[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1550060279-8624-1-git-send-email-zohar@linux.ibm.com>
Date: Wed, 13 Feb 2019 07:17:59 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: linux-integrity@...r.kernel.org
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, Jessica Yu <jeyu@...nel.org>,
Luis Chamberlain <mcgrof@...nel.org>,
David Howells <dhowells@...hat.com>,
Seth Forshee <seth.forshee@...onical.com>,
"Bruno E . O . Meneguele" <bmeneg@...hat.com>,
Mimi Zohar <zohar@...ux.ibm.com>
Subject: [PATCH v2] x86/ima: require signed kernel modules
Require signed kernel modules on systems with secure boot mode enabled.
Requiring appended kernel module signatures may be configured, enabled
on the boot command line, or with this patch enabled in secure boot
mode. This patch defines set_module_sig_enforced().
To coordinate between appended kernel module signatures and IMA
signatures, only define an IMA MODULE_CHECK policy rule if
CONFIG_MODULE_SIG is not enabled.
Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
---
Changelog:
- Removed new "sig_required" flag and associated functions, directly set
sig_enforce.
arch/x86/kernel/ima_arch.c | 9 ++++++++-
include/linux/module.h | 1 +
kernel/module.c | 5 +++++
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index e47cd9390ab4..3fb9847f1cad 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -64,12 +64,19 @@ static const char * const sb_arch_rules[] = {
"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_VERIFY_SIG */
"measure func=KEXEC_KERNEL_CHECK",
+#if !IS_ENABLED(CONFIG_MODULE_SIG)
+ "appraise func=MODULE_CHECK appraise_type=imasig",
+#endif
+ "measure func=MODULE_CHECK",
NULL
};
const char * const *arch_get_ima_policy(void)
{
- if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
+ if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
+ if (IS_ENABLED(CONFIG_MODULE_SIG))
+ set_module_sig_enforced();
return sb_arch_rules;
+ }
return NULL;
}
diff --git a/include/linux/module.h b/include/linux/module.h
index 8fa38d3e7538..75e2a5c24a2b 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -660,6 +660,7 @@ static inline bool is_livepatch_module(struct module *mod)
#endif /* CONFIG_LIVEPATCH */
bool is_module_sig_enforced(void);
+void set_module_sig_enforced(void);
#else /* !CONFIG_MODULES... */
diff --git a/kernel/module.c b/kernel/module.c
index 2ad1b5239910..4cb5b733fb18 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -286,6 +286,11 @@ bool is_module_sig_enforced(void)
}
EXPORT_SYMBOL(is_module_sig_enforced);
+void set_module_sig_enforced(void)
+{
+ sig_enforce = true;
+}
+
/* Block module loading/unloading? */
int modules_disabled = 0;
core_param(nomodule, modules_disabled, bint, 0);
--
2.7.5
Powered by blists - more mailing lists