* [PATCH] x86/ima: update IMA arch policy to support appended signatures
@ 2019-10-31 3:54 Mimi Zohar
0 siblings, 0 replies; only message in thread
From: Mimi Zohar @ 2019-10-31 3:54 UTC (permalink / raw)
To: linux-integrity; +Cc: linux-kernel, Mimi Zohar, Jessica Yu
Now that IMA supports appended file signatures, this patch updates
the architecture specific kernel module rules to allow either
appended signatures or the original IMA signature stored as an
xattr. The associated measurement rule template format is updated
as well.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
arch/x86/kernel/ima_arch.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 4d4f5d9faac3..a58cf33d4386 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -78,10 +78,15 @@ static const char * const sb_arch_rules[] = {
"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
#endif /* CONFIG_KEXEC_SIG */
"measure func=KEXEC_KERNEL_CHECK",
-#if !IS_ENABLED(CONFIG_MODULE_SIG)
+#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) && IS_ENABLED(CONFIG_MODULE_SIG)
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
+ "measure func=MODULE_CHECK template=ima-modsig",
+#elif !IS_ENABLED(CONFIG_MODULE_SIG)
"appraise func=MODULE_CHECK appraise_type=imasig",
-#endif
"measure func=MODULE_CHECK",
+#else
+ "measure func=MODULE_CHECK",
+#endif
NULL
};
--
2.7.5
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2019-10-31 3:54 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-31 3:54 [PATCH] x86/ima: update IMA arch policy to support appended signatures Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).