On Thu, Aug 16, 2012 at 9:49 PM, Josh Boyer <jwbo...@gmail.com> wrote: > On Wed, Aug 15, 2012 at 2:43 PM, Dmitry Kasatkin > <dmitry.kasat...@intel.com> wrote: >> @@ -2437,6 +2438,14 @@ static int copy_and_check(struct load_info *info, >> >> info->hdr = hdr; >> info->len = len; >> + >> + err = integrity_module_check(hdr, len); >> + if (err < 0) >> + goto free_hdr; >> + >> + /* cut signature tail */ >> + info->len = err; >> + >> return 0; >> >> free_hdr: > > So if I'm reading this correctly, any module that fails signature > verification will fail to load. That makes sense, but I wonder if you > intend to support a non-enforcing mode for module signatures at all? > Actually, a brief document in Documentation describing how this whole > mechanism works and what the fail states are would be good. David's > patches have it nicely spelled out and I don't see anything similar in > your patch set. > > josh
Hi, I had enable and enforce mode in my previous patches. I have removed them just before posting. I added now enforcing back.. - Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
