Thread: 26 messages, 4 authors, 2020-02-13

Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-02-06 19:10:31
Also in: linux-integrity, lkml

On Thu, 2020-02-06 at 12:01 -0700, Eric Snowberg wrote:
> On Feb 6, 2020, at 11:05 AM, Mimi Zohar [off-list ref] wrote:
>
> > On Thu, 2020-02-06 at 11:42 -0500, Eric Snowberg wrote:
> > > Currently IMA can validate compressed modules containing appended
> > > signatures.  This adds the ability to also validate uncompressed
> > > modules when appraise_type=imasig|modsig.
> > >
> > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> >
> > Your patch description in no way matches the code.
>
> How about if I changed the description to the following:
>
> Currently IMA can only validate compressed modules containing appended
> signatures when appraise_type=imasig|modsig.  An uncompressed module that
> is internally signed must still be ima signed.
>
> Add the ability to validate the uncompressed module by validating it against
> keys contained within the .builtin_trusted_keys keyring. Now when using a
> policy such as:
>
> appraise func=MODULE_CHECK appraise_type=imasig|modsig
>
> It will load modules containing an appended signature when either compressed
> or uncompressed.

We - Nayna and I - will be commenting on the cover letter shortly.  I
think that will help clarify the problem(s).

Mimi