On Mon, 2020-02-10 at 09:34 -0700, Eric Snowberg wrote:

quoted

On Feb 8, 2020, at 4:43 PM, Mimi Zohar [off-list ref] wrote:

On Fri, 2020-02-07 at 14:38 -0700, Eric Snowberg wrote:

quoted

quoted

On Feb 7, 2020, at 11:54 AM, Mimi Zohar [off-list ref] wrote:

On Fri, 2020-02-07 at 11:45 -0700, Eric Snowberg wrote:

quoted

quoted

On Feb 7, 2020, at 11:28 AM, Mimi Zohar [off-list ref] wrote:

On Fri, 2020-02-07 at 10:49 -0700, Eric Snowberg wrote:

quoted

quoted

On Feb 7, 2020, at 10:40 AM, Mimi Zohar [off-list ref] wrote:

quoted

$ insmod ./foo.ko
insmod: ERROR: could not insert module ./foo.ko: Permission denied

last entry from audit log:
type=INTEGRITY_DATA msg=audit(1581089373.076:83): pid=2874 uid=0
auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 op=appraise_data cause=invalid-signature comm="insmod"
name="/root/keys/modules/foo.ko" dev="dm-0" ino=10918365
res=0^]UID="root" AUID=“root"

This is because modsig_verify() will be called from within
ima_appraise_measurement(), 
since try_modsig is true.  Then modsig_verify() will return
INTEGRITY_FAIL.

Why is it an "invalid signature"?  For that you need to look at the
kernel messages.  Most likely it can't find the public key on the .ima
keyring to verify the signature.

It is invalid because the module has not been ima signed. 

With the IMA policy rule "appraise func=MODULE_CHECK
appraise_type=imasig|modsig", IMA first tries to verify the IMA
signature stored as an xattr and on failure then attempts to verify
the appended signatures.

The audit message above indicates that there was a signature, but the
signature validation failed.

I do have  CONFIG_IMA_APPRAISE_MODSIG enabled.  I believe the audit message above 
is coming from modsig_verify in security/integrity/ima/ima_appraise.c.

Right, and it's calling:

	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);

It's failing because it is trying to find the public key on the .ima
keyring.  Make sure that the public needed to validate the kernel
module is on the IMA keyring (eg. keyctl show %keyring:.ima).

I know that will validate the module properly, but that is not what I’m 
trying to solve here. I thought the point of adding “|modsig” to the
ima policy was to tell ima it can either validate against an ima keyring OR 
default back to the kernel keyring.  This is what happens with the compressed
module.  There isn’t anything in the ima keyring to validate the compressed
modules and it loads when I add “|modsig”.

"modsig" has nothing to do with keyrings.  The term "modsig" is
juxtaposed to "imasig".  "modsig" refers to kernel module appended
signature. 

Ok, understood, “modsig” refers to strictly kernel module appended signatures
without regard to the keyring that verifies it.  Since there are inconsistencies
here, would you consider something like my first patch?  It will verify an 
uncompressed kernel module containing an appended signature  when the public key
is contained within the kernel keyring instead of the ima keyring.  Why force a 
person to add the same keys into the ima keyring for validation?  Especially when
the kernel keyring is now used to verify appended signatures in the compressed
modules.

Different use case scenarios have different requirements.  Suppose for
example that the group creating the kernel image is not the same as
using it.  The group using the kernel image could sign all files,
including kernel modules (imasig), with their own private key. Only
files that they signed would be permitted.  Your proposal would break
the current expectations, allowing kernel modules signed by someone
else to be loaded.

Mimi