From: Aaron Tomlin <atomlin@redhat.com>
To: kbuild-all@lists.01.org
Subject: [RFC PATCH v3 07/13] module: Move extra signature support out of core code
Date: Fri, 28 Jan 2022 20:26:29 +0000 [thread overview]
Message-ID: <20220128202635.596450-8-atomlin@redhat.com> (raw)
In-Reply-To: <20220128202635.596450-1-atomlin@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 7377 bytes --]
No functional change.
This patch migrates additional module signature check
code from core module code into kernel/module/signing.c.
Signed-off-by: Aaron Tomlin <atomlin@redhat.com>
---
include/linux/module.h | 5 ++-
kernel/module/internal.h | 9 +++++
kernel/module/main.c | 87 ----------------------------------------
kernel/module/signing.c | 75 ++++++++++++++++++++++++++++++++++
4 files changed, 87 insertions(+), 89 deletions(-)
diff --git a/include/linux/module.h b/include/linux/module.h
index 7bf93c0d87e6..68dabc036100 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -758,8 +758,8 @@ static inline bool set_livepatch_module(struct module *mod)
}
#endif /* CONFIG_LIVEPATCH */
-bool is_module_sig_enforced(void);
-void set_module_sig_enforced(void);
+extern bool is_module_sig_enforced(void);
+extern void set_module_sig_enforced(void);
#else /* !CONFIG_MODULES... */
@@ -949,6 +949,7 @@ static inline bool module_sig_ok(struct module *module)
{
return true;
}
+#define sig_enforce false
#endif /* CONFIG_MODULE_SIG */
int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *,
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index 0cd624179545..5aab87716d9f 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -80,3 +80,12 @@ static inline void module_decompress_cleanup(struct load_info *info)
{
}
#endif
+
+#ifdef CONFIG_MODULE_SIG
+extern int module_sig_check(struct load_info *info, int flags);
+#else /* !CONFIG_MODULE_SIG */
+static int module_sig_check(struct load_info *info, int flags)
+{
+ return 0;
+}
+#endif /* !CONFIG_MODULE_SIG */
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 4f590b0c7aca..36ed4dd64cac 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -22,7 +22,6 @@
#include <linux/vmalloc.h>
#include <linux/elf.h>
#include <linux/proc_fs.h>
-#include <linux/security.h>
#include <linux/seq_file.h>
#include <linux/syscalls.h>
#include <linux/fcntl.h>
@@ -114,28 +113,6 @@ static void module_assert_mutex_or_preempt(void)
#endif
}
-#ifdef CONFIG_MODULE_SIG
-static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
-module_param(sig_enforce, bool_enable_only, 0644);
-
-void set_module_sig_enforced(void)
-{
- sig_enforce = true;
-}
-#else
-#define sig_enforce false
-#endif
-
-/*
- * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
- * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
- */
-bool is_module_sig_enforced(void)
-{
- return sig_enforce;
-}
-EXPORT_SYMBOL(is_module_sig_enforced);
-
/* Block module loading/unloading? */
int modules_disabled = 0;
core_param(nomodule, modules_disabled, bint, 0);
@@ -2516,70 +2493,6 @@ static inline void kmemleak_load_module(const struct module *mod,
}
#endif
-#ifdef CONFIG_MODULE_SIG
-static int module_sig_check(struct load_info *info, int flags)
-{
- int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
- const char *reason;
- const void *mod = info->hdr;
- bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
- MODULE_INIT_IGNORE_VERMAGIC);
- /*
- * Do not allow mangled modules as a module with version information
- * removed is no longer the module that was signed.
- */
- if (!mangled_module &&
- info->len > markerlen &&
- memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
- /* We truncate the module to discard the signature */
- info->len -= markerlen;
- err = mod_verify_sig(mod, info);
- if (!err) {
- info->sig_ok = true;
- return 0;
- }
- }
-
- /*
- * We don't permit modules to be loaded into the trusted kernels
- * without a valid signature on them, but if we're not enforcing,
- * certain errors are non-fatal.
- */
- switch (err) {
- case -ENODATA:
- reason = "unsigned module";
- break;
- case -ENOPKG:
- reason = "module with unsupported crypto";
- break;
- case -ENOKEY:
- reason = "module with unavailable key";
- break;
-
- default:
- /*
- * All other errors are fatal, including lack of memory,
- * unparseable signatures, and signature check failures --
- * even if signatures aren't required.
