On Fri, 2019-02-15 at 09:01 -0800, Luis Chamberlain wrote:
> On Fri, Feb 15, 2019 at 11:50:18AM -0500, Mimi Zohar wrote:
> > Have the IMA architecture specific policy require signed kernel modules
> > on systems with secure boot mode enabled; and coordinate the different
> > signature verification methods, so only one signature is required.
> >
> > Requiring appended kernel module signatures may be configured, enabled
> > on the boot command line, or with this patch enabled in secure boot
> > mode. This patch defines set_module_sig_enforced().
> >
> > To coordinate between appended kernel module signatures and IMA
> > signatures, only define an IMA MODULE_CHECK policy rule if
> > CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define
> > and require an IMA signature.
> >
> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>
> Reviewed-by: Luis Chamberlain <mcgrof@xxxxxxxxxx>

Thanks!