On Wed, Nov 19, 2025 at 08:29:22AM -0500, Mimi Zohar wrote:
> Hi Coiby,

Hi Mimi,

> On Wed, 2025-11-19 at 11:47 +0800, Coiby Xu wrote:
> > Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS)
> > is enabled, IMA has no way to verify the appended module signature as it
> > can't decompress the module.
> >
> > Define a new kernel_read_file_id enumerator READING_MODULE_COMPRESSED so
> > IMA can know only to collect the original module data hash on
> > READING_MODULE_COMPRESSED and defer appraising/measuring it until
> > READING_MODULE, when the module has been decompressed.
>
> This paragraph is a bit awkward. Perhaps something like:
>
> -> so IMA can calculate the compressed kernel module data hash and defer
> measuring/appraising ...
>
> > Before enabling in-kernel module decompression, a kernel module in
> > initramfs can still be loaded with ima_policy=secure_boot. So adjust the
> > kernel module rule in the secure_boot policy to allow either an IMA
> > signature OR an appended signature, i.e. to use
> > "appraise func=MODULE_CHECK appraise_type=imasig|modsig".
> >
> > Reported-by: Karel Srot <[email protected]>
> > Suggested-by: Mimi Zohar <[email protected]>
> > Suggested-by: Paul Moore <[email protected]>
> > Signed-off-by: Coiby Xu <[email protected]>
>
> Thanks, Coiby!
>
> The patch applies cleanly to Linus' tree, but needs to be applied to
> next-integrity. Please re-base.

I've sent v4, which has been rebased onto the next tree with improved
wording as suggested.

> --
> thanks,
> Mimi

--
Best regards,
Coiby
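As an added illustration of the problem the commit message describes (this is not part of the patch or of the thread): a small Python check showing why a compressed module image exposes no appended-signature trailer until it has been decompressed, which is what forces IMA to hash on READING_MODULE_COMPRESSED and appraise on READING_MODULE. The trailer layout and magic string follow the kernel's include/linux/module_signature.h; the ELF body and the PKCS#7 blob used in the test are constructed stand-ins, not a real signature.

```python
import lzma
import struct

# Trailer the kernel appends after a PKCS#7 module signature
# (include/linux/module_signature.h): a 12-byte struct module_signature
# followed by this 28-byte magic string.
SIG_MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBBxxxI")
PKEY_ID_PKCS7 = 2

# Magic bytes of the formats CONFIG_MODULE_DECOMPRESS handles; IMA sees
# these on READING_MODULE_COMPRESSED and cannot look inside the image.
COMPRESSION_MAGICS = {b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz", b"\x28\xb5\x2f\xfd": "zstd"}


def classify_module(data: bytes) -> str:
    """Return 'compressed', 'modsig' or 'unsigned' for a module image."""
    for magic in COMPRESSION_MAGICS:
        if data.startswith(magic):
            return "compressed"  # any appended signature is hidden inside
    trailer_len = SIG_STRUCT.size + len(SIG_MAGIC)
    if len(data) < trailer_len or not data.endswith(SIG_MAGIC):
        return "unsigned"
    hdr = data[-trailer_len:-len(SIG_MAGIC)]
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(hdr)
    # Same sanity checks mod_check_sig() applies before parsing the PKCS#7 blob.
    if (algo, hash_, signer_len, key_id_len) != (0, 0, 0, 0) or id_type != PKEY_ID_PKCS7:
        return "unsigned"
    if sig_len > len(data) - trailer_len:
        return "unsigned"
    return "modsig"


def build_signed_module(body: bytes, fake_sig: bytes) -> bytes:
    """Construct a stand-in for a signed .ko: body + (fake) PKCS#7 blob + trailer."""
    hdr = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig))
    return body + fake_sig + hdr + SIG_MAGIC


def xz_compress(data: bytes) -> bytes:
    """What IMA is handed for a .ko.xz before in-kernel decompression."""
    return lzma.compress(data)


def xz_decompress(data: bytes) -> bytes:
    """What the module loader presents again on READING_MODULE."""
    return lzma.decompress(data)
```

Running classify_module() on a constructed signed image, its xz-compressed form and the decompressed result gives "modsig", "compressed" and "modsig" respectively: the signature can only be checked after the second read.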