Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures
From: Mimi Zohar
Date: Thu Feb 06 2020 - 14:10:32 EST
On Thu, 2020-02-06 at 12:01 -0700, Eric Snowberg wrote:
> > On Feb 6, 2020, at 11:05 AM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > On Thu, 2020-02-06 at 11:42 -0500, Eric Snowberg wrote:
> >> Currently IMA can validate compressed modules containing appended
> >> signatures. This adds the ability to also validate uncompressed
> >> modules when appraise_type=imasig|modsig.
> >>
> >> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> >
> > Your patch description in no way matches the code.
> >
>
> How about if I changed the description to the following:
>
> Currently IMA can only validate compressed modules containing appended
> signatures when appraise_type=imasig|modsig. An uncompressed module that
> is internally signed must still be ima signed.
>
> Add the ability to validate the uncompress module by validating it against
> keys contained within the .builtin_trusted_keys keyring. Now when using a
> policy such as:
>
> appraise func=MODULE_CHECK appraise_type=imasig|modsig
>
> It will load modules containing an appended signature when either compressed
> or uncompressed.
We - Nayna and I - will be commenting on the cover letter shortly. ÂI
think that will help clarify the problem(s).
Mimi