Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support

From: Nayna
Date: Thu Feb 06 2020 - 15:25:17 EST



On 2/6/20 11:42 AM, Eric Snowberg wrote:
When booting with either "ima_policy=secure_boot module.sig_enforce=1"
or building a kernel with CONFIG_IMA_ARCH_POLICY and booting with
"ima_policy=secure_boot", module loading behaves differently based on if
the module is compressed or not. Originally when appraising a module
with ima it had to be uncompressed and ima signed. Recent changes in 5.4
have allowed internally signed modules to load [1]. But this only works
if the internally signed module is compressed. The uncompressed module
that is internally signed must still be ima signed. This patch series
tries to bring the two in line.

We (Mimi and I) have been trying to understand the cover letter. It seems "by internally signed" you are referring to modules signed with build time generated keys.

Our interpretation of the cover letter is that IMA originally did not support appended signatures and now does. Since the modules are signed with build time generated keys, the signature verification still fails, as the keys are only available on the .builtin keyring and not the .ima keyring.

Lastly, there is nothing in these patches that indicate that the kernel modules being compressed/uncompressed is related to the signature verification.

Thanks & Regards,

ÂÂÂÂ - Nayna