1. Patchew
  2. linux
  3. View series

[GIT PULL] Modules changes for v7.0-rc1

Sami Tolvanen posted 1 patch 1 day, 2 hours ago 
MAINTAINERS                     |  4 +--
include/linux/module.h          | 18 ++++-------
include/linux/moduleparam.h     |  8 +++--
kernel/module/Kconfig           |  5 ----
kernel/module/decompress.c      | 10 +++----
kernel/module/dups.c            |  4 +--
kernel/params.c                 | 15 ++++------
scripts/gendwarfksyms/dwarf.c   |  4 ++-
scripts/gendwarfksyms/symbols.c |  5 ++--
scripts/sign-file.c             | 66 ++---------------------------------------
10 files changed, 35 insertions(+), 104 deletions(-)
[GIT PULL] Modules changes for v7.0-rc1
Posted by Sami Tolvanen 1 day, 2 hours ago 
The following changes since commit 9448598b22c50c8a5bb77a9103e2d49f134c9578:

  Linux 6.19-rc2 (2025-12-21 15:52:04 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux.git tags/modules-7.0-rc1

for you to fetch changes up to b68758e6f4307179247126b7641fa7ba7109c820:

  modules: moduleparam.h: fix kernel-doc comments (2025-12-22 16:35:54 +0000)

----------------------------------------------------------------
Modules changes for v7.0-rc1

Module signing:

  - Remove SHA-1 support for signing modules. SHA-1 is no longer
    considered secure for signatures due to vulnerabilities that can
    lead to hash collisions. None of the major distributions use
    SHA-1 anymore, and the kernel has defaulted to SHA-512 since
    v6.11. Note that loading SHA-1 signed modules is still supported.

  - Update scripts/sign-file to use only the OpenSSL CMS API for
    signing. As SHA-1 support is gone, we can drop the legacy PKCS#7
    API which was limited to SHA-1. This also cleans up support for
    legacy OpenSSL versions.

Cleanups and fixes:

  - Use system_dfl_wq instead of the per-cpu system_wq following the
    ongoing workqueue API refactoring.

  - Avoid open-coded kvrealloc() in module decompression logic by
    using the standard helper.

  - Improve section annotations by replacing the custom __modinit
    with __init_or_module and removing several unused __INIT*_OR_MODULE
    macros.

  - Fix kernel-doc warnings in include/linux/moduleparam.h.

  - Ensure set_module_sig_enforced is only declared when module
    signing is enabled.

  - Fix gendwarfksyms build failures on 32-bit hosts.

MAINTAINERS:

  - Update the module subsystem entry to reflect the maintainer
    rotation and update the git repository link.

The changes have been soaking in linux-next since -rc2.

Note that like Daniel mentioned in the previous pull request [1], we
rotate maintainership every 6 months, and I will be handling the module
subsystem pull requests for the first half of this year.

Link: https://lore.kernel.org/r/20251203234840.3720-1-da.gomez@kernel.org [1]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

----------------------------------------------------------------
Conflicts:

There's a linux-next conflict with dhowells' keys-next branch. Specifically,
the keys-next commit

  0ad9a71933e73 ("modsign: Enable ML-DSA module signing")

conflicts with

  d7afd65b4acc ("sign-file: Use only the OpenSSL CMS API for signing")

Here's a suggested resolution from Mark Brown, which has been applied to
linux-next:

diff --cc scripts/sign-file.c
index 16f2bf2e1e3c,78276b15ab23..bd269a2bbf26
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@@ -206,10 -228,15 +206,11 @@@ int main(int argc, char **argv
  	bool raw_sig = false;
  	unsigned char buf[4096];
  	unsigned long module_size, sig_size;
 -	unsigned int use_signed_attrs;
++	unsigned int use_signed_attrs = CMS_NOATTR;
  	const EVP_MD *digest_algo;
  	EVP_PKEY *private_key;
 -#ifndef USE_PKCS7
  	CMS_ContentInfo *cms = NULL;
  	unsigned int use_keyid = 0;
 -#else
 -	PKCS7 *pkcs7 = NULL;
 -#endif
  	X509 *x509;
  	BIO *bd, *bm;
  	int opt, n;
@@@ -271,20 -314,49 +272,40 @@@
  		digest_algo = EVP_get_digestbyname(hash_algo);
  		ERR(!digest_algo, "EVP_get_digestbyname");
  
