[PATCH] ima: requiring signed kernel modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The kernel can be configured to verify the appended kernel module
signature, the IMA signature stored as an xattr, both types of
signatures, or none.  On systems with secure boot enabled AND the IMA
architecture specific policy enabled, this patch set requires the file
to be signed.

Both methods of loading kernel modules - init_module and finit_module
syscalls - need to either verify the kernel module signature or prevent
the kernel module from being loaded.

"modprobe" first tries loading the kernel module via the finit_module
syscall and falls back to the init_module syscall, making it difficult
to test one syscall and then the other.

Mimi Zohar (1):
  x86/ima: require signed kernel modules

 arch/x86/kernel/ima_arch.c        |  9 ++++++++-
 include/linux/module.h            |  7 ++++++-
 kernel/module.c                   | 15 +++++++++++----
 security/integrity/ima/ima_main.c |  2 +-
 4 files changed, 26 insertions(+), 7 deletions(-)

-- 
2.7.5




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux