[PATCH] ima: requiring signed kernel modules

From: Mimi Zohar
Date: Thu Jan 31 2019 - 14:20:03 EST


The kernel can be configured to verify the appended kernel module
signature, the IMA signature stored as an xattr, both types of
signatures, or none. On systems with secure boot enabled AND the IMA
architecture specific policy enabled, this patch set requires the file
to be signed.

Both methods of loading kernel modules - init_module and finit_module
syscalls - need to either verify the kernel module signature or prevent
the kernel module from being loaded.

"modprobe" first tries loading the kernel module via the finit_module
syscall and falls back to the init_module syscall, making it difficult
to test one syscall and then the other.

Mimi Zohar (1):
x86/ima: require signed kernel modules

arch/x86/kernel/ima_arch.c | 9 ++++++++-
include/linux/module.h | 7 ++++++-
kernel/module.c | 15 +++++++++++----
security/integrity/ima/ima_main.c | 2 +-
4 files changed, 26 insertions(+), 7 deletions(-)

--
2.7.5