| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Feb 2019 12:58:15 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Luis Chamberlain <mcgrof@...nel.org>
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, Jessica Yu <jeyu@...nel.org>,
David Howells <dhowells@...hat.com>,
Seth Forshee <seth.forshee@...onical.com>,
"Bruno E . O . Meneguele" <bmeneg@...hat.com>
Subject: Re: [PATCH v3] x86/ima: require signed kernel modules
On Fri, 2019-02-15 at 09:01 -0800, Luis Chamberlain wrote:
> On Fri, Feb 15, 2019 at 11:50:18AM -0500, Mimi Zohar wrote:
> > Have the IMA architecture specific policy require signed kernel modules
> > on systems with secure boot mode enabled; and coordinate the different
> > signature verification methods, so only one signature is required.
> >
> > Requiring appended kernel module signatures may be configured, enabled
> > on the boot command line, or with this patch enabled in secure boot
> > mode. This patch defines set_module_sig_enforced().
> >
> > To coordinate between appended kernel module signatures and IMA
> > signatures, only define an IMA MODULE_CHECK policy rule if
> > CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define
> > and require an IMA signature.
> >
> > Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
>
> Reviewed-by: Luis Chamberlain <mcgrof@...nel.org>
Thanks!
Powered by blists - more mailing lists