* [PATCH v4 03/17] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
When configuration settings are disabled the guarded functions are
defined as empty stubs, so the check is unnecessary.
The specific configuration option for set_module_sig_enforced() is
about to change and removing the checks avoids some later churn.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
security/integrity/ima/ima_efi.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 138029bfcce1..a35dd166ad47 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] = {
const char * const *arch_get_ima_policy(void)
{
if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
- if (IS_ENABLED(CONFIG_MODULE_SIG))
- set_module_sig_enforced();
- if (IS_ENABLED(CONFIG_KEXEC_SIG))
- set_kexec_sig_enforced();
+ set_module_sig_enforced();
+ set_kexec_sig_enforced();
return sb_arch_rules;
}
return NULL;
--
2.52.0
^ permalink raw reply related
* [PATCH v4 00/17] module: Introduce hash-based integrity checking
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh, Coiby Xu,
kernel test robot
The current signature-based module integrity checking has some drawbacks
in combination with reproducible builds. Either the module signing key
is generated at build time, which makes the build unreproducible, or a
static signing key is used, which precludes rebuilds by third parties
and makes the whole build and packaging process much more complicated.
The goal is to reach bit-for-bit reproducibility. Excluding certain
parts of the build output from the reproducibility analysis would be
error-prone and force each downstream consumer to introduce new tooling.
Introduce a new mechanism to ensure only well-known modules are loaded
by embedding a merkle tree root of all modules built as part of the full
kernel build into vmlinux.
Interest has been proclaimed by NixOS, Arch Linux, Proxmox, SUSE and the
general reproducible builds community.
Compatibility with IMA modsig is not provided yet. It is still unclear
to me if it should be hooked up transparently without any changes to the
policy or it should require new policy options.
Further improvements:
* Use MODULE_SIG_HASH for configuration
* UAPI for discovery?
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
Changes in v4:
- Use as Merkle tree over a linera list of hashes.
- Provide compatibilith with INSTALL_MOD_STRIP
- Rework commit messages.
- Use vmlinux.unstripped over plain "vmlinux".
- Link to v3: https://lore.kernel.org/r/20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net
Changes in v3:
- Rebase on v6.15-rc1
- Use openssl to calculate hash
- Avoid warning if no modules are built
- Simplify module_integrity_check() a bit
- Make incompatibility with INSTALL_MOD_STRIP explicit
- Update docs
- Add IMA cleanups
- Link to v2: https://lore.kernel.org/r/20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net
Changes in v2:
- Drop RFC state
- Mention interested parties in cover letter
- Expand Kconfig description
- Add compatibility with CONFIG_MODULE_SIG
- Parallelize module-hashes.sh
- Update Documentation/kbuild/reproducible-builds.rst
- Link to v1: https://lore.kernel.org/r/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net
---
Coiby Xu (1):
module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
Thomas Weißschuh (16):
powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
module: Make mod_verify_sig() static
module: Switch load_info::len to size_t
kbuild: add stamp file for vmlinux BTF data
kbuild: generate module BTF based on vmlinux.unstripped
module: Deduplicate signature extraction
module: Make module loading policy usable without MODULE_SIG
module: Move integrity checks into dedicated function
module: Move lockdown check into generic module loader
module: Move signature splitting up
module: Report signature type to users
lockdown: Make the relationship to MODULE_SIG a dependency
module: Introduce hash-based integrity checking
kbuild: move handling of module stripping to Makefile.lib
kbuild: make CONFIG_MODULE_HASHES compatible with module stripping
.gitignore | 2 +
Documentation/kbuild/reproducible-builds.rst | 5 +-
Makefile | 8 +-
arch/powerpc/kernel/ima_arch.c | 3 +-
include/asm-generic/vmlinux.lds.h | 11 +
include/linux/module.h | 20 +-
include/linux/module_hashes.h | 25 ++
include/linux/module_signature.h | 5 +-
kernel/module/Kconfig | 29 +-
kernel/module/Makefile | 1 +
kernel/module/hashes.c | 92 ++++++
kernel/module/hashes_root.c | 6 +
kernel/module/internal.h | 13 +-
kernel/module/main.c | 68 +++-
kernel/module/signing.c | 83 +----
kernel/module_signature.c | 49 ++-
scripts/.gitignore | 1 +
scripts/Makefile | 3 +
scripts/Makefile.lib | 32 ++
scripts/Makefile.modfinal | 28 +-
scripts/Makefile.modinst | 46 +--
scripts/Makefile.vmlinux | 6 +
scripts/link-vmlinux.sh | 20 +-
scripts/modules-merkle-tree.c | 467 +++++++++++++++++++++++++++
security/integrity/ima/ima_efi.c | 6 +-
security/integrity/ima/ima_modsig.c | 28 +-
security/lockdown/Kconfig | 2 +-
27 files changed, 884 insertions(+), 175 deletions(-)
---
base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8
change-id: 20241225-module-hashes-7a50a7cc2a30
Best regards,
--
Thomas Weißschuh <linux@weissschuh.net>
^ permalink raw reply
* [PATCH v4 01/17] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh, Coiby Xu,
kernel test robot
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
From: Coiby Xu <coxu@redhat.com>
Currently if set_module_sig_enforced is called with CONFIG_MODULE_SIG=n
e.g. [1], it can lead to a linking error,
ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'
This happens because the actual implementation of
set_module_sig_enforced comes from CONFIG_MODULE_SIG but both the
function declaration and the empty stub definition are tied to
CONFIG_MODULES.
So bind set_module_sig_enforced to CONFIG_MODULE_SIG instead. This
allows (future) users to call set_module_sig_enforced directly without
the "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.
Note this issue hasn't caused a real problem because all current callers
of set_module_sig_enforced e.g. security/integrity/ima/ima_efi.c
use "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.
[1] https://lore.kernel.org/lkml/20250928030358.3873311-1-coxu@redhat.com/
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510030029.VRKgik99-lkp@intel.com/
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
---
From modules/modules-next
---
include/linux/module.h | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/linux/module.h b/include/linux/module.h
index d80c3ea57472..f288ca5cd95b 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -770,8 +770,6 @@ static inline bool is_livepatch_module(struct module *mod)
#endif
}
-void set_module_sig_enforced(void);
-
void module_for_each_mod(int(*func)(struct module *mod, void *data), void *data);
#else /* !CONFIG_MODULES... */
@@ -866,10 +864,6 @@ static inline bool module_requested_async_probing(struct module *module)
}
-static inline void set_module_sig_enforced(void)
-{
-}
-
/* Dereference module function descriptor */
static inline
void *dereference_module_function_descriptor(struct module *mod, void *ptr)
@@ -925,6 +919,8 @@ static inline bool retpoline_module_ok(bool has_retpoline)
#ifdef CONFIG_MODULE_SIG
bool is_module_sig_enforced(void);
+void set_module_sig_enforced(void);
+
static inline bool module_sig_ok(struct module *module)
{
return module->sig_ok;
@@ -935,6 +931,10 @@ static inline bool is_module_sig_enforced(void)
return false;
}
+static inline void set_module_sig_enforced(void)
+{
+}
+
static inline bool module_sig_ok(struct module *module)
{
return true;
--
2.52.0
^ permalink raw reply related
* [PATCH v4 05/17] module: Switch load_info::len to size_t
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
Switching the types will make some later changes cleaner.
size_t is also the semantically correct type for this field.
As both 'size_t' and 'unsigned int' are always the same size, this
should be risk-free.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
kernel/module/internal.h | 2 +-
kernel/module/main.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index e68fbcd60c35..037fbb3b7168 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -66,7 +66,7 @@ struct load_info {
/* pointer to module in temporary copy, freed at end of load_module() */
struct module *mod;
Elf_Ehdr *hdr;
- unsigned long len;
+ size_t len;
Elf_Shdr *sechdrs;
char *secstrings, *strtab;
unsigned long symoffs, stroffs, init_typeoffs, core_typeoffs;
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 710ee30b3bea..a88f95a13e06 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1838,7 +1838,7 @@ static int validate_section_offset(const struct load_info *info, Elf_Shdr *shdr)
static int elf_validity_ehdr(const struct load_info *info)
{
if (info->len < sizeof(*(info->hdr))) {
- pr_err("Invalid ELF header len %lu\n", info->len);
+ pr_err("Invalid ELF header len %zu\n", info->len);
return -ENOEXEC;
}
if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0) {
--
2.52.0
^ permalink raw reply related
* [PATCH v4 09/17] module: Make module loading policy usable without MODULE_SIG
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The loading policy functionality will also be used by the hash-based
module validation. Split it out from CONFIG_MODULE_SIG so it is usable
by both.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
include/linux/module.h | 8 ++++----
kernel/module/Kconfig | 5 ++++-
kernel/module/main.c | 26 +++++++++++++++++++++++++-
kernel/module/signing.c | 21 ---------------------
4 files changed, 33 insertions(+), 27 deletions(-)
diff --git a/include/linux/module.h b/include/linux/module.h
index f288ca5cd95b..f9601cba47cd 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -444,7 +444,7 @@ struct module {
const u32 *gpl_crcs;
bool using_gplonly_symbols;
-#ifdef CONFIG_MODULE_SIG
+#ifdef CONFIG_MODULE_SIG_POLICY
/* Signature was verified. */
bool sig_ok;
#endif
@@ -916,7 +916,7 @@ static inline bool retpoline_module_ok(bool has_retpoline)
}
#endif
-#ifdef CONFIG_MODULE_SIG
+#ifdef CONFIG_MODULE_SIG_POLICY
bool is_module_sig_enforced(void);
void set_module_sig_enforced(void);
@@ -925,7 +925,7 @@ static inline bool module_sig_ok(struct module *module)
{
return module->sig_ok;
}
-#else /* !CONFIG_MODULE_SIG */
+#else /* !CONFIG_MODULE_SIG_POLICY */
static inline bool is_module_sig_enforced(void)
{
return false;
@@ -939,7 +939,7 @@ static inline bool module_sig_ok(struct module *module)
{
return true;
}
-#endif /* CONFIG_MODULE_SIG */
+#endif /* CONFIG_MODULE_SIG_POLICY */
#if defined(CONFIG_MODULES) && defined(CONFIG_KALLSYMS)
int module_kallsyms_on_each_symbol(const char *modname,
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index e8bb2c9d917e..db3b61fb3e73 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -270,9 +270,12 @@ config MODULE_SIG
debuginfo strip done by some packagers (such as rpmbuild) and
inclusion into an initramfs that wants the module size reduced.
+config MODULE_SIG_POLICY
+ def_bool MODULE_SIG
+
config MODULE_SIG_FORCE
bool "Require modules to be validly signed"
- depends on MODULE_SIG
+ depends on MODULE_SIG_POLICY
help
Reject unsigned modules or signed modules for which we don't have a
key. Without this, such modules will simply taint the kernel.
diff --git a/kernel/module/main.c b/kernel/module/main.c
index a88f95a13e06..4442397a9f92 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -2541,7 +2541,7 @@ static void module_augment_kernel_taints(struct module *mod, struct load_info *i
mod->name);
add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK);
}
-#ifdef CONFIG_MODULE_SIG
+#ifdef CONFIG_MODULE_SIG_POLICY
mod->sig_ok = info->sig_ok;
if (!mod->sig_ok) {
pr_notice_once("%s: module verification failed: signature "
@@ -3921,3 +3921,27 @@ static int module_debugfs_init(void)
}
module_init(module_debugfs_init);
#endif
+
+#ifdef CONFIG_MODULE_SIG_POLICY
+
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "module."
+
+static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+module_param(sig_enforce, bool_enable_only, 0644);
+
+/*
+ * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+ * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
+ */
+bool is_module_sig_enforced(void)
+{
+ return sig_enforce;
+}
+EXPORT_SYMBOL(is_module_sig_enforced);
+
+void set_module_sig_enforced(void)
+{
+ sig_enforce = true;
+}
+#endif
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 6d64c0d18d0a..66d90784de89 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -16,27 +16,6 @@
#include <uapi/linux/module.h>
#include "internal.h"
-#undef MODULE_PARAM_PREFIX
-#define MODULE_PARAM_PREFIX "module."
-
-static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
-module_param(sig_enforce, bool_enable_only, 0644);
-
-/*
- * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
- * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
- */
-bool is_module_sig_enforced(void)
-{
- return sig_enforce;
-}
-EXPORT_SYMBOL(is_module_sig_enforced);
-
-void set_module_sig_enforced(void)
-{
- sig_enforce = true;
-}
-
int module_sig_check(struct load_info *info, int flags)
{
int err;
--
2.52.0
^ permalink raw reply related
* [PATCH v4 07/17] kbuild: generate module BTF based on vmlinux.unstripped
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The upcoming module hashes functionality will build the modules in
between the generation of the BTF data and the final link of vmlinux.
