From: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
To: linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, linux-kernel@vger.kernel.org,
zohar@linux.vnet.ibm.com
Subject: [RFC][PATCH v1 0/2] integrity: module integrity verification
Date: Wed, 1 Feb 2012 22:25:02 +0200
Message-ID: <cover.1328122362.git.dmitry.kasatkin@intel.com>
Hi,
Here is another module verification patchset, which is based on the recently
upstreamed digital signature support used by EVM and IMA-appraisal.
The initial module verification code was dependent on IMA-appraisal and
was using security.ima extended attribute to store the signature.
Based on some feedback, it was decided to add the ability to store the
signature in a corresponding module signature file <module>.sig and also
make module checking no longer dependent on IMA-appraisal.
Having the signature in a separate <module>.sig file allows using it on filesystems
which do not support extended attributes, e.g. network file systems,
and also copying modules to the target system from the build system.
The initial module verification code was dependent on IMA-appraisal and
was using the security.ima extended attribute to store the signature.
Based on some feedback it was decided to remove the IMA dependency and also
add the possibility to store the signature in the corresponding signature
file <module>.sig. It allows using it on filesystems which do not support
extended attributes and also allows copying of modules from the build system to
the target for testing without extended-attribute-aware tools.
modprobe and insmod have been modified to read the signature either from the
extended attribute or the signature file and pass it as a kernel module
parameter to the load_module system call.
Signature generation is done using the same tool as for EVM/IMA: evm-utils.
These 2 patches are available on top of the #next-ima-module branch at
git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig.git
evm-utils and module-init-tools are available in the linux-ima project GIT:
git://linux-ima.git.sourceforge.net/linux-ima/evm-utils
git://linux-ima.git.sourceforge.net/linux-ima/module-init-tools
- Dmitry
Dmitry Kasatkin (2):
integrity: add ima_module_check hook
integrity: verify module integrity based on signature
Documentation/ABI/testing/securityfs-module-check | 17 ++
include/linux/integrity.h | 10 +
kernel/module.c | 20 ++-
security/integrity/Kconfig | 11 +
security/integrity/Makefile | 1 +
security/integrity/module.c | 251 +++++++++++++++++++++
6 files changed, 305 insertions(+), 5 deletions(-)
create mode 100644 Documentation/ABI/testing/securityfs-module-check
create mode 100644 security/integrity/module.c
--
1.7.5.4
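The cover letter above describes the userspace half of the scheme: modprobe/insmod look for the signature first in the security.ima extended attribute on the module file, then in a sibling <module>.sig file, and hand it to the kernel as a module parameter. The program below is an added example of that lookup order, not code from the patchset or from the linux-ima module-init-tools. It assumes a caller-supplied xattr name (the test uses a user.* name because setting security.ima needs CAP_SYS_ADMIN), hex as the encoding for the parameter string, and the placeholder parameter name "sig=", none of which the patchset specifies; the signature bytes in the self-test are constructed. The xattr path compiles to "unsupported" outside Linux.

```c
/* Added example, not part of the patchset or the linux-ima tools.
 * Lookup order as described in the cover letter: xattr first, then
 * "<module>.sig".  xattr name, hex encoding and the "sig=" parameter
 * name are assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

#define SIG_MAX 1024          /* generous bound; RSA signatures are far smaller */

enum sig_source { SIG_NONE = 0, SIG_XATTR = 1, SIG_FILE = 2 };

/* Read the signature xattr into buf.  Returns length, or -1 with errno set. */
static ssize_t read_sig_xattr(const char *path, const char *xattr,
                              unsigned char *buf, size_t bufsz)
{
#ifdef __linux__
    return getxattr(path, xattr, buf, bufsz);
#else
    (void)path; (void)xattr; (void)buf; (void)bufsz;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Read "<path>.sig" into buf.  Rejects empty or oversized files, since a
 * truncated or padded signature must never reach the kernel silently. */
static ssize_t read_sig_file(const char *path, unsigned char *buf, size_t bufsz)
{
    char sigpath[4096];
    if (snprintf(sigpath, sizeof sigpath, "%s.sig", path) >= (int)sizeof sigpath) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = open(sigpath, O_RDONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (st.st_size <= 0 || (size_t)st.st_size > bufsz) {
        close(fd);
        errno = st.st_size <= 0 ? EINVAL : ERANGE;
        return -1;
    }
    ssize_t n = read(fd, buf, (size_t)st.st_size);
    close(fd);
    return n == st.st_size ? n : -1;
}

/* Returns the signature length (>0) with *src set, or -1 if neither source
 * yields a signature. */
ssize_t module_signature_lookup(const char *path, const char *xattr,
                                unsigned char *buf, size_t bufsz,
                                enum sig_source *src)
{
    ssize_t n = read_sig_xattr(path, xattr, buf, bufsz);
    if (n > 0) { *src = SIG_XATTR; return n; }
    n = read_sig_file(path, buf, bufsz);
    if (n > 0) { *src = SIG_FILE; return n; }
    *src = SIG_NONE;
    return -1;
}

/* Module parameters are strings, so the raw blob needs an encoding; hex is
 * an assumption here.  Returns encoded length, or 0 if out is too small. */
size_t sig_to_hex(const unsigned char *sig, size_t n, char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";
    if (outsz < 2 * n + 1) return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[sig[i] >> 4];
        out[2 * i + 1] = digits[sig[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* Self-test on constructed data: a temp "module" with no xattr, first with
 * no .sig (lookup must fail), then with a 4-byte .sig (file path must win).
 * Returns 0 on success, otherwise the failing step number. */
int selftest_sig_lookup(void)
{
    char mod[] = "/tmp/sigdemo-XXXXXX";
    int fd = mkstemp(mod);
    if (fd < 0) return 1;
    close(fd);
    unsigned char buf[SIG_MAX];
    enum sig_source src;
    int rc = 0;
    if (module_signature_lookup(mod, "user.sigdemo", buf, sizeof buf, &src) != -1 || src != SIG_NONE)
        rc = 2;
    static const unsigned char want[] = { 0x03, 0x02, 0xde, 0xad };   /* constructed */
    char sigpath[sizeof mod + 4];
    snprintf(sigpath, sizeof sigpath, "%s.sig", mod);
    FILE *f = fopen(sigpath, "wb");
    if (!f || fwrite(want, 1, sizeof want, f) != sizeof want) rc = rc ? rc : 3;
    if (f) fclose(f);
    if (!rc) {
        ssize_t n = module_signature_lookup(mod, "user.sigdemo", buf, sizeof buf, &src);
        if (n != (ssize_t)sizeof want || src != SIG_FILE || memcmp(buf, want, sizeof want) != 0)
            rc = 4;
    }
    if (!rc) {
        char hex[2 * sizeof want + 1];
        if (sig_to_hex(want, sizeof want, hex, sizeof hex) != 8 || strcmp(hex, "0302dead") != 0)
            rc = 5;
    }
    unlink(sigpath);
    unlink(mod);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("self-test: %s\n", selftest_sig_lookup() == 0 ? "ok" : "FAILED");
        return 0;
    }
    unsigned char buf[SIG_MAX];
    char hex[2 * SIG_MAX + 1];
    enum sig_source src;
    ssize_t n = module_signature_lookup(argv[1], "security.ima", buf, sizeof buf, &src);
    if (n < 0) { perror("no signature found"); return 1; }
    sig_to_hex(buf, (size_t)n, hex, sizeof hex);
    printf("%s: %zd bytes from %s -> sig=%s\n", argv[1], n,
           src == SIG_XATTR ? "xattr" : ".sig file", hex);   /* "sig=" is a placeholder */
    return 0;
}
```

Run it with no arguments for the self-test, or with a path to a module file to see which source supplied the signature. The .sig reader deliberately refuses empty and oversized files rather than passing whatever it finds to the kernel, and the xattr is consulted first so a stale .sig left next to a re-signed module does not shadow the attribute.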
Thread overview: 12+ messages
2012-02-01 20:25 Dmitry Kasatkin [this message]
2012-02-01 20:25 ` [RFC][PATCH v1 1/2] integrity: add ima_module_check hook Dmitry Kasatkin
2012-02-01 20:25 ` [RFC][PATCH v1 2/2] integrity: verify module integrity based on signature Dmitry Kasatkin
2012-02-06 1:51 ` [RFC][PATCH v1 0/2] integrity: module integrity verification James Morris
2012-02-06 6:59 ` Kasatkin, Dmitry
2012-02-07 17:13 ` Rusty Russell
2012-02-07 21:18 ` Kasatkin, Dmitry
2012-02-07 23:39 ` Rusty Russell
2012-02-08 13:45 ` Mimi Zohar
2012-02-08 14:02 ` Kasatkin, Dmitry
2012-02-08 18:02 ` Rusty Russell
2012-02-13 16:20 ` David Howells