On Tue, Nov 19, 2024 at 11:49:14AM +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Introduce load_parser() to load a kernel module containing a parser for the requested digest list format (compressed kernel modules are supported). Kernel modules are searched in the /lib/modules/<kernel ver>/security/integrity/digest_cache directory.
>
> load_parser() calls ksys_finit_module() to load a kernel module directly from the kernel. request_module() cannot be used at this point, since the reference digests of modprobe and the linked libraries (required for IMA appraisal) might not be yet available, resulting in modprobe execution being denied.
You are doing a full solution implementation of loading modules in-kernel. Appraisal of modules is just part of the boot process; some module loading may need firmware to load to get some functionality to work, for example some firmware to get a network device up or a GPU driver. So module loading alone is not the only thing which may require IMA appraisal, and this solution only addresses modules. There are other things which may be needed other than firmware; eBPF programs are another example.
It sounds more like you want to provide or extend LSM hooks to fit your architecture and make the kernel_read_file() LSM hooks optionally use it to fit this model.
Because this is just for a *phase* in boot, which you've caught because of a catch-22 situation, where you didn't have your parsers loaded. Which is just a reflection that you hit that snag. It doesn't prove all snags will be caught yet.
And you only want to rely on this... in-kernel loading solution early in boot, is there a way to change this over to enable regular operation later?
Luis
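As an added illustration of the lookup the quoted description sketches (this is not the patch's code and not part of the thread), here is a user-space C sketch of the same search: build a path under /lib/modules/<kernel ver>/security/integrity/digest_cache, try the plain and compressed variants, and hand the file descriptor to finit_module(2), the syscall whose in-kernel entry point is ksys_finit_module(). The `<fmt>_parser` module naming, the `digest_cache_build_path()` helper, the suffix list and the format-name whitelist are assumptions made for this example, not something the patch is known to do. The security-relevant point the sketch adds is that the format name is input used to build a filesystem path, so it is whitelisted before any path is constructed.

```c
/* Added example, not the patch's code: a user-space sketch of a
 * load_parser()-style lookup using finit_module(2), which is the syscall
 * that ksys_finit_module() implements inside the kernel.  The
 * "<fmt>_parser" naming, the helper names and the suffix list are
 * assumptions for illustration.  Needs CAP_SYS_MODULE to actually load. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Candidate suffixes: plain module first, then the compressed variants the
 * kernel can decompress itself when built with CONFIG_MODULE_DECOMPRESS. */
static const char *const suffixes[] = { ".ko", ".ko.zst", ".ko.xz", ".ko.gz" };

/* Whitelist the format name: it becomes part of a path, so reject anything
 * that could escape the parser directory ("../", "/", empty, oversized). */
int digest_cache_format_ok(const char *fmt)
{
    if (!fmt || !*fmt || strlen(fmt) > 64)
        return 0;
    for (const char *p = fmt; *p; p++) {
        int lower = (*p >= 'a' && *p <= 'z');
        int digit = (*p >= '0' && *p <= '9');
        if (!lower && !digit && *p != '_')
            return 0;
    }
    return 1;
}

/* Build /lib/modules/<kver>/security/integrity/digest_cache/<fmt>_parser<suffix>.
 * Returns the length written, or -1 on bad input or truncation. */
int digest_cache_build_path(char *buf, size_t len, const char *kver,
                            const char *fmt, const char *suffix)
{
    int n;

    if (!digest_cache_format_ok(fmt) || strchr(kver, '/'))
        return -1;
    n = snprintf(buf, len,
                 "/lib/modules/%s/security/integrity/digest_cache/%s_parser%s",
                 kver, fmt, suffix);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Open the first candidate that exists and pass its fd to finit_module(2).
 * Returns 0 on success or -errno; -ENOENT if no candidate file exists. */
int load_parser_from_userspace(const char *fmt)
{
    struct utsname u;
    char path[256];

    if (uname(&u) < 0)
        return -errno;
    for (size_t i = 0; i < sizeof(suffixes) / sizeof(suffixes[0]); i++) {
        int fd, ret;

        if (digest_cache_build_path(path, sizeof(path), u.release, fmt,
                                    suffixes[i]) < 0)
            return -EINVAL;
        fd = open(path, O_RDONLY | O_CLOEXEC);
        if (fd < 0)
            continue;  /* try the next suffix */
#ifdef SYS_finit_module
        /* Empty parameter string, no MODULE_INIT_* flags: the kernel reads
         * and verifies the file itself, exactly as the in-kernel path does. */
        ret = syscall(SYS_finit_module, fd, "", 0) == 0 ? 0 : -errno;
#else
        ret = -ENOSYS;  /* not a Linux build */
#endif
        close(fd);
        return ret;
    }
    return -ENOENT;
}

int main(int argc, char **argv)
{
    int ret;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <digest-list-format>\n", argv[0]);
        return EXIT_FAILURE;
    }
    ret = load_parser_from_userspace(argv[1]);
    if (ret)
        fprintf(stderr, "load_parser(%s): %s\n", argv[1], strerror(-ret));
    return ret ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run as root with a format name such as `tlv`; the sketch stops at the first file that opens, so a failure from finit_module(2) itself (for example EKEYREJECTED when signature enforcement rejects the module, or EPERM when IMA appraisal denies the read) is reported rather than masked by trying a compressed sibling.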