- */
- return err;
- }
-
- if (is_module_sig_enforced()) {
- pr_notice("Loading of %s is rejected\n", reason);
- return -EKEYREJECTED;
- }
-
- return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
-}
-#else /* !CONFIG_MODULE_SIG */
-static int module_sig_check(struct load_info *info, int flags)
-{
- return 0;
-}
-#endif /* !CONFIG_MODULE_SIG */
-
static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr)
{
#if defined(CONFIG_64BIT)
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 8aeb6d2ee94b..ff41541e982a 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -11,9 +11,28 @@
#include <linux/module_signature.h>
#include <linux/string.h>
#include <linux/verification.h>
+#include <linux/security.h>
#include <crypto/public_key.h>
#include "internal.h"
+static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+module_param(sig_enforce, bool_enable_only, 0644);
+
+/*
+ * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+ * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
+ */
+bool is_module_sig_enforced(void)
+{
+ return sig_enforce;
+}
+EXPORT_SYMBOL(is_module_sig_enforced);
+
+void set_module_sig_enforced(void)
+{
+ sig_enforce = true;
+}
+
/*
* Verify the signature on a module.
*/
@@ -43,3 +62,59 @@ int mod_verify_sig(const void *mod, struct load_info *info)
VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
}
+
+int module_sig_check(struct load_info *info, int flags)
+{
+ int err = -ENODATA;
+ const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ const char *reason;
+ const void *mod = info->hdr;
+
+ /*
+ * Require flags == 0, as a module with version information
+ * removed is no longer the module that was signed
+ */
+ if (flags == 0 &&
+ info->len > markerlen &&
+ memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+ /* We truncate the module to discard the signature */
+ info->len -= markerlen;
+ err = mod_verify_sig(mod, info);
+ if (!err) {
+ info->sig_ok = true;
+ return 0;
+ }
+ }
+
+ /*
+ * We don't permit modules to be loaded into the trusted kernels
+ * without a valid signature on them, but if we're not enforcing,
+ * certain errors are non-fatal.
+ */
+ switch (err) {
+ case -ENODATA:
+ reason = "unsigned module";
+ break;
+ case -ENOPKG:
+ reason = "module with unsupported crypto";
+ break;
+ case -ENOKEY:
+ reason = "module with unavailable key";
+ break;
+
+ default:
+ /*
+ * All other errors are fatal, including lack of memory,
+ * unparseable signatures, and signature check failures --
+ * even if signatures aren't required.
+ */
+ return err;
+ }
+
+ if (is_module_sig_enforced()) {
+ pr_notice("Loading of %s is rejected\n", reason);
+ return -EKEYREJECTED;
+ }
+
+ return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
+}
--
2.34.1
next prev parent reply other threads:[~2022-01-28 20:26 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-28 20:26 [RFC PATCH v3 00/13] module: core code clean up Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 01/13] module: Move all into module/ Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 02/13] module: Simple refactor in preparation for split Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 03/13] module: Move livepatch support to a separate file Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 04/13] module: Move latched RB-tree " Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 05/13] module: Move arch strict rwx " Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 06/13] module: Move " Aaron Tomlin
2022-01-28 20:26 ` Aaron Tomlin [this message]
2022-01-28 20:26 ` [RFC PATCH v3 08/13] module: Move kmemleak " Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 09/13] module: Move kallsyms support into " Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 10/13] module: Move procfs " Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 11/13] module: Move sysfs " Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 12/13] module: Move kdb_modules list out of core code Aaron Tomlin
2022-01-28 20:26 ` [RFC PATCH v3 13/13] module: Move version support into a separate file Aaron Tomlin
-- strict thread matches above, loose matches on Subject: below --
2022-01-28 20:39 [RFC PATCH v3 00/13] module: core code clean up Aaron Tomlin
2022-01-28 20:39 ` [RFC PATCH v3 07/13] module: Move extra signature support out of core code Aaron Tomlin
2022-01-28 13:23 [RFC PATCH v3 00/13] module: core code clean up Aaron Tomlin
2022-01-28 13:23 ` [RFC PATCH v3 07/13] module: Move extra signature support out of core code Aaron Tomlin
2022-01-28 12:50 [RFC PATCH v3 00/13] module: core code clean up Aaron Tomlin
2022-01-28 12:50 ` [RFC PATCH v3 07/13] module: Move extra signature support out of core code Aaron Tomlin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220128202635.596450-8-atomlin@redhat.com \
--to=atomlin@redhat.com \
--cc=kbuild-all@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.