At this point vmlinux is not yet built and therefore can't be used for
module BTF generation. vmlinux.unstripped however is usable and
sufficient for BTF generation.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
scripts/Makefile.modfinal | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
index adfef1e002a9..930db0524a0a 100644
--- a/scripts/Makefile.modfinal
+++ b/scripts/Makefile.modfinal
@@ -40,11 +40,11 @@ quiet_cmd_ld_ko_o = LD [M] $@
quiet_cmd_btf_ko = BTF [M] $@
cmd_btf_ko = \
- if [ ! -f $(objtree)/vmlinux ]; then \
- printf "Skipping BTF generation for %s due to unavailability of vmlinux\n" $@ 1>&2; \
+ if [ ! -f $(objtree)/vmlinux.unstripped ]; then \
+ printf "Skipping BTF generation for %s due to unavailability of vmlinux.unstripped\n" $@ 1>&2; \
else \
- LLVM_OBJCOPY="$(OBJCOPY)" $(PAHOLE) -J $(PAHOLE_FLAGS) $(MODULE_PAHOLE_FLAGS) --btf_base $(objtree)/vmlinux $@; \
- $(RESOLVE_BTFIDS) -b $(objtree)/vmlinux $@; \
+ LLVM_OBJCOPY="$(OBJCOPY)" $(PAHOLE) -J $(PAHOLE_FLAGS) $(MODULE_PAHOLE_FLAGS) --btf_base $(objtree)/vmlinux.unstripped $@; \
+ $(RESOLVE_BTFIDS) -b $(objtree)/vmlinux.unstripped $@; \
fi;
# Same as newer-prereqs, but allows to exclude specified extra dependencies
--
2.52.0
^ permalink raw reply related
* [PATCH v4 10/17] module: Move integrity checks into dedicated function
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
With the addition of hash-based integrity checking, the configuration
matrix is easier to represent in a dedicated function and with explicit
usage of IS_ENABLED().
Drop the now unnecessary stub for module_sig_check().
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
kernel/module/internal.h | 7 -------
kernel/module/main.c | 18 ++++++++++++++----
2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index 037fbb3b7168..e053c29a5d08 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -337,14 +337,7 @@ int module_enforce_rwx_sections(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs,
void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
const char *secstrings);
-#ifdef CONFIG_MODULE_SIG
int module_sig_check(struct load_info *info, int flags);
-#else /* !CONFIG_MODULE_SIG */
-static inline int module_sig_check(struct load_info *info, int flags)
-{
- return 0;
-}
-#endif /* !CONFIG_MODULE_SIG */
#ifdef CONFIG_DEBUG_KMEMLEAK
void kmemleak_load_module(const struct module *mod, const struct load_info *info);
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 4442397a9f92..9c570078aa9c 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3344,6 +3344,16 @@ static int early_mod_check(struct load_info *info, int flags)
return err;
}
+static int module_integrity_check(struct load_info *info, int flags)
+{
+ int err = 0;
+
+ if (IS_ENABLED(CONFIG_MODULE_SIG))
+ err = module_sig_check(info, flags);
+
+ return err;
+}
+
/*
* Allocate and load the module: note that size of section 0 is always
* zero, and we rely on this for optional sections.
@@ -3357,18 +3367,18 @@ static int load_module(struct load_info *info, const char __user *uargs,
char *after_dashes;
/*
- * Do the signature check (if any) first. All that
- * the signature check needs is info->len, it does
+ * Do the integrity checks (if any) first. All that
+ * they need is info->len, it does
* not need any of the section info. That can be
* set up later. This will minimize the chances
* of a corrupt module causing problems before
- * we even get to the signature check.
+ * we even get to the integrity check.
*
* The check will also adjust info->len by stripping
* off the sig length at the end of the module, making
* checks against info->len more correct.
*/
- err = module_sig_check(info, flags);
+ err = module_integrity_check(info, flags);
if (err)
goto free_copy;
--
2.52.0
^ permalink raw reply related
* [PATCH v4 04/17] module: Make mod_verify_sig() static
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
It is not used outside of signing.c.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
kernel/module/internal.h | 1 -
kernel/module/signing.c | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index 618202578b42..e68fbcd60c35 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -119,7 +119,6 @@ struct module_use {
struct module *source, *target;
};
-int mod_verify_sig(const void *mod, struct load_info *info);
int try_to_force_load(struct module *mod, const char *reason);
bool find_symbol(struct find_symbol_arg *fsa);
struct module *find_module_all(const char *name, size_t len, bool even_unformed);
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..fe3f51ac6199 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -40,7 +40,7 @@ void set_module_sig_enforced(void)
/*
* Verify the signature on a module.
*/
-int mod_verify_sig(const void *mod, struct load_info *info)
+static int mod_verify_sig(const void *mod, struct load_info *info)
{
struct module_signature ms;
size_t sig_len, modlen = info->len;
--
2.52.0
^ permalink raw reply related
* [PATCH v4 11/17] module: Move lockdown check into generic module loader
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The lockdown check buried in module_sig_check() will not compose well
with the introduction of hash-based module validation.
Move it into module_integrity_check() which will work better.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
kernel/module/main.c | 6 +++++-
kernel/module/signing.c | 3 +--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 9c570078aa9c..c09b25c0166a 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3351,7 +3351,11 @@ static int module_integrity_check(struct load_info *info, int flags)
if (IS_ENABLED(CONFIG_MODULE_SIG))
err = module_sig_check(info, flags);
- return err;
+ if (err)
+ return err;
+ if (info->sig_ok)
+ return 0;
+ return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
}
/*
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 66d90784de89..8a5f66389116 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -11,7 +11,6 @@
#include <linux/module_signature.h>
#include <linux/string.h>
#include <linux/verification.h>
-#include <linux/security.h>
#include <crypto/public_key.h>
#include <uapi/linux/module.h>
#include "internal.h"
@@ -68,5 +67,5 @@ int module_sig_check(struct load_info *info, int flags)
return -EKEYREJECTED;
}
- return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
+ return 0;
}
--
2.52.0
^ permalink raw reply related
* [PATCH v4 08/17] module: Deduplicate signature extraction
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The logic to extract the signature bits from a module file are
duplicated between the module core and IMA modsig appraisal.
Unify the implementation.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
include/linux/module_signature.h | 4 +--
kernel/module/signing.c | 52 +++++++------------------------------
kernel/module_signature.c | 41 +++++++++++++++++++++++++++--
security/integrity/ima/ima_modsig.c | 24 ++++-------------
4 files changed, 56 insertions(+), 65 deletions(-)
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 7eb4b00381ac..186a55effa30 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -40,7 +40,7 @@ struct module_signature {
__be32 sig_len; /* Length of signature data */
};
-int mod_check_sig(const struct module_signature *ms, size_t file_len,
- const char *name);
+int mod_split_sig(const void *buf, size_t *buf_len, bool mangled,
+ size_t *sig_len, const u8 **sig, const char *name);
#endif /* _LINUX_MODULE_SIGNATURE_H */
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index fe3f51ac6199..6d64c0d18d0a 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -37,54 +37,22 @@ void set_module_sig_enforced(void)
sig_enforce = true;
}
-/*
- * Verify the signature on a module.
- */
-static int mod_verify_sig(const void *mod, struct load_info *info)
-{
- struct module_signature ms;
- size_t sig_len, modlen = info->len;
- int ret;
-
- pr_devel("==>%s(,%zu)\n", __func__, modlen);
-
- if (modlen <= sizeof(ms))
- return -EBADMSG;
-
- memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
-
- ret = mod_check_sig(&ms, modlen, "module");
- if (ret)
- return ret;
-
- sig_len = be32_to_cpu(ms.sig_len);
- modlen -= sig_len + sizeof(ms);
- info->len = modlen;
-
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
- VERIFY_USE_SECONDARY_KEYRING,
- VERIFYING_MODULE_SIGNATURE,
- NULL, NULL);
-}
-
int module_sig_check(struct load_info *info, int flags)
{
- int err = -ENODATA;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ int err;
const char *reason;
const void *mod = info->hdr;
+ size_t sig_len;
+ const u8 *sig;
bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
MODULE_INIT_IGNORE_VERMAGIC);
- /*
- * Do not allow mangled modules as a module with version information
- * removed is no longer the module that was signed.
- */
- if (!mangled_module &&
- info->len > markerlen &&
- memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
- /* We truncate the module to discard the signature */
- info->len -= markerlen;
- err = mod_verify_sig(mod, info);
+
+ err = mod_split_sig(info->hdr, &info->len, mangled_module, &sig_len, &sig, "module");
+ if (!err) {
+ err = verify_pkcs7_signature(mod, info->len, sig, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
if (!err) {
info->sig_ok = true;
return 0;
diff --git a/kernel/module_signature.c b/kernel/module_signature.c
index 00132d12487c..b2384a73524c 100644
--- a/kernel/module_signature.c
+++ b/kernel/module_signature.c
@@ -8,6 +8,7 @@
#include <linux/errno.h>
#include <linux/printk.h>
+#include <linux/string.h>
#include <linux/module_signature.h>
#include <asm/byteorder.h>
@@ -18,8 +19,8 @@
* @file_len: Size of the file to which @ms is appended.
* @name: What is being checked. Used for error messages.
*/
-int mod_check_sig(const struct module_signature *ms, size_t file_len,
- const char *name)
+static int mod_check_sig(const struct module_signature *ms, size_t file_len,
+ const char *name)
{
if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
return -EBADMSG;
@@ -44,3 +45,39 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len,
return 0;
}
+
+int mod_split_sig(const void *buf, size_t *buf_len, bool mangled,
+ size_t *sig_len, const u8 **sig, const char *name)
+{
+ const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ struct module_signature ms;
+ size_t modlen = *buf_len;
+ int ret;
+
+ /*
+ * Do not allow mangled modules as a module with version information
+ * removed is no longer the module that was signed.
+ */
+ if (!mangled &&
+ *buf_len > markerlen &&
+ memcmp(buf + modlen - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+ /* We truncate the module to discard the signature */
+ modlen -= markerlen;
+ }
+
+ if (modlen <= sizeof(ms))
+ return -EBADMSG;
+
+ memcpy(&ms, buf + (modlen - sizeof(ms)), sizeof(ms));
+
+ ret = mod_check_sig(&ms, modlen, name);
+ if (ret)
+ return ret;
+
+ *sig_len = be32_to_cpu(ms.sig_len);
+ modlen -= *sig_len + sizeof(ms);
+ *buf_len = modlen;
+ *sig = buf + modlen;
+
+ return 0;
+}
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index 3265d744d5ce..a57342d39b07 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -40,44 +40,30 @@ struct modsig {
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
struct modsig **modsig)
{
- const size_t marker_len = strlen(MODULE_SIG_STRING);
- const struct module_signature *sig;
+ size_t buf_len_sz = buf_len;
struct modsig *hdr;
size_t sig_len;
- const void *p;
+ const u8 *sig;
int rc;
- if (buf_len <= marker_len + sizeof(*sig))
- return -ENOENT;
-
- p = buf + buf_len - marker_len;
- if (memcmp(p, MODULE_SIG_STRING, marker_len))
- return -ENOENT;
-
- buf_len -= marker_len;
- sig = (const struct module_signature *)(p - sizeof(*sig));
-
- rc = mod_check_sig(sig, buf_len, func_tokens[func]);
+ rc = mod_split_sig(buf, &buf_len_sz, true, &sig_len, &sig, func_tokens[func]);
if (rc)
return rc;
- sig_len = be32_to_cpu(sig->sig_len);
- buf_len -= sig_len + sizeof(*sig);
-
/* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */
hdr = kzalloc(struct_size(hdr, raw_pkcs7, sig_len), GFP_KERNEL);
if (!hdr)
return -ENOMEM;
hdr->raw_pkcs7_len = sig_len;
- hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
+ hdr->pkcs7_msg = pkcs7_parse_message(sig, sig_len);
if (IS_ERR(hdr->pkcs7_msg)) {
rc = PTR_ERR(hdr->pkcs7_msg);
kfree(hdr);
return rc;
}
- memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
+ memcpy(hdr->raw_pkcs7, sig, sig_len);
/* We don't know the hash algorithm yet. */
hdr->hash_algo = HASH_ALGO__LAST;
--
2.52.0
^ permalink raw reply related
* [PATCH v4 12/17] module: Move signature splitting up
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The signature splitting will also be used by CONFIG_MODULE_HASHES.
