When booting with either "ima_policy=secure_boot module.sig_enforce=1" or building a kernel with CONFIG_IMA_ARCH_POLICY and booting with "ima_policy=secure_boot", module loading behaves differently based on if the module is compressed or not. Originally when appraising a module with ima it had to be uncompressed and ima signed. Recent changes in 5.4 have allowed internally signed modules to load [1]. But this only works if the internally signed module is compressed. The uncompressed module that is internally signed must still be ima signed. This patch series tries to bring the two in line. I'm sending this as an RFC in case this was done intentionally. Or maybe there is another way around this problem? I also realize the uncompressed module will be verified again with module_sig_check. I'm open to suggestions on improvement if this is seen as a problem. [1] https://patchwork.kernel.org/cover/10986023 Eric Snowberg (2): ima: Implement support for uncompressed module appended signatures ima: Change default secure_boot policy to include appended signatures security/integrity/digsig.c | 9 +++++++-- security/integrity/ima/ima_appraise.c | 3 +++ security/integrity/ima/ima_policy.c | 4 ++-- security/integrity/integrity.h | 3 ++- 4 files changed, 14 insertions(+), 5 deletions(-) -- 2.18.1