On Fri, Feb 15, 2019 at 11:50:18AM -0500, Mimi Zohar wrote: > Have the IMA architecture specific policy require signed kernel modules > on systems with secure boot mode enabled; and coordinate the different > signature verification methods, so only one signature is required. > > Requiring appended kernel module signatures may be configured, enabled > on the boot command line, or with this patch enabled in secure boot > mode. This patch defines set_module_sig_enforced(). > > To coordinate between appended kernel module signatures and IMA > signatures, only define an IMA MODULE_CHECK policy rule if > CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define > and require an IMA signature. > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> Reviewed-by: Luis Chamberlain <mcgrof@xxxxxxxxxx> Luis