Move it up the callchain, so the result can be reused.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
kernel/module/internal.h | 2 +-
kernel/module/main.c | 13 ++++++++++++-
kernel/module/signing.c | 21 +++++++--------------
3 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index e053c29a5d08..e2d49122c2a1 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -337,7 +337,7 @@ int module_enforce_rwx_sections(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs,
void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
const char *secstrings);
-int module_sig_check(struct load_info *info, int flags);
+int module_sig_check(struct load_info *info, const u8 *sig, size_t sig_len);
#ifdef CONFIG_DEBUG_KMEMLEAK
void kmemleak_load_module(const struct module *mod, const struct load_info *info);
diff --git a/kernel/module/main.c b/kernel/module/main.c
index c09b25c0166a..d65bc300a78c 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3346,10 +3346,21 @@ static int early_mod_check(struct load_info *info, int flags)
static int module_integrity_check(struct load_info *info, int flags)
{
+ bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
+ MODULE_INIT_IGNORE_VERMAGIC);
+ size_t sig_len;
+ const u8 *sig;
int err = 0;
+ if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) {
+ err = mod_split_sig(info->hdr, &info->len, mangled_module,
+ &sig_len, &sig, "module");
+ if (err)
+ return err;
+ }
+
if (IS_ENABLED(CONFIG_MODULE_SIG))
- err = module_sig_check(info, flags);
+ err = module_sig_check(info, sig, sig_len);
if (err)
return err;
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 8a5f66389116..86164761cac7 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -15,26 +15,19 @@
#include <uapi/linux/module.h>
#include "internal.h"
-int module_sig_check(struct load_info *info, int flags)
+int module_sig_check(struct load_info *info, const u8 *sig, size_t sig_len)
{
int err;
const char *reason;
const void *mod = info->hdr;
- size_t sig_len;
- const u8 *sig;
- bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
- MODULE_INIT_IGNORE_VERMAGIC);
- err = mod_split_sig(info->hdr, &info->len, mangled_module, &sig_len, &sig, "module");
+ err = verify_pkcs7_signature(mod, info->len, sig, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
if (!err) {
- err = verify_pkcs7_signature(mod, info->len, sig, sig_len,
- VERIFY_USE_SECONDARY_KEYRING,
- VERIFYING_MODULE_SIGNATURE,
- NULL, NULL);
- if (!err) {
- info->sig_ok = true;
- return 0;
- }
+ info->sig_ok = true;
+ return 0;
}
/*
--
2.52.0
^ permalink raw reply related
* [PATCH v4 14/17] lockdown: Make the relationship to MODULE_SIG a dependency
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The new hash-based module integrity checking will also be able to
satisfy the requirements of lockdown.
Such an alternative is not representable with "select", so use
"depends on" instead.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
security/lockdown/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e84ddf484010..155959205b8e 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -1,7 +1,7 @@
config SECURITY_LOCKDOWN_LSM
bool "Basic module for enforcing kernel lockdown"
depends on SECURITY
- select MODULE_SIG if MODULES
+ depends on !MODULES || MODULE_SIG
help
Build support for an LSM that enforces a coarse kernel lockdown
behaviour.
--
2.52.0
^ permalink raw reply related
* [PATCH v4 13/17] module: Report signature type to users
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The upcoming CONFIG_MODULE_HASHES will introduce a signature type.
This needs to be handled by callers differently than PKCS7 signatures.
Report the signature type to the caller and let them verify it.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
include/linux/module_signature.h | 2 +-
kernel/module/main.c | 9 +++++++--
kernel/module_signature.c | 14 ++++----------
security/integrity/ima/ima_modsig.c | 8 +++++++-
4 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index 186a55effa30..a45ce3b24403 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -41,6 +41,6 @@ struct module_signature {
};
int mod_split_sig(const void *buf, size_t *buf_len, bool mangled,
- size_t *sig_len, const u8 **sig, const char *name);
+ enum pkey_id_type *sig_type, size_t *sig_len, const u8 **sig, const char *name);
#endif /* _LINUX_MODULE_SIGNATURE_H */
diff --git a/kernel/module/main.c b/kernel/module/main.c
index d65bc300a78c..2a28a0ece809 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3348,19 +3348,24 @@ static int module_integrity_check(struct load_info *info, int flags)
{
bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
MODULE_INIT_IGNORE_VERMAGIC);
+ enum pkey_id_type sig_type;
size_t sig_len;
const u8 *sig;
int err = 0;
if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) {
err = mod_split_sig(info->hdr, &info->len, mangled_module,
- &sig_len, &sig, "module");
+ &sig_type, &sig_len, &sig, "module");
if (err)
return err;
}
- if (IS_ENABLED(CONFIG_MODULE_SIG))
+ if (IS_ENABLED(CONFIG_MODULE_SIG) && sig_type == PKEY_ID_PKCS7) {
err = module_sig_check(info, sig, sig_len);
+ } else {
+ pr_err("module: not signed with expected PKCS#7 message\n");
+ err = -ENOPKG;
+ }
if (err)
return err;
diff --git a/kernel/module_signature.c b/kernel/module_signature.c
index b2384a73524c..8e0ac9906c9c 100644
--- a/kernel/module_signature.c
+++ b/kernel/module_signature.c
@@ -19,18 +19,11 @@
* @file_len: Size of the file to which @ms is appended.
* @name: What is being checked. Used for error messages.
*/
-static int mod_check_sig(const struct module_signature *ms, size_t file_len,
- const char *name)
+static int mod_check_sig(const struct module_signature *ms, size_t file_len, const char *name)
{
if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
return -EBADMSG;
- if (ms->id_type != PKEY_ID_PKCS7) {
- pr_err("%s: not signed with expected PKCS#7 message\n",
- name);
- return -ENOPKG;
- }
-
if (ms->algo != 0 ||
ms->hash != 0 ||
ms->signer_len != 0 ||
@@ -38,7 +31,7 @@ static int mod_check_sig(const struct module_signature *ms, size_t file_len,
ms->__pad[0] != 0 ||
ms->__pad[1] != 0 ||
ms->__pad[2] != 0) {
- pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n",
+ pr_err("%s: signature info has unexpected non-zero params\n",
name);
return -EBADMSG;
}
@@ -47,7 +40,7 @@ static int mod_check_sig(const struct module_signature *ms, size_t file_len,
}
int mod_split_sig(const void *buf, size_t *buf_len, bool mangled,
- size_t *sig_len, const u8 **sig, const char *name)
+ enum pkey_id_type *sig_type, size_t *sig_len, const u8 **sig, const char *name)
{
const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
struct module_signature ms;
@@ -74,6 +67,7 @@ int mod_split_sig(const void *buf, size_t *buf_len, bool mangled,
if (ret)
return ret;
+ *sig_type = ms.id_type;
*sig_len = be32_to_cpu(ms.sig_len);
modlen -= *sig_len + sizeof(ms);
*buf_len = modlen;
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index a57342d39b07..a05008324a10 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -41,15 +41,21 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
struct modsig **modsig)
{
size_t buf_len_sz = buf_len;
+ enum pkey_id_type sig_type;
struct modsig *hdr;
size_t sig_len;
const u8 *sig;
int rc;
- rc = mod_split_sig(buf, &buf_len_sz, true, &sig_len, &sig, func_tokens[func]);
+ rc = mod_split_sig(buf, &buf_len_sz, true, &sig_type, &sig_len, &sig, func_tokens[func]);
if (rc)
return rc;
+ if (sig_type != PKEY_ID_PKCS7) {
+ pr_err("%s: not signed with expected PKCS#7 message\n", func_tokens[func]);
+ return -ENOPKG;
+ }
+
/* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */
hdr = kzalloc(struct_size(hdr, raw_pkcs7, sig_len), GFP_KERNEL);
if (!hdr)
--
2.52.0
^ permalink raw reply related
* [PATCH v4 17/17] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping
From: Thomas Weißschuh @ 2026-01-13 12:29 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
CONFIG_MODULE_HASHES needs to process the modules at build time in the
exact form they will be loaded at runtime. If the modules are stripped
afterwards they will not be loadable anymore.
Also evaluate INSTALL_MOD_STRIP at build time and build the hashes based
on modules stripped this way.
If users specify inconsistent values of INSTALL_MOD_STRIP between build
and installation time, an error is reported.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
.gitignore | 1 +
kernel/module/Kconfig | 5 +++++
scripts/Makefile.modfinal | 9 +++++++--
scripts/Makefile.modinst | 4 ++--
scripts/Makefile.vmlinux | 1 +
5 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 299c54083672..900251c72ade 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,6 +29,7 @@
*.gz
*.i
*.ko
+*.ko.stripped
*.lex.c
*.ll
*.lst
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index c00ca830330c..9fd34765ce2c 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -425,6 +425,11 @@ config MODULE_HASHES
Also see the warning in MODULE_SIG about stripping modules.
+# To validate the consistency of INSTALL_MOD_STRIP for MODULE_HASHES
+config MODULE_INSTALL_STRIP
+ string
+ default "$(INSTALL_MOD_STRIP)"
+
config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
bool "Allow loading of modules with missing namespace imports"
help
diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
index 5b8e94170beb..890724edac69 100644
--- a/scripts/Makefile.modfinal
+++ b/scripts/Makefile.modfinal
@@ -63,10 +63,14 @@ ifdef CONFIG_DEBUG_INFO_BTF_MODULES
endif
+$(call cmd,check_tracepoint)
+%.ko.stripped: %.ko $(wildcard include/config/MODULE_INSTALL_STRIP)
+ $(call cmd,install_mod)
+ $(call cmd,strip_mod)
+
quiet_cmd_merkle = MERKLE $@
- cmd_merkle = $(objtree)/scripts/modules-merkle-tree $@ .ko
+ cmd_merkle = $(objtree)/scripts/modules-merkle-tree $@ $(if $(CONFIG_MODULE_INSTALL_STRIP),.ko.stripped,.ko)
-.tmp_module_hashes.c: $(modules:%.o=%.ko) $(objtree)/scripts/modules-merkle-tree FORCE
+.tmp_module_hashes.c: $(if $(CONFIG_MODULE_INSTALL_STRIP),$(modules:%.o=%.ko.stripped),$(modules:%.o=%.ko)) $(objtree)/scripts/modules-merkle-tree $(wildcard include/config/MODULE_INSTALL_STRIP) FORCE
$(call cmd,merkle)
ifdef CONFIG_MODULE_HASHES
@@ -75,6 +79,7 @@ endif
targets += $(modules:%.o=%.ko) $(modules:%.o=%.mod.o) .module-common.o
targets += $(modules:%.o=%.merkle) .tmp_module_hashes.c
+targets += $(modules:%.o=%.ko.stripped)
# Add FORCE to the prerequisites of a target to force it to be always rebuilt.
# ---------------------------------------------------------------------------
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 07380c7233a0..45606f994ad9 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -68,8 +68,8 @@ __modinst: $(install-y)
ifdef CONFIG_MODULE_HASHES
ifeq ($(KBUILD_EXTMOD),)
-ifdef INSTALL_MOD_STRIP
-$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive)
+ifneq ($(INSTALL_MOD_STRIP),$(CONFIG_MODULE_INSTALL_STRIP))
+$(error Inconsistent values for INSTALL_MOD_STRIP between build and installation)
endif
endif
endif
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index f4e38b953b01..4ce849f6253a 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -81,6 +81,7 @@ endif
ifdef CONFIG_MODULE_HASHES
vmlinux.unstripped: $(objtree)/scripts/modules-merkle-tree
vmlinux.unstripped: modules.order
+vmlinux.unstripped: $(wildcard include/config/MODULE_INSTALL_STRIP)
endif
# vmlinux
--
2.52.0
^ permalink raw reply related
* [PATCH v4 16/17] kbuild: move handling of module stripping to Makefile.lib
From: Thomas Weißschuh @ 2026-01-13 12:29 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To allow CONFIG_MODULE_HASHES in combination with INSTALL_MOD_STRIP,
this logc will also be used by Makefile.modfinal.
Move it to a shared location to enable reuse.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
scripts/Makefile.lib | 32 ++++++++++++++++++++++++++++++++
scripts/Makefile.modinst | 37 +++++--------------------------------
2 files changed, 37 insertions(+), 32 deletions(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 28a1c08e3b22..7fcf3c43e408 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -474,6 +474,38 @@ define sed-offsets
s:->::; p;}'
endef
+#
+# Module Installation
+#
+quiet_cmd_install_mod = INSTALL $@
+ cmd_install_mod = cp $< $@
+
+# Module Strip
+# ---------------------------------------------------------------------------
+#
+# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after they
+# are installed. If INSTALL_MOD_STRIP is '1', then the default option
+# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be used
+# as the options to the strip command.
+ifeq ($(INSTALL_MOD_STRIP),1)
+mod-strip-option := --strip-debug
+else
+mod-strip-option := $(INSTALL_MOD_STRIP)
+endif
+
+# Strip
+ifdef INSTALL_MOD_STRIP
+
+quiet_cmd_strip_mod = STRIP $@
+ cmd_strip_mod = $(STRIP) $(mod-strip-option) $@
+
+else
+
+quiet_cmd_strip_mod =
+ cmd_strip_mod = :
+
+endif
+
# Use filechk to avoid rebuilds when a header changes, but the resulting file
# does not
define filechk_offsets
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index ba4343b40497..07380c7233a0 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -8,6 +8,7 @@ __modinst:
include $(objtree)/include/config/auto.conf
include $(srctree)/scripts/Kbuild.include
+include $(srctree)/scripts/Makefile.lib
install-y :=
@@ -36,7 +37,7 @@ install-y += $(addprefix $(MODLIB)/, modules.builtin modules.builtin.modinfo)
install-$(CONFIG_BUILTIN_MODULE_RANGES) += $(MODLIB)/modules.builtin.ranges
$(addprefix $(MODLIB)/, modules.builtin modules.builtin.modinfo modules.builtin.ranges): $(MODLIB)/%: % FORCE
- $(call cmd,install)
+ $(call cmd,install_mod)
endif
@@ -65,40 +66,12 @@ install-$(CONFIG_MODULES) += $(modules)
__modinst: $(install-y)
@:
-#
-# Installation
-#
-quiet_cmd_install = INSTALL $@
- cmd_install = cp $< $@
-
-# Strip
-#
-# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after they
-# are installed. If INSTALL_MOD_STRIP is '1', then the default option
-# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be used
-# as the options to the strip command.
