On Wed, Nov 05, 2025 at 03:47:25PM -0500, Mimi Zohar wrote:
On Wed, 2025-11-05 at 08:18 +0800, Coiby Xu wrote:
[...]
Hi Coiby, Based on the conversation with Paul, there is no reason to remove the existing security_kernel_post_read_file() call. The changes are similar to the 2nd link, but a bit different. - Define a single enumeration named READING_MODULE_COMPRESSED. - In module/main.c add a new security_kernel_post_read_file() call immediately after decompressing the kernel module. Like a previous version of this patch, call kernel_read_file() with either READING_MODULE or READING_MODULE_COMPRESSED based on MODULE_INIT_COMPRESSED_FILE. - In ima_post_read_file() defer verifying the signature when the enumeration is READING_MODULE_COMPRESSED. (No need for a new function ima_read_kernel_module.)
Hi Mimi, Thanks for summarizing your conversation with Paul! I can confirm Paul's approach works https://github.com/coiby/linux/tree/in_kernel_decompression_ima_no_lsm_hook_paul While testing the patch today, I realized there is another issue/challenge introduced by in-kernel module decompression. IMA appraisal is to verify the digest of compressed kernel module but currently the passed buffer is uncompressed module. When IMA uses uncompressed module data to calculate the digest, xattr signature verification will fail. If we always make IMA read the original kernel module data again to calculate the digest, does it look like a quick-and-dirty fix? If we can assume people won't load kernel module so often, the performance impact is negligible. Otherwise we may have to introduce a new LSM hook so IMA can access uncompressed and original module data one time.
thanks, Mimi
-- Best regards, Coiby
