On Thu, 2020-02-06 at 12:01 -0700, Eric Snowberg wrote:
> > On Feb 6, 2020, at 11:05 AM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > On Thu, 2020-02-06 at 11:42 -0500, Eric Snowberg wrote:
> >> Currently IMA can validate compressed modules containing appended
> >> signatures. This adds the ability to also validate uncompressed
> >> modules when appraise_type=imasig|modsig.
> >>
> >> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> >
> > Your patch description in no way matches the code.
> >
>
> How about if I changed the description to the following:
>
> Currently IMA can only validate compressed modules containing appended
> signatures when appraise_type=imasig|modsig. An uncompressed module that
> is internally signed must still be ima signed.
>
> Add the ability to validate the uncompressed module by validating it against
> keys contained within the .builtin_trusted_keys keyring. Now when using a
> policy such as:
>
> appraise func=MODULE_CHECK appraise_type=imasig|modsig
>
> It will load modules containing an appended signature when either compressed
> or uncompressed.

We - Nayna and I - will be commenting on the cover letter shortly. I
think that will help clarify the problem(s).

Mimi