-ifdef INSTALL_MOD_STRIP
-
ifdef CONFIG_MODULE_HASHES
ifeq ($(KBUILD_EXTMOD),)
+ifdef INSTALL_MOD_STRIP
$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive)
endif
endif
-
-ifeq ($(INSTALL_MOD_STRIP),1)
-strip-option := --strip-debug
-else
-strip-option := $(INSTALL_MOD_STRIP)
-endif
-
-quiet_cmd_strip = STRIP $@
- cmd_strip = $(STRIP) $(strip-option) $@
-
-else
-
-quiet_cmd_strip =
- cmd_strip = :
-
endif
#
@@ -133,8 +106,8 @@ endif
$(foreach dir, $(sort $(dir $(install-y))), $(shell mkdir -p $(dir)))
$(dst)/%.ko: %.ko FORCE
- $(call cmd,install)
- $(call cmd,strip)
+ $(call cmd,install_mod)
+ $(call cmd,strip_mod)
$(call cmd,sign)
ifdef CONFIG_MODULES
--
2.52.0
^ permalink raw reply related
* [PATCH v4 06/17] kbuild: add stamp file for vmlinux BTF data
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The upcoming module hashes functionality will build the modules in
between the generation of the BTF data and the final link of vmlinux.
Having a dependency from the modules on vmlinux would make this
impossible as it would mean having a cyclic dependency.
Break this cyclic dependency by introducing a new target.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
scripts/Makefile.modfinal | 4 ++--
scripts/link-vmlinux.sh | 6 ++++++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
index 149e12ff5700..adfef1e002a9 100644
--- a/scripts/Makefile.modfinal
+++ b/scripts/Makefile.modfinal
@@ -56,8 +56,8 @@ if_changed_except = $(if $(call newer_prereqs_except,$(2))$(cmd-check), \
printf '%s\n' 'savedcmd_$@ := $(make-cmd)' > $(dot-target).cmd, @:)
# Re-generate module BTFs if either module's .ko or vmlinux changed
-%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(CONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/vmlinux) FORCE
- +$(call if_changed_except,ld_ko_o,$(objtree)/vmlinux)
+%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(CONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/.tmp_vmlinux_btf.stamp) FORCE
+ +$(call if_changed_except,ld_ko_o,$(objtree)/.tmp_vmlinux_btf.stamp)
ifdef CONFIG_DEBUG_INFO_BTF_MODULES
+$(if $(newer-prereqs),$(call cmd,btf_ko))
endif
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
index 4ab44c73da4d..8c98f8645a5c 100755
--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
@@ -111,6 +111,7 @@ vmlinux_link()
gen_btf()
{
local btf_data=${1}.btf.o
+ local btf_stamp=.tmp_vmlinux_btf.stamp
info BTF "${btf_data}"
LLVM_OBJCOPY="${OBJCOPY}" ${PAHOLE} -J ${PAHOLE_FLAGS} ${1}
@@ -131,6 +132,11 @@ gen_btf()
fi
printf "${et_rel}" | dd of="${btf_data}" conv=notrunc bs=1 seek=16 status=none
+ info STAMP $btf_stamp
+ if ! cmp --silent $btf_data $btf_stamp; then
+ cp $btf_data $btf_stamp
+ fi
+
btf_vmlinux_bin_o=${btf_data}
}
--
2.52.0
^ permalink raw reply related
* [PATCH v4 15/17] module: Introduce hash-based integrity checking
From: Thomas Weißschuh @ 2026-01-13 12:28 UTC (permalink / raw)
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier,
Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi,
Sebastian Andrzej Siewior, linux-kbuild, linux-kernel, linux-arch,
linux-modules, linux-security-module, linux-doc, linuxppc-dev,
linux-integrity, Thomas Weißschuh
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
The current signature-based module integrity checking has some drawbacks
in combination with reproducible builds. Either the module signing key
is generated at build time, which makes the build unreproducible, or a
static signing key is used, which precludes rebuilds by third parties
and makes the whole build and packaging process much more complicated.
The goal is to reach bit-for-bit reproducibility. Excluding certain
parts of the build output from the reproducibility analysis would be
error-prone and force each downstream consumer to introduce new tooling.
Introduce a new mechanism to ensure only well-known modules are loaded
by embedding a merkle tree root of all modules built as part of the full
kernel build into vmlinux.
Non-builtin modules can be validated as before through signatures.
Normally the .ko module files depend on a fully built vmlinux to be
available for modpost validation and BTF generation. With
CONFIG_MODULE_HASHES, vmlinux now depends on the modules
to build a merkle tree. This introduces a dependency cycle which is
impossible to satisfy. Work around this by building the modules during
link-vmlinux.sh, after vmlinux is complete enough for modpost and BTF
but before the final module hashes are
The PKCS7 format which is used for regular module signatures can not
represent Merkle proofs, so a new kind of module signature is
introduced. As this signature type is only ever used for builtin
modules, no compatibility issues can arise.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
.gitignore | 1 +
Documentation/kbuild/reproducible-builds.rst | 5 +-
Makefile | 8 +-
include/asm-generic/vmlinux.lds.h | 11 +
include/linux/module_hashes.h | 25 ++
include/linux/module_signature.h | 1 +
kernel/module/Kconfig | 21 +-
kernel/module/Makefile | 1 +
kernel/module/hashes.c | 92 ++++++
kernel/module/hashes_root.c | 6 +
kernel/module/internal.h | 1 +
kernel/module/main.c | 4 +-
scripts/.gitignore | 1 +
scripts/Makefile | 3 +
scripts/Makefile.modfinal | 11 +
scripts/Makefile.modinst | 13 +
scripts/Makefile.vmlinux | 5 +
scripts/link-vmlinux.sh | 14 +-
scripts/modules-merkle-tree.c | 467 +++++++++++++++++++++++++++
security/lockdown/Kconfig | 2 +-
20 files changed, 685 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index 3a7241c941f5..299c54083672 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,6 +35,7 @@
*.lz4
*.lzma
*.lzo
+*.merkle
*.mod
*.mod.c
*.o
diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/kbuild/reproducible-builds.rst
index 96d208e578cd..bfde81e47b2d 100644
--- a/Documentation/kbuild/reproducible-builds.rst
+++ b/Documentation/kbuild/reproducible-builds.rst
@@ -82,7 +82,10 @@ generate a different temporary key for each build, resulting in the
modules being unreproducible. However, including a signing key with
your source would presumably defeat the purpose of signing modules.
-One approach to this is to divide up the build process so that the
+Instead ``CONFIG_MODULE_HASHES`` can be used to embed a static list
+of valid modules to load.
+
+Another approach to this is to divide up the build process so that the
unreproducible parts can be treated as sources:
1. Generate a persistent signing key. Add the certificate for the key
diff --git a/Makefile b/Makefile
index e404e4767944..841772a5a260 100644
--- a/Makefile
+++ b/Makefile
@@ -1588,8 +1588,10 @@ endif
# is an exception.
ifdef CONFIG_DEBUG_INFO_BTF_MODULES
KBUILD_BUILTIN := y
+ifndef CONFIG_MODULE_HASHES
modules: vmlinux
endif
+endif
modules: modules_prepare
@@ -1981,7 +1983,11 @@ modules.order: $(build-dir)
# KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules.
# This is solely useful to speed up test compiles.
modules: modpost
-ifneq ($(KBUILD_MODPOST_NOFINAL),1)
+ifdef CONFIG_MODULE_HASHES
+ifeq ($(MODULE_HASHES_MODPOST_FINAL), 1)
+ $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modfinal
+endif
+else ifneq ($(KBUILD_MODPOST_NOFINAL),1)
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modfinal
endif
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index 8ca130af301f..d3846845e37b 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -508,6 +508,8 @@
\
PRINTK_INDEX \
\
+ MODULE_HASHES \
+ \
/* Kernel symbol table: Normal symbols */ \
__ksymtab : AT(ADDR(__ksymtab) - LOAD_OFFSET) { \
__start___ksymtab = .; \
@@ -918,6 +920,15 @@
#define PRINTK_INDEX
#endif
+#ifdef CONFIG_MODULE_HASHES
+#define MODULE_HASHES \
+ .module_hashes : AT(ADDR(.module_hashes) - LOAD_OFFSET) { \
+ KEEP(*(SORT(.module_hashes))) \
+ }
+#else
+#define MODULE_HASHES
+#endif
+
/*
* Discard .note.GNU-stack, which is emitted as PROGBITS by the compiler.
* Otherwise, the type of .notes section would become PROGBITS instead of NOTES.
diff --git a/include/linux/module_hashes.h b/include/linux/module_hashes.h
new file mode 100644
index 000000000000..de61072627cc
--- /dev/null
+++ b/include/linux/module_hashes.h
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#ifndef _LINUX_MODULE_HASHES_H
+#define _LINUX_MODULE_HASHES_H
+
+#include <linux/compiler_attributes.h>
+#include <linux/types.h>
+#include <crypto/sha2.h>
+
+#define __module_hashes_section __section(".module_hashes")
+#define MODULE_HASHES_HASH_SIZE SHA256_DIGEST_SIZE
+
+struct module_hashes_proof {
+ __be32 pos;
+ u8 hash_sigs[][MODULE_HASHES_HASH_SIZE];
+} __packed;
+
+struct module_hashes_root {
+ u32 levels;
+ u8 hash[MODULE_HASHES_HASH_SIZE];
+};
+
+extern const struct module_hashes_root module_hashes_root;
+
+#endif /* _LINUX_MODULE_HASHES_H */
diff --git a/include/linux/module_signature.h b/include/linux/module_signature.h
index a45ce3b24403..3b510651830d 100644
--- a/include/linux/module_signature.h
+++ b/include/linux/module_signature.h
@@ -18,6 +18,7 @@ enum pkey_id_type {
PKEY_ID_PGP, /* OpenPGP generated key ID */
PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
+ PKEY_ID_MERKLE, /* Merkle proof for modules */
};
/*
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index db3b61fb3e73..c00ca830330c 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -271,7 +271,7 @@ config MODULE_SIG
inclusion into an initramfs that wants the module size reduced.
config MODULE_SIG_POLICY
- def_bool MODULE_SIG
+ def_bool MODULE_SIG || MODULE_HASHES
config MODULE_SIG_FORCE
bool "Require modules to be validly signed"
@@ -289,7 +289,7 @@ config MODULE_SIG_ALL
modules must be signed manually, using the scripts/sign-file tool.
comment "Do not forget to sign required modules with scripts/sign-file"
- depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
+ depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL && !MODULE_HASHES
choice
prompt "Hash algorithm to sign modules"
@@ -408,6 +408,23 @@ config MODULE_DECOMPRESS
If unsure, say N.
+config MODULE_HASHES
+ bool "Module hash validation"
+ depends on !MODULE_SIG_ALL
+ depends on !IMA_APPRAISE_MODSIG
+ select MODULE_SIG_FORMAT
+ select CRYPTO_LIB_SHA256
+ help
+ Validate modules by their hashes.
+ Only modules built together with the main kernel image can be
+ validated that way.
+
+ This is a reproducible-build compatible alternative to a build-time
+ generated module keyring, as enabled by
+ CONFIG_MODULE_SIG_KEY=certs/signing_key.pem.
+
+ Also see the warning in MODULE_SIG about stripping modules.
