From: Thomas Weißschuh
Date: Mon, 02 Mar 2026 13:42:40 +0100
Subject: [PATCH 4/8] module: Give MODULE_SIG_STRING a more descriptive name
Message-Id: <20260302-module-signature-uapi-v1-4-207d955e0d69@linutronix.de>
In-Reply-To: <20260302-module-signature-uapi-v1-0-207d955e0d69@linutronix.de>
To: David Howells, David Woodhouse, Luis Chamberlain, Petr Pavlu, Daniel Gomez, Sami Tolvanen, Aaron Tomlin, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore, James Morris, "Serge E. Hallyn", Nathan Chancellor, Nicolas Schier, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org, linux-s390@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kbuild@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, Thomas Weißschuh

The purpose of the constant is not entirely clear from its name. As this constant is going to be exposed in a UAPI header, give it a more specific name for clarity. As all its users call it 'marker', use that wording in the constant itself.

Signed-off-by: Thomas Weißschuh
--- arch/s390/kernel/machine_kexec_file.c | 4 ++-- include/linux/module_signature.h | 2 +- kernel/module/signing.c | 4 ++-- security/integrity/ima/ima_modsig.c | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machi= ne_kexec_file.c index 667ee9279e23..6f0852d5a3a9 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c 
@@ -28,7 +28,7 @@ const struct kexec_file_ops * const kexec_file_loaders[] = =3D { #ifdef CONFIG_KEXEC_SIG int s390_verify_sig(const char *kernel, unsigned long kernel_len) { - const unsigned long marker_len =3D sizeof(MODULE_SIG_STRING) - 1; + const unsigned long marker_len =3D sizeof(MODULE_SIGNATURE_MARKER) - 1; struct module_signature *ms; unsigned long sig_len; int ret; @@ -40,7 +40,7 @@ int s390_verify_sig(const char *kernel, unsigned long ker= nel_len) if (marker_len > kernel_len) return -EKEYREJECTED; =20 - if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING, + if (memcmp(kernel + kernel_len - marker_len, MODULE_SIGNATURE_MARKER, marker_len)) return -EKEYREJECTED; kernel_len -=3D marker_len; diff --git a/include/linux/module_signature.h b/include/linux/module_signat= ure.h index c3a05d4cfe67..915549c779dc 100644 --- a/include/linux/module_signature.h +++ b/include/linux/module_signature.h @@ -12,7 +12,7 @@ #include =20 /* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */ -#define MODULE_SIG_STRING "~Module signature appended~\n" +#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n" =20 enum module_signature_type { MODULE_SIGNATURE_TYPE_PKCS7 =3D 2, /* Signature in PKCS#7 message */ diff --git a/kernel/module/signing.c b/kernel/module/signing.c index a2ff4242e623..590ba29c85ab 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -70,7 +70,7 @@ int mod_verify_sig(const void *mod, struct load_info *inf= o) int module_sig_check(struct load_info *info, int flags) { int err =3D -ENODATA; - const unsigned long markerlen =3D sizeof(MODULE_SIG_STRING) - 1; + const unsigned long markerlen =3D sizeof(MODULE_SIGNATURE_MARKER) - 1; const char *reason; const void *mod =3D info->hdr; bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | 
@@ -81,7 +81,7 @@ int module_sig_check(struct load_info *info, int flags) */ if (!mangled_module && info->len > markerlen && - memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) =3D= =3D 0) { + memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerle= n) =3D=3D 0) { /* We truncate the module to discard the signature */ info->len -=3D markerlen; err =3D mod_verify_sig(mod, info); diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/i= ma_modsig.c index 9aa92fd35a03..632c746fd81e 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -40,7 +40,7 @@ struct modsig { int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, struct modsig **modsig) { - const size_t marker_len =3D strlen(MODULE_SIG_STRING); + const size_t marker_len =3D strlen(MODULE_SIGNATURE_MARKER); const struct module_signature *sig; struct modsig *hdr; size_t sig_len; @@ -51,7 +51,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf,= loff_t buf_len, return -ENOENT; =20 p =3D buf + buf_len - marker_len; - if (memcmp(p, MODULE_SIG_STRING, marker_len)) + if (memcmp(p, MODULE_SIGNATURE_MARKER, marker_len)) return -ENOENT; =20 buf_len -=3D marker_len; @@ -105,7 +105,7 @@ void ima_collect_modsig(struct modsig *modsig, const vo= id *buf, loff_t size) * Provide the file contents (minus the appended sig) so that the PKCS7 * code can calculate the file hash. */ - size -=3D modsig->raw_pkcs7_len + strlen(MODULE_SIG_STRING) + + size -=3D modsig->raw_pkcs7_len + strlen(MODULE_SIGNATURE_MARKER) + sizeof(struct module_signature); rc =3D pkcs7_supply_detached_data(modsig->pkcs7_msg, buf, size); if (rc) --=20 2.53.0
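
Review bot: In the include/linux/module_signature.h hunk, the comment above the renamed define only explains why '~' was chosen ("In stripped ARM and x86-64 modules, ~ is surprisingly rare.") and does not document what the constant is. Since the commit message says it is about to be exposed in a UAPI header, this is the place to state that the marker is the final bytes of a signed file, which is how every caller touched by this patch uses it (a memcmp against the last marker_len bytes of the buffer). The old name is also dropped with no alias, so please confirm in the commit message that the four files in the diffstat are the only users of MODULE_SIG_STRING.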
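
Review bot: In the security/integrity/ima/ima_modsig.c hunks the marker length is still taken with strlen(MODULE_SIGNATURE_MARKER), in both ima_read_modsig() and ima_collect_modsig(), while the s390 and kernel/module/signing.c hunks use sizeof(MODULE_SIGNATURE_MARKER) - 1. As these lines are being touched anyway, consider using one idiom for all users, so that the three verifiers agree by construction on how many trailing bytes they compare and strip. If that is meant for a later patch in the series, a sentence in the commit message would help.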