From: "Thomas Weißschuh" <linux@weissschuh.net>
To: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Nathan Chancellor <nathan@kernel.org>,
Nicolas Schier <nsc@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Sami Tolvanen <samitolvanen@google.com>,
Daniel Gomez <da.gomez@samsung.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Jonathan Corbet <corbet@lwn.net>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Naveen N Rao <naveen@kernel.org>,
Mimi Zohar <zohar@linux.ibm.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Nicolas Schier <nicolas.schier@linux.dev>,
Daniel Gomez <da.gomez@kernel.org>,
Aaron Tomlin <atomlin@atomlin.com>,
"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>,
Xiu Jianfeng <xiujianfeng@huawei.com>,
Christophe Leroy <chleroy@kernel.org>
Cc: "Martin KaFai Lau" <martin.lau@linux.dev>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"Jiri Olsa" <jolsa@kernel.org>,
bpf@vger.kernel.org,
"Fabian Grünbichler" <f.gruenbichler@proxmox.com>,
"Arnout Engelen" <arnout@bzzt.net>,
"Mattia Rizzolo" <mattia@mapreri.org>,
kpcyrd <kpcyrd@archlinux.org>,
"Christian Heusel" <christian@heusel.eu>,
"Câju Mihai-Drosi" <mcaju95@gmail.com>,
"Eric Biggers" <ebiggers@kernel.org>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org,
debian-kernel@lists.debian.org,
"Thomas Weißschuh" <linux@weissschuh.net>
Subject: [PATCH v5 07/14] module: Make module authentication usable without MODULE_SIG
Date: Tue, 05 May 2026 11:05:11 +0200 [thread overview]
Message-ID: <20260505-module-hashes-v5-7-e174a5a49fce@weissschuh.net> (raw)
In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net>
The module authentication functionality will also be used by the
hash-based module authentication. Split it out from CONFIG_MODULE_SIG
so it is usable by both.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
crypto/algapi.c | 4 ++--
include/linux/module.h | 18 +++++++++---------
kernel/module/Kconfig | 5 ++++-
kernel/module/Makefile | 1 +
kernel/module/auth.c | 32 ++++++++++++++++++++++++++++++++
kernel/module/internal.h | 2 +-
kernel/module/main.c | 8 ++++----
kernel/module/signing.c | 23 +----------------------
8 files changed, 54 insertions(+), 39 deletions(-)
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 37de377719ae..14252b780266 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -24,8 +24,8 @@ static LIST_HEAD(crypto_template_list);
static inline void crypto_check_module_sig(struct module *mod)
{
- if (fips_enabled && mod && !module_sig_ok(mod))
- panic("Module %s signature verification failed in FIPS mode\n",
+ if (fips_enabled && mod && !module_auth_ok(mod))
+ panic("Module %s authentication failed in FIPS mode\n",
module_name(mod));
}
diff --git a/include/linux/module.h b/include/linux/module.h
index 7566815fabbe..b4760777daad 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -437,9 +437,9 @@ struct module {
/* GPL-only exported symbols. */
bool using_gplonly_symbols;
-#ifdef CONFIG_MODULE_SIG
- /* Signature was verified. */
- bool sig_ok;
+#ifdef CONFIG_MODULE_AUTH
+ /* Module was authenticated. */
+ bool auth_ok;
#endif
bool async_probe_requested;
@@ -918,16 +918,16 @@ static inline bool retpoline_module_ok(bool has_retpoline)
}
#endif
-#ifdef CONFIG_MODULE_SIG
+#ifdef CONFIG_MODULE_AUTH
bool is_module_sig_enforced(void);
void set_module_sig_enforced(void);
-static inline bool module_sig_ok(struct module *module)
+static inline bool module_auth_ok(struct module *module)
{
- return module->sig_ok;
+ return module->auth_ok;
}
-#else /* !CONFIG_MODULE_SIG */
+#else /* !CONFIG_MODULE_AUTH */
static inline bool is_module_sig_enforced(void)
{
return false;
@@ -937,11 +937,11 @@ static inline void set_module_sig_enforced(void)
{
}
-static inline bool module_sig_ok(struct module *module)
+static inline bool module_auth_ok(struct module *module)
{
return true;
}
-#endif /* CONFIG_MODULE_SIG */
+#endif /* CONFIG_MODULE_AUTH */
#if defined(CONFIG_MODULES) && defined(CONFIG_KALLSYMS)
int module_kallsyms_on_each_symbol(const char *modname,
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index f535181e0d98..84297da666ff 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -271,9 +271,12 @@ config MODULE_SIG
debuginfo strip done by some packagers (such as rpmbuild) and
inclusion into an initramfs that wants the module size reduced.
+config MODULE_AUTH
+ def_bool MODULE_SIG
+
config MODULE_SIG_FORCE
bool "Require modules to be validly signed"
- depends on MODULE_SIG
+ depends on MODULE_AUTH
help
Reject unsigned modules or signed modules for which we don't have a
key. Without this, such modules will simply taint the kernel.
diff --git a/kernel/module/Makefile b/kernel/module/Makefile
index d9e8759a7b05..c7200e293d04 100644
--- a/kernel/module/Makefile
+++ b/kernel/module/Makefile
@@ -14,6 +14,7 @@ obj-y += strict_rwx.o
obj-y += kmod.o
obj-$(CONFIG_MODULE_DEBUG_AUTOLOAD_DUPS) += dups.o
obj-$(CONFIG_MODULE_DECOMPRESS) += decompress.o
+obj-$(CONFIG_MODULE_AUTH) += auth.o
obj-$(CONFIG_MODULE_SIG) += signing.o
obj-$(CONFIG_LIVEPATCH) += livepatch.o
obj-$(CONFIG_MODULES_TREE_LOOKUP) += tree_lookup.o
diff --git a/kernel/module/auth.c b/kernel/module/auth.c
new file mode 100644
index 000000000000..956ac63d9d33
--- /dev/null
+++ b/kernel/module/auth.c
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/* Module authentication checker
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ */
+
+#include <linux/export.h>
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/types.h>
+
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "module."
