Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2211314imj;
        Mon, 18 Feb 2019 01:53:30 -0800 (PST)
X-Google-Smtp-Source: AHgI3IZS/V2NEk95B//+x+nv4cLX2GNTdeUzpbQDS7VkWVy3WZWwK6y8CD15Z3p+7wDtaINB5mar
X-Received: by 2002:a17:902:380c:: with SMTP id l12mr23989560plc.326.1550483610114;
        Mon, 18 Feb 2019 01:53:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1550483610; cv=none;
        d=google.com; s=arc-20160816;
        b=HvUAxDHDZT0XRtuqj2BASiIlBttQt3L1PYVetcc0boFgLys8J36lYmUFBba5kPsn8z
         mzrWr8vcJ5rVtEJPvJTCUoikUzcV6tYB7IG3bt4LxNe8pkJyeQcaqJCd6fqAf5Iin5Wj
         iMy9KsJBJXQV5eqIHZn8eN9UsnHpF+AOwb7wEmyR+xFqyaWtMssPAj3E7naCnIDJVYVT
         8IYy6gTaYiHATzTLHE8YOHXkD1jCwYfpMJGrIsyHqPyHUlzrjp6GV4cxM9kFB1Y3dliY
         RvWlfukjI7pj0tiF0Ul/Yiwx3pyZ6oU7flgvECQCgFTbWn9/aa7jAnaB7Jw/RyWLXvkz
         0/Ew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=owaRwK+4LcMHCAVUvalzSoV5Wt2MgI74+DkdtWhUnAc=;
        b=k70Q8NNa3SUsSUrWPXyNspWN7qG3b+FFGiemdwlpV92cWRORagZ45k7au5IaLuBxaT
         fR2UWeOszi05zOkbg9Iz2aRGOVDBmSqqyAOb1v1SC7RrRrGD8IeC1+AnAibNWKU2uzLw
         c8Q0tNvXVu8pLKCN5vg7maH+2ynuCbcOlkjjbNpGGuiIFKEwEnzhZmud/X1ie8HF0F8U
         NrU0TCB9Far2QxBA1nbIeN/HGmZfb4c6nYhZu03ufsawk60Kr38ziJtAxCjhXzQbtuoM
         Xg5bwF3Qu60g1daYFFKHXSHxoPwuSHfk6OI6TpAnIHS+AQFsTIrCpXSCu4GiJMTkqtlM
         6bDg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=rzJVQkO8;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b2si12186799pgw.113.2019.02.18.01.53.14;
        Mon, 18 Feb 2019 01:53:30 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=rzJVQkO8;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729758AbfBRJnV (ORCPT <rfc822;zeqiangyin@gmail.com>
        + 99 others); Mon, 18 Feb 2019 04:43:21 -0500
Received: from mail.kernel.org ([198.145.29.99]:43730 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727228AbfBRJnU (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 Feb 2019 04:43:20 -0500
Received: from linux-8ccs (ip5f5adbd6.dynamic.kabel-deutschland.de [95.90.219.214])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 6A2E22177E;
        Mon, 18 Feb 2019 09:43:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1550482999;
        bh=5KQyjcgHMMJvQhYRe9+MzGsF49jugRElnB4gy2U8kfQ=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=rzJVQkO8Hk69UziSZkHvvTTvc6v5DwuFfktadgZz9jl5Ear/TdWqJOvPf6T0YDUPQ
         /r9hdNPNrc27dT17sgF8XUBBiURP5TiNZd9kdNrzfQpcS7YWYr8WR/gsiMuX8eU+LR
         L6TOUUbRjfx0csEV8OR7Xa0ZSN1AelLVUcSFJV+E=
Date:   Mon, 18 Feb 2019 10:43:14 +0100
From:   Jessica Yu <jeyu@kernel.org>
To:     Mimi Zohar <zohar@linux.ibm.com>
Cc:     linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, Luis Chamberlain <mcgrof@kernel.org>,
        David Howells <dhowells@redhat.com>,
        Seth Forshee <seth.forshee@canonical.com>,
        "Bruno E . O . Meneguele" <bmeneg@redhat.com>
Subject: Re: [PATCH v3] x86/ima: require signed kernel modules
Message-ID: <20190218094313.GA9296@linux-8ccs>
References: <1550249418-7986-1-git-send-email-zohar@linux.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <1550249418-7986-1-git-send-email-zohar@linux.ibm.com>
X-OS:   Linux linux-8ccs 4.12.14-lp150.12.28-default x86_64
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

