Re: [PATCH] ima: Fall back to default kernel module signature verification

[Coiby Xu]

On Fri, Oct 17, 2025 at 01:49:58PM -0400, Mimi Zohar wrote:

On Fri, 2025-10-17 at 11:19 +0800, Coiby Xu wrote:

On Thu, Oct 16, 2025 at 10:31:35PM -0400, Mimi Zohar wrote:
> On Thu, 2025-10-16 at 11:46 +0800, Coiby Xu wrote:
> > On Tue, Sep 30, 2025 at 04:28:14PM -0400, Mimi Zohar wrote:
> > > On Tue, 2025-09-30 at 09:57 -0400, Mimi Zohar wrote:
> > > > On Sun, 2025-09-28 at 11:03 +0800, Coiby Xu wrote:
> > > > > Currently, for any IMA policy that requires appraisal for kernel 
modules
> > > > > e.g. ima_policy=secure_boot, PowerPC architecture specific policy,
> > > > > booting will fail because IMA will reject a kernel module which will
> > > > > be decompressed in the kernel space and then have its signature
> > > > > verified.
> > > > >
> > > > > This happens because when in-kernel module decompression
> > > > > (CONFIG_MODULE_DECOMPRESS) is enabled, kmod will use finit_module
> > > > > syscall instead of init_module to load a module. And IMA mandates IMA
> > > > > xattr verification for finit_module unless appraise_type=imasig|modsig
> > > > > is specified in the rule.  However currently initramfs doesn't support
> > > > > xattr. And IMA rule "func=MODULE_CHECK appraise_type=imasig|modsig"
> > > > > doesn't work either because IMA will treat to-be-decompressed kernel
> > > > > module as not having module signature as it can't decompress kernel
> > > > > module to check if signature exists.
> > > > >
> > > > > So fall back to default kernel module signature verification when we 
have
> > > > > no way to verify IMA xattr.
> > > > >
> > > > > Reported-by: Karel Srot <ks...@redhat.com>
> > > > > Signed-off-by: Coiby Xu <c...@redhat.com>
> > > > > ---
> > > > > Another approach will be to make IMA decompress the kernel module to
> > > > > check the signature. This requires refactoring kernel module code to
> > > > > make the in-kernel module decompressing feature modular and seemingly
> > > > > more efforts are needed. A second disadvantage is it feels
> > > > > counter-intuitive to verify the same kernel module signature twice. 
And
> > > > > we still need to make ima_policy=secure_boot allow verifying appended
> > > > > module signature.
> > > > >
> > > > > Anyways, I'm open to suggestions and can try the latter approach if
> > > > > there are some benefits I'm not aware of or a better approach.
> > > >
> > > > Coiby, there are multiple issues being discussed here.  Before deciding 
on an
> > > > appropriate solution, let's frame the issues(s) properly.
> >
> > Hi Mimi,
> >
> > Thanks for listing and framing the issues! Sorry, it took me a while to
> > go through your feedback as I also had a 8-day holiday.
> >
> > > >
> > > > 1. The finit_module syscall eventually calls init_module_from_file() to 
read the
> > > > module into memory and then decompress it.  The problem is that the 
kernel
> > > > module signature verification occurs during the kernel_read_file(), 
before the
> > > > kernel module is decompressed.  Thus, the appended kernel module 
signature
> > > > cannot be verified.
> >
> > Since IMA only accesses a kernel module as a fd or struct file*, even if
> > IMA hook is triggerd after kernel module is decompressed, IMA still
> > doesn't know the default verification has passed or can't access the
> > decompressed kernel buffer [2] to do the verification by itself.
> >
> > [2] 
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/module/main.c?h=v6.17#n3689
> >
> > > >
> > > > 2. CPIO doesn't have xattr support. There were multiple attempts at 
including
> > > > xattrs in CPIO, but none were upstreamed [1].  If file signatures 
stored in
> > > > security.ima were available in the initramfs, then finit_module() could 
verify
> > > > them, as opposed to the appended kernel module signature.
> >
> > Thanks you for pointing me to the work [1]. I'll take a more careful
> > look at [1]. I think CPIO supporting xattr can be a long-term solution
> > and also close a important security gap.
> >
> > > >
> > > > 3. The issues described above are generic, not limited to Power.  When
> > > > CONFIG_MODULE_SIG is configured, the arch specific IMA policy rules do 
not
> > > > include an "appraise func=MODULE_CHECK".
> >
> > Yes, the issue is not limited to Power. And thanks for correcting me
> > that Power arch specific IMA policy rules don't have this problem! Sorry
> > I misread the code.
> >
> > > >
> > > > 4. Unlike the arch specific IMA policy rules, the built-in secure boot 
IMA
> > > > policy, specified on the boot command line as "ima_policy=secure_boot", 
always
> > > > enforces the IMA signature stored in security.ima.
> > > >
> > > > Partial solutions without kernel changes:
> > > > - Enable CONFIG_MODULE_SIG  (Doesn't solve 4)
> > > > - Disable kernel module compression.
> > > >
> > > > Complete solution:
> > > > - Pick up and upstream Roberto Sassu's last version of initramfs 
support [1].
> > > > - Somehow prevent kernel_read_file() from failing when the 
kernel_read_file_id
> > > > enumeration is READING_MODULE and the kernel module is compressed.  The 
change
> > > > might be limited to ima_post_read_file().
> > >
> > > or perhaps not totally.
> > >
> > > init_module_from_file() doesn't pass the flags variable to 
kernel_read_file().
> > > You might want to consider defining a new kernel_read_file_id enumeration 
named
> > > READING_COMPRESSED_MODULE.
> >
> > Thanks for suggesting the solutions! I like the solution of CPIO
> > supporting xattr but it seems it won't land in upstream soon. So I
> > prefer the last approach. I've implemented one [3] by defining a new
> > kernel_read_file_id enumeration, would you like me to post the patches
> > to the mailing list directly?
> >
> > [3] https://github.com/coiby/linux/tree/in_kernel_decompression_ima
>
> A few thoughts, before you post the patch.

