x86/ima: require signed kernel modules

Have the IMA architecture specific policy require signed kernel modules on systems with secure boot mode enabled; and coordinate the different signature verification methods, so only one signature is required. Requiring appended kernel module signatures may be configured, enabled on the boot command line, or with this patch enabled in secure boot mode. This patch defines set_module_sig_enforced(). To coordinate between appended kernel module signatures and IMA signatures, only define an IMA MODULE_CHECK policy rule if CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define and require an IMA signature. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Acked-by: Jessica Yu <jeyu@kernel.org>
author: Mimi Zohar <zohar@linux.ibm.com> 2019-01-27 19:03:45 -0500
committer: Mimi Zohar <zohar@linux.ibm.com> 2019-03-27 10:36:44 -0400
commit: 8db5da0b8618df79eceea99672e205d4a2a6309e (patch)
tree: 0c2f55e5fc3827130bc7a9b389fde8c4d24261b2 /kernel/module.c
parent: 8d93e952fba216cd0811247f6360d97e0465d5fc (diff)
download: linux-8db5da0b8618df79eceea99672e205d4a2a6309e.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/kernel/module.c b/kernel/module.c
index 0b9aa8ab89f0..985caa467aef 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -286,6 +286,11 @@ bool is_module_sig_enforced(void)
 }
 EXPORT_SYMBOL(is_module_sig_enforced);
 
+void set_module_sig_enforced(void)
+{
+	sig_enforce = true;
+}
+
 /* Block module loading/unloading? */
 int modules_disabled = 0;
 core_param(nomodule, modules_disabled, bint, 0);
author	Mimi Zohar <zohar@linux.ibm.com>	2019-01-27 19:03:45 -0500
committer	Mimi Zohar <zohar@linux.ibm.com>	2019-03-27 10:36:44 -0400
commit	8db5da0b8618df79eceea99672e205d4a2a6309e (patch)
tree	0c2f55e5fc3827130bc7a9b389fde8c4d24261b2 /kernel/module.c
parent	8d93e952fba216cd0811247f6360d97e0465d5fc (diff)
download	linux-8db5da0b8618df79eceea99672e205d4a2a6309e.tar.bz2