Gentwo Git Trees - linux/.git/commit
ima: Access decompressed kernel module to verify appended signature
author Coiby Xu <coxu@redhat.com>
Wed, 19 Nov 2025 14:03:25 +0000 (22:03 +0800)
committer Mimi Zohar <zohar@linux.ibm.com>
Wed, 19 Nov 2025 14:19:42 +0000 (09:19 -0500)
commit c200892b46ba3df3dd210b7117a463ec283600c3
tree f634b8754302ef54bd5e3f22bf5e313a41e95ad3
parent 43369273518f57b7d56c1cf12d636a809b7bd81b
ima: Access decompressed kernel module to verify appended signature

Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS)
is enabled, IMA has no way to verify the appended module signature as it
can't decompress the module.

Define a new kernel_read_file_id enumerator READING_MODULE_COMPRESSED so
IMA can calculate the compressed kernel module data hash on
READING_MODULE_COMPRESSED and defer appraising/measuring it until
READING_MODULE, when the module has been decompressed.

Before enabling in-kernel module decompression, a kernel module in
initramfs can still be loaded with ima_policy=secure_boot. So adjust the
kernel module rule in the secure_boot policy to allow either an IMA
signature OR an appended signature, i.e., to use
"appraise func=MODULE_CHECK appraise_type=imasig|modsig".

Reported-by: Karel Srot <ksrot@redhat.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
include/linux/kernel_read_file.h
kernel/module/main.c
security/integrity/ima/ima_main.c
security/integrity/ima/ima_policy.c
security/ipe/hooks.c
security/selinux/hooks.c