mirror of https://github.com/torvalds/linux.git
Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS) is enabled, IMA has no way to verify the appended module signature as it can't decompress the module. Define a new kernel_read_file_id enumerate READING_MODULE_COMPRESSED so IMA can calculate the compressed kernel module data hash on READING_MODULE_COMPRESSED and defer appraising/measuring it until on READING_MODULE when the module has been decompressed.

Before enabling in-kernel module decompression, a kernel module in initramfs can still be loaded with ima_policy=secure_boot. So adjust the kernel module rule in secure_boot policy to allow either an IMA signature OR an appended signature i.e. to use "appraise func=MODULE_CHECK appraise_type=imasig|modsig".

Reported-by: Karel Srot <ksrot@redhat.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
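A model of the two-phase flow the commit describes, added here as an illustration and not code from the kernel or the commit: the module bytes, the "signature" block, the IMA-xattr flag and the policy parsing are constructed stand-ins, zlib stands in for the kernel's decompressor, and only MODULE_SIG_STRING is the kernel's real trailer marker. It shows the hash being taken over the compressed data on READING_MODULE_COMPRESSED, appraisal deferred to READING_MODULE, and why the secure_boot rule needs imasig|modsig rather than imasig alone.

```python
"""Simulation of IMA's deferred appraisal for in-kernel module decompression."""
import hashlib
import zlib

READING_MODULE = "READING_MODULE"
READING_MODULE_COMPRESSED = "READING_MODULE_COMPRESSED"  # id added by the commit

# Real marker the kernel places after an appended module signature.
MODULE_SIG_STRING = b"~Module signature appended~\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_policy_rule(rule):
    """Accepted signature types from e.g.
    'appraise func=MODULE_CHECK appraise_type=imasig|modsig' (constructed parser)."""
    for token in rule.split():
        if token.startswith("appraise_type="):
            return set(token.split("=", 1)[1].split("|"))
    return set()


def ima_post_read_file(state, read_id, data, has_imasig_xattr, rule):
    """Simulated hook: None while appraisal is deferred, else hash + verdict."""
    if read_id == READING_MODULE_COMPRESSED:
        # Hash what was actually read from disk (the compressed blob), then defer.
        state["compressed_hash"] = sha256_hex(data)
        return None
    assert read_id == READING_MODULE
    # Measure the compressed data if it was seen, otherwise the plain module.
    measured = state.pop("compressed_hash", None) or sha256_hex(data)
    accepted = parse_policy_rule(rule)
    has_modsig = data.endswith(MODULE_SIG_STRING)  # signature only visible after decompression
    ok = ("imasig" in accepted and has_imasig_xattr) or ("modsig" in accepted and has_modsig)
    return {"hash": measured, "appraised": ok}


def load_compressed_module(module, rule, has_imasig_xattr=False):
    """Drive the flow: compressed read -> decompression -> decompressed read."""
    compressed = zlib.compress(module)  # stands in for the compressed .ko in initramfs
    state = {}
    first = ima_post_read_file(state, READING_MODULE_COMPRESSED, compressed, has_imasig_xattr, rule)
    decompressed = zlib.decompress(compressed)  # stands in for in-kernel decompression
    final = ima_post_read_file(state, READING_MODULE, decompressed, has_imasig_xattr, rule)
    return first, final


# Constructed module: fake body plus a fake signature block ending in the real marker.
MODULE_WITH_MODSIG = b"\x7fELF fake module body" + b"\x00" * 16 + MODULE_SIG_STRING
SECURE_BOOT_RULE = "appraise func=MODULE_CHECK appraise_type=imasig|modsig"
OLD_SECURE_BOOT_RULE = "appraise func=MODULE_CHECK appraise_type=imasig"
```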