x86/ima: require signed kernel modules (8db5da0b) · Commits · 戴 / test

arch/x86/kernel/ima_arch.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -64,12 +64,19 @@ static const char * const sb_arch_rules[] = {
		"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
		#endif /* CONFIG_KEXEC_VERIFY_SIG */
		"measure func=KEXEC_KERNEL_CHECK",
		#if !IS_ENABLED(CONFIG_MODULE_SIG)
		"appraise func=MODULE_CHECK appraise_type=imasig",
		#endif
		"measure func=MODULE_CHECK",
		NULL
		};

		const char * const *arch_get_ima_policy(void)
		{
		if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot())
		if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
		if (IS_ENABLED(CONFIG_MODULE_SIG))
		set_module_sig_enforced();
		return sb_arch_rules;
		}
		return NULL;
		}

+5 −0

Original line number	Diff line number	Diff line
		@@ -676,6 +676,7 @@ static inline bool is_livepatch_module(struct module *mod)
		#endif /* CONFIG_LIVEPATCH */

		bool is_module_sig_enforced(void);
		void set_module_sig_enforced(void);

		#else /* !CONFIG_MODULES... */

		@@ -796,6 +797,10 @@ static inline bool is_module_sig_enforced(void)
		return false;
		}

		static inline void set_module_sig_enforced(void)
		{
		}

		/* Dereference module function descriptor */
		static inline
		void dereference_module_function_descriptor(struct module mod, void *ptr)

+5 −0

Original line number	Diff line number	Diff line
		@@ -286,6 +286,11 @@ bool is_module_sig_enforced(void)
		}
		EXPORT_SYMBOL(is_module_sig_enforced);

		void set_module_sig_enforced(void)
		{
		sig_enforce = true;
		}

		/* Block module loading/unloading? */
		int modules_disabled = 0;
		core_param(nomodule, modules_disabled, bint, 0);