Google Git
Sign in
android-kvm / linux / 8db5da0b8618df79eceea99672e205d4a2a6309e
commit8db5da0b8618df79eceea99672e205d4a2a6309e[log] [tgz]
authorMimi Zohar <zohar@linux.ibm.com>Sun Jan 27 19:03:45 2019 -0500
committerMimi Zohar <zohar@linux.ibm.com>Wed Mar 27 10:36:44 2019 -0400
tree0c2f55e5fc3827130bc7a9b389fde8c4d24261b2
parent8d93e952fba216cd0811247f6360d97e0465d5fc [diff]
x86/ima: require signed kernel modules

Have the IMA architecture specific policy require signed kernel modules
on systems with secure boot mode enabled; and coordinate the different
signature verification methods, so only one signature is required.

Requiring appended kernel module signatures may be configured, enabled
on the boot command line, or with this patch enabled in secure boot
mode.  This patch defines set_module_sig_enforced().

To coordinate between appended kernel module signatures and IMA
signatures, only define an IMA MODULE_CHECK policy rule if
CONFIG_MODULE_SIG is not enabled.  A custom IMA policy may still define
and require an IMA signature.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
Acked-by: Jessica Yu <jeyu@kernel.org>
3 files changed
tree: 0c2f55e5fc3827130bc7a9b389fde8c4d24261b2
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. LICENSES/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .clang-format
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README