+
config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
bool "Allow loading of modules with missing namespace imports"
help
diff --git a/kernel/module/Makefile b/kernel/module/Makefile
index d9e8759a7b05..dd37aaf4a61a 100644
--- a/kernel/module/Makefile
+++ b/kernel/module/Makefile
@@ -25,3 +25,4 @@ obj-$(CONFIG_KGDB_KDB) += kdb.o
obj-$(CONFIG_MODVERSIONS) += version.o
obj-$(CONFIG_MODULE_UNLOAD_TAINT_TRACKING) += tracking.o
obj-$(CONFIG_MODULE_STATS) += stats.o
+obj-$(CONFIG_MODULE_HASHES) += hashes.o hashes_root.o
diff --git a/kernel/module/hashes.c b/kernel/module/hashes.c
new file mode 100644
index 000000000000..23ca9f66652f
--- /dev/null
+++ b/kernel/module/hashes.c
@@ -0,0 +1,92 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/* Module hash-based integrity checker
+ *
+ * Copyright (C) 2025 Thomas Weißschuh <linux@weissschuh.net>
+ * Copyright (C) 2025 Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+ */
+
+#define pr_fmt(fmt) "module/hash: " fmt
+
+#include <linux/module_hashes.h>
+#include <linux/module.h>
+#include <linux/unaligned.h>
+
+#include <crypto/sha2.h>
+
+#include "internal.h"
+
+static __init __maybe_unused int module_hashes_init(void)
+{
+ pr_debug("root: levels=%u hash=%*phN\n",
+ module_hashes_root.levels,
+ (int)sizeof(module_hashes_root.hash), module_hashes_root.hash);
+
+ return 0;
+}
+
+#if IS_ENABLED(CONFIG_MODULE_DEBUG)
+early_initcall(module_hashes_init);
+#endif
+
+static void hash_entry(const void *left, const void *right, void *out)
+{
+ struct sha256_ctx ctx;
+ u8 magic = 0x02;
+
+ sha256_init(&ctx);
+ sha256_update(&ctx, &magic, sizeof(magic));
+ sha256_update(&ctx, left, MODULE_HASHES_HASH_SIZE);
+ sha256_update(&ctx, right, MODULE_HASHES_HASH_SIZE);
+ sha256_final(&ctx, out);
+}
+
+static void hash_data(const void *d, size_t len, unsigned int pos, void *out)
+{
+ struct sha256_ctx ctx;
+ u8 magic = 0x01;
+ __be32 pos_be;
+
+ pos_be = cpu_to_be32(pos);
+
+ sha256_init(&ctx);
+ sha256_update(&ctx, &magic, sizeof(magic));
+ sha256_update(&ctx, (const u8 *)&pos_be, sizeof(pos_be));
+ sha256_update(&ctx, d, len);
+ sha256_final(&ctx, out);
+}
+
+static bool module_hashes_verify_proof(u32 pos, const u8 hash_sigs[][MODULE_HASHES_HASH_SIZE],
+ u8 *cur)
+{
+ for (unsigned int i = 0; i < module_hashes_root.levels; i++, pos >>= 1) {
+ if ((pos & 1) == 0)
+ hash_entry(cur, hash_sigs[i], cur);
+ else
+ hash_entry(hash_sigs[i], cur, cur);
+ }
+
+ return !memcmp(cur, module_hashes_root.hash, MODULE_HASHES_HASH_SIZE);
+}
+
+int module_hash_check(struct load_info *info, const u8 *sig, size_t sig_len)
+{
+ u8 modhash[MODULE_HASHES_HASH_SIZE];
+ const struct module_hashes_proof *proof;
+ size_t proof_size;
+ u32 pos;
+
+ proof_size = struct_size(proof, hash_sigs, module_hashes_root.levels);
+
+ if (sig_len != proof_size)
+ return -ENOPKG;
+
+ proof = (const struct module_hashes_proof *)sig;
+ pos = get_unaligned_be32(&proof->pos);
+
+ hash_data(info->hdr, info->len, pos, &modhash);
+
+ if (module_hashes_verify_proof(pos, proof->hash_sigs, modhash))
+ info->sig_ok = true;
+
+ return 0;
+}
diff --git a/kernel/module/hashes_root.c b/kernel/module/hashes_root.c
new file mode 100644
index 000000000000..1abfcd3aa679
--- /dev/null
+++ b/kernel/module/hashes_root.c
@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+#include <linux/module_hashes.h>
+
+/* Blank dummy data. Will be overridden by link-vmlinux.sh */
+const struct module_hashes_root module_hashes_root __module_hashes_section = {};
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index e2d49122c2a1..e22837d3ac76 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -338,6 +338,7 @@ void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
const char *secstrings);
int module_sig_check(struct load_info *info, const u8 *sig, size_t sig_len);
+int module_hash_check(struct load_info *info, const u8 *sig, size_t sig_len);
#ifdef CONFIG_DEBUG_KMEMLEAK
void kmemleak_load_module(const struct module *mod, const struct load_info *info);
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 2a28a0ece809..fa30b6387936 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3362,8 +3362,10 @@ static int module_integrity_check(struct load_info *info, int flags)
if (IS_ENABLED(CONFIG_MODULE_SIG) && sig_type == PKEY_ID_PKCS7) {
err = module_sig_check(info, sig, sig_len);
+ } else if (IS_ENABLED(CONFIG_MODULE_HASHES) && sig_type == PKEY_ID_MERKLE) {
+ err = module_hash_check(info, sig, sig_len);
} else {
- pr_err("module: not signed with expected PKCS#7 message\n");
+ pr_err("module: not signed with signature mechanism\n");
err = -ENOPKG;
}
diff --git a/scripts/.gitignore b/scripts/.gitignore
index 4215c2208f7e..8dad9b0d3b2d 100644
--- a/scripts/.gitignore
+++ b/scripts/.gitignore
@@ -5,6 +5,7 @@
/insert-sys-cert
/kallsyms
/module.lds
+/modules-merkle-tree
/recordmcount
/rustdoc_test_builder
/rustdoc_test_gen
diff --git a/scripts/Makefile b/scripts/Makefile
index 0941e5ce7b57..f539e4d93af7 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -11,6 +11,7 @@ hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
hostprogs-always-$(CONFIG_RUST_KERNEL_DOCTESTS) += rustdoc_test_builder
hostprogs-always-$(CONFIG_RUST_KERNEL_DOCTESTS) += rustdoc_test_gen
+hostprogs-always-$(CONFIG_MODULE_HASHES) += modules-merkle-tree
hostprogs-always-$(CONFIG_TRACEPOINTS) += tracepoint-update
sorttable-objs := sorttable.o elf-parse.o
@@ -36,6 +37,8 @@ HOSTLDLIBS_sorttable = -lpthread
HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
HOSTCFLAGS_sign-file.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
HOSTLDLIBS_sign-file = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
+HOSTCFLAGS_modules-merkle-tree.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
+HOSTLDLIBS_modules-merkle-tree = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)
ifdef CONFIG_UNWINDER_ORC
ifeq ($(ARCH),x86_64)
diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
index 930db0524a0a..5b8e94170beb 100644
--- a/scripts/Makefile.modfinal
+++ b/scripts/Makefile.modfinal
@@ -63,7 +63,18 @@ ifdef CONFIG_DEBUG_INFO_BTF_MODULES
endif
+$(call cmd,check_tracepoint)
+quiet_cmd_merkle = MERKLE $@
+ cmd_merkle = $(objtree)/scripts/modules-merkle-tree $@ .ko
+
+.tmp_module_hashes.c: $(modules:%.o=%.ko) $(objtree)/scripts/modules-merkle-tree FORCE
+ $(call cmd,merkle)
+
+ifdef CONFIG_MODULE_HASHES
+__modfinal: .tmp_module_hashes.c
+endif
+
targets += $(modules:%.o=%.ko) $(modules:%.o=%.mod.o) .module-common.o
+targets += $(modules:%.o=%.merkle) .tmp_module_hashes.c
# Add FORCE to the prerequisites of a target to force it to be always rebuilt.
# ---------------------------------------------------------------------------
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 9ba45e5b32b1..ba4343b40497 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -79,6 +79,12 @@ quiet_cmd_install = INSTALL $@
# as the options to the strip command.
ifdef INSTALL_MOD_STRIP
+ifdef CONFIG_MODULE_HASHES
+ifeq ($(KBUILD_EXTMOD),)
+$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive)
+endif
+endif
+
ifeq ($(INSTALL_MOD_STRIP),1)
strip-option := --strip-debug
else
@@ -116,6 +122,13 @@ quiet_cmd_sign :=
cmd_sign := :
endif
+ifeq ($(KBUILD_EXTMOD),)
+ifdef CONFIG_MODULE_HASHES
+quiet_cmd_sign = MERKLE [M] $@
+ cmd_sign = cat $(objtree)/$*.merkle >> $@
+endif
+endif
+
# Create necessary directories
$(foreach dir, $(sort $(dir $(install-y))), $(shell mkdir -p $(dir)))
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux
index cd788cac9d91..f4e38b953b01 100644
--- a/scripts/Makefile.vmlinux
+++ b/scripts/Makefile.vmlinux
@@ -78,6 +78,11 @@ ifdef CONFIG_BUILDTIME_TABLE_SORT
vmlinux.unstripped: scripts/sorttable
endif
+ifdef CONFIG_MODULE_HASHES
+vmlinux.unstripped: $(objtree)/scripts/modules-merkle-tree
+vmlinux.unstripped: modules.order
+endif
+
# vmlinux
# ---------------------------------------------------------------------------
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
index 8c98f8645a5c..bfeff1f5753d 100755
--- a/scripts/link-vmlinux.sh
+++ b/scripts/link-vmlinux.sh
@@ -103,7 +103,7 @@ vmlinux_link()
${ld} ${ldflags} -o ${output} \
${wl}--whole-archive ${objs} ${wl}--no-whole-archive \
${wl}--start-group ${libs} ${wl}--end-group \
- ${kallsymso} ${btf_vmlinux_bin_o} ${arch_vmlinux_o} ${ldlibs}
+ ${kallsymso} ${btf_vmlinux_bin_o} ${module_hashes_o} ${arch_vmlinux_o} ${ldlibs}
}
# generate .BTF typeinfo from DWARF debuginfo
@@ -212,6 +212,7 @@ fi
btf_vmlinux_bin_o=
kallsymso=
+module_hashes_o=
strip_debug=
generate_map=
@@ -315,6 +316,17 @@ if is_enabled CONFIG_BUILDTIME_TABLE_SORT; then
fi
fi
+if is_enabled CONFIG_MODULE_HASHES; then
+ info MAKE modules
+ ${MAKE} -f Makefile MODULE_HASHES_MODPOST_FINAL=1 modules
+ module_hashes_o=.tmp_module_hashes.o
+ info CC ${module_hashes_o}
+ ${CC} ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS} ${KBUILD_CFLAGS} \
+ ${KBUILD_CFLAGS_KERNEL} -fno-lto -c -o "${module_hashes_o}" ".tmp_module_hashes.c"
+ ${OBJCOPY} --dump-section .module_hashes=.tmp_module_hashes.bin ${module_hashes_o}
+ ${OBJCOPY} --update-section .module_hashes=.tmp_module_hashes.bin ${VMLINUX}
+fi
+
# step a (see comment above)
if is_enabled CONFIG_KALLSYMS; then
if ! cmp -s System.map "${kallsyms_sysmap}"; then
diff --git a/scripts/modules-merkle-tree.c b/scripts/modules-merkle-tree.c
new file mode 100644
index 000000000000..a6ec0e21213b
--- /dev/null
+++ b/scripts/modules-merkle-tree.c
@@ -0,0 +1,467 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Compute hashes for modules files and build a merkle tree.
+ *
+ * Copyright (C) 2025 Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+ * Copyright (C) 2025 Thomas Weißschuh <linux@weissschuh.net>
+ *
+ */
+#define _GNU_SOURCE 1
+#include <arpa/inet.h>
+#include <err.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+#include <openssl/evp.h>
+#include <openssl/err.h>
+
+#include "ssl-common.h"
+
+static int hash_size;
+static EVP_MD_CTX *ctx;
+
+struct module_signature {
+ uint8_t algo; /* Public-key crypto algorithm [0] */
+ uint8_t hash; /* Digest algorithm [0] */
+ uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
+ uint8_t signer_len; /* Length of signer's name [0] */
+ uint8_t key_id_len; /* Length of key identifier [0] */
+ uint8_t __pad[3];
+ uint32_t sig_len; /* Length of signature data */
+};
+
+#define PKEY_ID_MERKLE 3
+
+static const char magic_number[] = "~Module signature appended~\n";
+
+struct file_entry {
+ char *name;
+ unsigned int pos;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+};
+
+static struct file_entry *fh_list;
+static size_t num_files;
+
+struct leaf_hash {
+ unsigned char hash[EVP_MAX_MD_SIZE];
+};
+
+struct mtree {
+ struct leaf_hash **l;
+ unsigned int *entries;
+ unsigned int levels;
+};
+
+static inline void *xcalloc(size_t n, size_t size)
+{
+ void *p;
+
+ p = calloc(n, size);
+ if (!p)
+ errx(1, "Memory allocation failed");
+
+ return p;
+}
+
+static void *xmalloc(size_t size)
+{
+ void *p;
+
+ p = malloc(size);
+ if (!p)
+ errx(1, "Memory allocation failed");
+
+ return p;
+}
+
+static inline void *xreallocarray(void *oldp, size_t n, size_t size)
+{
+ void *p;
+
+ p = reallocarray(oldp, n, size);
+ if (!p)
+ errx(1, "Memory allocation failed");
+
+ return p;
+}
+
+static inline char *xasprintf(const char *fmt, ...)