 -#ifndef USE_PKCS7
 -
+ 		unsigned int flags =
+ 			CMS_NOCERTS |
+ 			CMS_PARTIAL |
+ 			CMS_BINARY |
+ 			CMS_DETACHED |
+ 			CMS_STREAM  |
+ 			CMS_NOSMIMECAP |
+ #ifdef CMS_NO_SIGNING_TIME
+ 			CMS_NO_SIGNING_TIME |
+ #endif
+ 			use_keyid;
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
+ 		if (EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
+ 		    EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
+ 		    EVP_PKEY_is_a(private_key, "ML-DSA-87")) {
+ 			 /* ML-DSA + CMS_NOATTR is not supported in openssl-3.5
+ 			  * and before.
+ 			  */
+ 			use_signed_attrs = 0;
+ 		}
+ #endif
+ 
+ 		flags |= use_signed_attrs;
+ 
  		/* Load the signature message from the digest buffer. */
- 		cms = CMS_sign(NULL, NULL, NULL, NULL,
- 			       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
- 			       CMS_DETACHED | CMS_STREAM);
+ 		cms = CMS_sign(NULL, NULL, NULL, NULL, flags);
  		ERR(!cms, "CMS_sign");
  
- 		ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
- 				     CMS_NOCERTS | CMS_BINARY |
- 				     CMS_NOSMIMECAP | CMS_NOATTR |
- 				     use_keyid),
+ 		ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, flags),
  		    "CMS_add1_signer");
- 		ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1,
+ 		ERR(CMS_final(cms, bm, NULL, flags) != 1,
  		    "CMS_final");
  
 -#else
 -		pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
 -				   PKCS7_NOCERTS | PKCS7_BINARY |
 -				   PKCS7_DETACHED | use_signed_attrs);
 -		ERR(!pkcs7, "PKCS7_sign");
 -#endif
 -
  		if (save_sig) {
  			char *sig_file_name;
  			BIO *b;

----------------------------------------------------------------
Coiby Xu (1):
      module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y

Kees Cook (1):
      module/decompress: Avoid open-coded kvrealloc()

Marco Crivellari (1):
      module: replace use of system_wq with system_dfl_wq

Petr Pavlu (4):
      module: Remove unused __INIT*_OR_MODULE macros
      params: Replace __modinit with __init_or_module
      module: Remove SHA-1 support for module signing
      sign-file: Use only the OpenSSL CMS API for signing

Randy Dunlap (1):
      modules: moduleparam.h: fix kernel-doc comments

Sami Tolvanen (2):
      MAINTAINERS: Update module subsystem maintainers and repository
      gendwarfksyms: Fix build on 32-bit hosts

 MAINTAINERS                     |  4 +--
 include/linux/module.h          | 18 ++++-------
 include/linux/moduleparam.h     |  8 +++--
 kernel/module/Kconfig           |  5 ----
 kernel/module/decompress.c      | 10 +++----
 kernel/module/dups.c            |  4 +--
 kernel/params.c                 | 15 ++++------
 scripts/gendwarfksyms/dwarf.c   |  4 ++-
 scripts/gendwarfksyms/symbols.c |  5 ++--
 scripts/sign-file.c             | 66 ++---------------------------------------
 10 files changed, 35 insertions(+), 104 deletions(-)
Re: [GIT PULL] Modules changes for v7.0-rc1
Posted by pr-tracker-bot@kernel.org 26 minutes ago 
The pull request you sent on Mon,  9 Feb 2026 15:55:26 +0000:

> git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux.git tags/modules-7.0-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/a7423e6ea2f8f6f453de79213c26f7a36c86d9a2

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html
Re: [GIT PULL] Modules changes for v7.0-rc1
Posted by pr-tracker-bot@kernel.org 26 minutes ago 
The pull request you sent on Mon,  9 Feb 2026 15:55:26 +0000:

> git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux.git tags/modules-7.0-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/a7423e6ea2f8f6f453de79213c26f7a36c86d9a2

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.