
x86/ima: update IMA arch policy to support appended signatures

Message ID 1572494082-9208-1-git-send-email-zohar@linux.ibm.com (mailing list archive)

Commit Message

Mimi Zohar Oct. 31, 2019, 3:54 a.m. UTC
Now that IMA supports appended file signatures, this patch updates
the architecture specific kernel module rules to allow either
appended signatures or the original IMA signature stored as an
xattr.  The associated measurement rule template format is updated
as well.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 arch/x86/kernel/ima_arch.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)


diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 4d4f5d9faac3..a58cf33d4386 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -78,10 +78,15 @@  static const char * const sb_arch_rules[] = {
 	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
 #endif /* CONFIG_KEXEC_SIG */
 	"measure func=KEXEC_KERNEL_CHECK",
-#if !IS_ENABLED(CONFIG_MODULE_SIG)
+#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) && IS_ENABLED(CONFIG_MODULE_SIG)
+	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
+	"measure func=MODULE_CHECK template=ima-modsig",
+#elif !IS_ENABLED(CONFIG_MODULE_SIG)
 	"appraise func=MODULE_CHECK appraise_type=imasig",
-#endif
 	"measure func=MODULE_CHECK",
+#else
+	"measure func=MODULE_CHECK",
+#endif
 	NULL
 };
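Review bot: The new first branch selects the `appraise_type=imasig|modsig` rule and the `template=ima-modsig` measurement on CONFIG_MODULE_SIG alone, but as far as I recall the IMA policy parser only accepts the `modsig` appraise keyword (and the modsig template fields) when CONFIG_IMA_APPRAISE_MODSIG is enabled, so a build with MODULE_SIG=y and IMA_APPRAISE_MODSIG=n would land in this branch and have its arch rules rejected at policy load, leaving module loading without the intended appraisal. If that reading of ima_policy.c is right, the condition should also test the appraise option, e.g. `#if IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) && IS_ENABLED(CONFIG_MODULE_SIG)`, with the existing `#elif !IS_ENABLED(CONFIG_MODULE_SIG)` fallback covering the rest. A short comment above the block naming which config combination each of the three branches covers (modsig-capable, no module signing, MODULE_SIG_FORCE) would make the split readable without reconstructing it from the rule strings. The sb_arch_rules[] definition begins above the hunk.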