From: Mimi Zohar <zohar@linux.ibm.com>
To: Coiby Xu <coxu@redhat.com>, linux-integrity@vger.kernel.org
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Karel Srot <ksrot@redhat.com>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	Eric Snowberg	 <eric.snowberg@oracle.com>,
	Paul Moore <paul@paul-moore.com>,
	James Morris	 <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"open list:SECURITY SUBSYSTEM"
	<linux-security-module@vger.kernel.org>,
	open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ima: Fall back to default kernel module signature verification
Date: Tue, 30 Sep 2025 09:57:07 -0400
Message-ID: <896f4fb0c0146512a66daf0b4c1e033aca4bd6d4.camel@linux.ibm.com>
In-Reply-To: <20250928030358.3873311-1-coxu@redhat.com>

On Sun, 2025-09-28 at 11:03 +0800, Coiby Xu wrote:
> Currently, for any IMA policy that requires appraisal for kernel modules
> e.g. ima_policy=secure_boot, PowerPC architecture specific policy,
> booting will fail because IMA will reject a kernel module which will
> be decompressed in the kernel space and then have its signature
> verified.
> 
> This happens because when in-kernel module decompression
> (CONFIG_MODULE_DECOMPRESS) is enabled, kmod will use the finit_module
> syscall instead of init_module to load a module. And IMA mandates IMA
> xattr verification for finit_module unless appraise_type=imasig|modsig
> is specified in the rule.  However, currently initramfs doesn't support
> xattrs. And the IMA rule "func=MODULE_CHECK appraise_type=imasig|modsig"
> doesn't work either, because IMA will treat the to-be-decompressed kernel
> module as not having a module signature, as it can't decompress the kernel
> module to check if a signature exists.
> 
> So fall back to default kernel module signature verification when we have
> no way to verify IMA xattr.
> 
> Reported-by: Karel Srot <ksrot@redhat.com>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
> Another approach would be to make IMA decompress the kernel module to
> check the signature. This requires refactoring kernel module code to
> make the in-kernel module decompression feature modular, and seemingly
> more effort is needed. A second disadvantage is that it feels
> counter-intuitive to verify the same kernel module signature twice. And
> we still need to make ima_policy=secure_boot allow verifying appended
> module signatures.
> 
> Anyways, I'm open to suggestions and can try the latter approach if
> there are some benefits I'm not aware of or a better approach.

Coiby, there are multiple issues being discussed here.  Before deciding on an
appropriate solution, let's frame the issue(s) properly.

1. The finit_module syscall eventually calls init_module_from_file() to read the
module into memory and then decompress it.  The problem is that the kernel
module signature verification occurs during the kernel_read_file(), before the
kernel module is decompressed.  Thus, the appended kernel module signature
cannot be verified.

2. CPIO doesn't have xattr support. There were multiple attempts at including
xattrs in CPIO, but none were upstreamed [1].  If file signatures stored in
security.ima were available in the initramfs, then finit_module() could verify
them, as opposed to the appended kernel module signature.

3. The issues described above are generic, not limited to Power.  When
CONFIG_MODULE_SIG is configured, the arch specific IMA policy rules do not
include an "appraise func=MODULE_CHECK".

4. Unlike the arch specific IMA policy rules, the built-in secure boot IMA
policy, specified on the boot command line as "ima_policy=secure_boot", always
enforces the IMA signature stored in security.ima.

Partial solutions without kernel changes:
- Enable CONFIG_MODULE_SIG (Doesn't solve 4)
- Disable kernel module compression.

Complete solution:
- Pick up and upstream Roberto Sassu's last version of initramfs support [1].
- Somehow prevent kernel_read_file() from failing when the kernel_read_file_id
enumeration is READING_MODULE and the kernel module is compressed.  The change
might be limited to ima_post_read_file().

thanks,

Mimi

[1] [PATCH v4 0/3] initramfs: add support for xattrs in the initial ram disk
https://lore.kernel.org/linux-fsdevel/20190523121803.21638-1-roberto.sassu@huawei.com/
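Issue 1 above turns on where the appended signature lives and what the kernel looks at when it is handed a still-compressed file. The following is an added example, not code from this thread, from kmod or from the kernel tree: a userspace model of the appended-signature lookup. module_find_appended_sig() repeats the checks that the kernel's mod_check_sig() performs on the tail of the buffer it is given (the MODULE_SIG_STRING marker, then the 12-byte struct module_signature in front of it, then the PKCS#7 blob whose length the header announces); the trailer layout, the marker and the gzip/xz/zstd magics are upstream's. classify_module_file() is a hypothetical loader-side sketch of the distinction Mimi's last bullet asks for, recognising a compressed READING_MODULE buffer instead of reporting it as unsigned; it is an assumption, not upstream behaviour. The two sample images are constructed inline: the "signed" one carries a placeholder PKCS#7 blob, and the "compressed" one is only a gzip member header plus filler, not a valid deflate stream.

```c
/* Added example (not from the thread, kmod or the kernel tree): userspace
 * model of the appended-module-signature lookup.  Trailer layout, marker and
 * compression magics are upstream's; the sample buffers are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"   /* 28 bytes */
#define MODSIG_MARKER_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define MODSIG_HDR_LEN    12          /* sizeof(struct module_signature) */
#define PKEY_ID_PKCS7     2

enum modsig_status {
	MODSIG_OK = 0,       /* marker found, header consistent, blob in range */
	MODSIG_NOSIG,        /* no marker at the tail: treated as unsigned    */
	MODSIG_BADSIG,       /* marker present, header fields inconsistent    */
	MODSIG_COMPRESSED    /* compressed stream: trailer not yet visible    */
};

/* The three formats kmod can pass to finit_module() under CONFIG_MODULE_DECOMPRESS. */
int module_is_compressed(const uint8_t *b, size_t n)
{
	return (n >= 2 && !memcmp(b, "\x1f\x8b", 2)) ||               /* gzip */
	       (n >= 6 && !memcmp(b, "\xfd" "7zXZ\0", 6)) ||           /* xz   */
	       (n >= 4 && !memcmp(b, "\x28\xb5\x2f\xfd", 4));          /* zstd */
}

/* Same checks as mod_check_sig(), by byte offset into struct module_signature:
 * [0] algo, [1] hash, [2] id_type, [3] signer_len, [4] key_id_len, [5..7] pad,
 * [8..11] sig_len (big-endian).  On success *sig_len is the PKCS#7 blob size. */
enum modsig_status module_find_appended_sig(const uint8_t *buf, size_t len,
					    size_t *sig_len)
{
	const uint8_t *ms;
	uint32_t slen;

	if (len < MODSIG_MARKER_LEN ||
	    memcmp(buf + len - MODSIG_MARKER_LEN, MODULE_SIG_STRING, MODSIG_MARKER_LEN))
		return MODSIG_NOSIG;
	len -= MODSIG_MARKER_LEN;
	if (len < MODSIG_HDR_LEN)
		return MODSIG_BADSIG;
	ms = buf + (len -= MODSIG_HDR_LEN);
	/* For PKCS#7 the algo/hash/signer/key-id fields must all be zero. */
	if (ms[0] || ms[1] || ms[2] != PKEY_ID_PKCS7 || ms[3] || ms[4])
		return MODSIG_BADSIG;
	slen = (uint32_t)ms[8] << 24 | (uint32_t)ms[9] << 16 | ms[10] << 8 | ms[11];
	if (slen > len)
		return MODSIG_BADSIG;
	if (sig_len)
		*sig_len = slen;
	return MODSIG_OK;
}

/* Hypothetical (assumption, not upstream): tell "compressed, check later"
 * apart from "unsigned" before scanning the tail for the trailer. */
enum modsig_status classify_module_file(const uint8_t *buf, size_t len,
					size_t *sig_len)
{
	if (module_is_compressed(buf, len))
		return MODSIG_COMPRESSED;
	return module_find_appended_sig(buf, len, sig_len);
}

/* Constructed signed image: stand-in body, 16-byte placeholder PKCS#7 blob,
 * module_signature header (id_type=PKCS7, sig_len=16 big-endian), marker. */
static const uint8_t SIGNED_SAMPLE[] =
	"\x7f" "ELFmod"
	"\x30\x0e\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x01\x00"
	"\x00\x00\x02\x00\x00\x00\x00\x00" "\x00\x00\x00\x10"
	MODULE_SIG_STRING;

/* Constructed: gzip member header plus filler, not a valid deflate stream. */
static const uint8_t GZ_SAMPLE[] =
	"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03" "\xab\xcd\xef\x01\x23\x45";

/* PKCS#7 blob length found in the signed sample, or -1 if the lookup fails. */
long demo_signed_siglen(void)
{
	size_t n = 0;
	return classify_module_file(SIGNED_SAMPLE, sizeof SIGNED_SAMPLE - 1, &n)
	       == MODSIG_OK ? (long)n : -1;
}

/* What the tail scan sees for a compressed file today: no marker, so the
 * module is reported as unsigned, which is the failure Coiby describes. */
enum modsig_status demo_compressed_as_today(void)
{
	return module_find_appended_sig(GZ_SAMPLE, sizeof GZ_SAMPLE - 1, NULL);
}

enum modsig_status demo_compressed_detected(void)
{
	return classify_module_file(GZ_SAMPLE, sizeof GZ_SAMPLE - 1, NULL);
}

/* Corrupt sig_len so it claims more bytes than precede the header. */
enum modsig_status demo_oversized_siglen(void)
{
	uint8_t buf[sizeof SIGNED_SAMPLE];
	size_t len = sizeof SIGNED_SAMPLE - 1;

	memcpy(buf, SIGNED_SAMPLE, len);
	buf[len - MODSIG_MARKER_LEN - 1] = 0xff;   /* low byte of sig_len */
	return module_find_appended_sig(buf, len, NULL);
}
```

demo_compressed_as_today() is the case from the commit message: the marker is inside the compressed stream, so the tail scan returns "no signature" rather than "cannot tell yet", and an appraise rule with appraise_type=imasig|modsig has nothing to verify. demo_compressed_detected() only shows that the compressed case is distinguishable from the unsigned case before decompression; it does not decide whether deferring the check to after decompression is the right fix.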



Thread overview:
2025-09-28  3:03 [PATCH] ima: Fall back to default kernel module signature verification Coiby Xu
2025-09-30 13:57 ` Mimi Zohar [this message]
2025-09-30 20:28   ` Mimi Zohar
2025-10-02 17:17 ` kernel test robot
