Previous message: Linus Torvalds: "Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault"
In reply to: Luis Chamberlain: "Re: [PATCH v3] x86/ima: require signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2019-02-15 at 09:01 -0800, Luis Chamberlain wrote:
> On Fri, Feb 15, 2019 at 11:50:18AM -0500, Mimi Zohar wrote:
> > Have the IMA architecture specific policy require signed kernel modules
> > on systems with secure boot mode enabled; and coordinate the different
> > signature verification methods, so only one signature is required.
> >
> > Requiring appended kernel module signatures may be configured, enabled
> > on the boot command line, or with this patch enabled in secure boot
> > mode. This patch defines set_module_sig_enforced().
> >
> > To coordinate between appended kernel module signatures and IMA
> > signatures, only define an IMA MODULE_CHECK policy rule if
> > CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define
> > and require an IMA signature.
> >
> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>
> Reviewed-by: Luis Chamberlain <mcgrof@xxxxxxxxxx>

Thanks!

Next message: Jens Axboe: "Re: [dm-devel] [PATCH V15 00/18] block: support multi-page bvec"
Previous message: Linus Torvalds: "Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault"
In reply to: Luis Chamberlain: "Re: [PATCH v3] x86/ima: require signed kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]