Hi Coiby,

On Wed, 2025-11-19 at 11:47 +0800, Coiby Xu wrote:
> Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS)
> is enabled, IMA has no way to verify the appended module signature as it
> can't decompress the module.
>
> Define a new kernel_read_file_id enumerate READING_MODULE_COMPRESSED so
> IMA can know only to collect original module data hash on
> READING_MODULE_COMPRESSED and defer appraising/measuring it until on
> READING_MODULE when the module has been decompressed.
This paragraph is a bit awkward. Perhaps something like:

-> so IMA can calculate the compressed kernel module data hash and defer measuring/appraising ...

>
> Before enabling in-kernel module decompression, a kernel module in
> initramfs can still be loaded with ima_policy=secure_boot. So adjust the
> kernel module rule in secure_boot policy to allow either an IMA
> signature OR an appended signature i.e. to use
> "appraise func=MODULE_CHECK appraise_type=imasig|modsig".
>
> Reported-by: Karel Srot <[email protected]>
> Suggested-by: Mimi Zohar <[email protected]>
> Suggested-by: Paul Moore <[email protected]>
> Signed-off-by: Coiby Xu <[email protected]>

Thanks, Coiby! The patch applies cleanly to linus' tree, but needs to be applied to next-integrity. Please re-base.

--
thanks,

Mimi
