From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 84BCD21325C; Tue, 29 Apr 2025 13:04:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; cv=none; b=p9Tfecl2YqHoPajQO1glOYhV/hPNDkLIjkcWQIIX2iw5yFb6TdUIjTfov6VkzjbyvzN6i2VNYxPbvJRNqkYk3y5ADvfskvV4+cV/wJHWt2nLQedUaHz5FVmrqtqg4XxTHMqO5E5/PyIC0+aeGK0lCAGKhYromLvMgpQYQvgvg58= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; c=relaxed/simple; bh=d/NdlzD2KV2pF2aazqdTVXD1jSSYLt8dgjzDd7PvoPo=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=P0UnnbS11tEtaitF4W3lQk1ZGOuXwQ2Nj2c9F4RX4j8CEAZ0thTICwsSeB/yTeL4dNIyGxor97O2lS4e1CVnITO+GmKMt1djm0OasOo6VKJ07hI29l27Dyt6oa5xNpjs6AaVgF/BGC3zaJtjmIDoFjFcouxA8aPqvvshcHkQhTg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=ndr5eUgV; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="ndr5eUgV" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1745931874; bh=d/NdlzD2KV2pF2aazqdTVXD1jSSYLt8dgjzDd7PvoPo=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=ndr5eUgVSV+gAn8uBtqf5gkqDazOK0n25l02cugLtcQTuqMr/LNpa6t6wzbfuMAjH 
12Qulrdyx2c2aBEE5Yq6GwMxJfjD8udHNeMcCf4DwcNNIpMaOWa5/Pa3TCszUfVEud TJ/gfqJ/aj7cVBefjCJblpJsOrMKeMlWCvvIu+FQ= 
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:28 +0200
Subject: [PATCH v3 1/9] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20250429-module-hashes-v3-1-00e9258def9e@weissschuh.net>
References: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
To: Masahiro Yamada, Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Nicolas Schier
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh
X-Mailer: b4 0.14.2
X-Developer-Signature: v=1; a=ed25519-sha256; t=1745931873; l=1136; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=d/NdlzD2KV2pF2aazqdTVXD1jSSYLt8dgjzDd7PvoPo=; b=xAYAenyFdE04MOoAyCY51VYJoTBGGcK4Soq/RQ+egxA1KIPa8xT21DSMBRyeZrix2b6b8RUK5 4oPcru3LJfZABty4/kT+0dOo2ZPe8NuL+rpxUHGjPov6s65d3wYcJWl
X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw=

When CONFIG_MODULE_SIG is disabled, set_module_sig_enforced() is defined as an empty stub, so the check is unnecessary.
The specific configuration option for set_module_sig_enforced() is about to change and removing the check avoids some later churn.

Signed-off-by: Thomas Weißschuh
Reviewed-by: Mimi Zohar
---
This patch is not strictly necessary right now, but makes looking for usages of CONFIG_MODULE_SIG easier.
---
 arch/powerpc/kernel/ima_arch.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index b7029beed847dc0acf15b3edbdd7fe9e60626f24..690263bf4265c78331b5f306097543ce12ac7dbd 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -63,8 +63,7 @@ static const char *const secure_and_trusted_rules[] =3D { const char *const *arch_get_ima_policy(void) { if (is_ppc_secureboot_enabled()) { - if (IS_ENABLED(CONFIG_MODULE_SIG)) - set_module_sig_enforced(); + set_module_sig_enforced(); =20 if (is_ppc_trustedboot_enabled()) return secure_and_trusted_rules; --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 217F12D29B7; Tue, 29 Apr 2025 13:04:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931891; cv=none; b=DxQxlCiDzgp1E23dpJy5tdo3GwM8OGjWGOw5HGhbOxvXb4hsAyCgEE5n6yewTrPrw+h6HLnXQ753ubWRW0GTBukoojg+qapSMqhXlG4X0jhfLeD4HRg9kyDJJj4K8TCitK34JNcYShhMGdGKWzPWyLHk7RlAHSb53OOOnS7xJ9A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931891; c=relaxed/simple; bh=1xKcF/fZBhfU3Lws3Lfk6rUfxpZo4l0csYGo9PaBtCc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=KjK+lEEYb8jjXew+HYlH4aRZUhu/CACMaqvgybTTC/mGrEapXt7x3ay02Tym5v0ZuB98wUQ70XUIxOAt5evUAtFunpT39ecNfqqfSHbLwuVWe6PWvGcc0Ga2BSeWWVmUcH7pJuzn79mg6yp/ppLIKnzmuJlGRr0Li5oQkT76irI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=eiah1WdL; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) 
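Review bot: the arch_get_ima_policy() hunk makes the call to set_module_sig_enforced() unconditional, so it now depends on a stub existing whenever the real function is not built, and patch 5/9 of this series moves the real definition under CONFIG_MODULE_SIG_POLICY while its include/linux/module.h hunks only show !CONFIG_MODULE_SIG_POLICY stubs for is_module_sig_enforced() and module_sig_ok(). Please state in the commit message where the stub for set_module_sig_enforced() lives after that rename, because a powerpc secure-boot configuration without module signing would otherwise fail at link time here, which is harder to attribute than the compile-time guard being removed.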
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:29 +0200
Subject: [PATCH v3 2/9] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
Message-Id: <20250429-module-hashes-v3-2-00e9258def9e@weissschuh.net>
References: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>

When the configuration settings are disabled, the guarded functions are defined as empty stubs, so the check is unnecessary.
The specific configuration option for set_module_sig_enforced() is about to change and removing the checks avoids some later churn.

Signed-off-by: Thomas Weißschuh
Reviewed-by: Mimi Zohar
---
This patch is not strictly necessary right now, but makes looking for usages of CONFIG_MODULE_SIG easier.
---
 security/integrity/ima/ima_efi.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 138029bfcce1e40ef37700c15e30909f6e9b4f2d..a35dd166ad47beb4a7d46cc3e8fc604f57e03ecb 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] =3D { const char * const *arch_get_ima_policy(void) { if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { - if (IS_ENABLED(CONFIG_MODULE_SIG)) - set_module_sig_enforced(); - if (IS_ENABLED(CONFIG_KEXEC_SIG)) - set_kexec_sig_enforced(); + set_module_sig_enforced(); + set_kexec_sig_enforced(); return sb_arch_rules; } return NULL; --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2176A2D29B4; Tue, 29 Apr 2025 13:04:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931891; cv=none; b=U0Wp1kKIQ8MnaUY6rRLO9TS4SiSLcjQkxBQ07jXjxu8d2l+JjKxcyOZh5UwHs0oLt/Iu7HjsECO4pAm4+iuOXm/ne49sAv/qSY3PVmRJe7J2fZjDRXMICVyhUC7W6ndk/Ism8zJC5Ye8jRlADeHVuQ1uKLGPp9oYU+HBAbduJsA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931891; c=relaxed/simple; bh=BPjoQrBeSoxkcd82ei29z+rDIHsoHB5a3gcd8mm9ZwM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=EYd75IYxqgZCOkp/y+eoQ0fFf7GezaM2ter4+nkhFKcApZpCWcpQfrdJ+vZlvHUEkZptbLIhKdnDBdpobtMThLnJWshCDa/Osxtkt58NlJsJEZGdlklvwc9feal0LHqGfTR7YVL4Ub0zK6fJrmupg9KijHPTIs0qwbkyshRVYOY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=qndLv3n/; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass 
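Review bot: this hunk drops two unrelated guards, IS_ENABLED(CONFIG_MODULE_SIG) around set_module_sig_enforced() and IS_ENABLED(CONFIG_KEXEC_SIG) around set_kexec_sig_enforced(), but the commit message only motivates the first by the upcoming option rename; please add one sentence saying that set_kexec_sig_enforced() keeps its empty !CONFIG_KEXEC_SIG stub and that nothing later in the series touches it, so a reader bisecting a kexec-signature regression does not have to wonder whether a guard was lost here. The remaining IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot() condition still gates both calls, so behaviour is unchanged.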
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:30 +0200
Subject: [PATCH v3 3/9] kbuild: add stamp file for vmlinux BTF data
Message-Id: <20250429-module-hashes-v3-3-00e9258def9e@weissschuh.net>
References: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>

The upcoming module hashes functionality will build the modules in between the generation of the BTF data and the final link of vmlinux.
Having a dependency from the modules on vmlinux would make this impossible as it would mean having a cyclic dependency. Break this cyclic dependency by introducing a new target. Signed-off-by: Thomas Wei=C3=9Fschuh --- scripts/Makefile.modfinal | 4 ++-- scripts/link-vmlinux.sh | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index 542ba462ed3ec9607e0df10e26613a4c7ac318e8..5d01b553ec9a4565c8e5a6edd05= 665c409003bc1 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal @@ -52,8 +52,8 @@ if_changed_except =3D $(if $(call newer_prereqs_except,$(= 2))$(cmd-check), \ printf '%s\n' 'savedcmd_$@ :=3D $(make-cmd)' > $(dot-target).cmd, @:) =20 # Re-generate module BTFs if either module's .ko or vmlinux changed -%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(C= ONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/vmlinux) FORCE - +$(call if_changed_except,ld_ko_o,$(objtree)/vmlinux) +%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(C= ONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/.tmp_vmlinux_btf= .stamp) FORCE + +$(call if_changed_except,ld_ko_o,$(objtree)/.tmp_vmlinux_btf.stamp) ifdef CONFIG_DEBUG_INFO_BTF_MODULES +$(if $(newer-prereqs),$(call cmd,btf_ko)) endif diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index 51367c2bfc21ef9a8ebbc30670b1edd220b571a3..5f060787ce3fbcbcfdca0c95789= d619e2a1c7b72 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -113,6 +113,7 @@ vmlinux_link() gen_btf() { local btf_data=3D${1}.btf.o + local btf_stamp=3D.tmp_vmlinux_btf.stamp =20 info BTF "${btf_data}" LLVM_OBJCOPY=3D"${OBJCOPY}" ${PAHOLE} -J ${PAHOLE_FLAGS} ${1} 
@@ -133,6 +134,11 @@ gen_btf() fi printf "${et_rel}" | dd of=3D"${btf_data}" conv=3Dnotrunc bs=3D1 seek=3D1= 6 status=3Dnone =20 + info STAMP $btf_stamp + if ! cmp --silent $btf_data $btf_stamp; then + cp $btf_data $btf_stamp + fi + btf_vmlinux_bin_o=3D${btf_data} } =20 --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 22F2A130A54; Tue, 29 Apr 2025 13:04:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931888; cv=none; b=HOXZjSq86ZFUf0AA4jRXjtudwL30Bh7yO+APmfcz6EBrFSibTAQjfbjbr/f7Dfh/V9gPhfLtbU5UV4TbvdwkydJiN0+SrRyyoRTEDPeoOG4dhxwBOlmGMhuwgKJqzozuYPrXreJxipEijcsneb5glqjrHQdrXUTiUfCzJEb9WV0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931888; c=relaxed/simple; bh=T0fD62G5Xd9JAdE1vJEHi+5qJb4+xZfzKULQbTpVsYY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=R//bTQ00ZnS7Bah6XiuHkBL0EtnGwbiqXKrfgwzTh+p3zpPd3N3zmx75SdFMOESl/c+sgHSCCUFFakv1iWKJAkYoQXpStBInUql9+q8bqyymfK/A+YNm292EDHB/P6PKR0bccF+2+wdENyMFvNNnvNnTFgdZ1Aj7qEffnHqu+HA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=VYryOxdF; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net 
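Review bot: in the gen_btf() hunk the new lines `if ! cmp --silent $btf_data $btf_stamp; then` and `cp $btf_data $btf_stamp` leave both variables unquoted while the surrounding script writes "${btf_data}"; quote them the same way. Two points for the commit message or a comment in the script: the cmp-before-cp is what keeps the stamp's mtime unchanged when the BTF data did not change, so the `%.ko` rule in the Makefile.modfinal hunk does not relink every module after each vmlinux link, and that intent is not obvious from `info STAMP $btf_stamp` alone; and since the module rule now depends on $(objtree)/.tmp_vmlinux_btf.stamp, please confirm the stamp is removed together with the other .tmp_vmlinux* files on the clean path, as nothing in this hunk adds that.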
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:31 +0200
Subject: [PATCH v3 4/9] kbuild: generate module BTF based on vmlinux.unstripped
Message-Id: <20250429-module-hashes-v3-4-00e9258def9e@weissschuh.net>
References: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>

The upcoming module hashes functionality will build the modules in between the generation of the BTF data and the final link of vmlinux.
At this point vmlinux is not yet built and therefore can't be used for module BTF generation. vmlinux.unstripped however is usable and sufficient for BTF generation.

Signed-off-by: Thomas Weißschuh
---
 scripts/Makefile.modfinal | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
index 5d01b553ec9a4565c8e5a6edd05665c409003bc1..527f6b27baff9db94d31c15447de445a05bc0634 100644
--- a/scripts/Makefile.modfinal
+++ b/scripts/Makefile.modfinal
@@ -36,11 +36,11 @@ quiet_cmd_ld_ko_o =3D LD [M] $@ =20 quiet_cmd_btf_ko =3D BTF [M] $@ cmd_btf_ko =3D \ - if [ ! -f $(objtree)/vmlinux ]; then \ - printf "Skipping BTF generation for %s due to unavailability of vmlinux\= n" $@ 1>&2; \ + if [ ! -f $(objtree)/vmlinux.unstripped ]; then \ + printf "Skipping BTF generation for %s due to unavailability of vmlinux.= unstripped\n" $@ 1>&2; \ else \ - LLVM_OBJCOPY=3D"$(OBJCOPY)" $(PAHOLE) -J $(PAHOLE_FLAGS) $(MODULE_PAHOLE= _FLAGS) --btf_base $(objtree)/vmlinux $@; \ - $(RESOLVE_BTFIDS) -b $(objtree)/vmlinux $@; \ + LLVM_OBJCOPY=3D"$(OBJCOPY)" $(PAHOLE) -J $(PAHOLE_FLAGS) $(MODULE_PAHOLE= _FLAGS) --btf_base $(objtree)/vmlinux.unstripped $@; \ + $(RESOLVE_BTFIDS) -b $(objtree)/vmlinux.unstripped $@; \ fi; =20 # Same as newer-prereqs, but allows to exclude specified extra dependencies --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 86F642135DD; Tue, 29 Apr 2025 13:04:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; cv=none; b=rYA8g/EZm/WR4lPU2dxw0n6K5r2ztK4xa2YDV6rzkxgIyi93gHk2BF3OdNSElRrAUlbf7/mPTRqL3Al4c+V/0PI8nsdvLTI/YuJIZC31lsGhGe1ugZTfT56q3sUMBk1/WqMDm2t61OXZWoydF6tfSECQrw9/7ZdjMdONbs6COcU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; c=relaxed/simple; bh=UCCJkeYdVSKNrm9L/l2LgArwTnkqToFIXrGQtz775hQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=HUcIedCs4Q08POc4qPbckL2tsk38MlLHlnKDEtqBUaxEKNuvrm3/LY3NYQ0S5azbIVZnV4zSnUJBoDrMqmsLdi01Z0VBhCkBAzxDR+8MMue6fDidC3Z880kM11sUJPxdKE/tiEGMvU5hMQXU9Z8jvmqaODELyXoctpbyKVqC4eg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; 
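Review bot: the cmd_btf_ko hunk changes both the pahole --btf_base and the $(RESOLVE_BTFIDS) -b base to $(objtree)/vmlinux.unstripped, but the commit message only says it is "usable and sufficient"; it should state why the BTF in vmlinux.unstripped is the same data that ends up in the final vmlinux, because the kernel resolves a module's split BTF against the vmlinux BTF it booted with, and a base mismatch would surface as broken type resolution rather than as a build error. Separately, the existence check moves from $(objtree)/vmlinux to $(objtree)/vmlinux.unstripped, so a tree that contains only vmlinux (for example an external module build against an installed kernel tree) now silently prints `Skipping BTF generation for %s due to unavailability of vmlinux.unstripped` where it previously produced module BTF; please say in the commit message whether that is intended.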
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:32 +0200
Subject: [PATCH v3 5/9] module: Make module loading policy usable without MODULE_SIG
Message-Id: <20250429-module-hashes-v3-5-00e9258def9e@weissschuh.net>
References: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>

The loading policy functionality will also be used by the hash-based module validation. Split it out from CONFIG_MODULE_SIG so it is usable by both.
Signed-off-by: Thomas Wei=C3=9Fschuh --- include/linux/module.h | 8 ++++---- kernel/module/Kconfig | 6 +++++- kernel/module/main.c | 26 +++++++++++++++++++++++++- kernel/module/signing.c | 21 --------------------- 4 files changed, 34 insertions(+), 27 deletions(-) diff --git a/include/linux/module.h b/include/linux/module.h index d94b196d5a34e104d81308df4b150452eb96cdc9..68aa8bbd33acc84e013dc575ee8= 8bd4e3101f9f4 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -453,7 +453,7 @@ struct module { const u32 *gpl_crcs; bool using_gplonly_symbols; =20 -#ifdef CONFIG_MODULE_SIG +#ifdef CONFIG_MODULE_SIG_POLICY /* Signature was verified. */ bool sig_ok; #endif @@ -921,14 +921,14 @@ static inline bool retpoline_module_ok(bool has_retpo= line) } #endif =20 -#ifdef CONFIG_MODULE_SIG +#ifdef CONFIG_MODULE_SIG_POLICY bool is_module_sig_enforced(void); =20 static inline bool module_sig_ok(struct module *module) { return module->sig_ok; } -#else /* !CONFIG_MODULE_SIG */ +#else /* !CONFIG_MODULE_SIG_POLICY */ static inline bool is_module_sig_enforced(void) { return false; @@ -938,7 +938,7 @@ static inline bool module_sig_ok(struct module *module) { return true; } -#endif /* CONFIG_MODULE_SIG */ +#endif /* CONFIG_MODULE_SIG_POLICY */ =20 #if defined(CONFIG_MODULES) && defined(CONFIG_KALLSYMS) int module_kallsyms_on_each_symbol(const char *modname, diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index c51f25538d0ea66e6486ad0be6684173cd0140b5..a3146e9378fcd3292a756a2a7ea= 5241524cbc408 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig 
@@ -265,9 +265,13 @@ config MODULE_SIG debuginfo strip done by some packagers (such as rpmbuild) and inclusion into an initramfs that wants the module size reduced. =20 +config MODULE_SIG_POLICY + def_bool y + depends on MODULE_SIG + config MODULE_SIG_FORCE bool "Require modules to be validly signed" - depends on MODULE_SIG + depends on MODULE_SIG_POLICY help Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel. diff --git a/kernel/module/main.c b/kernel/module/main.c index a2859dc3eea66ec19991e7e4afb5bbcae2c2d167..83c66205556fdde92152c131f1f= 58229c4f7f734 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2432,7 +2432,7 @@ static void module_augment_kernel_taints(struct modul= e *mod, struct load_info *i mod->name); add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK); } -#ifdef CONFIG_MODULE_SIG +#ifdef CONFIG_MODULE_SIG_POLICY mod->sig_ok =3D info->sig_ok; if (!mod->sig_ok) { pr_notice_once("%s: module verification failed: signature " @@ -3808,3 +3808,27 @@ static int module_debugfs_init(void) } module_init(module_debugfs_init); #endif + +#ifdef CONFIG_MODULE_SIG_POLICY + +#undef MODULE_PARAM_PREFIX +#define MODULE_PARAM_PREFIX "module." + +static bool sig_enforce =3D IS_ENABLED(CONFIG_MODULE_SIG_FORCE); +module_param(sig_enforce, bool_enable_only, 0644); + +/* + * Export sig_enforce kernel cmdline parameter to allow other subsystems r= ely + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. + */ +bool is_module_sig_enforced(void) +{ + return sig_enforce; +} +EXPORT_SYMBOL(is_module_sig_enforced); + +void set_module_sig_enforced(void) +{ + sig_enforce =3D true; +} +#endif diff --git a/kernel/module/signing.c b/kernel/module/signing.c index a2ff4242e623d5d4e87d2f3d139d8620fb937579..e51920605da14771601327ea596= dad2e12400518 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c 
@@ -16,27 +16,6 @@ #include #include "internal.h" =20 -#undef MODULE_PARAM_PREFIX -#define MODULE_PARAM_PREFIX "module." - -static bool sig_enforce =3D IS_ENABLED(CONFIG_MODULE_SIG_FORCE); -module_param(sig_enforce, bool_enable_only, 0644); - -/* - * Export sig_enforce kernel cmdline parameter to allow other subsystems r= ely - * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. - */ -bool is_module_sig_enforced(void) -{ - return sig_enforce; -} -EXPORT_SYMBOL(is_module_sig_enforced); - -void set_module_sig_enforced(void) -{ - sig_enforce =3D true; -} - /* * Verify the signature on a module. */ --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8859922AE76; Tue, 29 Apr 2025 13:04:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; cv=none; b=FDFHRS193GJCHyJf1+H0DPL42ICBd2TGtmi55HvnmVjOhuFosZhSqeJccctXoFq+jzenusazl6wvY93OgX2AN4rZQvvnNLg8VAntJRrA6v+FEs0FAqpBtxxz2fMUvLnLxxjPeBLoM7ZM0aNiGyl2k2X7fCWKBQ9li7xWmb/CD1I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; c=relaxed/simple; bh=uAWB6PT9KWFnBAMA3cbexNOM6gBbMJ+pc0ZLJPh/nCk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=oSKtpvqqmgK4JSwp3YY1LiVldt+YC3bz4oDI4qKEAfZkh+HMVC+RsK4KY67HG5oowV/l2EHxsFIAT8sCf8Jb1FMI+mLQQg2WTI8jk/C2IuFiLuuQy+d30DlnrK9QWrpIeSMmRaFzdaUzXpRSykwORhuYzEitD+REfodYGeyVK+A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=IP1DdbS6; arc=none 
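Review bot: the kernel/module/Kconfig hunk adds `config MODULE_SIG_POLICY` with `def_bool y` and `depends on MODULE_SIG`, so within this patch the new symbol is exactly equivalent to MODULE_SIG and the split the commit message promises only becomes real once the hash-based option later extends that `depends on`; please say so in the commit message. The symbol has no prompt and no help text, so consider a short `help` block explaining that it groups the module.sig_enforce parameter and the per-module sig_ok state shared by signature and hash validation, otherwise a reader of Kconfig has to trace the dependency chain to understand why MODULE_SIG_FORCE now depends on it.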
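Review bot: the block appended at the end of kernel/module/main.c moves the `#undef MODULE_PARAM_PREFIX` / `#define MODULE_PARAM_PREFIX "module."` pair out of signing.c; placing it at the very end of the file is safe only because nothing follows it, and any module_param() appended below it later silently inherits the "module." prefix. Add a comment saying the redefinition is deliberate and must stay last, or move the policy code into its own file. While moving the comment above is_module_sig_enforced(), fix its grammar: `to allow other subsystems rely on that instead of directly to CONFIG_MODULE_SIG_FORCE config` reads better as `to allow other subsystems to rely on it instead of on CONFIG_MODULE_SIG_FORCE directly`. Keeping the prefix means the user-visible module.sig_enforce parameter name is unchanged, which the commit message could state explicitly since that is the compatibility property distributions care about.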
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:33 +0200
Subject: [PATCH v3 6/9] module: Move integrity checks into dedicated function
Message-Id: <20250429-module-hashes-v3-6-00e9258def9e@weissschuh.net>
References: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>

With the addition of hash-based integrity checking, the configuration matrix is easier to represent in a dedicated function and with explicit usage of IS_ENABLED().
Drop the now unnecessary stub for module_sig_check(). Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/internal.h | 7 ------- kernel/module/main.c | 18 ++++++++++++++---- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 626cf8668a7eb9202fce13d631f39429a4fe0ace..42fbc53c6af66a1b531fcad0899= 7742d838eb481 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -325,14 +325,7 @@ int module_enable_text_rox(const struct module *mod); int module_enforce_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, char *secstrings, struct module *mod); =20 -#ifdef CONFIG_MODULE_SIG int module_sig_check(struct load_info *info, int flags); -#else /* !CONFIG_MODULE_SIG */ -static inline int module_sig_check(struct load_info *info, int flags) -{ - return 0; -} -#endif /* !CONFIG_MODULE_SIG */ =20 #ifdef CONFIG_DEBUG_KMEMLEAK void kmemleak_load_module(const struct module *mod, const struct load_info= *info); diff --git a/kernel/module/main.c b/kernel/module/main.c index 83c66205556fdde92152c131f1f58229c4f7f734..0c88d443a3bc894b18a7aa230ca= df396e585c415 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3247,6 +3247,16 @@ static int early_mod_check(struct load_info *info, i= nt flags) return err; } =20 +static int module_integrity_check(struct load_info *info, int flags) +{ + int err =3D 0; + + if (IS_ENABLED(CONFIG_MODULE_SIG)) + err =3D module_sig_check(info, flags); + + return err; +} + /* * Allocate and load the module: note that size of section 0 is always * zero, and we rely on this for optional sections. 
@@ -3260,18 +3270,18 @@ static int load_module(struct load_info *info, cons= t char __user *uargs, char *after_dashes; =20 /* - * Do the signature check (if any) first. All that - * the signature check needs is info->len, it does + * Do the integrity checks (if any) first. All that + * they need is info->len, it does * not need any of the section info. That can be * set up later. This will minimize the chances * of a corrupt module causing problems before - * we even get to the signature check. + * we even get to the integrity check. * * The check will also adjust info->len by stripping * off the sig length at the end of the module, making * checks against info->len more correct. */ - err =3D module_sig_check(info, flags); + err =3D module_integrity_check(info, flags); if (err) goto free_copy; =20 --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8970B2D29C7; Tue, 29 Apr 2025 13:04:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931892; cv=none; b=F6mzS2a8/rxVzNosuGE2rRiaWjt9jznYf8y9Y+jFX4SF0+7iba5h78M313bXvM3Q7Yftn+4UEqjguWUZJ4uqynxUeQVtA6EO96kPcvw9cN1ks/mUTqDR7wjK5UhXcAOd2PFwi1XODqpvtMr0inCRh6hukyD0+EFzJydRpTp/i5A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931892; c=relaxed/simple; bh=kmQUIW+5wYPfShUIrOsErGdMJNnQUWIZ+BIWQSkTJR8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=pfKHsZaSZwZpmPPv9xyzAsXAakQT1fK6cJOXBqozSPGeUoQMW/K1GEKDcWGqLmhGflzyR+GxpJFTBU673qCw5Uk2a1z5mmJwBjNXYP5hcF8X6qD/dc/sKCxhXISvz9b4tc0voWvl3JLemexvxrxx9uytLojfn4b1wsC1z4CNMes= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine 
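Review bot: in the kernel/module/internal.h hunk, module_sig_check() is now declared unconditionally while its definition only exists when CONFIG_MODULE_SIG is built, so the link depends on the IS_ENABLED(CONFIG_MODULE_SIG) guard in module_integrity_check() letting the compiler drop the call. A one-line comment at the declaration ("only defined with CONFIG_MODULE_SIG; call sites must be guarded by IS_ENABLED()") would keep a future caller from reintroducing an unguarded reference.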
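Review bot: the rewritten comment in the load_module() hunk mixes number ("All that they need is info->len, it does not need any of the section info") and the following sentence still speaks only of "stripping off the sig length" although the call is now the generic integrity check. Suggest "All that they need is info->len; they do not need any of the section info." and a note that the length adjustment applies to the signature case.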
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:34 +0200
Subject: [PATCH v3 7/9] module: Move lockdown check into generic module loader
Message-Id: <20250429-module-hashes-v3-7-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
To: Masahiro Yamada, Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Nicolas Schier
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh

The lockdown check buried in module_sig_check() will not compose well with the introduction of hash-based module validation. Move it into module_integrity_check() which will work better.
Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/main.c | 6 +++++- kernel/module/signing.c | 3 +-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/module/main.c b/kernel/module/main.c index 0c88d443a3bc894b18a7aa230cadf396e585c415..1c353ece05fd1d2d709204e4d5f= a44ecb8832bfa 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3254,7 +3254,11 @@ static int module_integrity_check(struct load_info *= info, int flags) if (IS_ENABLED(CONFIG_MODULE_SIG)) err =3D module_sig_check(info, flags); =20 - return err; + if (err) + return err; + if (info->sig_ok) + return 0; + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); } =20 /* diff --git a/kernel/module/signing.c b/kernel/module/signing.c index e51920605da14771601327ea596dad2e12400518..029e1ef6f0e369fd48e8c81154b= 6c697ad7a6249 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -11,7 +11,6 @@ #include #include #include -#include #include #include #include "internal.h" 
@@ -100,5 +99,5 @@ int module_sig_check(struct load_info *info, int flags) return -EKEYREJECTED; } =20 - return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); + return 0; } --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B79632AE99; Tue, 29 Apr 2025 13:04:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; cv=none; b=ZDWN2h6YuV0hTmTJKrw2CNCZzQymy7lSJEFx3x+LMCUkXCygbyW18Ozj6k9WdPhAuzMiroVK37Nd80eZ+iJQbmi6CEH9WD+4LCiVkF2IwKALrT3dsqG4O42N2YS+TRi5VEj/qt2cfIq+u6LyF6TR2TvcwhDPKu+koZmYSp6egZw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931887; c=relaxed/simple; bh=7p5y09FCX6rw2O2dfz8EEXV5SO0K/mxanRFmD+rolvo=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=hy2ugVhByKwO+6Q2a5Cr3BgOVkIeAApoFyHNFk2cICTwr0w1G58w2knl85QHxEp5TPugX/6Mzd6T/WbWxtI1qkXxj8PS2aut1w+KFjCfGv/w6xuQQ9DsuDo9VlFIJtVjHc7ruvIi+CiRpDOUguFqpUv7MbL8zD7AS/rXAlT6PQc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=jCf1FuP5; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="jCf1FuP5" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; 
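Review bot: the module_integrity_check() hunk in kernel/module/main.c now calls security_locked_down(LOCKDOWN_MODULE_SIGNATURE) whenever info->sig_ok is false, including when CONFIG_MODULE_SIG is disabled and sig_ok can never have been set, whereas the previous stub returned 0 for that configuration. The outcome is unchanged only because the lockdown LSM cannot be built without MODULE_SIG (patch 8/9 turns that into a Kconfig dependency) and security_locked_down() returns 0 when the LSM is absent; the commit message should state that the two patches are meant to go together.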
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:35 +0200
Subject: [PATCH v3 8/9] lockdown: Make the relationship to MODULE_SIG a dependency
Message-Id: <20250429-module-hashes-v3-8-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
To: Masahiro Yamada, Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Nicolas Schier
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh

The new hash-based module integrity checking will also be able to satisfy the requirements of lockdown. Such an alternative is not representable with "select", so use "depends on" instead.
Signed-off-by: Thomas Wei=C3=9Fschuh Acked-by: Paul Moore --- security/lockdown/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index e84ddf48401010bcc0829a32db58e6f12bfdedcb..155959205b8eac2c85897a8c4c8= b7ec471156706 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig 
@@ -1,7 +1,7 @@ config SECURITY_LOCKDOWN_LSM bool "Basic module for enforcing kernel lockdown" depends on SECURITY - select MODULE_SIG if MODULES + depends on !MODULES || MODULE_SIG help Build support for an LSM that enforces a coarse kernel lockdown behaviour. --=20 2.49.0 From nobody Mon Feb 9 06:32:42 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D75E42D29A7; Tue, 29 Apr 2025 13:04:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931891; cv=none; b=UXai3DBTUzRf1wYt4rFGYHAMudaT8AVFslwLvp9LXsaQJ66G0SCGk0NoSwFi8lHzIBjuh67CLSlUIAmH7r5r3clpJmzwoUrFebAZdHFfe5+ny4d/d0IO4AlUoIlIWgpc6Fg7c97P+WlQSNnIBGg5BwXbQ0lSiJAG0cZKLDMys60= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745931891; c=relaxed/simple; bh=l2dt6UnEWldajLPbUgoG/aPR9rbJ2ThISvj2I7Wsi9Q=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=TTmOl9Fbyzyhwa70OJuYSqvTjYY5aZRGUavKs0eCMxM5oYngukD3Pvng2koemgp72AnFSCdysdhMnCeJrQG9O6LC/mPS+4GAdNhqoDKOmE0EvHr/WbBlGBSiafB/TRLjlKgoH2UAOq4a11XWDXwAvpcMkWy76aDqrVpCINHwNlA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=UOiQVgPr; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="UOiQVgPr" 
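Review bot: replacing "select MODULE_SIG if MODULES" with "depends on !MODULES || MODULE_SIG" silently changes existing configurations: a .config with SECURITY_LOCKDOWN_LSM=y and MODULES=y but MODULE_SIG unset will drop the lockdown LSM on the next olddefconfig instead of pulling MODULE_SIG in. That is acceptable for the reason given, but it deserves a sentence in the commit message (and ideally in the Kconfig help) so distributions notice that MODULE_SIG must now be enabled explicitly.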
From: Thomas Weißschuh
Date: Tue, 29 Apr 2025 15:04:36 +0200
Subject: [PATCH v3 9/9] module: Introduce hash-based integrity checking
Message-Id: <20250429-module-hashes-v3-9-00e9258def9e@weissschuh.net>
In-Reply-To: <20250429-module-hashes-v3-0-00e9258def9e@weissschuh.net>
To: Masahiro Yamada, Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Nicolas Schier
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh

The current signature-based module integrity checking has some drawbacks in combination with reproducible builds: Either the module signing key is generated at build time, which makes the build
unreproducible, or a static key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated. Introduce a new mechanism to ensure only well-known modules are loaded by embedding a list of hashes of all modules built as part of the full kernel build into vmlinux. Non-builtin modules can be validated as before through signatures. Normally the .ko module files depend on a fully built vmlinux to be available for modpost validation and BTF generation. With CONFIG_MODULE_HASHES, vmlinux now depends on the modules to embed their hashes. This introduces a dependency cycle which does not work. Work around this by building the modules during link-vmlinux.sh, after vmlinux is complete enough for modpost and BTF but before the final module hashes are added to vmlinux. This mechanism increases the size of vmlinux by 32 bytes, one sha256 digest, per module. On a general-purpose distro kernel with ~6k modules this means a total increase of memory usage of ~200KiB. Signed-off-by: Thomas Wei=C3=9Fschuh --- .gitignore | 1 + Documentation/kbuild/reproducible-builds.rst | 5 ++- Makefile | 8 +++- include/asm-generic/vmlinux.lds.h | 11 ++++++ include/linux/module_hashes.h | 17 +++++++++ kernel/module/Kconfig | 17 ++++++++- kernel/module/Makefile | 1 + kernel/module/hashes.c | 56 ++++++++++++++++++++++++= ++++ kernel/module/internal.h | 1 + kernel/module/main.c | 5 ++- scripts/Makefile.modfinal | 6 +++ scripts/Makefile.modinst | 4 ++ scripts/Makefile.vmlinux | 5 +++ scripts/link-vmlinux.sh | 25 ++++++++++++- scripts/module-hashes.sh | 26 +++++++++++++ security/lockdown/Kconfig | 2 +- 16 files changed, 184 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index f2f63e47fb88686d5d5ab17d480c9301184134a9..ed55ce77be64a9769da7cc103ef= 56039648b8759 100644 --- a/.gitignore +++ b/.gitignore @@ -29,6 +29,7 @@ *.gz *.i *.ko +*.ko.hash *.lex.c *.ll *.lst 
diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/k= build/reproducible-builds.rst index a7762486c93fcd3eba08b836bed622a41e829e41..013265e9766c88e04fc775bbbb6= d3de90c7346e4 100644 --- a/Documentation/kbuild/reproducible-builds.rst +++ b/Documentation/kbuild/reproducible-builds.rst @@ -64,7 +64,10 @@ generate a different temporary key for each build, resul= ting in the modules being unreproducible. However, including a signing key with your source would presumably defeat the purpose of signing modules. =20 -One approach to this is to divide up the build process so that the +Instead ``CONFIG_MODULE_HASHES`` can be used to embed a static list +of valid modules to load. + +Another approach to this is to divide up the build process so that the unreproducible parts can be treated as sources: =20 1. Generate a persistent signing key. Add the certificate for the key diff --git a/Makefile b/Makefile index 38689a0c36052b4ea6541bff8b36048e9689578a..1d04a584d6993a33f7ceefa1bb5= 2727919bb83d0 100644 --- a/Makefile +++ b/Makefile @@ -1551,8 +1551,10 @@ endif # is an exception. ifdef CONFIG_DEBUG_INFO_BTF_MODULES KBUILD_BUILTIN :=3D 1 +ifndef CONFIG_MODULE_HASHES modules: vmlinux endif +endif =20 modules: modules_prepare =20 @@ -1933,7 +1935,11 @@ modules.order: $(build-dir) # KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules. # This is solely useful to speed up test compiles. modules: modpost -ifneq ($(KBUILD_MODPOST_NOFINAL),1) +ifdef CONFIG_MODULE_HASHES +ifeq ($(MODULE_HASHES_MODPOST_FINAL), 1) + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modfinal +endif +else ifneq ($(KBUILD_MODPOST_NOFINAL),1) $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modfinal endif =20 diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinu= x.lds.h index 58a635a6d5bdf0c53c267c2a3d21a5ed8678ce73..b45b2950c443a62f6086ed20985= 1421c511e078b 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h 
@@ -490,6 +490,8 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPELL= ER_CLANG) \ PRINTK_INDEX \ \ + MODULE_HASHES \ + \ /* Kernel symbol table: Normal symbols */ \ __ksymtab : AT(ADDR(__ksymtab) - LOAD_OFFSET) { \ __start___ksymtab =3D .; \ @@ -899,6 +901,15 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPEL= LER_CLANG) #define PRINTK_INDEX #endif =20 +#ifdef CONFIG_MODULE_HASHES +#define MODULE_HASHES \ + .module_hashes : AT(ADDR(.module_hashes) - LOAD_OFFSET) { \ + BOUNDED_SECTION_BY(.module_hashes, _module_hashes) \ + } +#else +#define MODULE_HASHES +#endif + /* * Discard .note.GNU-stack, which is emitted as PROGBITS by the compiler. * Otherwise, the type of .notes section would become PROGBITS instead of = NOTES. diff --git a/include/linux/module_hashes.h b/include/linux/module_hashes.h new file mode 100644 index 0000000000000000000000000000000000000000..5f2f0546e3875e6bc73bdd53aeb= aada7371b7f79 --- /dev/null +++ b/include/linux/module_hashes.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _LINUX_MODULE_HASHES_H +#define _LINUX_MODULE_HASHES_H + +#include +#include +#include + +#define __module_hashes_section __section(".module_hashes") +#define MODULE_HASHES_HASH_SIZE SHA256_DIGEST_SIZE + +extern const u8 module_hashes[][MODULE_HASHES_HASH_SIZE]; + +extern const typeof(module_hashes[0]) __start_module_hashes, __stop_module= _hashes; + +#endif /* _LINUX_MODULE_HASHES_H */ diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index a3146e9378fcd3292a756a2a7ea5241524cbc408..54702f24ace4cbd18ffaa6cf7fd= b2936ebe8505d 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -267,7 +267,7 @@ config MODULE_SIG =20 config MODULE_SIG_POLICY def_bool y - depends on MODULE_SIG + depends on MODULE_SIG || MODULE_HASHES =20 config MODULE_SIG_FORCE bool "Require modules to be validly signed" 
@@ -404,6 +404,21 @@ config MODULE_DECOMPRESS =20 If unsure, say N. =20 +config MODULE_HASHES + bool "Module hash validation" + depends on $(success,openssl dgst -sha256 -binary /dev/null) + select CRYPTO_LIB_SHA256 + help + Validate modules by their hashes. + Only modules built together with the main kernel image can be + validated that way. + + This is a reproducible-build compatible alternative to a build-time + generated module keyring, as enabled by + CONFIG_MODULE_SIG_KEY=3Dcerts/signing_key.pem. + + Also see the warning in MODULE_SIG about stripping modules. + config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS bool "Allow loading of modules with missing namespace imports" help diff --git a/kernel/module/Makefile b/kernel/module/Makefile index d9e8759a7b05c2d716ab258ae3b55591f869cd52..b3c0bb7d327806726ab8a23d791= 513e1a0f92706 100644 --- a/kernel/module/Makefile +++ b/kernel/module/Makefile @@ -25,3 +25,4 @@ obj-$(CONFIG_KGDB_KDB) +=3D kdb.o obj-$(CONFIG_MODVERSIONS) +=3D version.o obj-$(CONFIG_MODULE_UNLOAD_TAINT_TRACKING) +=3D tracking.o obj-$(CONFIG_MODULE_STATS) +=3D stats.o +obj-$(CONFIG_MODULE_HASHES) +=3D hashes.o diff --git a/kernel/module/hashes.c b/kernel/module/hashes.c new file mode 100644 index 0000000000000000000000000000000000000000..67481b1bb24eb61d364e802d2ab= 019a9b7f07348 --- /dev/null +++ b/kernel/module/hashes.c 
@@ -0,0 +1,56 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* Module hash-based integrity checker + * + * Copyright (C) 2025 Thomas Wei=C3=9Fschuh + */ + +#define pr_fmt(fmt) "module/hash: " fmt + +#include +#include +#include +#include +#include "internal.h" + +static inline size_t module_hashes_count(void) +{ + return (__stop_module_hashes - __start_module_hashes) / MODULE_HASHES_HAS= H_SIZE; +} + +static __init __maybe_unused int module_hashes_init(void) +{ + size_t num_hashes =3D module_hashes_count(); + int num_width =3D num_hashes ? (intlog10(num_hashes) >> 24) + 1 : 0; + size_t i; + + pr_debug("Known hashes (%zu):\n", num_hashes); + + for (i =3D 0; i < num_hashes; i++) + pr_debug("%*zu %*phN\n", num_width, i, + (int)sizeof(module_hashes[i]), module_hashes[i]); + + return 0; +} + +#if IS_ENABLED(CONFIG_MODULE_DEBUG) +early_initcall(module_hashes_init); +#endif + +int module_hash_check(struct load_info *info, int flags) +{ + u8 digest[MODULE_HASHES_HASH_SIZE]; + size_t i; + + sha256((const u8 *)info->hdr, info->len, digest); + + for (i =3D 0; i < module_hashes_count(); i++) { + if (memcmp(module_hashes[i], digest, MODULE_HASHES_HASH_SIZE) =3D=3D 0) { + pr_debug("allow %*phN\n", (int)sizeof(digest), digest); + info->sig_ok =3D true; + return 0; + } + } + + pr_debug("block %*phN\n", (int)sizeof(digest), digest); + return -ENOKEY; +} diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 42fbc53c6af66a1b531fcad08997742d838eb481..f0ecf7761760cc01e8ec42cde1b= 5d491be0ee4e3 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -326,6 +326,7 @@ int module_enforce_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr= *sechdrs, char *secstrings, struct module *mod); =20 int module_sig_check(struct load_info *info, int flags); +int module_hash_check(struct load_info *info, int flags); =20 #ifdef CONFIG_DEBUG_KMEMLEAK void kmemleak_load_module(const struct module *mod, const struct load_info= *info); 
diff --git a/kernel/module/main.c b/kernel/module/main.c index 1c353ece05fd1d2d709204e4d5fa44ecb8832bfa..0daf19b494d3748a6156d0cb4c8= eccfcff9154da 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3251,7 +3251,10 @@ static int module_integrity_check(struct load_info *= info, int flags) { int err =3D 0; =20 - if (IS_ENABLED(CONFIG_MODULE_SIG)) + if (IS_ENABLED(CONFIG_MODULE_HASHES)) + err =3D module_hash_check(info, flags); + + if (!info->sig_ok && IS_ENABLED(CONFIG_MODULE_SIG)) err =3D module_sig_check(info, flags); =20 if (err) diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index 527f6b27baff9db94d31c15447de445a05bc0634..cf915acba7ce457f4188415c1d8= 924922fcc3393 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal @@ -43,6 +43,9 @@ quiet_cmd_btf_ko =3D BTF [M] $@ $(RESOLVE_BTFIDS) -b $(objtree)/vmlinux.unstripped $@; \ fi; =20 +quiet_cmd_cksum_ko =3D + cmd_cksum_ko =3D openssl dgst -sha256 -binary $@ > $@.hash + # Same as newer-prereqs, but allows to exclude specified extra dependencies newer_prereqs_except =3D $(filter-out $(PHONY) $(1),$?) =20 @@ -57,6 +60,9 @@ if_changed_except =3D $(if $(call newer_prereqs_except,$(= 2))$(cmd-check), \ ifdef CONFIG_DEBUG_INFO_BTF_MODULES +$(if $(newer-prereqs),$(call cmd,btf_ko)) endif +ifdef CONFIG_MODULE_HASHES + $(call cmd,cksum_ko) +endif =20 targets +=3D $(modules:%.o=3D%.ko) $(modules:%.o=3D%.mod.o) .module-common= .o =20 diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index 1628198f3e8309845adb48d5dbf66b700f9b6ebb..b2e207bacbac9437955d361cab9= 1acdafaf8295f 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -79,6 +79,10 @@ quiet_cmd_install =3D INSTALL $@ # as the options to the strip command. ifdef INSTALL_MOD_STRIP =20 +ifdef CONFIG_MODULE_HASHES +$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) +endif + ifeq ($(INSTALL_MOD_STRIP),1) strip-option :=3D --strip-debug else 
diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux index b0a6cd5b818c9fe19d20f5ddf4908eb14b888ea9..0024a0de1f325daa21170b68a01= 7ebb35b2a630a 100644 --- a/scripts/Makefile.vmlinux +++ b/scripts/Makefile.vmlinux @@ -97,6 +97,11 @@ ifdef CONFIG_BUILDTIME_TABLE_SORT vmlinux: scripts/sorttable endif =20 +ifdef CONFIG_MODULE_HASHES +vmlinux: $(srctree)/scripts/module-hashes.sh +vmlinux: modules.order +endif + # module.builtin.ranges # ------------------------------------------------------------------------= --- ifdef CONFIG_BUILTIN_MODULE_RANGES diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index 5f060787ce3fbcbcfdca0c95789d619e2a1c7b72..e60762f2a1655cb0acabd8fd7d5= 299ad5389796d 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -105,7 +105,7 @@ vmlinux_link() ${ld} ${ldflags} -o ${output} \ ${wl}--whole-archive ${objs} ${wl}--no-whole-archive \ ${wl}--start-group ${libs} ${wl}--end-group \ - ${kallsymso} ${btf_vmlinux_bin_o} ${arch_vmlinux_o} ${ldlibs} + ${kallsymso} ${btf_vmlinux_bin_o} ${module_hashes_o} ${arch_vmlinux_o} $= {ldlibs} } =20 # generate .BTF typeinfo from DWARF debuginfo @@ -214,6 +214,7 @@ fi =20 btf_vmlinux_bin_o=3D kallsymso=3D +module_hashes_o=3D strip_debug=3D generate_map=3D =20 
@@ -222,6 +223,17 @@ if is_enabled CONFIG_KALLSYMS; then kallsyms .tmp_vmlinux0.syms .tmp_vmlinux0.kallsyms fi =20 +if is_enabled CONFIG_MODULE_HASHES; then + # At this point the hashes are still wrong. + # This step reserves the exact amount of space for the objcopy step + # after BTF generation. + ${srctree}/scripts/module-hashes.sh prealloc > .tmp_module_hashes.c + module_hashes_o=3D.tmp_module_hashes.o + info CC ${module_hashes_o} + ${CC} ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS} ${KBUILD_CFLAG= S} \ + ${KBUILD_CFLAGS_KERNEL} -c -o "${module_hashes_o}" ".tmp_module_hashes.c" +fi + if is_enabled CONFIG_KALLSYMS || is_enabled CONFIG_DEBUG_INFO_BTF; then =20 # The kallsyms linking does not need debug symbols, but the BTF does. @@ -310,6 +322,17 @@ if is_enabled CONFIG_BUILDTIME_TABLE_SORT; then fi fi =20 +if is_enabled CONFIG_MODULE_HASHES; then + info MAKE modules + ${MAKE} -f Makefile MODULE_HASHES_MODPOST_FINAL=3D1 modules + ${srctree}/scripts/module-hashes.sh > .tmp_module_hashes.c + info CC ${module_hashes_o} + ${CC} ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS} ${KBUILD_CFLAG= S} \ + ${KBUILD_CFLAGS_KERNEL} -fno-lto -c -o "${module_hashes_o}" ".tmp_module= _hashes.c" + ${OBJCOPY} --dump-section .module_hashes=3D.tmp_module_hashes.bin ${modul= e_hashes_o} + ${OBJCOPY} --update-section .module_hashes=3D.tmp_module_hashes.bin ${VML= INUX} +fi + # step a (see comment above) if is_enabled CONFIG_KALLSYMS; then if ! cmp -s System.map "${kallsyms_sysmap}"; then diff --git a/scripts/module-hashes.sh b/scripts/module-hashes.sh new file mode 100755 index 0000000000000000000000000000000000000000..120ce924105c51cdd7a704cbec7= e5fa356f9ce1a --- /dev/null +++ b/scripts/module-hashes.sh 
@@ -0,0 +1,26 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0-or-later + +set -e +set -u +set -o pipefail + +prealloc=3D"${1:-}" + +echo "#include " +echo +echo "const u8 module_hashes[][MODULE_HASHES_HASH_SIZE] __module_hashes_se= ction =3D {" + +for mod in $(< modules.order); do + mod=3D"${mod/%.o/.ko}" + if [ "$prealloc" =3D "prealloc" ]; then + modhash=3D"" + else + modhash=3D"$(cat "$mod".hash | hexdump -v -e '"0x" 1/1 "%02x, "')" + fi + echo -e "\t/* $mod */" + echo -e "\t{ $modhash}," + echo +done + +echo "};" diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index 155959205b8eac2c85897a8c4c8b7ec471156706..60b240e3ef1f9609e3f3241befc= 0bbc7e4a3db74 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig @@ -1,7 +1,7 @@ config SECURITY_LOCKDOWN_LSM bool "Basic module for enforcing kernel lockdown" depends on SECURITY - depends on !MODULES || MODULE_SIG + depends on !MODULES || MODULE_SIG || MODULE_HASHES help Build support for an LSM that enforces a coarse kernel lockdown behaviour. --=20 2.49.0
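Review bot: in the Documentation/kbuild/reproducible-builds.rst hunk, "Instead ``CONFIG_MODULE_HASHES`` can be used to embed a static list of valid modules to load" needs a comma after "Instead" and should say what the list covers: only modules built together with the kernel image are validated this way, so out-of-tree modules still need the signing approach described below it.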
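Review bot: in the second Makefile hunk, with CONFIG_MODULE_HASHES the `modules` target only runs Makefile.modfinal when MODULE_HASHES_MODPOST_FINAL=1, which is set only by link-vmlinux.sh; a plain `make modules` after the vmlinux link therefore stops at modpost, and KBUILD_MODPOST_NOFINAL is ignored in that configuration. The comment above the rule mentions only KBUILD_MODPOST_NOFINAL; it should document MODULE_HASHES_MODPOST_FINAL and this new behaviour.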
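Review bot: the MODULE_HASHES Kconfig entry adds a host dependency on openssl through `$(success,openssl dgst -sha256 -binary /dev/null)` for a feature aimed at builds without a signing key; that tool requirement belongs in Documentation/process/changes.rst, or the digest could be produced with sha256sum from coreutils in Makefile.modfinal. The help text also does not say what happens to a module that is not in the list: per the hashes.c and main.c hunks, without CONFIG_MODULE_SIG such a module is refused with -ENOKEY, which is effectively MODULE_SIG_FORCE semantics and worth spelling out.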
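Review bot: in kernel/module/hashes.c, module_hash_check() takes `flags` but never uses it; either drop the parameter or note that it is kept for symmetry with module_sig_check(). The loop also re-evaluates module_hashes_count() on every iteration, so hoist it into a local. Setting `info->sig_ok = true` on a hash match is what later makes module_integrity_check() skip the lockdown call, so a comment at that assignment saying the field now means "integrity established by signature or hash" would help readers.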
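Review bot: in the module_integrity_check() hunk of kernel/module/main.c, the -ENOKEY from module_hash_check() is overwritten by the result of module_sig_check() whenever the hash did not match and CONFIG_MODULE_SIG is enabled. That is the intended fallback, but it reads like dropped error handling, so a comment such as "a hash miss is not fatal while a signature can still be checked" would help; when CONFIG_MODULE_SIG is off the hash miss is returned as-is and the module is refused.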
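Review bot: `quiet_cmd_cksum_ko` is defined empty in scripts/Makefile.modfinal, so the hashing step prints nothing in a normal build while the neighbouring BTF step prints `BTF [M] $@`; give it a label (for example `HASH [M] $@`) for consistency and so a missing .ko.hash is easier to track down in build logs.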
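Review bot: the two compile commands for .tmp_module_hashes.c in scripts/link-vmlinux.sh differ only in `-fno-lto` on the second one, while the comment at the first says it reserves "the exact amount of space" for the later `--update-section`. Compiling the placeholder with the same flags, or explaining in the comment why the final object must be a plain ELF object for `--dump-section` while the placeholder may go through LTO, would make the equal-size assumption explicit.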
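Review bot: scripts/module-hashes.sh does not check that each `$mod.hash` is exactly MODULE_HASHES_HASH_SIZE (32) bytes; an empty or truncated file yields a short initializer that the compiler silently zero-pads, so vmlinux would carry a bogus digest. Add a length check before the hexdump, and pass the file to hexdump directly instead of through `cat`.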