From: Aaron Tomlin <atomlin@redhat.com>
To: mcgrof@kernel.org, christophe.leroy@csgroup.eu, pmladek@suse.com
Cc: cl@linux.com, mbenes@suse.cz, akpm@linux-foundation.org,
	jeyu@kernel.org, linux-kernel@vger.kernel.org,
	linux-modules@vger.kernel.org, void@manifault.com,
	atomlin@atomlin.com, allen.lkml@gmail.com, joe@perches.com,
	msuchanek@suse.de, oleksandr@natalenko.name,
	jason.wessel@windriver.com, daniel.thompson@linaro.org
Subject: [PATCH v9 07/14] module: Move extra signature support out of core code
Date: Mon, 28 Feb 2022 23:43:15 +0000	[thread overview]
Message-ID: <20220228234322.2073104-8-atomlin@redhat.com> (raw)
In-Reply-To: <20220228234322.2073104-1-atomlin@redhat.com>

No functional change.

This patch migrates additional module signature check
code from core module code into kernel/module/signing.c.

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Aaron Tomlin <atomlin@redhat.com>
---
 kernel/module/internal.h |  9 +++++
 kernel/module/main.c     | 87 ----------------------------------------
 kernel/module/signing.c  | 77 +++++++++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+), 87 deletions(-)

diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index a6895bb5598a..d6f646a5da41 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
@@ -158,3 +158,12 @@ static inline int module_enforce_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
 	return 0;
 }
 #endif /* CONFIG_STRICT_MODULE_RWX */
+
+#ifdef CONFIG_MODULE_SIG
+int module_sig_check(struct load_info *info, int flags);
+#else /* !CONFIG_MODULE_SIG */
+static inline int module_sig_check(struct load_info *info, int flags)
+{
+	return 0;
+}
+#endif /* !CONFIG_MODULE_SIG */
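Review bot: Only module_sig_check() gets a !CONFIG_MODULE_SIG fallback in this hunk, but the patch also moves is_module_sig_enforced() into signing.c, and the code removed from main.c defined and exported that function in every configuration (it sat after the `#endif`, with `sig_enforce` defined to `false`). If signing.c is built only when CONFIG_MODULE_SIG is set, as the stub added here implies, callers of is_module_sig_enforced() in a CONFIG_MODULE_SIG=n build lose the definition. The header that declares it is not part of this diff; it would need a matching fallback such as `static inline bool is_module_sig_enforced(void) { return false; }` for the description's "No functional change" to hold.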
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 5cd63f14b1ef..c63e10c61694 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -23,7 +23,6 @@
 #include <linux/vmalloc.h>
 #include <linux/elf.h>
 #include <linux/proc_fs.h>
-#include <linux/security.h>
 #include <linux/seq_file.h>
 #include <linux/syscalls.h>
 #include <linux/fcntl.h>
@@ -127,28 +126,6 @@ static void module_assert_mutex_or_preempt(void)
 #endif
 }
 
-#ifdef CONFIG_MODULE_SIG
-static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
-module_param(sig_enforce, bool_enable_only, 0644);
-
-void set_module_sig_enforced(void)
-{
-	sig_enforce = true;
-}
-#else
-#define sig_enforce false
-#endif
-
-/*
- * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
- * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
- */
-bool is_module_sig_enforced(void)
-{
-	return sig_enforce;
-}
-EXPORT_SYMBOL(is_module_sig_enforced);
-
 /* Block module loading/unloading? */
 int modules_disabled = 0;
 core_param(nomodule, modules_disabled, bint, 0);
@@ -2569,70 +2546,6 @@ static inline void kmemleak_load_module(const struct module *mod,
 }
 #endif
 
-#ifdef CONFIG_MODULE_SIG
-static int module_sig_check(struct load_info *info, int flags)
-{
-	int err = -ENODATA;
-	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
-	const char *reason;
-	const void *mod = info->hdr;
-	bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
-				       MODULE_INIT_IGNORE_VERMAGIC);
-	/*
-	 * Do not allow mangled modules as a module with version information
-	 * removed is no longer the module that was signed.
-	 */
-	if (!mangled_module &&
-	    info->len > markerlen &&
-	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
-		/* We truncate the module to discard the signature */
-		info->len -= markerlen;
-		err = mod_verify_sig(mod, info);
-		if (!err) {
-			info->sig_ok = true;
-			return 0;
-		}
-	}
-
-	/*
-	 * We don't permit modules to be loaded into the trusted kernels
-	 * without a valid signature on them, but if we're not enforcing,
-	 * certain errors are non-fatal.
-	 */
-	switch (err) {
-	case -ENODATA:
-		reason = "unsigned module";
-		break;
-	case -ENOPKG:
-		reason = "module with unsupported crypto";
-		break;
-	case -ENOKEY:
-		reason = "module with unavailable key";
-		break;
-
-	default:
-		/*
-		 * All other errors are fatal, including lack of memory,
-		 * unparseable signatures, and signature check failures --
-		 * even if signatures aren't required.
-		 */
-		return err;
-	}
-
-	if (is_module_sig_enforced()) {
-		pr_notice("Loading of %s is rejected\n", reason);
-		return -EKEYREJECTED;
-	}
-
-	return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
-}
-#else /* !CONFIG_MODULE_SIG */
-static int module_sig_check(struct load_info *info, int flags)
-{
-	return 0;
-}
-#endif /* !CONFIG_MODULE_SIG */
-
 static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr)
 {
 #if defined(CONFIG_64BIT)
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 8aeb6d2ee94b..85c8999dfecf 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -11,9 +11,29 @@
 #include <linux/module_signature.h>
 #include <linux/string.h>
 #include <linux/verification.h>
+#include <linux/security.h>
 #include <crypto/public_key.h>
+#include <uapi/linux/module.h>
 #include "internal.h"
 
+static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+module_param(sig_enforce, bool_enable_only, 0644);
+
+/*
+ * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+ * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
+ */
+bool is_module_sig_enforced(void)
+{
+	return sig_enforce;
+}
+EXPORT_SYMBOL(is_module_sig_enforced);
+
+void set_module_sig_enforced(void)
+{
+	sig_enforce = true;
+}
+
 /*
  * Verify the signature on a module.
  */
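Review bot: `module_param(sig_enforce, bool_enable_only, 0644)` derives its parameter prefix from the object it is compiled into unless MODULE_PARAM_PREFIX is overridden, and nothing in the lines added here sets it, so the parameter may stop being `module.sig_enforce` once it lives in signing.c. That is security-relevant: a boot command line that relies on `module.sig_enforce=1` to turn enforcement on would no longer match the parameter, and signature enforcement would stay at its build-time default. Unless internal.h or the Makefile already handles this (neither is visible here), add `#undef MODULE_PARAM_PREFIX` and `#define MODULE_PARAM_PREFIX "module."` above the `sig_enforce` definition.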
@@ -43,3 +63,60 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
 }
+
+int module_sig_check(struct load_info *info, int flags)
+{
+	int err = -ENODATA;
+	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+	const char *reason;
+	const void *mod = info->hdr;
+	bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
+				       MODULE_INIT_IGNORE_VERMAGIC);
+	/*
+	 * Do not allow mangled modules as a module with version information
+	 * removed is no longer the module that was signed.
+	 */
+	if (!mangled_module &&
+	    info->len > markerlen &&
+	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+		/* We truncate the module to discard the signature */
+		info->len -= markerlen;
+		err = mod_verify_sig(mod, info);
+		if (!err) {
+			info->sig_ok = true;
+			return 0;
+		}
+	}
+
+	/*
+	 * We don't permit modules to be loaded into the trusted kernels
+	 * without a valid signature on them, but if we're not enforcing,
+	 * certain errors are non-fatal.
+	 */
+	switch (err) {
+	case -ENODATA:
+		reason = "unsigned module";
+		break;
+	case -ENOPKG:
+		reason = "module with unsupported crypto";
+		break;
+	case -ENOKEY:
+		reason = "module with unavailable key";
+		break;
+
+	default:
+		/*
+		 * All other errors are fatal, including lack of memory,
+		 * unparseable signatures, and signature check failures --
+		 * even if signatures aren't required.
+		 */
+		return err;
+	}
+
+	if (is_module_sig_enforced()) {
+		pr_notice("Loading of %s is rejected\n", reason);
+		return -EKEYREJECTED;
+	}
+
+	return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
+}
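Review bot: module_sig_check() is now called across files but has no header comment, and its return value is easy to misread: 0 comes back after a verified signature (with `info->sig_ok` set) and also, when enforcement is off, for an unsigned, unsupported-crypto or unavailable-key module whenever `security_locked_down()` returns 0, with `sig_ok` left untouched. A kernel-doc block above the definition should state that callers must consult `info->sig_ok`, not the return code, to know whether a signature was actually verified, and that `info->len` is shortened by the marker length as soon as the marker is found, before verification has succeeded. It is also worth recording there that a load with `MODULE_INIT_IGNORE_MODVERSIONS` or `MODULE_INIT_IGNORE_VERMAGIC` never reaches mod_verify_sig() and is therefore reported as "unsigned module" even when a signature is present.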
-- 
2.34.1

