From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:45 +0100
Subject: [PATCH v4 01/17] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
Message-Id: <20260113-module-hashes-v4-1-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh, Coiby Xu, kernel test robot

From: Coiby Xu

Currently if set_module_sig_enforced is called with CONFIG_MODULE_SIG=n e.g. [1], it can lead to a linking error,

    ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
    security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'

This happens because the actual implementation of set_module_sig_enforced comes from CONFIG_MODULE_SIG but both the function declaration and the empty stub definition are tied to CONFIG_MODULES.

So bind set_module_sig_enforced to CONFIG_MODULE_SIG instead. This allows (future) users to call set_module_sig_enforced directly without the "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.

Note this issue hasn't caused a real problem because all current callers of set_module_sig_enforced e.g. security/integrity/ima/ima_efi.c use "if IS_ENABLED(CONFIG_MODULE_SIG)" safeguard.

[1] https://lore.kernel.org/lkml/20250928030358.3873311-1-coxu@redhat.com/

Reported-by: kernel test robot
Closes: https://lore.kernel.org/oe-kbuild-all/202510030029.VRKgik99-lkp@intel.com/
Reviewed-by: Aaron Tomlin
Reviewed-by: Daniel Gomez
Signed-off-by: Coiby Xu
Signed-off-by: Sami Tolvanen
---
From modules/modules-next
---
 include/linux/module.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/linux/module.h b/include/linux/module.h index d80c3ea57472..f288ca5cd95b 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -770,8 +770,6 @@ static inline bool is_livepatch_module(struct module *m= od) #endif } =20 -void set_module_sig_enforced(void); - void module_for_each_mod(int(*func)(struct module *mod, void *data), void = *data); =20 #else /* !CONFIG_MODULES... */ 
@@ -866,10 +864,6 @@ static inline bool module_requested_async_probing(stru= ct module *module) } =20 =20 -static inline void set_module_sig_enforced(void) -{ -} - /* Dereference module function descriptor */ static inline void *dereference_module_function_descriptor(struct module *mod, void *ptr) @@ -925,6 +919,8 @@ static inline bool retpoline_module_ok(bool has_retpoli= ne) #ifdef CONFIG_MODULE_SIG bool is_module_sig_enforced(void); =20 +void set_module_sig_enforced(void); + static inline bool module_sig_ok(struct module *module) { return module->sig_ok; 
@@ -935,6 +931,10 @@ static inline bool is_module_sig_enforced(void) return false; } =20 +static inline void set_module_sig_enforced(void) +{ +} + static inline bool module_sig_ok(struct module *module) { return true; --=20 2.52.0
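Review bot: In the hunk at -925, set_module_sig_enforced() is now declared only under #ifdef CONFIG_MODULE_SIG, with the empty stub in the matching #else branch (-935), while the hunk at -866 drops the stub from the !CONFIG_MODULES branch. That is only safe if the CONFIG_MODULE_SIG block sits outside the CONFIG_MODULES conditional, which the visible context does not show. Please state this in the commit message or confirm it with a CONFIG_MODULES=n build, since an unguarded caller would otherwise hit the same undefined reference this patch is meant to fix.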

From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:46 +0100
Subject: [PATCH v4 02/17] powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG
Message-Id: <20260113-module-hashes-v4-2-0b932db9b56b@weissschuh.net>

When CONFIG_MODULE_SIG is disabled set_module_sig_enforced() is defined as an empty stub, so the check is unnecessary. The specific configuration option for set_module_sig_enforced() is about to change and removing the check avoids some later churn.

Signed-off-by: Thomas Weißschuh
Reviewed-by: Aaron Tomlin
Reviewed-by: Nicolas Schier
---
 arch/powerpc/kernel/ima_arch.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c index b7029beed847..690263bf4265 100644 --- a/arch/powerpc/kernel/ima_arch.c +++ b/arch/powerpc/kernel/ima_arch.c 
@@ -63,8 +63,7 @@ static const char *const secure_and_trusted_rules[] =3D { const char *const *arch_get_ima_policy(void) { if (is_ppc_secureboot_enabled()) { - if (IS_ENABLED(CONFIG_MODULE_SIG)) - set_module_sig_enforced(); + set_module_sig_enforced(); =20 if (is_ppc_trustedboot_enabled()) return secure_and_trusted_rules; --=20 2.52.0
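Review bot: Dropping the IS_ENABLED(CONFIG_MODULE_SIG) guard around set_module_sig_enforced() in arch_get_ima_policy() relies on the stub being keyed to CONFIG_MODULE_SIG, which is what 01/17 establishes. Per that patch's description the stub was previously tied to CONFIG_MODULES, so a CONFIG_MODULES=y, CONFIG_MODULE_SIG=n build would fail to link here without it. The commit message should name that dependency so this change is not picked or backported on its own.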

From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:47 +0100
Subject: [PATCH v4 03/17] ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG
Message-Id: <20260113-module-hashes-v4-3-0b932db9b56b@weissschuh.net>

When configuration settings are disabled the guarded functions are defined as empty stubs, so the check is unnecessary. The specific configuration option for set_module_sig_enforced() is about to change and removing the checks avoids some later churn.

Signed-off-by: Thomas Weißschuh
Reviewed-by: Aaron Tomlin
Reviewed-by: Nicolas Schier
---
 security/integrity/ima/ima_efi.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_= efi.c index 138029bfcce1..a35dd166ad47 100644 --- a/security/integrity/ima/ima_efi.c +++ b/security/integrity/ima/ima_efi.c 
@@ -68,10 +68,8 @@ static const char * const sb_arch_rules[] =3D { const char * const *arch_get_ima_policy(void) { if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { - if (IS_ENABLED(CONFIG_MODULE_SIG)) - set_module_sig_enforced(); - if (IS_ENABLED(CONFIG_KEXEC_SIG)) - set_kexec_sig_enforced(); + set_module_sig_enforced(); + set_kexec_sig_enforced(); return sb_arch_rules; } return NULL; --=20 2.52.0
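Review bot: The set_kexec_sig_enforced() call loses its IS_ENABLED(CONFIG_KEXEC_SIG) guard on the strength of the commit message's statement that the guarded functions are empty stubs, but nothing in the visible patches shows a stub for set_kexec_sig_enforced() when CONFIG_KEXEC_SIG=n. Please point to where that stub is defined, or keep this guard. The set_module_sig_enforced() call carries the same dependency on 01/17 as the powerpc change in 02/17, which is worth stating in the commit message.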

From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:48 +0100
Subject: [PATCH v4 04/17] module: Make mod_verify_sig() static
Message-Id: <20260113-module-hashes-v4-4-0b932db9b56b@weissschuh.net>

It is not used outside of signing.c.

Signed-off-by: Thomas Weißschuh
Reviewed-by: Aaron Tomlin
Reviewed-by: Nicolas Schier
---
 kernel/module/internal.h | 1 -
 kernel/module/signing.c | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 618202578b42..e68fbcd60c35 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -119,7 +119,6 @@ struct module_use { struct module *source, *target; }; =20 -int mod_verify_sig(const void *mod, struct load_info *info); int try_to_force_load(struct module *mod, const char *reason); bool find_symbol(struct find_symbol_arg *fsa); struct module *find_module_all(const char *name, size_t len, bool even_unf= ormed); diff --git a/kernel/module/signing.c b/kernel/module/signing.c index a2ff4242e623..fe3f51ac6199 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c 
@@ -40,7 +40,7 @@ void set_module_sig_enforced(void) /* * Verify the signature on a module. */ -int mod_verify_sig(const void *mod, struct load_info *info) +static int mod_verify_sig(const void *mod, struct load_info *info) { struct module_signature ms; size_t sig_len, modlen =3D info->len; --=20 2.52.0
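Review bot: With the prototype removed from kernel/module/internal.h, the now-static mod_verify_sig() in signing.c has to be defined before its first caller in that file. The hunk only shows the definition following set_module_sig_enforced(), so please confirm the caller comes later in the file, otherwise a forward declaration is needed. The one-line commit message could also name that caller so that "not used outside of signing.c" is easy to verify.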

From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:49 +0100
Subject: [PATCH v4 05/17] module: Switch load_info::len to size_t
Message-Id: <20260113-module-hashes-v4-5-0b932db9b56b@weissschuh.net>

Switching the types will make some later changes cleaner.
size_t is also the semantically correct type for this field. As both 'size_t' and 'unsigned int' are always the same size, this should be risk-free. Signed-off-by: Thomas Wei=C3=9Fschuh Acked-by: Nicolas Schier --- kernel/module/internal.h | 2 +- kernel/module/main.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index e68fbcd60c35..037fbb3b7168 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -66,7 +66,7 @@ struct load_info { /* pointer to module in temporary copy, freed at end of load_module() */ struct module *mod; Elf_Ehdr *hdr; - unsigned long len; + size_t len; Elf_Shdr *sechdrs; char *secstrings, *strtab; unsigned long symoffs, stroffs, init_typeoffs, core_typeoffs; diff --git a/kernel/module/main.c b/kernel/module/main.c index 710ee30b3bea..a88f95a13e06 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c 
@@ -1838,7 +1838,7 @@ static int validate_section_offset(const struct load_= info *info, Elf_Shdr *shdr) static int elf_validity_ehdr(const struct load_info *info) { if (info->len < sizeof(*(info->hdr))) { - pr_err("Invalid ELF header len %lu\n", info->len); + pr_err("Invalid ELF header len %zu\n", info->len); return -ENOEXEC; } if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) !=3D 0) { --=20 2.52.0
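Review bot: The commit message argues that 'size_t' and 'unsigned int' are always the same size, but the internal.h hunk replaces "unsigned long len;" with "size_t len;", so the justification should refer to 'unsigned long'. The %lu to %zu change in elf_validity_ehdr() is the matching format fix; please confirm that no other format string prints info->len with %lu, since only this one is touched.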

From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:50 +0100
Subject: [PATCH v4 06/17] kbuild: add stamp file for vmlinux BTF data
Message-Id: <20260113-module-hashes-v4-6-0b932db9b56b@weissschuh.net>

The upcoming module hashes functionality will build the modules in between the generation of the BTF data and the final link of vmlinux. Having a dependency from the modules on vmlinux would make this impossible as it would mean having a cyclic dependency. Break this cyclic dependency by introducing a new target.

Signed-off-by: Thomas Weißschuh
Reviewed-by: Nicolas Schier
---
 scripts/Makefile.modfinal | 4 ++--
 scripts/link-vmlinux.sh | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index 149e12ff5700..adfef1e002a9 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal @@ -56,8 +56,8 @@ if_changed_except =3D $(if $(call newer_prereqs_except,$(= 2))$(cmd-check), \ printf '%s\n' 'savedcmd_$@ :=3D $(make-cmd)' > $(dot-target).cmd, @:) =20 # Re-generate module BTFs if either module's .ko or vmlinux changed -%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(C= ONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/vmlinux) FORCE - +$(call if_changed_except,ld_ko_o,$(objtree)/vmlinux) +%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(C= ONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/.tmp_vmlinux_btf= .stamp) FORCE + +$(call if_changed_except,ld_ko_o,$(objtree)/.tmp_vmlinux_btf.stamp) ifdef CONFIG_DEBUG_INFO_BTF_MODULES +$(if $(newer-prereqs),$(call cmd,btf_ko)) endif diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index 4ab44c73da4d..8c98f8645a5c 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -111,6 +111,7 @@ vmlinux_link() gen_btf() { local btf_data=3D${1}.btf.o + local btf_stamp=3D.tmp_vmlinux_btf.stamp =20 info BTF "${btf_data}" LLVM_OBJCOPY=3D"${OBJCOPY}" ${PAHOLE} -J ${PAHOLE_FLAGS} ${1} 
@@ -131,6 +132,11 @@ gen_btf() fi printf "${et_rel}" | dd of=3D"${btf_data}" conv=3Dnotrunc bs=3D1 seek=3D1= 6 status=3Dnone =20 + info STAMP $btf_stamp + if ! cmp --silent $btf_data $btf_stamp; then + cp $btf_data $btf_stamp + fi + btf_vmlinux_bin_o=3D${btf_data} } =20 --=20 2.52.0
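Review bot: The comment above the `%.ko` rule in scripts/Makefile.modfinal still reads "Re-generate module BTFs if either module's .ko or vmlinux changed", but the prerequisite and the `if_changed_except` exclusion are now `$(objtree)/.tmp_vmlinux_btf.stamp` rather than `$(objtree)/vmlinux`. Please update the comment to name the stamp file and to say that it is only rewritten when the vmlinux BTF object differs, so the next reader does not go looking for a vmlinux dependency.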
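Review bot: The lines added at the end of gen_btf() in scripts/link-vmlinux.sh expand `$btf_data` and `$btf_stamp` unquoted (`cmp --silent $btf_data $btf_stamp`, `cp $btf_data $btf_stamp`), while the context lines of the same function quote `"${btf_data}"`; quoting both keeps the function consistent and safe for paths containing spaces. `info STAMP $btf_stamp` is printed on every run, including when `cmp` finds the files identical and nothing is written, so it would be more accurate inside the `if`. `--silent` is a GNU long option; `cmp -s` is the POSIX spelling.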
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:51 +0100
Subject: [PATCH v4 07/17] kbuild: generate module BTF based on vmlinux.unstripped
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-7-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>

The upcoming module hashes functionality will build the modules
in between the generation of the BTF data and the final link of vmlinux. At this point vmlinux is not yet built and therefore can't be used for module BTF generation. vmlinux.unstripped however is usable and sufficient for BTF generation. Signed-off-by: Thomas Wei=C3=9Fschuh Reviewed-by: Nicolas Schier # kbuild --- scripts/Makefile.modfinal | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index adfef1e002a9..930db0524a0a 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal 
@@ -40,11 +40,11 @@ quiet_cmd_ld_ko_o =3D LD [M] $@ =20 quiet_cmd_btf_ko =3D BTF [M] $@ cmd_btf_ko =3D \ - if [ ! -f $(objtree)/vmlinux ]; then \ - printf "Skipping BTF generation for %s due to unavailability of vmlinux\= n" $@ 1>&2; \ + if [ ! -f $(objtree)/vmlinux.unstripped ]; then \ + printf "Skipping BTF generation for %s due to unavailability of vmlinux.= unstripped\n" $@ 1>&2; \ else \ - LLVM_OBJCOPY=3D"$(OBJCOPY)" $(PAHOLE) -J $(PAHOLE_FLAGS) $(MODULE_PAHOLE= _FLAGS) --btf_base $(objtree)/vmlinux $@; \ - $(RESOLVE_BTFIDS) -b $(objtree)/vmlinux $@; \ + LLVM_OBJCOPY=3D"$(OBJCOPY)" $(PAHOLE) -J $(PAHOLE_FLAGS) $(MODULE_PAHOLE= _FLAGS) --btf_base $(objtree)/vmlinux.unstripped $@; \ + $(RESOLVE_BTFIDS) -b $(objtree)/vmlinux.unstripped $@; \ fi; =20 # Same as newer-prereqs, but allows to exclude specified extra dependencies --=20 2.52.0
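Review bot: Nothing in the `cmd_btf_ko` hunk or the commit message states why `$(objtree)/vmlinux.unstripped` is guaranteed to match `.tmp_vmlinux_btf.stamp`, the file that retriggers the `%.ko` rule after patch 06, at the time modules are linked. A sentence in the commit message or a comment above `cmd_btf_ko` naming the build step that produces both would help, since the missing-file branch only prints "Skipping BTF generation ..." to stderr and lets the build continue.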
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:52 +0100
Subject: [PATCH v4 08/17] module: Deduplicate signature extraction
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-8-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>

The logic to extract the signature bits from a module file is duplicated
between the module core and IMA modsig appraisal. Unify the implementation. Signed-off-by: Thomas Wei=C3=9Fschuh --- include/linux/module_signature.h | 4 +-- kernel/module/signing.c | 52 +++++++--------------------------= ---- kernel/module_signature.c | 41 +++++++++++++++++++++++++++-- security/integrity/ima/ima_modsig.c | 24 ++++------------- 4 files changed, 56 insertions(+), 65 deletions(-) diff --git a/include/linux/module_signature.h b/include/linux/module_signat= ure.h index 7eb4b00381ac..186a55effa30 100644 --- a/include/linux/module_signature.h +++ b/include/linux/module_signature.h @@ -40,7 +40,7 @@ struct module_signature { __be32 sig_len; /* Length of signature data */ }; =20 -int mod_check_sig(const struct module_signature *ms, size_t file_len, - const char *name); +int mod_split_sig(const void *buf, size_t *buf_len, bool mangled, + size_t *sig_len, const u8 **sig, const char *name); =20 #endif /* _LINUX_MODULE_SIGNATURE_H */ diff --git a/kernel/module/signing.c b/kernel/module/signing.c index fe3f51ac6199..6d64c0d18d0a 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c 
@@ -37,54 +37,22 @@ void set_module_sig_enforced(void) sig_enforce =3D true; } =20 -/* - * Verify the signature on a module. - */ -static int mod_verify_sig(const void *mod, struct load_info *info) -{ - struct module_signature ms; - size_t sig_len, modlen =3D info->len; - int ret; - - pr_devel("=3D=3D>%s(,%zu)\n", __func__, modlen); - - if (modlen <=3D sizeof(ms)) - return -EBADMSG; - - memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); - - ret =3D mod_check_sig(&ms, modlen, "module"); - if (ret) - return ret; - - sig_len =3D be32_to_cpu(ms.sig_len); - modlen -=3D sig_len + sizeof(ms); - info->len =3D modlen; - - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); -} - int module_sig_check(struct load_info *info, int flags) { - int err =3D -ENODATA; - const unsigned long markerlen =3D sizeof(MODULE_SIG_STRING) - 1; + int err; const char *reason; const void *mod =3D info->hdr; + size_t sig_len; + const u8 *sig; bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | MODULE_INIT_IGNORE_VERMAGIC); - /* - * Do not allow mangled modules as a module with version information - * removed is no longer the module that was signed. - */ - if (!mangled_module && - info->len > markerlen && - memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) =3D= =3D 0) { - /* We truncate the module to discard the signature */ - info->len -=3D markerlen; - err =3D mod_verify_sig(mod, info); + + err =3D mod_split_sig(info->hdr, &info->len, mangled_module, &sig_len, &s= ig, "module"); + if (!err) { + err =3D verify_pkcs7_signature(mod, info->len, sig, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); if (!err) { info->sig_ok =3D true; return 0; diff --git a/kernel/module_signature.c b/kernel/module_signature.c index 00132d12487c..b2384a73524c 100644 --- a/kernel/module_signature.c +++ b/kernel/module_signature.c 
@@ -8,6 +8,7 @@ =20 #include #include +#include #include #include =20 @@ -18,8 +19,8 @@ * @file_len: Size of the file to which @ms is appended. * @name: What is being checked. Used for error messages. */ -int mod_check_sig(const struct module_signature *ms, size_t file_len, - const char *name) +static int mod_check_sig(const struct module_signature *ms, size_t file_le= n, + const char *name) { if (be32_to_cpu(ms->sig_len) >=3D file_len - sizeof(*ms)) return -EBADMSG; @@ -44,3 +45,39 @@ int mod_check_sig(const struct module_signature *ms, siz= e_t file_len, =20 return 0; } + +int mod_split_sig(const void *buf, size_t *buf_len, bool mangled, + size_t *sig_len, const u8 **sig, const char *name) +{ + const unsigned long markerlen =3D sizeof(MODULE_SIG_STRING) - 1; + struct module_signature ms; + size_t modlen =3D *buf_len; + int ret; + + /* + * Do not allow mangled modules as a module with version information + * removed is no longer the module that was signed. + */ + if (!mangled && + *buf_len > markerlen && + memcmp(buf + modlen - markerlen, MODULE_SIG_STRING, markerlen) =3D=3D= 0) { + /* We truncate the module to discard the signature */ + modlen -=3D markerlen; + } + + if (modlen <=3D sizeof(ms)) + return -EBADMSG; + + memcpy(&ms, buf + (modlen - sizeof(ms)), sizeof(ms)); + + ret =3D mod_check_sig(&ms, modlen, name); + if (ret) + return ret; + + *sig_len =3D be32_to_cpu(ms.sig_len); + modlen -=3D *sig_len + sizeof(ms); + *buf_len =3D modlen; + *sig =3D buf + modlen; + + return 0; +} diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/i= ma_modsig.c index 3265d744d5ce..a57342d39b07 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c 
@@ -40,44 +40,30 @@ struct modsig { int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, struct modsig **modsig) { - const size_t marker_len =3D strlen(MODULE_SIG_STRING); - const struct module_signature *sig; + size_t buf_len_sz =3D buf_len; struct modsig *hdr; size_t sig_len; - const void *p; + const u8 *sig; int rc; =20 - if (buf_len <=3D marker_len + sizeof(*sig)) - return -ENOENT; - - p =3D buf + buf_len - marker_len; - if (memcmp(p, MODULE_SIG_STRING, marker_len)) - return -ENOENT; - - buf_len -=3D marker_len; - sig =3D (const struct module_signature *)(p - sizeof(*sig)); - - rc =3D mod_check_sig(sig, buf_len, func_tokens[func]); + rc =3D mod_split_sig(buf, &buf_len_sz, true, &sig_len, &sig, func_tokens[= func]); if (rc) return rc; =20 - sig_len =3D be32_to_cpu(sig->sig_len); - buf_len -=3D sig_len + sizeof(*sig); - /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ hdr =3D kzalloc(struct_size(hdr, raw_pkcs7, sig_len), GFP_KERNEL); if (!hdr) return -ENOMEM; =20 hdr->raw_pkcs7_len =3D sig_len; - hdr->pkcs7_msg =3D pkcs7_parse_message(buf + buf_len, sig_len); + hdr->pkcs7_msg =3D pkcs7_parse_message(sig, sig_len); if (IS_ERR(hdr->pkcs7_msg)) { rc =3D PTR_ERR(hdr->pkcs7_msg); kfree(hdr); return rc; } =20 - memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); + memcpy(hdr->raw_pkcs7, sig, sig_len); =20 /* We don't know the hash algorithm yet. 
*/ hdr->hash_algo =3D HASH_ALGO__LAST; --=20 2.52.0
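Review bot: In mod_split_sig() (kernel/module_signature.c) the marker test only shortens `modlen`; when MODULE_SIG_STRING is absent, or `mangled` is true, execution falls through to `memcpy(&ms, buf + (modlen - sizeof(ms)), sizeof(ms))` and hands the last bytes of an image without a recognised marker to mod_check_sig(). The code removed from module_sig_check() left `err = -ENODATA` in that case and never parsed a trailer. Returning -ENODATA early when the marker is not found, or when the module is mangled, keeps "no signature" distinguishable from "malformed signature" for the callers.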
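Review bot: ima_read_modsig() passes `true` for `mangled` in `mod_split_sig(buf, &buf_len_sz, true, &sig_len, &sig, ...)`, and with that value the `!mangled && ...` condition in mod_split_sig() skips both the marker comparison and the `modlen -= markerlen` adjustment. The removed lines returned -ENOENT when the marker was missing and located `struct module_signature` in front of the marker; with `true` the trailer is read from the end of the buffer, marker bytes included. Passing `false`, and mapping the no-marker result back to -ENOENT if IMA callers depend on it, would preserve the previous behaviour. `size_t buf_len_sz = buf_len` also converts the signed `loff_t` without a range check.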
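Review bot: The new declaration of mod_split_sig() in include/linux/module_signature.h has no kernel-doc, while the now-static mod_check_sig() keeps its `@file_len` and `@name` description. Since `buf_len` is an in/out parameter that is shortened to the payload length and `sig` points into `buf` rather than at a copy, both deserve a documented contract, along with the meaning of `mangled` and the error codes callers should expect.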
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:53 +0100
Subject: [PATCH v4 09/17] module: Make module loading policy usable without MODULE_SIG
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-9-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>

The loading policy functionality will also be used by the
hash-based module validation. Split it out from CONFIG_MODULE_SIG so it is usable by both. Signed-off-by: Thomas Wei=C3=9Fschuh --- include/linux/module.h | 8 ++++---- kernel/module/Kconfig | 5 ++++- kernel/module/main.c | 26 +++++++++++++++++++++++++- kernel/module/signing.c | 21 --------------------- 4 files changed, 33 insertions(+), 27 deletions(-) diff --git a/include/linux/module.h b/include/linux/module.h index f288ca5cd95b..f9601cba47cd 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -444,7 +444,7 @@ struct module { const u32 *gpl_crcs; bool using_gplonly_symbols; =20 -#ifdef CONFIG_MODULE_SIG +#ifdef CONFIG_MODULE_SIG_POLICY /* Signature was verified. */ bool sig_ok; #endif @@ -916,7 +916,7 @@ static inline bool retpoline_module_ok(bool has_retpoli= ne) } #endif =20 -#ifdef CONFIG_MODULE_SIG +#ifdef CONFIG_MODULE_SIG_POLICY bool is_module_sig_enforced(void); =20 void set_module_sig_enforced(void); @@ -925,7 +925,7 @@ static inline bool module_sig_ok(struct module *module) { return module->sig_ok; } -#else /* !CONFIG_MODULE_SIG */ +#else /* !CONFIG_MODULE_SIG_POLICY */ static inline bool is_module_sig_enforced(void) { return false; @@ -939,7 +939,7 @@ static inline bool module_sig_ok(struct module *module) { return true; } -#endif /* CONFIG_MODULE_SIG */ +#endif /* CONFIG_MODULE_SIG_POLICY */ =20 #if defined(CONFIG_MODULES) && defined(CONFIG_KALLSYMS) int module_kallsyms_on_each_symbol(const char *modname, diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index e8bb2c9d917e..db3b61fb3e73 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig 
@@ -270,9 +270,12 @@ config MODULE_SIG debuginfo strip done by some packagers (such as rpmbuild) and inclusion into an initramfs that wants the module size reduced. =20 +config MODULE_SIG_POLICY + def_bool MODULE_SIG + config MODULE_SIG_FORCE bool "Require modules to be validly signed" - depends on MODULE_SIG + depends on MODULE_SIG_POLICY help Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel. diff --git a/kernel/module/main.c b/kernel/module/main.c index a88f95a13e06..4442397a9f92 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2541,7 +2541,7 @@ static void module_augment_kernel_taints(struct modul= e *mod, struct load_info *i mod->name); add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK); } -#ifdef CONFIG_MODULE_SIG +#ifdef CONFIG_MODULE_SIG_POLICY mod->sig_ok =3D info->sig_ok; if (!mod->sig_ok) { pr_notice_once("%s: module verification failed: signature " @@ -3921,3 +3921,27 @@ static int module_debugfs_init(void) } module_init(module_debugfs_init); #endif + +#ifdef CONFIG_MODULE_SIG_POLICY + +#undef MODULE_PARAM_PREFIX +#define MODULE_PARAM_PREFIX "module." + +static bool sig_enforce =3D IS_ENABLED(CONFIG_MODULE_SIG_FORCE); +module_param(sig_enforce, bool_enable_only, 0644); + +/* + * Export sig_enforce kernel cmdline parameter to allow other subsystems r= ely + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. + */ +bool is_module_sig_enforced(void) +{ + return sig_enforce; +} +EXPORT_SYMBOL(is_module_sig_enforced); + +void set_module_sig_enforced(void) +{ + sig_enforce =3D true; +} +#endif diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 6d64c0d18d0a..66d90784de89 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c 
@@ -16,27 +16,6 @@ #include #include "internal.h" =20 -#undef MODULE_PARAM_PREFIX -#define MODULE_PARAM_PREFIX "module." - -static bool sig_enforce =3D IS_ENABLED(CONFIG_MODULE_SIG_FORCE); -module_param(sig_enforce, bool_enable_only, 0644); - -/* - * Export sig_enforce kernel cmdline parameter to allow other subsystems r= ely - * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. - */ -bool is_module_sig_enforced(void) -{ - return sig_enforce; -} -EXPORT_SYMBOL(is_module_sig_enforced); - -void set_module_sig_enforced(void) -{ - sig_enforce =3D true; -} - int module_sig_check(struct load_info *info, int flags) { int err; --=20 2.52.0
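Review bot: `config MODULE_SIG_POLICY` in kernel/module/Kconfig is a bare `def_bool MODULE_SIG` with no comment, and `MODULE_SIG_FORCE` now depends on it while its prompt and help text still speak only of signed modules. A short comment stating that the symbol gates the shared loading policy, for signatures now and for the hash-based validation the commit message announces, would explain why the indirection exists.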
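Review bot: The block appended to kernel/module/main.c redefines `MODULE_PARAM_PREFIX` to "module." for everything that follows it in the file. It sits at the end today, but a `module_param()` added below it later would silently pick up that prefix; a comment saying the block must stay last would make the constraint explicit. The moved comment also keeps its wording "to allow other subsystems rely on that instead of directly to CONFIG_MODULE_SIG_FORCE config", which could be fixed while the code is being relocated.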
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:54 +0100
Subject: [PATCH v4 10/17] module: Move integrity checks into dedicated function
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-10-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>

With the addition of hash-based integrity checking, the
configuration matrix is easier to represent in a dedicated function and with explicit usage of IS_ENABLED(). Drop the now unnecessary stub for module_sig_check(). Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/internal.h | 7 ------- kernel/module/main.c | 18 ++++++++++++++---- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 037fbb3b7168..e053c29a5d08 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -337,14 +337,7 @@ int module_enforce_rwx_sections(const Elf_Ehdr *hdr, c= onst Elf_Shdr *sechdrs, void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs, const char *secstrings); =20 -#ifdef CONFIG_MODULE_SIG int module_sig_check(struct load_info *info, int flags); -#else /* !CONFIG_MODULE_SIG */ -static inline int module_sig_check(struct load_info *info, int flags) -{ - return 0; -} -#endif /* !CONFIG_MODULE_SIG */ =20 #ifdef CONFIG_DEBUG_KMEMLEAK void kmemleak_load_module(const struct module *mod, const struct load_info= *info); diff --git a/kernel/module/main.c b/kernel/module/main.c index 4442397a9f92..9c570078aa9c 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3344,6 +3344,16 @@ static int early_mod_check(struct load_info *info, i= nt flags) return err; } =20 +static int module_integrity_check(struct load_info *info, int flags) +{ + int err =3D 0; + + if (IS_ENABLED(CONFIG_MODULE_SIG)) + err =3D module_sig_check(info, flags); + + return err; +} + /* * Allocate and load the module: note that size of section 0 is always * zero, and we rely on this for optional sections. 
@@ -3357,18 +3367,18 @@ static int load_module(struct load_info *info, cons= t char __user *uargs, char *after_dashes; =20 /* - * Do the signature check (if any) first. All that - * the signature check needs is info->len, it does + * Do the integrity checks (if any) first. All that + * they need is info->len, it does * not need any of the section info. That can be * set up later. This will minimize the chances * of a corrupt module causing problems before - * we even get to the signature check. + * we even get to the integrity check. * * The check will also adjust info->len by stripping * off the sig length at the end of the module, making * checks against info->len more correct. */ - err =3D module_sig_check(info, flags); + err =3D module_integrity_check(info, flags); if (err) goto free_copy; =20 --=20 2.52.0
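Review bot: In the load_module() comment hunk in kernel/module/main.c, the reworded sentence now reads "All that they need is info->len, it does not need any of the section info": only the first half was changed to the plural, so the unchanged continuation line should become "they do not need any of the section info". In the new module_integrity_check(), the call to module_sig_check() under IS_ENABLED(CONFIG_MODULE_SIG) relies on the compiler discarding the call when the option is off, now that the static inline stub has been removed from kernel/module/internal.h; a one-line comment saying so would save the next reader from looking for the missing stub.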
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:55 +0100
Subject: [PATCH v4 11/17] module: Move lockdown check into generic module loader
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-11-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh
X-Mailer: b4 0.14.3

The lockdown check buried in module_sig_check() will not compose
well with the introduction of hash-based module validation. Move it into module_integrity_check() which will work better. Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/main.c | 6 +++++- kernel/module/signing.c | 3 +-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/module/main.c b/kernel/module/main.c index 9c570078aa9c..c09b25c0166a 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3351,7 +3351,11 @@ static int module_integrity_check(struct load_info *= info, int flags) if (IS_ENABLED(CONFIG_MODULE_SIG)) err =3D module_sig_check(info, flags); =20 - return err; + if (err) + return err; + if (info->sig_ok) + return 0; + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); } =20 /* diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 66d90784de89..8a5f66389116 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -11,7 +11,6 @@ #include #include #include -#include #include #include #include "internal.h" 
@@ -68,5 +67,5 @@ int module_sig_check(struct load_info *info, int flags) return -EKEYREJECTED; } =20 - return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); + return 0; } --=20 2.52.0 From nobody Sat Feb 7 07:12:13 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E9583904DE; Tue, 13 Jan 2026 12:37:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307873; cv=none; b=RTmimWMVKfxXk4zXiYLHG47bnaBU2yhB9C5MLCaQgN72stTQY6waq+qOsViehefEiOCZtQoaTeXiZ4cN9EAZs6O40Ok+Fs6i5bOHw8GAOGzjZBMKKtjLE3VhTi8PajWpBMO0OuRmnCfrlXzeimV0dzFE0twnVDcqLvhXQmj3+Gc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307873; c=relaxed/simple; bh=mjGdw2yxzWxgtsTNEl1bBGcD2Uicfy0x+S+3g1xrhKs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=IUqZMOzqnhhFFfBnEw7r6WY8f1DOvGls1MuM3g8+Tdj/Avi5xfufA3yGptkUMoqV5weU8xtJH1vl9bTnlxcaf1mELbvsG4xjFUTwDtm5TJx3WD8OwDRR3wjcCh7MEkkVskRL43zICWthSGh0NTDTWscQegmTuXm8Oa9YT/AONNw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=WFMGTKFM; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="WFMGTKFM" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; 
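Review bot: In module_integrity_check() in kernel/module/main.c, security_locked_down(LOCKDOWN_MODULE_SIGNATURE) is now reached whenever info->sig_ok is false, and that includes builds where IS_ENABLED(CONFIG_MODULE_SIG) is false and module_sig_check() is never called. Before this change such builds returned 0 from module_integrity_check() without consulting the hook, so this is a behaviour change that the commit message does not mention. Either state that it is intended, or keep the hook call conditional until the hash-based path actually needs it. The ordering for enforcing kernels is preserved, since module_sig_check() still returns -EKEYREJECTED before its final return, which now yields 0.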
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:56 +0100
Subject: [PATCH v4 12/17] module: Move signature splitting up
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-12-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh
X-Mailer: b4 0.14.3

The signature splitting will also be used by CONFIG_MODULE_HASHES.
Move it up the callchain, so the result can be reused. Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/internal.h | 2 +- kernel/module/main.c | 13 ++++++++++++- kernel/module/signing.c | 21 +++++++-------------- 3 files changed, 20 insertions(+), 16 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index e053c29a5d08..e2d49122c2a1 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -337,7 +337,7 @@ int module_enforce_rwx_sections(const Elf_Ehdr *hdr, co= nst Elf_Shdr *sechdrs, void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs, const char *secstrings); =20 -int module_sig_check(struct load_info *info, int flags); +int module_sig_check(struct load_info *info, const u8 *sig, size_t sig_len= ); =20 #ifdef CONFIG_DEBUG_KMEMLEAK void kmemleak_load_module(const struct module *mod, const struct load_info= *info); diff --git a/kernel/module/main.c b/kernel/module/main.c index c09b25c0166a..d65bc300a78c 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3346,10 +3346,21 @@ static int early_mod_check(struct load_info *info, = int flags) =20 static int module_integrity_check(struct load_info *info, int flags) { + bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | + MODULE_INIT_IGNORE_VERMAGIC); + size_t sig_len; + const u8 *sig; int err =3D 0; =20 + if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) { + err =3D mod_split_sig(info->hdr, &info->len, mangled_module, + &sig_len, &sig, "module"); + if (err) + return err; + } + if (IS_ENABLED(CONFIG_MODULE_SIG)) - err =3D module_sig_check(info, flags); + err =3D module_sig_check(info, sig, sig_len); =20 if (err) return err; diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 8a5f66389116..86164761cac7 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c 
@@ -15,26 +15,19 @@ #include #include "internal.h" =20 -int module_sig_check(struct load_info *info, int flags) +int module_sig_check(struct load_info *info, const u8 *sig, size_t sig_len) { int err; const char *reason; const void *mod =3D info->hdr; - size_t sig_len; - const u8 *sig; - bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | - MODULE_INIT_IGNORE_VERMAGIC); =20 - err =3D mod_split_sig(info->hdr, &info->len, mangled_module, &sig_len, &s= ig, "module"); + err =3D verify_pkcs7_signature(mod, info->len, sig, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); if (!err) { - err =3D verify_pkcs7_signature(mod, info->len, sig, sig_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); - if (!err) { - info->sig_ok =3D true; - return 0; - } + info->sig_ok =3D true; + return 0; } =20 /* --=20 2.52.0 From nobody Sat Feb 7 07:12:13 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B9443904F9; Tue, 13 Jan 2026 12:37:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307872; cv=none; b=As1rXW0pcCi9b74IBpJXc4LonhWtVZoGJ0nC9k6L1L6qMQcwDRnFK8zm3Jg9rQ5ww4bKtuTUpTRXjW8z0Y3gK//dB1Rdvojoq428VbN3kNCWFtdmuuY9N7eILZ5lmllPoLe1fkom0tGFa7gGuujJImQZFHzj2uSacy/VwR/uiKU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307872; c=relaxed/simple; bh=wiGilzlJGxFjaan6NlKlyZZaDBA2UKvl/XF2WjjMx6k=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=eNMXLXshANoftsrPSY6ya/fTNkifGGccM1wJnGO+uUOahdod3ot4EtyY6oFA3g5HGmxfxZHX/F7RXKhopVcJ4B5CmDz9DIB2ZQNevW0CNXlL+uYktpW4v8m7/9GJEr/x596zDvd4C5YDEq8Z+SwJtMy15S89Xm4IxWrZ7KD654U= 
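Review bot: In module_integrity_check() in kernel/module/main.c, an error from mod_split_sig() is now returned to the caller directly ("if (err) return err;"), whereas the removed code in module_sig_check() only skipped verify_pkcs7_signature() on failure and let the error fall through to the handling that follows in that function. Whatever mod_split_sig() reports for a module it cannot split is therefore now a hard load failure, decided before module_sig_check() gets to classify the error; if that is intended, the commit message should say so, otherwise the error needs to be handed on to module_sig_check(). Separately, sig and sig_len are assigned only inside the IS_ENABLED(CONFIG_MODULE_SIG_POLICY) block but are read under IS_ENABLED(CONFIG_MODULE_SIG); initialising them (sig = NULL, sig_len = 0) removes the reliance on the Kconfig relationship between the two options.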
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:57 +0100
Subject: [PATCH v4 13/17] module: Report signature type to users
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-13-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh
X-Mailer: b4 0.14.3

The upcoming CONFIG_MODULE_HASHES will introduce a signature type.
This needs to be handled by callers differently than PKCS7 signatures. Report the signature type to the caller and let them verify it. Signed-off-by: Thomas Wei=C3=9Fschuh --- include/linux/module_signature.h | 2 +- kernel/module/main.c | 9 +++++++-- kernel/module_signature.c | 14 ++++---------- security/integrity/ima/ima_modsig.c | 8 +++++++- 4 files changed, 19 insertions(+), 14 deletions(-) diff --git a/include/linux/module_signature.h b/include/linux/module_signat= ure.h index 186a55effa30..a45ce3b24403 100644 --- a/include/linux/module_signature.h +++ b/include/linux/module_signature.h @@ -41,6 +41,6 @@ struct module_signature { }; =20 int mod_split_sig(const void *buf, size_t *buf_len, bool mangled, - size_t *sig_len, const u8 **sig, const char *name); + enum pkey_id_type *sig_type, size_t *sig_len, const u8 **sig, const ch= ar *name); =20 #endif /* _LINUX_MODULE_SIGNATURE_H */ diff --git a/kernel/module/main.c b/kernel/module/main.c index d65bc300a78c..2a28a0ece809 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3348,19 +3348,24 @@ static int module_integrity_check(struct load_info = *info, int flags) { bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | MODULE_INIT_IGNORE_VERMAGIC); + enum pkey_id_type sig_type; size_t sig_len; const u8 *sig; int err =3D 0; =20 if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) { err =3D mod_split_sig(info->hdr, &info->len, mangled_module, - &sig_len, &sig, "module"); + &sig_type, &sig_len, &sig, "module"); if (err) return err; } =20 - if (IS_ENABLED(CONFIG_MODULE_SIG)) + if (IS_ENABLED(CONFIG_MODULE_SIG) && sig_type =3D=3D PKEY_ID_PKCS7) { err =3D module_sig_check(info, sig, sig_len); + } else { + pr_err("module: not signed with expected PKCS#7 message\n"); + err =3D -ENOPKG; + } =20 if (err) return err; diff --git a/kernel/module_signature.c b/kernel/module_signature.c index b2384a73524c..8e0ac9906c9c 100644 --- a/kernel/module_signature.c +++ b/kernel/module_signature.c 
@@ -19,18 +19,11 @@ * @file_len: Size of the file to which @ms is appended. * @name: What is being checked. Used for error messages. */ -static int mod_check_sig(const struct module_signature *ms, size_t file_le= n, - const char *name) +static int mod_check_sig(const struct module_signature *ms, size_t file_le= n, const char *name) { if (be32_to_cpu(ms->sig_len) >=3D file_len - sizeof(*ms)) return -EBADMSG; =20 - if (ms->id_type !=3D PKEY_ID_PKCS7) { - pr_err("%s: not signed with expected PKCS#7 message\n", - name); - return -ENOPKG; - } - if (ms->algo !=3D 0 || ms->hash !=3D 0 || ms->signer_len !=3D 0 || @@ -38,7 +31,7 @@ static int mod_check_sig(const struct module_signature *m= s, size_t file_len, ms->__pad[0] !=3D 0 || ms->__pad[1] !=3D 0 || ms->__pad[2] !=3D 0) { - pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n", + pr_err("%s: signature info has unexpected non-zero params\n", name); return -EBADMSG; } @@ -47,7 +40,7 @@ static int mod_check_sig(const struct module_signature *m= s, size_t file_len, } =20 int mod_split_sig(const void *buf, size_t *buf_len, bool mangled, - size_t *sig_len, const u8 **sig, const char *name) + enum pkey_id_type *sig_type, size_t *sig_len, const u8 **sig, const ch= ar *name) { const unsigned long markerlen =3D sizeof(MODULE_SIG_STRING) - 1; struct module_signature ms; @@ -74,6 +67,7 @@ int mod_split_sig(const void *buf, size_t *buf_len, bool = mangled, if (ret) return ret; =20 + *sig_type =3D ms.id_type; *sig_len =3D be32_to_cpu(ms.sig_len); modlen -=3D *sig_len + sizeof(ms); *buf_len =3D modlen; diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/i= ma_modsig.c index a57342d39b07..a05008324a10 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c 
@@ -41,15 +41,21 @@ int ima_read_modsig(enum ima_hooks func, const void *bu= f, loff_t buf_len, struct modsig **modsig) { size_t buf_len_sz =3D buf_len; + enum pkey_id_type sig_type; struct modsig *hdr; size_t sig_len; const u8 *sig; int rc; =20 - rc =3D mod_split_sig(buf, &buf_len_sz, true, &sig_len, &sig, func_tokens[= func]); + rc =3D mod_split_sig(buf, &buf_len_sz, true, &sig_type, &sig_len, &sig, f= unc_tokens[func]); if (rc) return rc; =20 + if (sig_type !=3D PKEY_ID_PKCS7) { + pr_err("%s: not signed with expected PKCS#7 message\n", func_tokens[func= ]); + return -ENOPKG; + } + /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ hdr =3D kzalloc(struct_size(hdr, raw_pkcs7, sig_len), GFP_KERNEL); if (!hdr) --=20 2.52.0 From nobody Sat Feb 7 07:12:13 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 643DE3921C2; Tue, 13 Jan 2026 12:37:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307872; cv=none; b=OJigXrdUbf06Td9swvoV69A3CrspTY/TJvGBHGIgQ2PekhF1hb0raeO8pg43eofRez3zIXNIy/FfyAV7NzdQea7b2zSDqqmpFHCiUNs7wTPVk/AEzp66GE1cB9ZcPjaYvDRhvvDHMGdh8TPzCLgGerGoyPoMRhbUCkub7tiYPk4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307872; c=relaxed/simple; bh=NC/OO27F4y33AwnsUK1UgiJc9IBnwzGy7eK0nVFHjZg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=XLEoJqDfTLUXJHEJJVRVjV/DuqpMQmz/otyKbgsApCv/IEGYZhiC0jHqcyUHL7IS+3oufcy83ISp+rZqrM7qF4XiNbaDQLeVAtJNp0PwSwMka07itDxbvAMVSGTCO6Aq/QkOZaSBcf5QdWmwhK9+PWWewn6QgGVbYpgCbrCbG28= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; 
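Review bot: In module_integrity_check() in kernel/module/main.c, the new else branch runs whenever "IS_ENABLED(CONFIG_MODULE_SIG) && sig_type == PKEY_ID_PKCS7" is false, which covers every build with CONFIG_MODULE_SIG disabled: such a kernel would print "not signed with expected PKCS#7 message" and fail each module load with -ENOPKG. Split the condition so that the type check and the error only apply inside the IS_ENABLED(CONFIG_MODULE_SIG) case. In the same function sig_type is written only by mod_split_sig() under CONFIG_MODULE_SIG_POLICY, so it should get an initial value. Since mod_check_sig() no longer rejects id_type values other than PKEY_ID_PKCS7, the kernel-doc for mod_split_sig() should state that callers must validate *sig_type themselves; both callers touched here do, but the contract is no longer visible from the function.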
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:58 +0100
Subject: [PATCH v4 14/17] lockdown: Make the relationship to MODULE_SIG a dependency
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-14-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh
X-Mailer: b4 0.14.3

The new hash-based module integrity checking will also be able
to satisfy the requirements of lockdown. Such an alternative is not representable with "select", so use "depends on" instead. Signed-off-by: Thomas Wei=C3=9Fschuh --- security/lockdown/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index e84ddf484010..155959205b8e 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig 
@@ -1,7 +1,7 @@ config SECURITY_LOCKDOWN_LSM bool "Basic module for enforcing kernel lockdown" depends on SECURITY - select MODULE_SIG if MODULES + depends on !MODULES || MODULE_SIG help Build support for an LSM that enforces a coarse kernel lockdown behaviour. --=20 2.52.0 From nobody Sat Feb 7 07:12:13 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8EC19392B69; Tue, 13 Jan 2026 12:37:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307876; cv=none; b=jKq8KPSv6vpmwj51CUL0isniDq0AcOv/tigNT6H4gWv5UOqWcFUxOO78V4OAn/kFLO+f4pMcst0MQNel8Mwmfa2qIQzv74plp4k+wZU7SrYOKFULoXSS0fXFdpXp00MOXnDEISefhmvaPweK4J20IbigxZVnGIuIo2Bjt9hhsYE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307876; c=relaxed/simple; bh=uo+q0Kly5GHHRWNz1xrlmWkaJngnhqqDNyjrM//3gk0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Sq4dCuHn0iAjcJgm+WzNi+S4xpvl9LQSQFonEB5A67YkGOEYkobI738L03+MGhjEVB8MCqVErD5OzXYAW+N6grdf07B7pz6yRTtSo1BnVOoIwAcz/ggS0lI+YHjay4Zqlb1hg+zzurk6UcKczMvuNbobrBG6GFN57H+24RNzcX4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=JwVKXFZL; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="JwVKXFZL" 
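Review bot: In security/lockdown/Kconfig, replacing "select MODULE_SIG if MODULES" with "depends on !MODULES || MODULE_SIG" means a configuration that sets SECURITY_LOCKDOWN_LSM=y with MODULES=y but never set MODULE_SIG itself will now lose SECURITY_LOCKDOWN_LSM instead of gaining MODULE_SIG. The commit message should call this out, and any defconfig or config fragment that relied on the select needs MODULE_SIG added explicitly in the same series. The help text could also name the dependency, so that users who no longer see the option can find out why.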
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:28:59 +0100
Subject: [PATCH v4 15/17] module: Introduce hash-based integrity checking
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-15-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh
X-Mailer: b4 0.14.3

The current signature-based module integrity checking has some
drawbacks in combination with reproducible builds. Either the module
signing key is generated at build time, which makes the build
unreproducible, or a static signing key is used, which precludes
rebuilds by third parties and makes the whole build and packaging
process much more complicated.

The goal is to reach bit-for-bit reproducibility. Excluding certain
parts of the build output from the reproducibility analysis would be
error-prone and force each downstream consumer to introduce new tooling.

Introduce a new mechanism to ensure only well-known modules are loaded
by embedding a merkle tree root of all modules built as part of the full
kernel build into vmlinux.

Non-builtin modules can be validated as before through signatures.

Normally the .ko module files depend on a fully built vmlinux to be
available for modpost validation and BTF generation. With
CONFIG_MODULE_HASHES, vmlinux now depends on the modules to build a
merkle tree. This introduces a dependency cycle which is impossible to
satisfy. Work around this by building the modules during
link-vmlinux.sh, after vmlinux is complete enough for modpost and BTF
but before the final module hashes are

The PKCS7 format which is used for regular module signatures can not
represent Merkle proofs, so a new kind of module signature is
introduced. As this signature type is only ever used for builtin
modules, no compatibility issues can arise.

Signed-off-by: Thomas Wei=C3=9Fschuh --- .gitignore | 1 + Documentation/kbuild/reproducible-builds.rst | 5 +- Makefile | 8 +- include/asm-generic/vmlinux.lds.h | 11 + include/linux/module_hashes.h | 25 ++ include/linux/module_signature.h | 1 + kernel/module/Kconfig | 21 +- kernel/module/Makefile | 1 + kernel/module/hashes.c | 92 ++++++ kernel/module/hashes_root.c | 6 + kernel/module/internal.h | 1 + kernel/module/main.c | 4 +- scripts/.gitignore | 1 + scripts/Makefile | 3 + scripts/Makefile.modfinal | 11 + scripts/Makefile.modinst | 13 + scripts/Makefile.vmlinux | 5 + scripts/link-vmlinux.sh | 14 +- scripts/modules-merkle-tree.c | 467 +++++++++++++++++++++++= ++++ security/lockdown/Kconfig | 2 +- 20 files changed, 685 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 3a7241c941f5..299c54083672 100644 --- a/.gitignore +++ b/.gitignore @@ -35,6 +35,7 @@ *.lz4 *.lzma *.lzo +*.merkle *.mod *.mod.c *.o diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/k= build/reproducible-builds.rst index 96d208e578cd..bfde81e47b2d 100644 --- a/Documentation/kbuild/reproducible-builds.rst +++ b/Documentation/kbuild/reproducible-builds.rst @@ -82,7 +82,10 @@ generate a different temporary key for each build, resul= ting in the modules being unreproducible. However, including a signing key with your source would presumably defeat the purpose of signing modules. =20 -One approach to this is to divide up the build process so that the +Instead ``CONFIG_MODULE_HASHES`` can be used to embed a static list +of valid modules to load. + +Another approach to this is to divide up the build process so that the unreproducible parts can be treated as sources: =20 1. Generate a persistent signing key. Add the certificate for the key diff --git a/Makefile b/Makefile index e404e4767944..841772a5a260 100644 --- a/Makefile +++ b/Makefile 
@@ -1588,8 +1588,10 @@ endif # is an exception. ifdef CONFIG_DEBUG_INFO_BTF_MODULES KBUILD_BUILTIN :=3D y +ifndef CONFIG_MODULE_HASHES modules: vmlinux endif +endif =20 modules: modules_prepare =20 @@ -1981,7 +1983,11 @@ modules.order: $(build-dir) # KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules. # This is solely useful to speed up test compiles. modules: modpost -ifneq ($(KBUILD_MODPOST_NOFINAL),1) +ifdef CONFIG_MODULE_HASHES +ifeq ($(MODULE_HASHES_MODPOST_FINAL), 1) + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modfinal +endif +else ifneq ($(KBUILD_MODPOST_NOFINAL),1) $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modfinal endif =20 diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinu= x.lds.h index 8ca130af301f..d3846845e37b 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -508,6 +508,8 @@ \ PRINTK_INDEX \ \ + MODULE_HASHES \ + \ /* Kernel symbol table: Normal symbols */ \ __ksymtab : AT(ADDR(__ksymtab) - LOAD_OFFSET) { \ __start___ksymtab =3D .; \ @@ -918,6 +920,15 @@ #define PRINTK_INDEX #endif =20 +#ifdef CONFIG_MODULE_HASHES +#define MODULE_HASHES \ + .module_hashes : AT(ADDR(.module_hashes) - LOAD_OFFSET) { \ + KEEP(*(SORT(.module_hashes))) \ + } +#else +#define MODULE_HASHES +#endif + /* * Discard .note.GNU-stack, which is emitted as PROGBITS by the compiler. * Otherwise, the type of .notes section would become PROGBITS instead of = NOTES. diff --git a/include/linux/module_hashes.h b/include/linux/module_hashes.h new file mode 100644 index 000000000000..de61072627cc --- /dev/null +++ b/include/linux/module_hashes.h 
@@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _LINUX_MODULE_HASHES_H +#define _LINUX_MODULE_HASHES_H + +#include +#include +#include + +#define __module_hashes_section __section(".module_hashes") +#define MODULE_HASHES_HASH_SIZE SHA256_DIGEST_SIZE + +struct module_hashes_proof { + __be32 pos; + u8 hash_sigs[][MODULE_HASHES_HASH_SIZE]; +} __packed; + +struct module_hashes_root { + u32 levels; + u8 hash[MODULE_HASHES_HASH_SIZE]; +}; + +extern const struct module_hashes_root module_hashes_root; + +#endif /* _LINUX_MODULE_HASHES_H */ diff --git a/include/linux/module_signature.h b/include/linux/module_signat= ure.h index a45ce3b24403..3b510651830d 100644 --- a/include/linux/module_signature.h +++ b/include/linux/module_signature.h @@ -18,6 +18,7 @@ enum pkey_id_type { PKEY_ID_PGP, /* OpenPGP generated key ID */ PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ + PKEY_ID_MERKLE, /* Merkle proof for modules */ }; =20 /* diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index db3b61fb3e73..c00ca830330c 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -271,7 +271,7 @@ config MODULE_SIG inclusion into an initramfs that wants the module size reduced. =20 config MODULE_SIG_POLICY - def_bool MODULE_SIG + def_bool MODULE_SIG || MODULE_HASHES =20 config MODULE_SIG_FORCE bool "Require modules to be validly signed" @@ -289,7 +289,7 @@ config MODULE_SIG_ALL modules must be signed manually, using the scripts/sign-file tool. =20 comment "Do not forget to sign required modules with scripts/sign-file" - depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL + depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL && !MODULE_HASHES =20 choice prompt "Hash algorithm to sign modules" 
@@ -408,6 +408,23 @@ config MODULE_DECOMPRESS =20 If unsure, say N. =20 +config MODULE_HASHES + bool "Module hash validation" + depends on !MODULE_SIG_ALL + depends on !IMA_APPRAISE_MODSIG + select MODULE_SIG_FORMAT + select CRYPTO_LIB_SHA256 + help + Validate modules by their hashes. + Only modules built together with the main kernel image can be + validated that way. + + This is a reproducible-build compatible alternative to a build-time + generated module keyring, as enabled by + CONFIG_MODULE_SIG_KEY=3Dcerts/signing_key.pem. + + Also see the warning in MODULE_SIG about stripping modules. + config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS bool "Allow loading of modules with missing namespace imports" help diff --git a/kernel/module/Makefile b/kernel/module/Makefile index d9e8759a7b05..dd37aaf4a61a 100644 --- a/kernel/module/Makefile +++ b/kernel/module/Makefile @@ -25,3 +25,4 @@ obj-$(CONFIG_KGDB_KDB) +=3D kdb.o obj-$(CONFIG_MODVERSIONS) +=3D version.o obj-$(CONFIG_MODULE_UNLOAD_TAINT_TRACKING) +=3D tracking.o obj-$(CONFIG_MODULE_STATS) +=3D stats.o +obj-$(CONFIG_MODULE_HASHES) +=3D hashes.o hashes_root.o diff --git a/kernel/module/hashes.c b/kernel/module/hashes.c new file mode 100644 index 000000000000..23ca9f66652f --- /dev/null +++ b/kernel/module/hashes.c 
@@ -0,0 +1,92 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* Module hash-based integrity checker + * + * Copyright (C) 2025 Thomas Wei=C3=9Fschuh + * Copyright (C) 2025 Sebastian Andrzej Siewior + */ + +#define pr_fmt(fmt) "module/hash: " fmt + +#include +#include +#include + +#include + +#include "internal.h" + +static __init __maybe_unused int module_hashes_init(void) +{ + pr_debug("root: levels=3D%u hash=3D%*phN\n", + module_hashes_root.levels, + (int)sizeof(module_hashes_root.hash), module_hashes_root.hash); + + return 0; +} + +#if IS_ENABLED(CONFIG_MODULE_DEBUG) +early_initcall(module_hashes_init); +#endif + +static void hash_entry(const void *left, const void *right, void *out) +{ + struct sha256_ctx ctx; + u8 magic =3D 0x02; + + sha256_init(&ctx); + sha256_update(&ctx, &magic, sizeof(magic)); + sha256_update(&ctx, left, MODULE_HASHES_HASH_SIZE); + sha256_update(&ctx, right, MODULE_HASHES_HASH_SIZE); + sha256_final(&ctx, out); +} + +static void hash_data(const void *d, size_t len, unsigned int pos, void *o= ut) +{ + struct sha256_ctx ctx; + u8 magic =3D 0x01; + __be32 pos_be; + + pos_be =3D cpu_to_be32(pos); + + sha256_init(&ctx); + sha256_update(&ctx, &magic, sizeof(magic)); + sha256_update(&ctx, (const u8 *)&pos_be, sizeof(pos_be)); + sha256_update(&ctx, d, len); + sha256_final(&ctx, out); +} + +static bool module_hashes_verify_proof(u32 pos, const u8 hash_sigs[][MODUL= E_HASHES_HASH_SIZE], + u8 *cur) +{ + for (unsigned int i =3D 0; i < module_hashes_root.levels; i++, pos >>=3D = 1) { + if ((pos & 1) =3D=3D 0) + hash_entry(cur, hash_sigs[i], cur); + else + hash_entry(hash_sigs[i], cur, cur); + } + + return !memcmp(cur, module_hashes_root.hash, MODULE_HASHES_HASH_SIZE); +} + +int module_hash_check(struct load_info *info, const u8 *sig, size_t sig_le= n) +{ + u8 modhash[MODULE_HASHES_HASH_SIZE]; + const struct module_hashes_proof *proof; + size_t proof_size; + u32 pos; + + proof_size =3D struct_size(proof, hash_sigs, module_hashes_root.levels); + + if 
(sig_len !=3D proof_size) + return -ENOPKG; + + proof =3D (const struct module_hashes_proof *)sig; + pos =3D get_unaligned_be32(&proof->pos); + + hash_data(info->hdr, info->len, pos, &modhash); + + if (module_hashes_verify_proof(pos, proof->hash_sigs, modhash)) + info->sig_ok =3D true; + + return 0; +} diff --git a/kernel/module/hashes_root.c b/kernel/module/hashes_root.c new file mode 100644 index 000000000000..1abfcd3aa679 --- /dev/null +++ b/kernel/module/hashes_root.c @@ -0,0 +1,6 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include + +/* Blank dummy data. Will be overridden by link-vmlinux.sh */ +const struct module_hashes_root module_hashes_root __module_hashes_section= =3D {}; diff --git a/kernel/module/internal.h b/kernel/module/internal.h index e2d49122c2a1..e22837d3ac76 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -338,6 +338,7 @@ void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf= _Shdr *sechdrs, const char *secstrings); =20 int module_sig_check(struct load_info *info, const u8 *sig, size_t sig_len= ); +int module_hash_check(struct load_info *info, const u8 *sig, size_t sig_le= n); =20 #ifdef CONFIG_DEBUG_KMEMLEAK void kmemleak_load_module(const struct module *mod, const struct load_info= *info); diff --git a/kernel/module/main.c b/kernel/module/main.c index 2a28a0ece809..fa30b6387936 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3362,8 +3362,10 @@ static int module_integrity_check(struct load_info *= info, int flags) =20 if (IS_ENABLED(CONFIG_MODULE_SIG) && sig_type =3D=3D PKEY_ID_PKCS7) { err =3D module_sig_check(info, sig, sig_len); + } else if (IS_ENABLED(CONFIG_MODULE_HASHES) && sig_type =3D=3D PKEY_ID_ME= RKLE) { + err =3D module_hash_check(info, sig, sig_len); } else { - pr_err("module: not signed with expected PKCS#7 message\n"); + pr_err("module: not signed with signature mechanism\n"); err =3D -ENOPKG; } =20 
diff --git a/scripts/.gitignore b/scripts/.gitignore index 4215c2208f7e..8dad9b0d3b2d 100644 --- a/scripts/.gitignore +++ b/scripts/.gitignore @@ -5,6 +5,7 @@ /insert-sys-cert /kallsyms /module.lds +/modules-merkle-tree /recordmcount /rustdoc_test_builder /rustdoc_test_gen diff --git a/scripts/Makefile b/scripts/Makefile index 0941e5ce7b57..f539e4d93af7 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -11,6 +11,7 @@ hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) +=3D sign-f= ile hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) +=3D insert-sys-cert hostprogs-always-$(CONFIG_RUST_KERNEL_DOCTESTS) +=3D rustdoc_test_builder hostprogs-always-$(CONFIG_RUST_KERNEL_DOCTESTS) +=3D rustdoc_test_gen +hostprogs-always-$(CONFIG_MODULE_HASHES) +=3D modules-merkle-tree hostprogs-always-$(CONFIG_TRACEPOINTS) +=3D tracepoint-update =20 sorttable-objs :=3D sorttable.o elf-parse.o @@ -36,6 +37,8 @@ HOSTLDLIBS_sorttable =3D -lpthread HOSTCFLAGS_asn1_compiler.o =3D -I$(srctree)/include HOSTCFLAGS_sign-file.o =3D $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2>= /dev/null) HOSTLDLIBS_sign-file =3D $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /de= v/null || echo -lcrypto) +HOSTCFLAGS_modules-merkle-tree.o =3D $(shell $(HOSTPKG_CONFIG) --cflags li= bcrypto 2> /dev/null) +HOSTLDLIBS_modules-merkle-tree =3D $(shell $(HOSTPKG_CONFIG) --libs libcry= pto 2> /dev/null || echo -lcrypto) =20 ifdef CONFIG_UNWINDER_ORC ifeq ($(ARCH),x86_64) diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index 930db0524a0a..5b8e94170beb 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal 
@@ -63,7 +63,18 @@ ifdef CONFIG_DEBUG_INFO_BTF_MODULES endif +$(call cmd,check_tracepoint) =20 +quiet_cmd_merkle =3D MERKLE $@ + cmd_merkle =3D $(objtree)/scripts/modules-merkle-tree $@ .ko + +.tmp_module_hashes.c: $(modules:%.o=3D%.ko) $(objtree)/scripts/modules-mer= kle-tree FORCE + $(call cmd,merkle) + +ifdef CONFIG_MODULE_HASHES +__modfinal: .tmp_module_hashes.c +endif + targets +=3D $(modules:%.o=3D%.ko) $(modules:%.o=3D%.mod.o) .module-common= .o +targets +=3D $(modules:%.o=3D%.merkle) .tmp_module_hashes.c =20 # Add FORCE to the prerequisites of a target to force it to be always rebu= ilt. # ------------------------------------------------------------------------= --- diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index 9ba45e5b32b1..ba4343b40497 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -79,6 +79,12 @@ quiet_cmd_install =3D INSTALL $@ # as the options to the strip command. ifdef INSTALL_MOD_STRIP =20 +ifdef CONFIG_MODULE_HASHES +ifeq ($(KBUILD_EXTMOD),) +$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) +endif +endif + ifeq ($(INSTALL_MOD_STRIP),1) strip-option :=3D --strip-debug else @@ -116,6 +122,13 @@ quiet_cmd_sign :=3D cmd_sign :=3D : endif =20 +ifeq ($(KBUILD_EXTMOD),) +ifdef CONFIG_MODULE_HASHES +quiet_cmd_sign =3D MERKLE [M] $@ + cmd_sign =3D cat $(objtree)/$*.merkle >> $@ +endif +endif + # Create necessary directories $(foreach dir, $(sort $(dir $(install-y))), $(shell mkdir -p $(dir))) =20 diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux index cd788cac9d91..f4e38b953b01 100644 --- a/scripts/Makefile.vmlinux +++ b/scripts/Makefile.vmlinux @@ -78,6 +78,11 @@ ifdef CONFIG_BUILDTIME_TABLE_SORT vmlinux.unstripped: scripts/sorttable endif =20 +ifdef CONFIG_MODULE_HASHES +vmlinux.unstripped: $(objtree)/scripts/modules-merkle-tree +vmlinux.unstripped: modules.order +endif + # vmlinux # ------------------------------------------------------------------------= --- =20 
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index 8c98f8645a5c..bfeff1f5753d 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -103,7 +103,7 @@ vmlinux_link() ${ld} ${ldflags} -o ${output} \ ${wl}--whole-archive ${objs} ${wl}--no-whole-archive \ ${wl}--start-group ${libs} ${wl}--end-group \ - ${kallsymso} ${btf_vmlinux_bin_o} ${arch_vmlinux_o} ${ldlibs} + ${kallsymso} ${btf_vmlinux_bin_o} ${module_hashes_o} ${arch_vmlinux_o} $= {ldlibs} } =20 # generate .BTF typeinfo from DWARF debuginfo @@ -212,6 +212,7 @@ fi =20 btf_vmlinux_bin_o=3D kallsymso=3D +module_hashes_o=3D strip_debug=3D generate_map=3D =20 @@ -315,6 +316,17 @@ if is_enabled CONFIG_BUILDTIME_TABLE_SORT; then fi fi =20 +if is_enabled CONFIG_MODULE_HASHES; then + info MAKE modules + ${MAKE} -f Makefile MODULE_HASHES_MODPOST_FINAL=3D1 modules + module_hashes_o=3D.tmp_module_hashes.o + info CC ${module_hashes_o} + ${CC} ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS} ${KBUILD_CFLAG= S} \ + ${KBUILD_CFLAGS_KERNEL} -fno-lto -c -o "${module_hashes_o}" ".tmp_module= _hashes.c" + ${OBJCOPY} --dump-section .module_hashes=3D.tmp_module_hashes.bin ${modul= e_hashes_o} + ${OBJCOPY} --update-section .module_hashes=3D.tmp_module_hashes.bin ${VML= INUX} +fi + # step a (see comment above) if is_enabled CONFIG_KALLSYMS; then if ! cmp -s System.map "${kallsyms_sysmap}"; then diff --git a/scripts/modules-merkle-tree.c b/scripts/modules-merkle-tree.c new file mode 100644 index 000000000000..a6ec0e21213b --- /dev/null +++ b/scripts/modules-merkle-tree.c 
@@ -0,0 +1,467 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Compute hashes for modules files and build a merkle tree. + * + * Copyright (C) 2025 Sebastian Andrzej Siewior + * Copyright (C) 2025 Thomas Wei=C3=9Fschuh + * + */ +#define _GNU_SOURCE 1 +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include + +#include "ssl-common.h" + +static int hash_size; +static EVP_MD_CTX *ctx; + +struct module_signature { + uint8_t algo; /* Public-key crypto algorithm [0] */ + uint8_t hash; /* Digest algorithm [0] */ + uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */ + uint8_t signer_len; /* Length of signer's name [0] */ + uint8_t key_id_len; /* Length of key identifier [0] */ + uint8_t __pad[3]; + uint32_t sig_len; /* Length of signature data */ +}; + +#define PKEY_ID_MERKLE 3 + +static const char magic_number[] =3D "~Module signature appended~\n"; + +struct file_entry { + char *name; + unsigned int pos; + unsigned char hash[EVP_MAX_MD_SIZE]; +}; + +static struct file_entry *fh_list; +static size_t num_files; + +struct leaf_hash { + unsigned char hash[EVP_MAX_MD_SIZE]; +}; + +struct mtree { + struct leaf_hash **l; + unsigned int *entries; + unsigned int levels; +}; + +static inline void *xcalloc(size_t n, size_t size) +{ + void *p; + + p =3D calloc(n, size); + if (!p) + errx(1, "Memory allocation failed"); + + return p; +} + +static void *xmalloc(size_t size) +{ + void *p; + + p =3D malloc(size); + if (!p) + errx(1, "Memory allocation failed"); + + return p; +} + +static inline void *xreallocarray(void *oldp, size_t n, size_t size) +{ + void *p; + + p =3D reallocarray(oldp, n, size); + if (!p) + errx(1, "Memory allocation failed"); + + return p; +} + +static inline char *xasprintf(const char *fmt, ...) 
+{ + va_list ap; + char *strp; + int ret; + + va_start(ap, fmt); + ret =3D vasprintf(&strp, fmt, ap); + va_end(ap); + if (ret =3D=3D -1) + err(1, "Memory allocation failed"); + + return strp; +} + +static unsigned int get_pow2(unsigned int val) +{ + return 31 - __builtin_clz(val); +} + +static unsigned int roundup_pow2(unsigned int val) +{ + return 1 << (get_pow2(val - 1) + 1); +} + +static unsigned int log2_roundup(unsigned int val) +{ + return get_pow2(roundup_pow2(val)); +} + +static void hash_data(void *p, unsigned int pos, size_t size, void *ret_ha= sh) +{ + unsigned char magic =3D 0x01; + unsigned int pos_be; + + pos_be =3D htonl(pos); + + ERR(EVP_DigestInit_ex(ctx, NULL, NULL) !=3D 1, "EVP_DigestInit_ex()"); + ERR(EVP_DigestUpdate(ctx, &magic, sizeof(magic)) !=3D 1, "EVP_DigestUpdat= e(magic)"); + ERR(EVP_DigestUpdate(ctx, &pos_be, sizeof(pos_be)) !=3D 1, "EVP_DigestUpd= ate(pos)"); + ERR(EVP_DigestUpdate(ctx, p, size) !=3D 1, "EVP_DigestUpdate(data)"); + ERR(EVP_DigestFinal_ex(ctx, ret_hash, NULL) !=3D 1, "EVP_DigestFinal_ex()= "); +} + +static void hash_entry(void *left, void *right, void *ret_hash) +{ + int hash_size =3D EVP_MD_CTX_get_size_ex(ctx); + unsigned char magic =3D 0x02; + + ERR(EVP_DigestInit_ex(ctx, NULL, NULL) !=3D 1, "EVP_DigestInit_ex()"); + ERR(EVP_DigestUpdate(ctx, &magic, sizeof(magic)) !=3D 1, "EVP_DigestUpdat= e(magic)"); + ERR(EVP_DigestUpdate(ctx, left, hash_size) !=3D 1, "EVP_DigestUpdate(left= )"); + ERR(EVP_DigestUpdate(ctx, right, hash_size) !=3D 1, "EVP_DigestUpdate(rig= ht)"); + ERR(EVP_DigestFinal_ex(ctx, ret_hash, NULL) !=3D 1, "EVP_DigestFinal_ex()= "); +} + +static void hash_file(struct file_entry *fe) +{ + struct stat sb; + int fd, ret; + void *mem; + + fd =3D open(fe->name, O_RDONLY); + if (fd < 0) + err(1, "Failed to open %s", fe->name); + + ret =3D fstat(fd, &sb); + if (ret) + err(1, "Failed to stat %s", fe->name); + + mem =3D mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0); + close(fd); + + if (mem =3D=3D 
MAP_FAILED) + err(1, "Failed to mmap %s", fe->name); + + hash_data(mem, fe->pos, sb.st_size, fe->hash); + + munmap(mem, sb.st_size); +} + +static struct mtree *build_merkle(struct file_entry *fh, size_t num) +{ + struct mtree *mt; + unsigned int le; + + if (!num) + return NULL; + + mt =3D xmalloc(sizeof(*mt)); + mt->levels =3D log2_roundup(num); + + mt->l =3D xcalloc(sizeof(*mt->l), mt->levels); + + mt->entries =3D xcalloc(sizeof(*mt->entries), mt->levels); + le =3D num / 2; + if (num & 1) + le++; + mt->entries[0] =3D le; + mt->l[0] =3D xcalloc(sizeof(**mt->l), le); + + /* First level of pairs */ + for (unsigned int i =3D 0; i < num; i +=3D 2) { + if (i =3D=3D num - 1) { + /* Odd number of files, no pair. Hash with itself */ + hash_entry(fh[i].hash, fh[i].hash, mt->l[0][i / 2].hash); + } else { + hash_entry(fh[i].hash, fh[i + 1].hash, mt->l[0][i / 2].hash); + } + } + for (unsigned int i =3D 1; i < mt->levels; i++) { + int odd =3D 0; + + if (le & 1) { + le++; + odd++; + } + + mt->entries[i] =3D le / 2; + mt->l[i] =3D xcalloc(sizeof(**mt->l), le); + + for (unsigned int n =3D 0; n < le; n +=3D 2) { + if (n =3D=3D le - 2 && odd) { + /* Odd number of pairs, no pair. 
Hash with itself */ + hash_entry(mt->l[i - 1][n].hash, mt->l[i - 1][n].hash, + mt->l[i][n / 2].hash); + } else { + hash_entry(mt->l[i - 1][n].hash, mt->l[i - 1][n + 1].hash, + mt->l[i][n / 2].hash); + } + } + le =3D mt->entries[i]; + } + return mt; +} + +static void free_mtree(struct mtree *mt) +{ + if (!mt) + return; + + for (unsigned int i =3D 0; i < mt->levels; i++) + free(mt->l[i]); + + free(mt->l); + free(mt->entries); + free(mt); +} + +static void write_be_int(int fd, unsigned int v) +{ + unsigned int be_val =3D htonl(v); + + if (write(fd, &be_val, sizeof(be_val)) !=3D sizeof(be_val)) + err(1, "Failed writing to file"); +} + +static void write_hash(int fd, const void *h) +{ + ssize_t wr; + + wr =3D write(fd, h, hash_size); + if (wr !=3D hash_size) + err(1, "Failed writing to file"); +} + +static void build_proof(struct mtree *mt, unsigned int n, int fd) +{ + unsigned char cur[EVP_MAX_MD_SIZE]; + unsigned char tmp[EVP_MAX_MD_SIZE]; + struct file_entry *fe, *fe_sib; + + fe =3D &fh_list[n]; + + if ((n & 1) =3D=3D 0) { + /* No pair, hash with itself */ + if (n + 1 =3D=3D num_files) + fe_sib =3D fe; + else + fe_sib =3D &fh_list[n + 1]; + } else { + fe_sib =3D &fh_list[n - 1]; + } + /* First comes the node position into the file */ + write_be_int(fd, n); + + if ((n & 1) =3D=3D 0) + hash_entry(fe->hash, fe_sib->hash, cur); + else + hash_entry(fe_sib->hash, fe->hash, cur); + + /* Next is the sibling hash, followed by hashes in the tree */ + write_hash(fd, fe_sib->hash); + + for (unsigned int i =3D 0; i < mt->levels - 1; i++) { + n >>=3D 1; + if ((n & 1) =3D=3D 0) { + void *h; + + /* No pair, hash with itself */ + if (n + 1 =3D=3D mt->entries[i]) + h =3D cur; + else + h =3D mt->l[i][n + 1].hash; + + hash_entry(cur, h, tmp); + write_hash(fd, h); + } else { + hash_entry(mt->l[i][n - 1].hash, cur, tmp); + write_hash(fd, mt->l[i][n - 1].hash); + } + memcpy(cur, tmp, hash_size); + } + + /* After all that, the end hash should match the root hash */ + if (memcmp(cur, 
mt->l[mt->levels - 1][0].hash, hash_size)) + errx(1, "hash mismatch"); +} + +static void append_module_signature_magic(int fd, unsigned int sig_len) +{ + struct module_signature sig_info =3D { + .id_type =3D PKEY_ID_MERKLE, + .sig_len =3D htonl(sig_len), + }; + + if (write(fd, &sig_info, sizeof(sig_info)) < 0) + err(1, "write(sig_info) failed"); + + if (write(fd, &magic_number, sizeof(magic_number) - 1) < 0) + err(1, "write(magic_number) failed"); +} + +static void write_merkle_root(struct mtree *mt, const char *fp) +{ + char buf[1024]; + unsigned int levels; + unsigned char *h; + FILE *f; + + if (mt) { + levels =3D mt->levels; + h =3D mt->l[mt->levels - 1][0].hash; + } else { + levels =3D 0; + h =3D xcalloc(1, hash_size); + } + + f =3D fopen(fp, "w"); + if (!f) + err(1, "Failed to create %s", buf); + + fprintf(f, "#include \n\n"); + fprintf(f, "const struct module_hashes_root module_hashes_root __module_h= ashes_section =3D {\n"); + + fprintf(f, "\t.levels =3D %u,\n", levels); + fprintf(f, "\t.hash =3D {"); + for (unsigned int i =3D 0; i < hash_size; i++) { + char *space =3D ""; + + if (!(i % 8)) + fprintf(f, "\n\t\t"); + + if ((i + 1) % 8) + space =3D " "; + + fprintf(f, "0x%02x,%s", h[i], space); + } + fprintf(f, "\n\t},"); + + fprintf(f, "\n};\n"); + fclose(f); + + if (!mt) + free(h); +} + +static char *xstrdup_replace_suffix(const char *str, const char *new_suffi= x) +{ + const char *current_suffix; + size_t base_len; + + current_suffix =3D strchr(str, '.'); + if (!current_suffix) + errx(1, "No existing suffix in '%s'", str); + + base_len =3D current_suffix - str; + + return xasprintf("%.*s%s", (int)base_len, str, new_suffix); +} + +static void read_modules_order(const char *fname, const char *suffix) +{ + char line[PATH_MAX]; + FILE *in; + + in =3D fopen(fname, "r"); + if (!in) + err(1, "fopen(%s)", fname); + + while (fgets(line, PATH_MAX, in)) { + struct file_entry *entry; + + fh_list =3D xreallocarray(fh_list, num_files + 1, sizeof(*fh_list)); + entry =3D 
&fh_list[num_files]; + + entry->pos =3D num_files; + entry->name =3D xstrdup_replace_suffix(line, suffix); + hash_file(entry); + + num_files++; + } + + fclose(in); +} + +static __attribute__((noreturn)) +void format(void) +{ + fprintf(stderr, + "Usage: scripts/modules-merkle-tree \n"); + exit(2); +} + +int main(int argc, char *argv[]) +{ + const EVP_MD *hash_evp; + struct mtree *mt; + + if (argc !=3D 3) + format(); + + hash_evp =3D EVP_get_digestbyname("sha256"); + ERR(!hash_evp, "EVP_get_digestbyname"); + + ctx =3D EVP_MD_CTX_new(); + ERR(!ctx, "EVP_MD_CTX_new()"); + + hash_size =3D EVP_MD_get_size(hash_evp); + ERR(hash_size <=3D 0, "EVP_get_digestbyname"); + + if (EVP_DigestInit_ex(ctx, hash_evp, NULL) !=3D 1) + ERR(1, "EVP_DigestInit_ex()"); + + read_modules_order("modules.order", argv[2]); + + mt =3D build_merkle(fh_list, num_files); + write_merkle_root(mt, argv[1]); + for (unsigned int i =3D 0; i < num_files; i++) { + char *signame; + int fd; + + signame =3D xstrdup_replace_suffix(fh_list[i].name, ".merkle"); + + fd =3D open(signame, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fd < 0) + err(1, "Can't create %s", signame); + + build_proof(mt, i, fd); + append_module_signature_magic(fd, lseek(fd, 0, SEEK_CUR)); + close(fd); + } + + free_mtree(mt); + for (unsigned int i =3D 0; i < num_files; i++) + free(fh_list[i].name); + free(fh_list); + + EVP_MD_CTX_free(ctx); + return 0; +} diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index 155959205b8e..60b240e3ef1f 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig 
@@ -1,7 +1,7 @@ config SECURITY_LOCKDOWN_LSM bool "Basic module for enforcing kernel lockdown" depends on SECURITY - depends on !MODULES || MODULE_SIG + depends on !MODULES || MODULE_SIG || MODULE_HASHES help Build support for an LSM that enforces a coarse kernel lockdown behaviour. --=20 2.52.0
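Review bot: in the Documentation/kbuild/reproducible-builds.rst hunk, the added sentence says CONFIG_MODULE_HASHES embeds "a static list of valid modules to load", but the code in this patch links only struct module_hashes_root (a level count and one SHA-256 value) into vmlinux and appends a per-module proof to each .ko. Describe it as embedding the root of a Merkle tree over the modules built with the kernel, and repeat the Kconfig restriction that only modules built together with the main kernel image can be validated this way.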
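Review bot: module_hash_check() in kernel/module/hashes.c returns 0 whether or not the proof verifies; a failed proof is signalled only by info->sig_ok staying false, while a length mismatch returns -ENOPKG. That makes a well-formed but wrong proof look like success to any caller that checks only the return value. Return an error on mismatch (for example -EKEYREJECTED) or add a comment stating that module_integrity_check() relies on sig_ok rather than err here. A short comment that pos needs no range check because hash_data() binds it into the leaf hash would also help the next reader.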
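Review bot: the new pr_err() text in module_integrity_check() in kernel/module/main.c, "module: not signed with signature mechanism", reads as incomplete and no longer says what was expected. With CONFIG_MODULE_HASHES=y and CONFIG_MODULE_SIG=n a PKCS#7-signed module also ends up in this branch, so something like "module: not signed with a supported signature mechanism" would describe both cases.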
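Review bot: build_merkle() in scripts/modules-merkle-tree.c is not safe when modules.order lists exactly one module: log2_roundup(1) calls roundup_pow2(1), which evaluates get_pow2(0) and therefore __builtin_clz(0), whose result is undefined. If that yields levels == 0, the following stores to mt->entries[0] and mt->l[0] go into zero-length allocations. Handle num == 1 explicitly so that levels is 1 and the single leaf is hashed with itself, which is what build_proof() already emits for the last unpaired leaf. Two smaller points in the same file: write_merkle_root() reports an fopen() failure with err(1, "Failed to create %s", buf), where buf is an uninitialised local and fp was meant; and xstrdup_replace_suffix() cuts at the first '.' found by strchr(), so a path with a dot in a directory name is truncated there, and strrchr() would be the safer choice.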
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:29:00 +0100
Subject: [PATCH v4 16/17] kbuild: move handling of module stripping to Makefile.lib
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-16-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh
X-Mailer: b4 0.14.3

To allow CONFIG_MODULE_HASHES in combination with
INSTALL_MOD_STRIP, this logic will also be used by Makefile.modfinal.

Move it to a shared location to enable reuse.

Signed-off-by: Thomas Weißschuh
--- scripts/Makefile.lib | 32 ++++++++++++++++++++++++++++++++ scripts/Makefile.modinst | 37 +++++-------------------------------- 2 files changed, 37 insertions(+), 32 deletions(-) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 28a1c08e3b22..7fcf3c43e408 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -474,6 +474,38 @@ define sed-offsets s:->::; p;}' endef =20 +# +# Module Installation +# +quiet_cmd_install_mod =3D INSTALL $@ + cmd_install_mod =3D cp $< $@ + +# Module Strip +# ------------------------------------------------------------------------= --- +# +# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after t= hey +# are installed. If INSTALL_MOD_STRIP is '1', then the default option +# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be u= sed +# as the options to the strip command. +ifeq ($(INSTALL_MOD_STRIP),1) +mod-strip-option :=3D --strip-debug +else +mod-strip-option :=3D $(INSTALL_MOD_STRIP) +endif + +# Strip +ifdef INSTALL_MOD_STRIP + +quiet_cmd_strip_mod =3D STRIP $@ + cmd_strip_mod =3D $(STRIP) $(mod-strip-option) $@ + +else + +quiet_cmd_strip_mod =3D + cmd_strip_mod =3D : + +endif + # Use filechk to avoid rebuilds when a header changes, but the resulting f= ile # does not define filechk_offsets diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index ba4343b40497..07380c7233a0 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -8,6 +8,7 @@ __modinst: =20 include $(objtree)/include/config/auto.conf include $(srctree)/scripts/Kbuild.include +include $(srctree)/scripts/Makefile.lib =20 install-y :=3D =20
@@ -36,7 +37,7 @@ install-y +=3D $(addprefix $(MODLIB)/, modules.builtin mo= dules.builtin.modinfo) install-$(CONFIG_BUILTIN_MODULE_RANGES) +=3D $(MODLIB)/modules.builtin.ran= ges =20 $(addprefix $(MODLIB)/, modules.builtin modules.builtin.modinfo modules.bu= iltin.ranges): $(MODLIB)/%: % FORCE - $(call cmd,install) + $(call cmd,install_mod) =20 endif =20 @@ -65,40 +66,12 @@ install-$(CONFIG_MODULES) +=3D $(modules) __modinst: $(install-y) @: =20 -# -# Installation -# -quiet_cmd_install =3D INSTALL $@ - cmd_install =3D cp $< $@ - -# Strip -# -# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after t= hey -# are installed. If INSTALL_MOD_STRIP is '1', then the default option -# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be u= sed -# as the options to the strip command. -ifdef INSTALL_MOD_STRIP - ifdef CONFIG_MODULE_HASHES ifeq ($(KBUILD_EXTMOD),) +ifdef INSTALL_MOD_STRIP $(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) endif endif - -ifeq ($(INSTALL_MOD_STRIP),1) -strip-option :=3D --strip-debug -else -strip-option :=3D $(INSTALL_MOD_STRIP) -endif - -quiet_cmd_strip =3D STRIP $@ - cmd_strip =3D $(STRIP) $(strip-option) $@ - -else - -quiet_cmd_strip =3D - cmd_strip =3D : - endif =20 # 
@@ -133,8 +106,8 @@ endif $(foreach dir, $(sort $(dir $(install-y))), $(shell mkdir -p $(dir))) =20 $(dst)/%.ko: %.ko FORCE - $(call cmd,install) - $(call cmd,strip) + $(call cmd,install_mod) + $(call cmd,strip_mod) $(call cmd,sign) =20 ifdef CONFIG_MODULES --=20 2.52.0 From nobody Sat Feb 7 07:12:13 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E83773921DF; Tue, 13 Jan 2026 12:37:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307873; cv=none; b=DTjFljwrcrDWMJ822amGWflm9MtMFwTy5Ijd0xyqhhNqchcxqaVjq8vcaGrRIDdbviEwnKHsURohX9tTBS05t10oGT1kqRX8lxXcIpf6XP13RI4SfyBZblqHlrhNvyqRC6ss9uyX0taAFXsofsi6bKaDcq640z/pqY/SEjYljRQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768307873; c=relaxed/simple; bh=Ws8Eb0NwBaSsIELRvPFLQCi4wI4t0JSg+rOArDpr4jQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=HjOf+Y5245XTTrgtw4f9eWg0iAhuR0JmA0ALGMuygvDMLP+7H8D6VrOFCRy0IMUbd5KfZ66tC+iHOX7yqCVSO6QXc+FRNm9LhGHWkSIPBYxWXsogALvwZnY/zRRA+dNTLx7LFaO0i5YC18enGv+ZXnL9jYy+dpnR+CspE38JQ/M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=O9Xe+RO7; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="O9Xe+RO7" 
From: Thomas Weißschuh
Date: Tue, 13 Jan 2026 13:29:01 +0100
Subject: [PATCH v4 17/17] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260113-module-hashes-v4-17-0b932db9b56b@weissschuh.net>
References: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
In-Reply-To: <20260113-module-hashes-v4-0-0b932db9b56b@weissschuh.net>
To: Nathan Chancellor, Arnd Bergmann, Luis Chamberlain, Petr Pavlu, Sami Tolvanen, Daniel Gomez, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan Corbet, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Nicolas Schier, Daniel Gomez, Aaron Tomlin, "Christophe Leroy (CS GROUP)", Nicolas Schier, Nicolas Bouchinet, Xiu Jianfeng, Nicolas Schier, Christophe Leroy
Cc: Fabian Grünbichler, Arnout Engelen, Mattia Rizzolo, kpcyrd, Christian Heusel, Câju Mihai-Drosi, Sebastian Andrzej Siewior, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, Thomas Weißschuh

CONFIG_MODULE_HASHES needs to process the modules at
build time in the exact form they will be loaded at runtime. If the modules are stripped afterwards they will not be loadable anymore.

Also evaluate INSTALL_MOD_STRIP at build time and build the hashes based on modules stripped this way.

If users specify inconsistent values of INSTALL_MOD_STRIP between build and installation time, an error is reported.

Signed-off-by: Thomas Weißschuh
---
 .gitignore | 1 +
 kernel/module/Kconfig | 5 +++++
 scripts/Makefile.modfinal | 9 +++++++--
 scripts/Makefile.modinst | 4 ++--
 scripts/Makefile.vmlinux | 1 +
 5 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore index 299c54083672..900251c72ade 100644 --- a/.gitignore +++ b/.gitignore @@ -29,6 +29,7 @@ *.gz *.i *.ko +*.ko.stripped *.lex.c *.ll *.lst diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index c00ca830330c..9fd34765ce2c 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -425,6 +425,11 @@ config MODULE_HASHES =20 Also see the warning in MODULE_SIG about stripping modules. =20 +# To validate the consistency of INSTALL_MOD_STRIP for MODULE_HASHES +config MODULE_INSTALL_STRIP + string + default "$(INSTALL_MOD_STRIP)" + config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS bool "Allow loading of modules with missing namespace imports" help diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index 5b8e94170beb..890724edac69 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal 
@@ -63,10 +63,14 @@ ifdef CONFIG_DEBUG_INFO_BTF_MODULES endif +$(call cmd,check_tracepoint) =20 +%.ko.stripped: %.ko $(wildcard include/config/MODULE_INSTALL_STRIP) + $(call cmd,install_mod) + $(call cmd,strip_mod) + quiet_cmd_merkle =3D MERKLE $@ - cmd_merkle =3D $(objtree)/scripts/modules-merkle-tree $@ .ko + cmd_merkle =3D $(objtree)/scripts/modules-merkle-tree $@ $(if $(CONF= IG_MODULE_INSTALL_STRIP),.ko.stripped,.ko) =20 -.tmp_module_hashes.c: $(modules:%.o=3D%.ko) $(objtree)/scripts/modules-mer= kle-tree FORCE +.tmp_module_hashes.c: $(if $(CONFIG_MODULE_INSTALL_STRIP),$(modules:%.o=3D= %.ko.stripped),$(modules:%.o=3D%.ko)) $(objtree)/scripts/modules-merkle-tre= e $(wildcard include/config/MODULE_INSTALL_STRIP) FORCE $(call cmd,merkle) =20 ifdef CONFIG_MODULE_HASHES @@ -75,6 +79,7 @@ endif =20 targets +=3D $(modules:%.o=3D%.ko) $(modules:%.o=3D%.mod.o) .module-common= .o targets +=3D $(modules:%.o=3D%.merkle) .tmp_module_hashes.c +targets +=3D $(modules:%.o=3D%.ko.stripped) =20 # Add FORCE to the prerequisites of a target to force it to be always rebu= ilt. # ------------------------------------------------------------------------= --- diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index 07380c7233a0..45606f994ad9 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -68,8 +68,8 @@ __modinst: $(install-y) =20 ifdef CONFIG_MODULE_HASHES ifeq ($(KBUILD_EXTMOD),) -ifdef INSTALL_MOD_STRIP -$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) +ifneq ($(INSTALL_MOD_STRIP),$(CONFIG_MODULE_INSTALL_STRIP)) +$(error Inconsistent values for INSTALL_MOD_STRIP between build and instal= lation) endif endif endif diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux index f4e38b953b01..4ce849f6253a 100644 --- a/scripts/Makefile.vmlinux +++ b/scripts/Makefile.vmlinux 
@@ -81,6 +81,7 @@ endif ifdef CONFIG_MODULE_HASHES vmlinux.unstripped: $(objtree)/scripts/modules-merkle-tree vmlinux.unstripped: modules.order +vmlinux.unstripped: $(wildcard include/config/MODULE_INSTALL_STRIP) endif =20 # vmlinux --=20 2.52.0
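
Review bot: in the kernel/module/Kconfig hunk, MODULE_INSTALL_STRIP has no "depends on MODULE_HASHES", so the INSTALL_MOD_STRIP value from the build environment is recorded in every configuration, including ones that never build the hashes. The comment above the symbol says it exists only to validate consistency for MODULE_HASHES, and the only consumer of the comparison in scripts/Makefile.modinst sits inside "ifdef CONFIG_MODULE_HASHES", so adding the dependency would scope the symbol to the configurations that use it. The help text just above still points at the MODULE_SIG warning about stripping; a sentence there saying that stripping is supported as long as INSTALL_MOD_STRIP is the same at build and install time would document the new behaviour where users will look for it.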
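
Review bot: in the scripts/Makefile.modfinal hunk, the new "%.ko.stripped" rule invokes "$(call cmd,install_mod)" and "$(call cmd,strip_mod)" directly and has no FORCE prerequisite, yet the same patch adds "$(modules:%.o=%.ko.stripped)" to "targets". The rule is re-run when %.ko or include/config/MODULE_INSTALL_STRIP changes, but not when the strip command line changes for another reason, for example a different $(STRIP). Since the hashes are computed over these files, consider a single combined command run through if_changed with FORCE so that the saved command line is compared on every build, or drop the "targets" addition if that tracking is not wanted. The conditional "$(if $(CONFIG_MODULE_INSTALL_STRIP),...)" is also written out twice on adjacent lines (the suffix passed to modules-merkle-tree and the prerequisite list); a small helper variable for the suffix would keep the two from drifting apart.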
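
Review bot: the scripts/Makefile.modinst hunk checks only that the INSTALL_MOD_STRIP option string matches CONFIG_MODULE_INSTALL_STRIP, while the install rule "$(dst)/%.ko: %.ko FORCE" is left as it was after the previous patch, so the installed module comes from a second install_mod plus strip_mod run on %.ko and not from the %.ko.stripped file that was hashed at build time. Equal options give byte-identical output only if the strip tool itself is the same and deterministic at both times; if it is not, every module installs without error and is then rejected at load time. Installing the already stripped %.ko.stripped when CONFIG_MODULE_INSTALL_STRIP is set would make the hashed bytes and the installed bytes the same file by construction. Separately, the $(error ...) text would be more useful if it printed both values, so the user can see which side differs.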