superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/kernel/module
History
Coiby Xu c200892b46 ima: Access decompressed kernel module to verify appended signature 
Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS)
is enabled, IMA has no way to verify the appended module signature as it
can't decompress the module.

Define a new kernel_read_file_id enumerate READING_MODULE_COMPRESSED so
IMA can calculate the compressed kernel module data hash on
READING_MODULE_COMPRESSED and defer appraising/measuring it until on
READING_MODULE when the module has been decompressed.

Before enabling in-kernel module decompression, a kernel module in
initramfs can still be loaded with ima_policy=secure_boot. So adjust the
kernel module rule in secure_boot policy to allow either an IMA
signature OR an appended signature i.e. to use
"appraise func=MODULE_CHECK appraise_type=imasig|modsig".

Reported-by: Karel Srot <ksrot@redhat.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 		2025-11-19 09:19:42 -05:00
..
Kconfig kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI 2025-09-24 14:29:14 -07:00
Makefile module: Fix KCOV-ignored file name 2024-08-08 17:36:35 +02:00
debug_kmemleak.c module: prepare to handle ROX allocations for text 2024-11-07 14:25:15 -08:00
decompress.c module/decompress: use kvmalloc() consistently 2023-11-02 07:35:39 -10:00
dups.c remove pointless includes of <linux/fdtable.h> 2024-10-07 13:34:41 -04:00
internal.h module: move 'struct module_use' to internal.h 2025-07-31 13:40:46 +02:00
kallsyms.c module: Use RCU in all users of __module_address(). 2025-03-10 11:54:45 +01:00
kdb.c module: replace module_layout with module_memory 2023-03-09 12:55:15 -08:00
kmod.c remove pointless includes of <linux/fdtable.h> 2024-10-07 13:34:41 -04:00
livepatch.c livepatch: fix ELF typos 2023-03-09 11:08:24 +01:00
main.c ima: Access decompressed kernel module to verify appended signature 2025-11-19 09:19:42 -05:00
procfs.c module: replace module_layout with module_memory 2023-03-09 12:55:15 -08:00
signing.c
stats.c module: Fix comment typo 2023-11-01 13:07:08 -07:00
strict_rwx.c module: Make .static_call_sites read-only after init 2025-05-18 13:56:22 +02:00
sysfs.c sysfs: treewide: switch back to attribute_group::bin_attrs 2025-06-17 10:44:15 +02:00
tracking.c module: Remove module_assert_mutex_or_preempt() from try_add_tainted_module(). 2025-03-10 11:54:44 +01:00
tree_lookup.c kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI 2025-09-24 14:29:14 -07:00
version.c module: Use RCU in find_symbol(). 2025-03-10 11:54:44 +01:00