+{
+ va_list ap;
+ char *strp;
+ int ret;
+
+ va_start(ap, fmt);
+ ret = vasprintf(&strp, fmt, ap);
+ va_end(ap);
+ if (ret == -1)
+ err(1, "Memory allocation failed");
+
+ return strp;
+}
+
+static unsigned int get_pow2(unsigned int val)
+{
+ return 31 - __builtin_clz(val);
+}
+
+static unsigned int roundup_pow2(unsigned int val)
+{
+ return 1 << (get_pow2(val - 1) + 1);
+}
+
+static unsigned int log2_roundup(unsigned int val)
+{
+ return get_pow2(roundup_pow2(val));
+}
+
+static void hash_data(void *p, unsigned int pos, size_t size, void *ret_hash)
+{
+ unsigned char magic = 0x01;
+ unsigned int pos_be;
+
+ pos_be = htonl(pos);
+
+ ERR(EVP_DigestInit_ex(ctx, NULL, NULL) != 1, "EVP_DigestInit_ex()");
+ ERR(EVP_DigestUpdate(ctx, &magic, sizeof(magic)) != 1, "EVP_DigestUpdate(magic)");
+ ERR(EVP_DigestUpdate(ctx, &pos_be, sizeof(pos_be)) != 1, "EVP_DigestUpdate(pos)");
+ ERR(EVP_DigestUpdate(ctx, p, size) != 1, "EVP_DigestUpdate(data)");
+ ERR(EVP_DigestFinal_ex(ctx, ret_hash, NULL) != 1, "EVP_DigestFinal_ex()");
+}
+
+static void hash_entry(void *left, void *right, void *ret_hash)
+{
+ int hash_size = EVP_MD_CTX_get_size_ex(ctx);
+ unsigned char magic = 0x02;
+
+ ERR(EVP_DigestInit_ex(ctx, NULL, NULL) != 1, "EVP_DigestInit_ex()");
+ ERR(EVP_DigestUpdate(ctx, &magic, sizeof(magic)) != 1, "EVP_DigestUpdate(magic)");
+ ERR(EVP_DigestUpdate(ctx, left, hash_size) != 1, "EVP_DigestUpdate(left)");
+ ERR(EVP_DigestUpdate(ctx, right, hash_size) != 1, "EVP_DigestUpdate(right)");
+ ERR(EVP_DigestFinal_ex(ctx, ret_hash, NULL) != 1, "EVP_DigestFinal_ex()");
+}
+
+static void hash_file(struct file_entry *fe)
+{
+ struct stat sb;
+ int fd, ret;
+ void *mem;
+
+ fd = open(fe->name, O_RDONLY);
+ if (fd < 0)
+ err(1, "Failed to open %s", fe->name);
+
+ ret = fstat(fd, &sb);
+ if (ret)
+ err(1, "Failed to stat %s", fe->name);
+
+ mem = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
+ close(fd);
+
+ if (mem == MAP_FAILED)
+ err(1, "Failed to mmap %s", fe->name);
+
+ hash_data(mem, fe->pos, sb.st_size, fe->hash);
+
+ munmap(mem, sb.st_size);
+}
+
+static struct mtree *build_merkle(struct file_entry *fh, size_t num)
+{
+ struct mtree *mt;
+ unsigned int le;
+
+ if (!num)
+ return NULL;
+
+ mt = xmalloc(sizeof(*mt));
+ mt->levels = log2_roundup(num);
+
+ mt->l = xcalloc(sizeof(*mt->l), mt->levels);
+
+ mt->entries = xcalloc(sizeof(*mt->entries), mt->levels);
+ le = num / 2;
+ if (num & 1)
+ le++;
+ mt->entries[0] = le;
+ mt->l[0] = xcalloc(sizeof(**mt->l), le);
+
+ /* First level of pairs */
+ for (unsigned int i = 0; i < num; i += 2) {
+ if (i == num - 1) {
+ /* Odd number of files, no pair. Hash with itself */
+ hash_entry(fh[i].hash, fh[i].hash, mt->l[0][i / 2].hash);
+ } else {
+ hash_entry(fh[i].hash, fh[i + 1].hash, mt->l[0][i / 2].hash);
+ }
+ }
+ for (unsigned int i = 1; i < mt->levels; i++) {
+ int odd = 0;
+
+ if (le & 1) {
+ le++;
+ odd++;
+ }
+
+ mt->entries[i] = le / 2;
+ mt->l[i] = xcalloc(sizeof(**mt->l), le);
+
+ for (unsigned int n = 0; n < le; n += 2) {
+ if (n == le - 2 && odd) {
+ /* Odd number of pairs, no pair. Hash with itself */
+ hash_entry(mt->l[i - 1][n].hash, mt->l[i - 1][n].hash,
+ mt->l[i][n / 2].hash);
+ } else {
+ hash_entry(mt->l[i - 1][n].hash, mt->l[i - 1][n + 1].hash,
+ mt->l[i][n / 2].hash);
+ }
+ }
+ le = mt->entries[i];
+ }
+ return mt;
+}
+
+static void free_mtree(struct mtree *mt)
+{
+ if (!mt)
+ return;
+
+ for (unsigned int i = 0; i < mt->levels; i++)
+ free(mt->l[i]);
+
+ free(mt->l);
+ free(mt->entries);
+ free(mt);
+}
+
+static void write_be_int(int fd, unsigned int v)
+{
+ unsigned int be_val = htonl(v);
+
+ if (write(fd, &be_val, sizeof(be_val)) != sizeof(be_val))
+ err(1, "Failed writing to file");
+}
+
+static void write_hash(int fd, const void *h)
+{
+ ssize_t wr;
+
+ wr = write(fd, h, hash_size);
+ if (wr != hash_size)
+ err(1, "Failed writing to file");
+}
+
+static void build_proof(struct mtree *mt, unsigned int n, int fd)
+{
+ unsigned char cur[EVP_MAX_MD_SIZE];
+ unsigned char tmp[EVP_MAX_MD_SIZE];
+ struct file_entry *fe, *fe_sib;
+
+ fe = &fh_list[n];
+
+ if ((n & 1) == 0) {
+ /* No pair, hash with itself */
+ if (n + 1 == num_files)
+ fe_sib = fe;
+ else
+ fe_sib = &fh_list[n + 1];
+ } else {
+ fe_sib = &fh_list[n - 1];
+ }
+ /* First comes the node position into the file */
+ write_be_int(fd, n);
+
+ if ((n & 1) == 0)
+ hash_entry(fe->hash, fe_sib->hash, cur);
+ else
+ hash_entry(fe_sib->hash, fe->hash, cur);
+
+ /* Next is the sibling hash, followed by hashes in the tree */
+ write_hash(fd, fe_sib->hash);
+
+ for (unsigned int i = 0; i < mt->levels - 1; i++) {
+ n >>= 1;
+ if ((n & 1) == 0) {
+ void *h;
+
+ /* No pair, hash with itself */
+ if (n + 1 == mt->entries[i])
+ h = cur;
+ else
+ h = mt->l[i][n + 1].hash;
+
+ hash_entry(cur, h, tmp);
+ write_hash(fd, h);
+ } else {
+ hash_entry(mt->l[i][n - 1].hash, cur, tmp);
+ write_hash(fd, mt->l[i][n - 1].hash);
+ }
+ memcpy(cur, tmp, hash_size);
+ }
+
+ /* After all that, the end hash should match the root hash */
+ if (memcmp(cur, mt->l[mt->levels - 1][0].hash, hash_size))
+ errx(1, "hash mismatch");
+}
+
+static void append_module_signature_magic(int fd, unsigned int sig_len)
+{
+ struct module_signature sig_info = {
+ .id_type = PKEY_ID_MERKLE,
+ .sig_len = htonl(sig_len),
+ };
+
+ if (write(fd, &sig_info, sizeof(sig_info)) < 0)
+ err(1, "write(sig_info) failed");
+
+ if (write(fd, &magic_number, sizeof(magic_number) - 1) < 0)
+ err(1, "write(magic_number) failed");
+}
+
+static void write_merkle_root(struct mtree *mt, const char *fp)
+{
+ char buf[1024];
+ unsigned int levels;
+ unsigned char *h;
+ FILE *f;
+
+ if (mt) {
+ levels = mt->levels;
+ h = mt->l[mt->levels - 1][0].hash;
+ } else {
+ levels = 0;
+ h = xcalloc(1, hash_size);
+ }
+
+ f = fopen(fp, "w");
+ if (!f)
+ err(1, "Failed to create %s", buf);
+
+ fprintf(f, "#include <linux/module_hashes.h>\n\n");
+ fprintf(f, "const struct module_hashes_root module_hashes_root __module_hashes_section = {\n");
+
+ fprintf(f, "\t.levels = %u,\n", levels);
+ fprintf(f, "\t.hash = {");
+ for (unsigned int i = 0; i < hash_size; i++) {
+ char *space = "";
+
+ if (!(i % 8))
+ fprintf(f, "\n\t\t");
+
+ if ((i + 1) % 8)
+ space = " ";
+
+ fprintf(f, "0x%02x,%s", h[i], space);
+ }
+ fprintf(f, "\n\t},");
+
+ fprintf(f, "\n};\n");
+ fclose(f);
+
+ if (!mt)
+ free(h);
+}
+
+static char *xstrdup_replace_suffix(const char *str, const char *new_suffix)
+{
+ const char *current_suffix;
+ size_t base_len;
+
+ current_suffix = strchr(str, '.');
+ if (!current_suffix)
+ errx(1, "No existing suffix in '%s'", str);
+
+ base_len = current_suffix - str;
+
+ return xasprintf("%.*s%s", (int)base_len, str, new_suffix);
+}
+
+static void read_modules_order(const char *fname, const char *suffix)
+{
+ char line[PATH_MAX];
+ FILE *in;
+
+ in = fopen(fname, "r");
+ if (!in)
+ err(1, "fopen(%s)", fname);
+
+ while (fgets(line, PATH_MAX, in)) {
+ struct file_entry *entry;
+
+ fh_list = xreallocarray(fh_list, num_files + 1, sizeof(*fh_list));
+ entry = &fh_list[num_files];
+
+ entry->pos = num_files;
+ entry->name = xstrdup_replace_suffix(line, suffix);
+ hash_file(entry);
+
+ num_files++;
+ }
+
+ fclose(in);
+}
+
+static __attribute__((noreturn))
+void format(void)
+{
+ fprintf(stderr,
+ "Usage: scripts/modules-merkle-tree <root definition>\n");
+ exit(2);
+}
+
+int main(int argc, char *argv[])
+{
+ const EVP_MD *hash_evp;
+ struct mtree *mt;
+
+ if (argc != 3)
+ format();
+
+ hash_evp = EVP_get_digestbyname("sha256");
+ ERR(!hash_evp, "EVP_get_digestbyname");
+
+ ctx = EVP_MD_CTX_new();
+ ERR(!ctx, "EVP_MD_CTX_new()");
+
+ hash_size = EVP_MD_get_size(hash_evp);
+ ERR(hash_size <= 0, "EVP_get_digestbyname");
+
+ if (EVP_DigestInit_ex(ctx, hash_evp, NULL) != 1)
+ ERR(1, "EVP_DigestInit_ex()");
+
+ read_modules_order("modules.order", argv[2]);
+
+ mt = build_merkle(fh_list, num_files);
+ write_merkle_root(mt, argv[1]);
+ for (unsigned int i = 0; i < num_files; i++) {
+ char *signame;
+ int fd;
+
+ signame = xstrdup_replace_suffix(fh_list[i].name, ".merkle");
+
+ fd = open(signame, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ if (fd < 0)
+ err(1, "Can't create %s", signame);
+
+ build_proof(mt, i, fd);
+ append_module_signature_magic(fd, lseek(fd, 0, SEEK_CUR));
+ close(fd);
+ }
+
+ free_mtree(mt);
+ for (unsigned int i = 0; i < num_files; i++)
+ free(fh_list[i].name);
+ free(fh_list);
+
+ EVP_MD_CTX_free(ctx);
+ return 0;
+}
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index 155959205b8e..60b240e3ef1f 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -1,7 +1,7 @@
config SECURITY_LOCKDOWN_LSM
bool "Basic module for enforcing kernel lockdown"
depends on SECURITY
- depends on !MODULES || MODULE_SIG
+ depends on !MODULES || MODULE_SIG || MODULE_HASHES
help
Build support for an LSM that enforces a coarse kernel lockdown
behaviour.
--
2.52.0
^ permalink raw reply related
* Re: [PATCH v4 15/17] module: Introduce hash-based integrity checking
From: Sebastian Andrzej Siewior @ 2026-01-13 14:56 UTC (permalink / raw)
To: Thomas Weißschuh
Cc: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu,
Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris,
Serge E. Hallyn, Jonathan Corbet, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar,
Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier,
Daniel Gomez, Aaron Tomlin, Christophe Leroy (CS GROUP),
Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng,
Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd,
Christian Heusel, Câju Mihai-Drosi, linux-kbuild,
linux-kernel, linux-arch, linux-modules, linux-security-module,
linux-doc, linuxppc-dev, linux-integrity
In-Reply-To: <20260113-module-hashes-v4-15-0b932db9b56b@weissschuh.net>
On 2026-01-13 13:28:59 [+0100], Thomas Weißschuh wrote:
> --- /dev/null
> +++ b/scripts/modules-merkle-tree.c
> @@ -0,0 +1,467 @@
…
> +static void build_proof(struct mtree *mt, unsigned int n, int fd)
> +{
> + unsigned char cur[EVP_MAX_MD_SIZE];
> + unsigned char tmp[EVP_MAX_MD_SIZE];
This and a few other instances below could be optimized to avoid
hashing. I probably forgot to let you know.
