Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] x86/ima: update IMA arch policy to support appended signatures
@ 2019-10-31  3:54 Mimi Zohar
  0 siblings, 0 replies; only message in thread
From: Mimi Zohar @ 2019-10-31  3:54 UTC (permalink / raw)
  To: linux-integrity; +Cc: linux-kernel, Mimi Zohar, Jessica Yu

Now that IMA supports appended file signatures, this patch updates
the architecture specific kernel module rules to allow either
appended signatures or the original IMA signature stored as an
xattr.  The associated measurement rule template format is updated
as well.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 arch/x86/kernel/ima_arch.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 4d4f5d9faac3..a58cf33d4386 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -78,10 +78,15 @@ static const char * const sb_arch_rules[] = {
 	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
 #endif /* CONFIG_KEXEC_SIG */
 	"measure func=KEXEC_KERNEL_CHECK",
-#if !IS_ENABLED(CONFIG_MODULE_SIG)
+#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) && IS_ENABLED(CONFIG_MODULE_SIG)
+	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
+	"measure func=MODULE_CHECK template=ima-modsig",
+#elif !IS_ENABLED(CONFIG_MODULE_SIG)
 	"appraise func=MODULE_CHECK appraise_type=imasig",
-#endif
 	"measure func=MODULE_CHECK",
+#else
+	"measure func=MODULE_CHECK",
+#endif
 	NULL
 };
 
-- 
2.7.5


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-31  3:54 [PATCH] x86/ima: update IMA arch policy to support appended signatures Mimi Zohar

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git