Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 8db5da0b authored by Mimi Zohar's avatar Mimi Zohar
Browse files

x86/ima: require signed kernel modules 



Have the IMA architecture specific policy require signed kernel modules
on systems with secure boot mode enabled; and coordinate the different
signature verification methods, so only one signature is required.

Requiring appended kernel module signatures may be configured, enabled
on the boot command line, or with this patch enabled in secure boot
mode.  This patch defines set_module_sig_enforced().

To coordinate between appended kernel module signatures and IMA
signatures, only define an IMA MODULE_CHECK policy rule if
CONFIG_MODULE_SIG is not enabled.  A custom IMA policy may still define
and require an IMA signature.

Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Reviewed-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
Acked-by: default avatarJessica Yu <jeyu@kernel.org>
parent 8d93e952
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment