[PATCH] x86/ima: require signed kernel modules

Luis Chamberlain mcgrof at kernel.org
Tue Feb 5 21:13:37 UTC 2019


On Tue, Feb 05, 2019 at 07:24:39AM -0500, Mimi Zohar wrote:
> On Mon, 2019-02-04 at 14:30 -0800, Luis Chamberlain wrote:
> > On Mon, Feb 04, 2019 at 05:05:10PM -0500, Mimi Zohar wrote:
> > > On Mon, 2019-02-04 at 12:38 -0800, Luis Chamberlain wrote:
> 
> > > I don't see a need for an additional LSM just for verifying kernel
> > > module signatures.
> > 
> > But it is one, module signing was just spawned pre the boom of LSMs.
> > 
> > I do believe that treating the code as such would help with its reading
> > and long term maintenance.
> > 
> > Anyway, I had to try to convince you.
> 
> Perhaps, after IMA supports appended signatures (for kernel modules),
> I could see making the existing kernel module appended signature
> verification an LSM.

I don't see why wait.

> For now, other than updating the comment, would you be willing to add
> your Review/Ack to this patch?

But I don't particularly like the changes, I still believe trying to
LSM'ify kernel module signing would be a better start to help with
long term maintenance on this code.

Also, do we have selftests implemented to ensure we don't regress with
your changes?

  Luis



More information about the Linux-security-module-archive mailing list