[RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures
Mimi Zohar
zohar at linux.ibm.com
Thu Feb 6 19:10:17 UTC 2020
On Thu, 2020-02-06 at 12:01 -0700, Eric Snowberg wrote:
> > On Feb 6, 2020, at 11:05 AM, Mimi Zohar <zohar at linux.ibm.com> wrote:
> >
> > On Thu, 2020-02-06 at 11:42 -0500, Eric Snowberg wrote:
> >> Currently IMA can validate compressed modules containing appended
> >> signatures. This adds the ability to also validate uncompressed
> >> modules when appraise_type=imasig|modsig.
> >>
> >> Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
> >
> > Your patch description in no way matches the code.
> >
>
> How about if I changed the description to the following:
>
> Currently IMA can only validate compressed modules containing appended
> signatures when appraise_type=imasig|modsig. An uncompressed module that
> is internally signed must still be ima signed.
>
> Add the ability to validate the uncompress module by validating it against
> keys contained within the .builtin_trusted_keys keyring. Now when using a
> policy such as:
>
> appraise func=MODULE_CHECK appraise_type=imasig|modsig
>
> It will load modules containing an appended signature when either compressed
> or uncompressed.
We - Nayna and I - will be commenting on the cover letter shortly. I
think that will help clarify the problem(s).
Mimi
More information about the Linux-security-module-archive
mailing list