patch: allow to off modules signature check dynamically

0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch

@@ -0,0 +1,36 @@
+From 36dc5cf3039c0751fe95370a247ca1c23c06571c Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Mon, 10 Aug 2020 10:38:20 +0300
+Subject: [PATCH] ROSA: ima: allow to off modules signature check dynamically
+
+Allow module.sig_enforce=0 kernel cmdline, not only module.sig_enforce=1
+It allows to keep CONFIG_MODULE_SIG_FORCE=y, but disable it when really needed.
+
+GRUB or another bootloader is password-protected when needed,
+so I am not afraid much that someone will be able to turn it off when not needed.
+
+in production systems.
+
+ROSA-specific patch.
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ kernel/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 6baa1080c..118d8ee60 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -268,7 +268,7 @@ static void module_assert_mutex_or_preempt(void)
+ }
+ 
+ static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+-module_param(sig_enforce, bool_enable_only, 0644);
++module_param(sig_enforce, bool, 0644);
+ 
+ /*
+  * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+-- 
+2.17.1
+

kernel.spec

@@ -24,7 +24,7 @@
 %define sublevel	40
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		10
+%define rpmrel		11
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -285,6 +285,8 @@ Patch303:	perf-5.4.20-binutil-libs-2.34.patch
 Patch304: 	0001-mm-add-sysctl-to-disable-disk-based-swap.patch
 # Support loading GOST-signed modules
 Patch305:	0001-crypto-support-loading-GOST-signed-kernel-modules.patch
+# Allow to off modules signature check dynamically
+Patch306:	0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
 
 # Disable AutoReq
 AutoReq: 	0