linux-kernel - [RFC PATCH v10 9/9] powerpc/ima: indicate kernel modules appended signatures are enforced

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite for Android: free password hash cracker in your pocket

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date:   Wed, 30 Oct 2019 23:31:34 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     linuxppc-dev@...abs.org, linux-efi@...r.kernel.org,
        linux-integrity@...r.kernel.org
Cc:     Mimi Zohar <zohar@...ux.ibm.com>, linux-kernel@...r.kernel.org,
        Michael Ellerman <mpe@...erman.id.au>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Paul Mackerras <paulus@...ba.org>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Jeremy Kerr <jk@...abs.org>,
        Eric Ricther <erichte@...ux.ibm.com>,
        "Oliver O'Halloran" <oohall@...il.com>,
        Nayna Jain <nayna@...ux.ibm.com>, Jessica Yu <jeyu@...nel.org>
Subject: [RFC PATCH v10 9/9] powerpc/ima: indicate kernel modules appended signatures are enforced

The arch specific kernel module policy rule requires kernel modules to
be signed, either as an IMA signature, stored as an xattr, or as an
appended signature.  As a result, kernel modules appended signatures
could be enforced without "sig_enforce" being set or reflected in
/sys/module/module/parameters/sig_enforce.  This patch sets
"sig_enforce".

Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Jessica Yu <jeyu@...nel.org>
---
 arch/powerpc/kernel/ima_arch.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index b9de0fb45bb9..e34116255ced 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
  */
 const char *const *arch_get_ima_policy(void)
 {
-	if (is_ppc_secureboot_enabled())
+	if (is_ppc_secureboot_enabled()) {
+		if (IS_ENABLED(CONFIG_MODULE_SIG))
+			set_module_sig_enforced();
+
 		if (is_ppc_trustedboot_enabled())
 			return secure_and_trusted_rules;
 		else
 			return secure_rules;
-	else if (is_ppc_trustedboot_enabled())
+	} else if (is_ppc_trustedboot_enabled()) {
 		return trusted_rules;
+	}
 
 	return NULL;
 }
-- 
2.7.5