Commit 106a4ee2 authored by Rusty Russell's avatar Rusty Russell
Browse files

module: signature checking hook 



We do a very simple search for a particular string appended to the module
(which is cache-hot and about to be SHA'd anyway).  There's both a config
option and a boot parameter which control whether we accept or fail with
unsigned modules and modules that are signed with an unknown key.

If module signing is enabled, the kernel will be tainted if a module is
loaded that is unsigned or has a signature for which we don't have the
key.

(Useful feedback and tweaks by David Howells <dhowells@redhat.com>)

Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
parent c26fd69f

Documentation/kernel-parameters.txt

+6 −0
Original line number Diff line number Diff line
@@ -1582,6 +1582,12 @@ bytes respectively. Such letter suffixes can also be entirely omitted. 
			log everything. Information is printed at KERN_DEBUG

			so loglevel=8 may also need to be specified.



	module.sig_enforce

			[KNL] When CONFIG_MODULE_SIG is set, this means that

			modules without (valid) signatures will fail to load.

			Note that if CONFIG_MODULE_SIG_ENFORCE is set, that

			is always true, so this option does nothing.



	mousedev.tap_time=

			[MOUSE] Maximum time between finger touching and

			leaving touchpad surface for touch to be considered

include/linux/module.h

+8 −0
Original line number Diff line number Diff line
@@ -21,6 +21,9 @@ 
#include <linux/percpu.h>

#include <asm/module.h>



/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */

#define MODULE_SIG_STRING "~Module signature appended~\n"



/* Not Yet Implemented */

#define MODULE_SUPPORTED_DEVICE(name)
@@ -260,6 +263,11 @@ struct module 
	const unsigned long *unused_gpl_crcs;

#endif



#ifdef CONFIG_MODULE_SIG

	/* Signature was verified. */

	bool sig_ok;

#endif



	/* symbols that will be GPL-only in the near future. */

	const struct kernel_symbol *gpl_future_syms;

	const unsigned long *gpl_future_crcs;

init/Kconfig

+14 −0
Original line number Diff line number Diff line
@@ -1585,6 +1585,20 @@ config MODULE_SRCVERSION_ALL 
	  the version).  With this option, such a "srcversion" field

	  will be created for all modules.  If unsure, say N.



config MODULE_SIG

	bool "Module signature verification"

	depends on MODULES

	help

	  Check modules for valid signatures upon load: the signature

	  is simply appended to the module. For more information see

	  Documentation/module-signing.txt.



config MODULE_SIG_FORCE

	bool "Require modules to be validly signed"

	depends on MODULE_SIG

	help

	  Reject unsigned modules or signed modules for which we don't have a

	  key.  Without this, such modules will simply taint the kernel.

endif # MODULES



config INIT_ALL_POSSIBLE

kernel/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -55,6 +55,7 @@ obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o 
obj-$(CONFIG_PROVE_LOCKING) += spinlock.o

obj-$(CONFIG_UID16) += uid16.o

obj-$(CONFIG_MODULES) += module.o

obj-$(CONFIG_MODULE_SIG) += module_signing.o

obj-$(CONFIG_KALLSYMS) += kallsyms.o

obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o

obj-$(CONFIG_KEXEC) += kexec.o

kernel/module-internal.h

0 → 100644
+13 −0
Original line number Diff line number Diff line 
/* Module internals

 *

 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.

 * Written by David Howells (dhowells@redhat.com)

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public Licence

 * as published by the Free Software Foundation; either version

 * 2 of the Licence, or (at your option) any later version.

 */



extern int mod_verify_sig(const void *mod, unsigned long modlen,

			  const void *sig, unsigned long siglen);

CRA Git | Maintained and supported by SUSTech CRA and CCSE