summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.ibm.com>2021-04-09 10:41:57 -0400
committerMimi Zohar <zohar@linux.ibm.com>2021-04-09 10:55:05 -0400
commit60c8eb38c1b75e83194a07ec7acfe85852fcc0d8 (patch)
tree05c396347eaa59a17fe6819603f6eacc1cd546f9 /security
parent7990ccafaa37dc6d8bb095d4d7cd997e8903fd10 (diff)
parent6cbdfb3d91bab122033bd2ecae8c259cb6e4f7d0 (diff)
Merge branch 'ima-module-signing-v4' into next-integrity
From the series cover letter: Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled. The kernel module signing key is a self-signed CA only loaded onto the .builtin_trusted_key keyring. On secure boot enabled systems with an arch specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules are not signed, nor is the kernel module signing public key loaded onto the IMA keyring. In order to load the the kernel module signing key onto the IMA trusted keyring ('.ima'), the certificate needs to be signed by a CA key either on the builtin or secondary keyrings. The original version of this patch set created and loaded a kernel-CA key onto the builtin keyring. The kernel-CA key signed the kernel module signing key, allowing it to be loaded onto the IMA trusted keyring. However, missing from this version was support for the kernel-CA to sign the hardware token certificate. Adding that support would add additional complexity. Since the kernel module signing key is embedded into the Linux kernel at build time, instead of creating and loading a kernel-CA onto the builtin trusted keyring, this version makes an exception and allows the self-signed kernel module signing key to be loaded directly onto the trusted IMA keyring.
Diffstat (limited to 'security')
-rw-r--r--security/integrity/digsig.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 250fb0836156..3b06a01bd0fd 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -111,6 +111,8 @@ static int __init __integrity_init_keyring(const unsigned int id,
} else {
if (id == INTEGRITY_KEYRING_PLATFORM)
set_platform_trusted_keys(keyring[id]);
+ if (id == INTEGRITY_KEYRING_IMA)
+ load_module_cert(keyring[id]);
}
return err;