+
+static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+module_param(sig_enforce, bool_enable_only, 0644);
+
+/*
+ * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+ * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
+ */
+bool is_module_sig_enforced(void)
+{
+ return sig_enforce;
+}
+EXPORT_SYMBOL(is_module_sig_enforced);
+
+void set_module_sig_enforced(void)
+{
+ sig_enforce = true;
+}
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index 006ada7d4e6e..f8f425b167f1 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -68,7 +68,7 @@ struct load_info {
Elf_Shdr *sechdrs;
char *secstrings, *strtab;
unsigned long symoffs, stroffs, init_typeoffs, core_typeoffs;
- bool sig_ok;
+ bool auth_ok;
#ifdef CONFIG_KALLSYMS
unsigned long mod_kallsyms_init_off;
#endif
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 17a352198016..cd8a74df117e 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -2601,10 +2601,10 @@ static void module_augment_kernel_taints(struct module *mod, struct load_info *i
mod->name);
add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK);
}
-#ifdef CONFIG_MODULE_SIG
- mod->sig_ok = info->sig_ok;
- if (!mod->sig_ok) {
- pr_notice_once("%s: module verification failed: signature "
+#ifdef CONFIG_MODULE_AUTH
+ mod->auth_ok = info->auth_ok;
+ if (!mod->auth_ok) {
+ pr_notice_once("%s: module authentication failed: signature "
"and/or required key missing - tainting "
"kernel\n", mod->name);
add_taint_module(mod, TAINT_UNSIGNED_MODULE, LOCKDEP_STILL_OK);
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 69d4b1758540..07a786723221 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -16,27 +16,6 @@
#include <uapi/linux/module.h>
#include "internal.h"
-#undef MODULE_PARAM_PREFIX
-#define MODULE_PARAM_PREFIX "module."
-
-static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
-module_param(sig_enforce, bool_enable_only, 0644);
-
-/*
- * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
- * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
- */
-bool is_module_sig_enforced(void)
-{
- return sig_enforce;
-}
-EXPORT_SYMBOL(is_module_sig_enforced);
-
-void set_module_sig_enforced(void)
-{
- sig_enforce = true;
-}
-
/*
* Verify the signature on a module.
*/
@@ -84,7 +63,7 @@ int module_sig_check(struct load_info *info, int flags)
info->len -= markerlen;
err = mod_verify_sig(mod, info);
if (!err) {
- info->sig_ok = true;
+ info->auth_ok = true;
return 0;
}
}
--
2.54.0
next prev parent reply other threads:[~2026-05-05 9:05 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 9:05 [PATCH v5 00/14] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 01/14] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 02/14] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 03/14] kbuild: rename the strip_relocs command Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 04/14] module: Drop pointless debugging message Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 05/14] module: Make mod_verify_sig() static Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 06/14] module: Switch load_info::len to size_t Thomas Weißschuh
2026-05-05 9:05 ` Thomas Weißschuh [this message]
2026-05-05 9:05 ` [PATCH v5 08/14] module: Move authentication logic into dedicated new file Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 09/14] module: Move signature type check out of mod_check_sig() Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 10/14] module: Prepare for additional module authentication mechanisms Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 11/14] module: update timestamp of modules.order after modules are built Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 12/14] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 13/14] kbuild: move handling of module stripping to Makefile.lib Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 14/14] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping Thomas Weißschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505-module-hashes-v5-7-e174a5a49fce@weissschuh.net \
--to=linux@weissschuh.net \
--cc=andrii@kernel.org \
--cc=arnd@arndb.de \
--cc=arnout@bzzt.net \
--cc=ast@kernel.org \
--cc=atomlin@atomlin.com \
--cc=bigeasy@linutronix.de \
--cc=bpf@vger.kernel.org \
--cc=chleroy@kernel.org \
--cc=christian@heusel.eu \
--cc=corbet@lwn.net \
--cc=da.gomez@kernel.org \
--cc=da.gomez@samsung.com \
--cc=daniel@iogearbox.net \
--cc=debian-kernel@lists.debian.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiggers@kernel.org \
--cc=eddyz87@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=f.gruenbichler@proxmox.com \
--cc=jmorris@namei.org \
--cc=jolsa@kernel.org \
--cc=kpcyrd@archlinux.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=martin.lau@linux.dev \
--cc=mattia@mapreri.org \
--cc=mcaju95@gmail.com \
--cc=mcgrof@kernel.org \
--cc=memxor@gmail.com \
--cc=mpe@ellerman.id.au \
--cc=nathan@kernel.org \
--cc=naveen@kernel.org \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=nicolas.schier@linux.dev \
--cc=npiggin@gmail.com \
--cc=nsc@kernel.org \
--cc=paul@paul-moore.com \
--cc=petr.pavlu@suse.com \
--cc=roberto.sassu@huawei.com \
--cc=samitolvanen@google.com \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
--cc=xiujianfeng@huawei.com \
--cc=yonghong.song@linux.dev \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox