On Thu, 2020-02-06 at 14:40 -0700, Eric Snowberg wrote: <snip> > Currently the upstream code will fail if the module is uncompressed. > If you compress the same module it will load with the current > upstream code. > > > Lastly, there is nothing in these patches that indicate that the > kernel modules being compressed/uncompressed is related to the > signature verification. > > > > Basically if you have the following setup: > > Kernel built with CONFIG_IMA_ARCH_POLICY or kernel booted with > module.sig_enforce=1 along with the following ima policy: > > appraise func=MODULE_CHECK appraise_type=imasig|modsig Enabling CONFIG_IMA_ARCH_POLICY or module.sig_enforce=1 behave totally differently. CONFIG_IMA_ARCH_POLICY coordinates between the IMA signature verification and the original module_sig_check() verification. Either one signature verification method is enabled or the other, but not both. The existing IMA x86 arch policy has not been updated to support appended signatures. To understand what is happening, we need to analyze each scenario separately. - If CONFIG_MODULE_SIG is configured or enabled on the boot command line ("module.sig_enforce = 1"), then the IMA arch x86 policy WILL NOT require an IMA signature. - If CONFIG_MODULE_SIG is NOT configured or enabled on the boot command line, then the IMA arch x86 policy WILL require an IMA signature. - If CONFIG_MODULE_SIG is configured or enabled on the boot command line, the IMA arch x86 policy is not configured, and the above policy rule is defined, an appended signature will be verified by both IMA and module_sig_check(). > > If you have a module foo.ko that contains a valid appended signature > but is not ima signed, it will fail to load. That would only happen in the second scenario or in the last scenario if the key is not found. > Now if the end user simply compresses the same foo.ko, making it > foo.ko.xz. The module will load. This implies that CONFIG_MODULE_SIG is configured or enabled on the boot command line, like the first scenario described above, or in the last scenario and the key is found. > > Modules can be loaded thru two different syscalls, finit_module and > init_module. The changes added in [1] work if you use the > init_module syscall. My change adds support when the finit_module > syscall gets used instead. With the IMA arch x86 policy, without CONFIG_MODULE_SIG configured or enabled on the boot command line, IMA will prevent the init_module() syscall. This is intentional. Your second patch (2/2) changes the arch x86 policy rule to allow appended signatures. The reason for any other changes needs to be clearer. I suggest you look at the audit log and kernel messages, as well as the kexec selftests, to better understand what is happening. Mimi