ima: indicate kernel modules appended signatures are enforced

Mimi Zohar Wed, 30 Oct 2019 20:51:26 -0700

The arch specific kernel module policy rule requires kernel modules to
be signed, either as an IMA signature, stored as an xattr, or as an
appended signature.  As a result, kernel modules appended signatures
could be enforced without "sig_enforce" being set or reflected in
/sys/module/module/parameters/sig_enforce.  This patch sets
"sig_enforce".


Signed-off-by: Mimi Zohar <zo...@linux.ibm.com>
Cc: Jessica Yu <j...@kernel.org>
---
 arch/powerpc/kernel/ima_arch.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index b9de0fb45bb9..e34116255ced 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
  */
 const char *const *arch_get_ima_policy(void)
 {
-       if (is_ppc_secureboot_enabled())
+       if (is_ppc_secureboot_enabled()) {
+               if (IS_ENABLED(CONFIG_MODULE_SIG))
+                       set_module_sig_enforced();
+
                if (is_ppc_trustedboot_enabled())
                        return secure_and_trusted_rules;
                else
                        return secure_rules;
-       else if (is_ppc_trustedboot_enabled())
+       } else if (is_ppc_trustedboot_enabled()) {
                return trusted_rules;
+       }
 
        return NULL;
 }
-- 
2.7.5

[RFC PATCH v10 9/9] powerpc/ima: indicate kernel modules appended signatures are enforced

Reply via email to