Thank you for sharing your thoughts!

>
> 1. In the general case, the kernel module could be compressed, but without an
> appended signature.  The new code should only defer appended signature
> verification, if there isn't an xattr or appended signature.

I'll add these two condition checks, thanks!

>
> 2. Instead of defining an additional process_measurement() argument to 
identify
> compressed kernel modules, to simplify the code it might be possible to 
define a
> new "func" named COMPRESSED_MODULE_CHECK.
>
> +       [READING_COMPRESSED_MODULE] = MODULE_CHECK,  -> 
COMPRESSED_MODULE_CHECK

I also thought about this approach. But IMA rule maps kernel module
loading to MODULE_CHECK. If we define a new rule and ask users to use
this new rule, ima_policy=secure_boot still won't work.

I don't have a problem with extending the "secure-boot" policy to support
uncompressed kernel modules appended signatures, based on whether
CONFIG_MODULE_SIG is enabled.  The new rule would be in addition to the existing
MODULE_CHECK rule.

I assume once the new rule get added, we can't remove it for userspace
backward compatibility, right? And with CPIO xattr supported, it seems
there is no need to keep this rule. So if this concern is valid, do you
think we shall switch to another approach i.e. to make IMA support
verifying decompressed module and then make "secure-boot" to allow
appended module signature?

Another thought is to make CPIO support xattr. Today I realize that
ima_policy=secure_boot can also cause failure of loading kdump kernel.
So the issue this patch tries to resolves has much less impact than I
thought. Maybe we can wait until CPIO xattr support is ready? I'll help
review and test Roberto's patches if this is the best way forward.

>
> 3.  The patch title "ima: Use default kernel module signature verification for
> compressed ones" is a bit off.  It should be something along the lines of 
"ima:
> defer compressed kernel module appended signature verification".

>
> 4. Simplify the patch description.

I'll rephrase the title and try simplifying it. Thanks!

Thank you.

--
Best regards,
Coiby