+++ Mimi Zohar [15/02/19 11:50 -0500]:
>Have the IMA architecture specific policy require signed kernel modules
>on systems with secure boot mode enabled; and coordinate the different
>signature verification methods, so only one signature is required.
>
>Requiring appended kernel module signatures may be configured, enabled
>on the boot command line, or with this patch enabled in secure boot
>mode.  This patch defines set_module_sig_enforced().
>
>To coordinate between appended kernel module signatures and IMA
>signatures, only define an IMA MODULE_CHECK policy rule if
>CONFIG_MODULE_SIG is not enabled.  A custom IMA policy may still define
>and require an IMA signature.
>
>Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Acked-by: Jessica Yu <jeyu@kernel.org>

Thanks!

>---
> arch/x86/kernel/ima_arch.c | 9 ++++++++-
> include/linux/module.h     | 5 +++++
> kernel/module.c            | 5 +++++
> 3 files changed, 18 insertions(+), 1 deletion(-)
>
>diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
>index e47cd9390ab4..3fb9847f1cad 100644
>--- a/arch/x86/kernel/ima_arch.c
>+++ b/arch/x86/kernel/ima_arch.c
>@@ -64,12 +64,19 @@ static const char * const sb_arch_rules[] = {
> 	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> #endif /* CONFIG_KEXEC_VERIFY_SIG */
> 	"measure func=KEXEC_KERNEL_CHECK",
>+#if !IS_ENABLED(CONFIG_MODULE_SIG)
>+	"appraise func=MODULE_CHECK appraise_type=imasig",
>+#endif
>+	"measure func=MODULE_CHECK",
> 	NULL
> };
>
> const char * const *arch_get_ima_policy(void)
> {
>-	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
>+	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
>+		if (IS_ENABLED(CONFIG_MODULE_SIG))
>+			set_module_sig_enforced();
> 		return sb_arch_rules;
>+	}
> 	return NULL;
> }
>diff --git a/include/linux/module.h b/include/linux/module.h
>index 8fa38d3e7538..5aaa9359adc8 100644
>--- a/include/linux/module.h
>+++ b/include/linux/module.h
>@@ -660,6 +660,7 @@ static inline bool is_livepatch_module(struct module *mod)
> #endif /* CONFIG_LIVEPATCH */
>
> bool is_module_sig_enforced(void);
>+void set_module_sig_enforced(void);
>
> #else /* !CONFIG_MODULES... */
>
>@@ -780,6 +781,10 @@ static inline bool is_module_sig_enforced(void)
> 	return false;
> }
>
>+static inline void set_module_sig_enforced(void)
>+{
>+}
>+
> /* Dereference module function descriptor */
> static inline
> void *dereference_module_function_descriptor(struct module *mod, void *ptr)
>diff --git a/kernel/module.c b/kernel/module.c
>index 2ad1b5239910..73cada04bd24 100644
>--- a/kernel/module.c
>+++ b/kernel/module.c
>@@ -286,6 +286,11 @@ bool is_module_sig_enforced(void)
> }
> EXPORT_SYMBOL(is_module_sig_enforced);
>
>+void set_module_sig_enforced(void)
>+{
>+	sig_enforce = true;
>+}
>+
> /* Block module loading/unloading? */
> int modules_disabled = 0;
> core_param(nomodule, modules_disabled, bint, 0);
>-- 
>2.7.5
>