-> https://git.kernel.org/pub/scm/linux/kernel/git/bigeasy/mtree-hashed-mods.git/commit/?id=10b565c123c731da37befe862de13678b7c54877
> + struct file_entry *fe, *fe_sib;
> +
> + fe = &fh_list[n];
> +
> + if ((n & 1) == 0) {
> + /* No pair, hash with itself */
> + if (n + 1 == num_files)
> + fe_sib = fe;
> + else
> + fe_sib = &fh_list[n + 1];
> + } else {
> + fe_sib = &fh_list[n - 1];
> + }
> + /* First comes the node position into the file */
> + write_be_int(fd, n);
> +
> + if ((n & 1) == 0)
> + hash_entry(fe->hash, fe_sib->hash, cur);
> + else
> + hash_entry(fe_sib->hash, fe->hash, cur);
> +
> + /* Next is the sibling hash, followed by hashes in the tree */
> + write_hash(fd, fe_sib->hash);
> +
> + for (unsigned int i = 0; i < mt->levels - 1; i++) {
> + n >>= 1;
> + if ((n & 1) == 0) {
> + void *h;
> +
> + /* No pair, hash with itself */
> + if (n + 1 == mt->entries[i])
> + h = cur;
> + else
> + h = mt->l[i][n + 1].hash;
> +
> + hash_entry(cur, h, tmp);
> + write_hash(fd, h);
> + } else {
> + hash_entry(mt->l[i][n - 1].hash, cur, tmp);
> + write_hash(fd, mt->l[i][n - 1].hash);
> + }
> + memcpy(cur, tmp, hash_size);
> + }
> +
> + /* After all that, the end hash should match the root hash */
> + if (memcmp(cur, mt->l[mt->levels - 1][0].hash, hash_size))
> + errx(1, "hash mismatch");
> +}
Sebastian
^ permalink raw reply
* [PATCH v2 1/2] Documentation/kbuild: Document gendwarfksyms build dependencies
From: Jihan LIN via B4 Relay @ 2026-01-14 11:47 UTC (permalink / raw)
To: Nathan Chancellor, Nicolas Schier, Jonathan Corbet, Miguel Ojeda,
Boqun Feng, Sami Tolvanen, Masahiro Yamada, Petr Pavlu
Cc: linux-modules, linux-kbuild, linux-doc, linux-kernel, Jihan LIN
In-Reply-To: <20260114-documents_gendwarfksyms-v2-0-297c98bd62c6@gmail.com>
From: Jihan LIN <linjh22s@gmail.com>
Although dependencies for gendwarfksyms were recently added to the
packaging rules [1-2], the corresponding documentation was missing.
Document the required build dependencies for gendwarfksyms, and
include a few examples for installing these dependencies on some
distributions.
[1] commit 657f96cb7c06 ("kbuild: deb-pkg: Add libdw-dev:native to
Build-Depends-Arch")
[2] commit 5bd6bdd0f76e ("kbuild: rpm-pkg: Add (elfutils-devel or
libdw-devel) to BuildRequires")
Signed-off-by: Jihan LIN <linjh22s@gmail.com>
---
Documentation/kbuild/gendwarfksyms.rst | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/Documentation/kbuild/gendwarfksyms.rst b/Documentation/kbuild/gendwarfksyms.rst
index ed366250a54eac3a72c2f529da94a9e803704ae4..0e153d13b052da6edcf65950739730c123cd49db 100644
--- a/Documentation/kbuild/gendwarfksyms.rst
+++ b/Documentation/kbuild/gendwarfksyms.rst
@@ -14,6 +14,29 @@ selected, **gendwarfksyms** is used instead to calculate symbol versions
from the DWARF debugging information, which contains the necessary
details about the final module ABI.
+Dependencies
+------------
+
+libelf, libdw and zlib are dependencies of gendwarfksyms.
+
+Here are a few examples for installing these dependencies:
+
+* Arch Linux and derivatives::
+
+ sudo pacman --needed -S zlib libelf
+
+* Debian, Ubuntu, and derivatives::
+
+ sudo apt install libelf-dev libdw-dev zlib1g-dev
+
+* Fedora and derivatives::
+
+ sudo dnf install elfutils-libelf-devel elfutils-devel zlib-devel
+
+* openSUSE and derivatives::
+
+ sudo zypper install libelf-devel libdw-devel zlib-devel
+
Usage
-----
--
2.51.0
^ permalink raw reply related
* [PATCH v2 2/2] Documentation/kbuild: gendwarfksyms: Style cleanup
From: Jihan LIN via B4 Relay @ 2026-01-14 11:47 UTC (permalink / raw)
To: Nathan Chancellor, Nicolas Schier, Jonathan Corbet, Miguel Ojeda,
Boqun Feng, Sami Tolvanen, Masahiro Yamada, Petr Pavlu
Cc: linux-modules, linux-kbuild, linux-doc, linux-kernel, Jihan LIN
In-Reply-To: <20260114-documents_gendwarfksyms-v2-0-297c98bd62c6@gmail.com>
From: Jihan LIN <linjh22s@gmail.com>
The indentation in gendwarfksyms.rst currently uses a mix of tabs and
spaces.
Convert all indentation to tabs, and match the usage output and code
examples with theirs references.
Suggested-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Jihan LIN <linjh22s@gmail.com>
---
Documentation/kbuild/gendwarfksyms.rst | 100 ++++++++++++++++-----------------
1 file changed, 50 insertions(+), 50 deletions(-)
diff --git a/Documentation/kbuild/gendwarfksyms.rst b/Documentation/kbuild/gendwarfksyms.rst
index 0e153d13b052da6edcf65950739730c123cd49db..fea8e87e14c62f579d320da5c2bfe139d50cd5a6 100644
--- a/Documentation/kbuild/gendwarfksyms.rst
+++ b/Documentation/kbuild/gendwarfksyms.rst
@@ -43,17 +43,17 @@ Usage
gendwarfksyms accepts a list of object files on the command line, and a
list of symbol names (one per line) in standard input::
- Usage: gendwarfksyms [options] elf-object-file ... < symbol-list
+ Usage: gendwarfksyms [options] elf-object-file ... < symbol-list
- Options:
- -d, --debug Print debugging information
- --dump-dies Dump DWARF DIE contents
- --dump-die-map Print debugging information about die_map changes
- --dump-types Dump type strings
- --dump-versions Dump expanded type strings used for symbol versions
- -s, --stable Support kABI stability features
- -T, --symtypes file Write a symtypes file
- -h, --help Print this message
+ Options:
+ -d, --debug Print debugging information
+ --dump-dies Dump DWARF DIE contents
+ --dump-die-map Print debugging information about die_map changes
+ --dump-types Dump type strings
+ --dump-versions Dump expanded type strings used for symbol versions
+ -s, --stable Support kABI stability features
+ -T, --symtypes file Write a symtypes file
+ -h, --help Print this message
Type information availability
@@ -69,9 +69,9 @@ TU where symbols are actually exported, gendwarfksyms adds a pointer
to exported symbols in the `EXPORT_SYMBOL()` macro using the following
macro::
- #define __GENDWARFKSYMS_EXPORT(sym) \
- static typeof(sym) *__gendwarfksyms_ptr_##sym __used \
- __section(".discard.gendwarfksyms") = &sym;
+ #define __GENDWARFKSYMS_EXPORT(sym) \
+ static typeof(sym) *__gendwarfksyms_ptr_##sym __used \
+ __section(".discard.gendwarfksyms") = &sym;
When a symbol pointer is found in DWARF, gendwarfksyms can use its
@@ -94,14 +94,14 @@ either a type reference or a symbol name. Type references have a
one-letter prefix followed by "#" and the name of the type. Four
reference types are supported::
- e#<type> = enum
- s#<type> = struct
- t#<type> = typedef
- u#<type> = union
+ e#<type> = enum
+ s#<type> = struct
+ t#<type> = typedef
+ u#<type> = union
Type names with spaces in them are wrapped in single quotes, e.g.::
- s#'core::result::Result<u8, core::num::error::ParseIntError>'
+ s#'core::result::Result<u8, core::num::error::ParseIntError>'
The rest of the line contains a type string. Unlike with genksyms that
produces C-style type strings, gendwarfksyms uses the same simple parsed
@@ -151,8 +151,8 @@ the rules. The fields are as follows:
The following helper macros, for example, can be used to specify rules
in the source code::
- #define ___KABI_RULE(hint, target, value) \
- static const char __PASTE(__gendwarfksyms_rule_, \
+ #define ___KABI_RULE(hint, target, value) \
+ static const char __PASTE(__gendwarfksyms_rule_, \
__COUNTER__)[] __used __aligned(1) \
__section(".discard.gendwarfksyms.kabi_rules") = \
"1\0" #hint "\0" target "\0" value
@@ -273,18 +273,18 @@ The rule fields are expected to be as follows:
Using the `__KABI_RULE` macro, this rule can be defined as::
- #define KABI_BYTE_SIZE(fqn, value) \
- __KABI_RULE(byte_size, fqn, value)
+ #define KABI_BYTE_SIZE(fqn, value) \
+ __KABI_RULE(byte_size, fqn, value)
Example usage::
struct s {
- /* Unchanged original members */
+ /* Unchanged original members */
unsigned long a;
- void *p;
+ void *p;
- /* Appended new members */
- KABI_IGNORE(0, unsigned long n);
+ /* Appended new members */
+ KABI_IGNORE(0, unsigned long n);
};
KABI_BYTE_SIZE(s, 16);
@@ -353,21 +353,21 @@ reserved member needs a unique name, but as the actual purpose is usually
not known at the time the space is reserved, for convenience, names that
start with `__kabi_` are left out when calculating symbol versions::
- struct s {
- long a;
- long __kabi_reserved_0; /* reserved for future use */
- };
+ struct s {
+ long a;
+ long __kabi_reserved_0; /* reserved for future use */
+ };
The reserved space can be taken into use by wrapping the member in a
union, which includes the original type and the replacement member::
- struct s {
- long a;
- union {
- long __kabi_reserved_0; /* original type */
- struct b b; /* replaced field */
- };
- };
+ struct s {
+ long a;
+ union {
+ long __kabi_reserved_0; /* original type */
+ struct b b; /* replaced field */
+ };
+ };
If the `__kabi_` naming scheme was used when reserving space, the name
of the first member of the union must start with `__kabi_reserved`. This
@@ -392,11 +392,11 @@ Predicting which structures will require changes during the support
timeframe isn't always possible, in which case one might have to resort
to placing new members into existing alignment holes::
- struct s {
- int a;
- /* a 4-byte alignment hole */
- unsigned long b;
- };
+ struct s {
+ int a;
+ /* a 4-byte alignment hole */
+ unsigned long b;
+ };
While this won't change the size of the data structure, one needs to
@@ -405,14 +405,14 @@ to reserved fields, this can be accomplished by wrapping the added
member to a union where one of the fields has a name starting with
`__kabi_ignored`::
- struct s {
- int a;
- union {
- char __kabi_ignored_0;
- int n;
- };
- unsigned long b;
- };
+ struct s {
+ int a;
+ union {
+ char __kabi_ignored_0;
+ int n;
+ };
+ unsigned long b;
+ };
With **--stable**, both versions produce the same symbol version. The
examples include a `KABI_IGNORE` macro to simplify the code.
--
2.51.0
^ permalink raw reply related
* [PATCH v2 0/2] gendwarfksyms: Document build dependencies
From: Jihan LIN via B4 Relay @ 2026-01-14 11:47 UTC (permalink / raw)
To: Nathan Chancellor, Nicolas Schier, Jonathan Corbet, Miguel Ojeda,
Boqun Feng, Sami Tolvanen, Masahiro Yamada, Petr Pavlu
Cc: linux-modules, linux-kbuild, linux-doc, linux-kernel, Jihan LIN
Hi,
I found there is no documentation for build dependencies in gendwarfksyms
while digging into Rust drivers. Though Yuli added libdw-dev to the build
dependencies for packaging [1], it seems that there is no documentation
about it.
This series documents the build dependencies of gendwarfksyms, adds a few
examples for installing these dependencies on some distributions and
introduces indentation style cleanup as suggested.
[1]: https://lore.kernel.org/all/79C925DCE2E963FF+20250422104927.144252-1-wangyuli@uniontech.com/
Signed-off-by: Jihan LIN <linjh22s@gmail.com>
---
Changes in v2:
- Fix style for section 'Dependencies'.
- Introduce a new patch to clean up indentation in gendwarfksyms.rst.
- Link to v1: https://lore.kernel.org/r/20260108-documents_gendwarfksyms-v1-1-52b1f9c38c70@gmail.com
---
Jihan LIN (2):
Documentation/kbuild: Document gendwarfksyms build dependencies
Documentation/kbuild: gendwarfksyms: Style cleanup
Documentation/kbuild/gendwarfksyms.rst | 123 +++++++++++++++++++--------------
1 file changed, 73 insertions(+), 50 deletions(-)
---
base-commit: b71e635feefc852405b14620a7fc58c4c80c0f73
change-id: 20260105-documents_gendwarfksyms-9f88e4a7ad2f
Best regards,
--
Jihan LIN <linjh22s@gmail.com>
^ permalink raw reply
* [PATCH 0/2] Improve handling of the __klp_{objects,funcs} sections in modules
From: Petr Pavlu @ 2026-01-14 12:29 UTC (permalink / raw)
To: Josh Poimboeuf, Jiri Kosina, Miroslav Benes, Petr Mladek,
Joe Lawrence
Cc: Luis Chamberlain, Petr Pavlu, Daniel Gomez, Sami Tolvanen,
Aaron Tomlin, Peter Zijlstra, live-patching, linux-modules,
linux-kernel
Petr Pavlu (2):
livepatch: Fix having __klp_objects relics in non-livepatch modules
livepatch: Free klp_{object,func}_ext data after initialization
include/linux/livepatch.h | 3 +++
kernel/livepatch/core.c | 21 +++++++++++++++++++++
scripts/livepatch/init.c | 17 ++++++-----------
scripts/module.lds.S | 9 ++-------
tools/objtool/check.c | 2 +-
tools/objtool/include/objtool/klp.h | 10 +++++-----
tools/objtool/klp-diff.c | 2 +-
7 files changed, 39 insertions(+), 25 deletions(-)
base-commit: f0b9d8eb98dfee8d00419aa07543bdc2c1a44fb1
--
2.52.0
^ permalink raw reply
* [PATCH 1/2] livepatch: Fix having __klp_objects relics in non-livepatch modules
From: Petr Pavlu @ 2026-01-14 12:29 UTC (permalink / raw)
To: Josh Poimboeuf, Jiri Kosina, Miroslav Benes, Petr Mladek,
Joe Lawrence
Cc: Luis Chamberlain, Petr Pavlu, Daniel Gomez, Sami Tolvanen,
Aaron Tomlin, Peter Zijlstra, live-patching, linux-modules,
linux-kernel
In-Reply-To: <20260114123056.2045816-1-petr.pavlu@suse.com>
The linker script scripts/module.lds.S specifies that all input
__klp_objects sections should be consolidated into an output section of
the same name, and start/stop symbols should be created to enable
scripts/livepatch/init.c to locate this data.
