From: "Michal Suchánek" <msuchanek@suse.de>
To: 20220209170358.3266629-1-atomlin@redhat.com
Cc: mcgrof@kernel.org, cl@linux.com, pmladek@suse.com,
mbenes@suse.cz, akpm@linux-foundation.org, jeyu@kernel.org,
linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org,
live-patching@vger.kernel.org, atomlin@atomlin.com,
ghalat@redhat.com, allen.lkml@gmail.com, void@manifault.com,
joe@perches.com, christophe.leroy@csgroup.eu,
oleksandr@natalenko.name
Subject: Re: [PATCH v5 07/13] module: Move extra signature support out of core code
Date: Wed, 9 Feb 2022 21:48:12 +0100
Message-ID: <20220209204812.GD3113@kunlun.suse.cz>
In-Reply-To: <20220209170814.3268487-1-atomlin@redhat.com>
Hello,
On Wed, Feb 09, 2022 at 05:08:08PM +0000, Aaron Tomlin wrote:
> No functional change.
There is functional change.
> @@ -2565,70 +2542,6 @@ static inline void kmemleak_load_module(const struct module *mod,
> }
> #endif
>
> -#ifdef CONFIG_MODULE_SIG
> -static int module_sig_check(struct load_info *info, int flags)
> -{
> - int err = -ENODATA;
> - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
> - const char *reason;
> - const void *mod = info->hdr;
> - bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
> - MODULE_INIT_IGNORE_VERMAGIC);
> - /*
> - * Do not allow mangled modules as a module with version information
> - * removed is no longer the module that was signed.
> - */
> - if (!mangled_module &&
^^^^^^^^^^^^^
> - info->len > markerlen &&
> - memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
> - /* We truncate the module to discard the signature */
> - info->len -= markerlen;
> - err = mod_verify_sig(mod, info);
> - if (!err) {
> - info->sig_ok = true;
> - return 0;
> - }
> - }
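Review bot: the definition removed here is `static` and sits under `#ifdef CONFIG_MODULE_SIG`, while the copy added to kernel/module/signing.c is a plain `int module_sig_check(...)` with external linkage. The callers that stay in the core file then need a prototype from a shared header, and a stub for builds without CONFIG_MODULE_SIG if signing.c is only compiled with that option; neither is visible in this part of the patch, so please confirm both are covered.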
> diff --git a/kernel/module/signing.c b/kernel/module/signing.c
> index 8aeb6d2ee94b..ff41541e982a 100644
> --- a/kernel/module/signing.c
> +++ b/kernel/module/signing.c
> @@ -43,3 +62,59 @@ int mod_verify_sig(const void *mod, struct load_info *info)
> VERIFYING_MODULE_SIGNATURE,
> NULL, NULL);
> }
> +
> +int module_sig_check(struct load_info *info, int flags)
> +{
> + int err = -ENODATA;
> + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
> + const char *reason;
> + const void *mod = info->hdr;
> +
> + /*
> + * Require flags == 0, as a module with version information
> + * removed is no longer the module that was signed
> + */
> + if (flags == 0 &&
^^^^^^
This reverts a97ac8cb24a3c3ad74794adb83717ef1605d1b47
Please re-apply.
Thanks
Michal
> + info->len > markerlen &&
> + memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
> + /* We truncate the module to discard the signature */
> + info->len -= markerlen;
> + err = mod_verify_sig(mod, info);
> + if (!err) {
> + info->sig_ok = true;
> + return 0;
> + }
> + }
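Review bot: the gate `if (flags == 0 &&` in the added module_sig_check() is stricter than the `!mangled_module` test in the block removed from the core file, which only excluded MODULE_INIT_IGNORE_MODVERSIONS and MODULE_INIT_IGNORE_VERMAGIC. With this condition any other bit set in flags skips mod_verify_sig() and leaves err at -ENODATA, so info->sig_ok is never set for a module whose signature would have verified, and the move is not behaviour-preserving as the commit message claims. Carry the `mangled_module` mask and its comment over unchanged so the relocated function matches the one being deleted.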