This start/stop pattern is not ideal for modules because the symbols are
created even if no __klp_objects input sections are present.
Consequently, a dummy __klp_objects section also appears in the
resulting module. This unnecessarily pollutes non-livepatch modules.
Instead, since modules are relocatable files, the usual method for
locating consolidated data in a module is to read its section table.
This approach avoids the aforementioned problem.
The klp_modinfo already stores a copy of the entire section table with
the final addresses. Introduce a helper function that
scripts/livepatch/init.c can call to obtain the location of the
__klp_objects section from this data.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
---
include/linux/livepatch.h | 3 +++
kernel/livepatch/core.c | 20 ++++++++++++++++++++
scripts/livepatch/init.c | 17 ++++++-----------
scripts/module.lds.S | 7 +------
4 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/include/linux/livepatch.h b/include/linux/livepatch.h
index 772919e8096a..ca90adbe89ed 100644
--- a/include/linux/livepatch.h
+++ b/include/linux/livepatch.h
@@ -175,6 +175,9 @@ int klp_enable_patch(struct klp_patch *);
int klp_module_coming(struct module *mod);
void klp_module_going(struct module *mod);
+struct klp_object_ext *klp_build_locate_init_objects(const struct module *mod,
+ unsigned int *nr_objs);
+
void klp_copy_process(struct task_struct *child);
void klp_update_patch_state(struct task_struct *task);
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 9917756dae46..4e0ac47b3623 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -1356,6 +1356,26 @@ void klp_module_going(struct module *mod)
mutex_unlock(&klp_mutex);
}
+struct klp_object_ext *klp_build_locate_init_objects(const struct module *mod,
+ unsigned int *nr_objs)
+{
+ struct klp_modinfo *info = mod->klp_info;
+
+ for (int i = 1; i < info->hdr.e_shnum; i++) {
+ Elf_Shdr *shdr = &info->sechdrs[i];
+
+ if (strcmp(info->secstrings + shdr->sh_name, "__klp_objects"))
+ continue;
+
+ *nr_objs = shdr->sh_size / sizeof(struct klp_object_ext);
+ return (struct klp_object_ext *)shdr->sh_addr;
+ }
+
+ *nr_objs = 0;
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(klp_build_locate_init_objects);
+
static int __init klp_init(void)
{
klp_root_kobj = kobject_create_and_add("livepatch", kernel_kobj);
diff --git a/scripts/livepatch/init.c b/scripts/livepatch/init.c
index 2274d8f5a482..23e037d6de19 100644
--- a/scripts/livepatch/init.c
+++ b/scripts/livepatch/init.c
@@ -9,19 +9,16 @@
#include <linux/slab.h>
#include <linux/livepatch.h>
-extern struct klp_object_ext __start_klp_objects[];
-extern struct klp_object_ext __stop_klp_objects[];
-
static struct klp_patch *patch;
static int __init livepatch_mod_init(void)
{
+ struct klp_object_ext *obj_exts;
struct klp_object *objs;
unsigned int nr_objs;
int ret;
- nr_objs = __stop_klp_objects - __start_klp_objects;
-
+ obj_exts = klp_build_locate_init_objects(THIS_MODULE, &nr_objs);
if (!nr_objs) {
pr_err("nothing to patch!\n");
ret = -EINVAL;
@@ -41,7 +38,7 @@ static int __init livepatch_mod_init(void)
}
for (int i = 0; i < nr_objs; i++) {
- struct klp_object_ext *obj_ext = __start_klp_objects + i;
+ struct klp_object_ext *obj_ext = obj_exts + i;
struct klp_func_ext *funcs_ext = obj_ext->funcs;
unsigned int nr_funcs = obj_ext->nr_funcs;
struct klp_func *funcs = objs[i].funcs;
@@ -90,12 +87,10 @@ static int __init livepatch_mod_init(void)
static void __exit livepatch_mod_exit(void)
{
- unsigned int nr_objs;
-
- nr_objs = __stop_klp_objects - __start_klp_objects;
+ struct klp_object *obj;
- for (int i = 0; i < nr_objs; i++)
- kfree(patch->objs[i].funcs);
+ klp_for_each_object_static(patch, obj)
+ kfree(obj->funcs);
kfree(patch->objs);
kfree(patch);
diff --git a/scripts/module.lds.S b/scripts/module.lds.S
index 3037d5e5527c..383d19beffb4 100644
--- a/scripts/module.lds.S
+++ b/scripts/module.lds.S
@@ -35,12 +35,7 @@ SECTIONS {
__patchable_function_entries : { *(__patchable_function_entries) }
__klp_funcs 0: ALIGN(8) { KEEP(*(__klp_funcs)) }
-
- __klp_objects 0: ALIGN(8) {
- __start_klp_objects = .;
- KEEP(*(__klp_objects))
- __stop_klp_objects = .;
- }
+ __klp_objects 0: ALIGN(8) { KEEP(*(__klp_objects)) }
#ifdef CONFIG_ARCH_USES_CFI_TRAPS
__kcfi_traps : { KEEP(*(.kcfi_traps)) }
--
2.52.0
^ permalink raw reply related
* [PATCH 2/2] livepatch: Free klp_{object,func}_ext data after initialization
From: Petr Pavlu @ 2026-01-14 12:29 UTC (permalink / raw)
To: Josh Poimboeuf, Jiri Kosina, Miroslav Benes, Petr Mladek,
Joe Lawrence
Cc: Luis Chamberlain, Petr Pavlu, Daniel Gomez, Sami Tolvanen,
Aaron Tomlin, Peter Zijlstra, live-patching, linux-modules,
linux-kernel
In-Reply-To: <20260114123056.2045816-1-petr.pavlu@suse.com>
The klp_object_ext and klp_func_ext data, which are stored in the
__klp_objects and __klp_funcs sections, respectively, are not needed
after they are used to create the actual klp_object and klp_func
instances. This operation is implemented by the init function in
scripts/livepatch/init.c.
Prefix the two sections with ".init" so they are freed after the module
is initializated.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
---
kernel/livepatch/core.c | 3 ++-
scripts/module.lds.S | 4 ++--
tools/objtool/check.c | 2 +-
tools/objtool/include/objtool/klp.h | 10 +++++-----
tools/objtool/klp-diff.c | 2 +-
5 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 4e0ac47b3623..3621a7c1b737 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -1364,7 +1364,8 @@ struct klp_object_ext *klp_build_locate_init_objects(const struct module *mod,
for (int i = 1; i < info->hdr.e_shnum; i++) {
Elf_Shdr *shdr = &info->sechdrs[i];
- if (strcmp(info->secstrings + shdr->sh_name, "__klp_objects"))
+ if (strcmp(info->secstrings + shdr->sh_name,
+ ".init.klp_objects"))
continue;
*nr_objs = shdr->sh_size / sizeof(struct klp_object_ext);
diff --git a/scripts/module.lds.S b/scripts/module.lds.S
index 383d19beffb4..054ef99e8288 100644
--- a/scripts/module.lds.S
+++ b/scripts/module.lds.S
@@ -34,8 +34,8 @@ SECTIONS {
__patchable_function_entries : { *(__patchable_function_entries) }
- __klp_funcs 0: ALIGN(8) { KEEP(*(__klp_funcs)) }
- __klp_objects 0: ALIGN(8) { KEEP(*(__klp_objects)) }
+ .init.klp_funcs 0 : ALIGN(8) { KEEP(*(.init.klp_funcs)) }
+ .init.klp_objects 0 : ALIGN(8) { KEEP(*(.init.klp_objects)) }
#ifdef CONFIG_ARCH_USES_CFI_TRAPS
__kcfi_traps : { KEEP(*(.kcfi_traps)) }
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 3f7999317f4d..933868ee3beb 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -4761,7 +4761,7 @@ static int validate_ibt(struct objtool_file *file)
!strcmp(sec->name, "__bug_table") ||
!strcmp(sec->name, "__ex_table") ||
!strcmp(sec->name, "__jump_table") ||
- !strcmp(sec->name, "__klp_funcs") ||
+ !strcmp(sec->name, ".init.klp_funcs") ||
!strcmp(sec->name, "__mcount_loc") ||
!strcmp(sec->name, ".llvm.call-graph-profile") ||
!strcmp(sec->name, ".llvm_bb_addr_map") ||
diff --git a/tools/objtool/include/objtool/klp.h b/tools/objtool/include/objtool/klp.h
index ad830a7ce55b..e32e5e8bc631 100644
--- a/tools/objtool/include/objtool/klp.h
+++ b/tools/objtool/include/objtool/klp.h
@@ -6,12 +6,12 @@
#define SHN_LIVEPATCH 0xff20
/*
- * __klp_objects and __klp_funcs are created by klp diff and used by the patch
- * module init code to build the klp_patch, klp_object and klp_func structs
- * needed by the livepatch API.
+ * .init.klp_objects and .init.klp_funcs are created by klp diff and used by the
+ * patch module init code to build the klp_patch, klp_object and klp_func
+ * structs needed by the livepatch API.
*/
-#define KLP_OBJECTS_SEC "__klp_objects"
-#define KLP_FUNCS_SEC "__klp_funcs"
+#define KLP_OBJECTS_SEC ".init.klp_objects"
+#define KLP_FUNCS_SEC ".init.klp_funcs"
/*
* __klp_relocs is an intermediate section which are created by klp diff and
diff --git a/tools/objtool/klp-diff.c b/tools/objtool/klp-diff.c
index 4d1f9e9977eb..fd64d5e3c3b6 100644
--- a/tools/objtool/klp-diff.c
+++ b/tools/objtool/klp-diff.c
@@ -1439,7 +1439,7 @@ static int clone_special_sections(struct elfs *e)
}
/*
- * Create __klp_objects and __klp_funcs sections which are intermediate
+ * Create .init.klp_objects and .init.klp_funcs sections which are intermediate
* sections provided as input to the patch module's init code for building the
* klp_patch, klp_object and klp_func structs for the livepatch API.
*/
--
2.52.0
^ permalink raw reply related
* Re: [PATCH RFC v3 02/15] rust: add new ThisModule trait and THIS_MODULE impl
From: Petr Pavlu @ 2026-01-14 14:26 UTC (permalink / raw)
To: Kari Argillander
Cc: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Alexandre Courbot, Greg Kroah-Hartman,
rust-for-linux, linux-kernel, linux-modules, Luis Chamberlain,
Daniel Gomez, Sami Tolvanen, Aaron Tomlin
In-Reply-To: <20260110-this_module_fix-v3-2-97a3d9c14e8b@gmail.com>
On 1/10/26 4:08 PM, Kari Argillander wrote:
> To make clear separation between module crates and kernel crate we
> introduce ThisModule trait which is meant to be used by kernel space.
> THIS_MODULE is meant to be used by modules. So kernel create will be
> unable to even accidentally use THIS_MODULE.
>
> As ThisModule is trait we can pass that around in const context. This is
> needed so that we can read ownership information in const context when
> we create example file_operations structs for modules.
>
> New ThisModule will also eventually replace kernel::ModuleMetadata trait
> and for this reason it also have NAME field.
>
> To make transition smooth use mod this_module so we can have two
> ThisModule same time. Also some functionality is added to THIS_MODULE
> temporarily so that we do not have to change everything at once.
>
> Also docs examples will need THIS_MODULE so also define that in docs.
>
> Signed-off-by: Kari Argillander <kari.argillander@gmail.com>
Is this pattern common in other Rust code in the kernel? The situation
on the C side is that THIS_MODULE is a variable of the module struct. On
the Rust side, it is currently quite similar, with THIS_MODULE being a
variable of the ThisModule struct/wrapper. The patch shifts this and
makes THIS_MODULE a type that implements the ThisModule trait.
Naively, it seems somewhat confusing to me, coming mostly from the C
side and expecting THIS_MODULE to be a variable.
I'd like to understand this better. Would enabling const_refs_to_static
alone be sufficient, or is it necessary to make THIS_MODULE a type for
this to work? Should we be concerned that this new model could confuse
people, or do you think it actually simplifies things? Does making the
functions generic on ThisModule impact code size in any significant way,
or could it in the future?
--
Thanks,
Petr
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox