From nobody Fri Apr 10 01:06:04 2026 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 27FD431F9A6; Thu, 5 Mar 2026 07:11:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772694719; cv=none; b=Bq1Vy2S7Xlzcb5UBWgFRMPs/kUCyo/K5R8Db5lcI/JE7wO6QEu2vR+Dn+hd7ji8DEes2MwjlUTiCjedVOvqUmHKm354tPLbxHPdk/4yfWFtWucgKtLXgwaw8CA7da5J11qunPqleTABwLCmsbYrAxsqbHhbGHsz78omEC2J/QpA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772694719; c=relaxed/simple; bh=lm2zdd1A7Pa39t7QGFEXw1w4jepGk8HgTJnI9lzo6So=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=fFGjSkhMx8z1PqVAn8Mut/z7hZQEqSO0mLtg/yIrOI5fAfg/OAeG2RPH2pdG8kxVr7XRZQcwjrBCsJT1OiHX4XJeTZxYx863L8YZoWzN0ogSu7RohMHS9bEkZeCZhWY0a4Nop0PpWP/vDcPwQY5Hp7wCGg6eIeRjBNBkHoC17UU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=hHHWE6qO; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=/cFEwIqn; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="hHHWE6qO"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="/cFEwIqn" From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1772694716; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hyqXPUmQIvIGFxEm9KyWySX9eEIsRTDaevUpvtqQ49Y=; b=hHHWE6qO2w7N9k2PX13Th6Qi8PE6DO7vGYVZiEi+HUQA64mQ1l6Zgrzl8OW+ckOfIolWvK JR/jJWiNNO2pZK4J3056hbMNEsdPf++r0a4wd8GuqnFlAo/vs5TnY5DbgbIzzvvnAk31Bn puoYMT9VPRWr/obxwu1Pz5v04UvTXfEJHh87iLdHY/LupB3YBGbA/g1TNbg+O7Ks0/BFXn +zW6ZnoOCQwL3+LebKThaWmDFaTH+N4jRKM6S1CjPnWiDzvwxlI/Kn90VX/QCWhHbqYktO ZdtGmTxxJXOm9yEtehElvuhHo0ZtRVGG2OfkdVVt3qp38/nbZsAO27z7eI6JXA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1772694716; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hyqXPUmQIvIGFxEm9KyWySX9eEIsRTDaevUpvtqQ49Y=; b=/cFEwIqnaLrgkd67t86VmXnG7wWL/gu7WST9kU69v6XphaEghl99TukQ1egPLlMMNbjqpx 1KLD/OVQbl/sEGCQ== Date: Thu, 05 Mar 2026 08:11:54 +0100 Subject: [PATCH v2 4/8] module: Give MODULE_SIG_STRING a more descriptive name Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260305-module-signature-uapi-v2-4-dc4d81129dee@linutronix.de> References: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de> In-Reply-To: <20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de> To: David Howells , David Woodhouse , Luis Chamberlain , Petr Pavlu , Daniel Gomez , Sami Tolvanen , Aaron Tomlin , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Paul Moore , James Morris , "Serge E. Hallyn" , Nathan Chancellor , Nicolas Schier , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Shuah Khan Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org, linux-s390@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kbuild@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Developer-Signature: v=1; a=ed25519-sha256; t=1772694712; l=4511; i=thomas.weissschuh@linutronix.de; s=20240209; h=from:subject:message-id; bh=lm2zdd1A7Pa39t7QGFEXw1w4jepGk8HgTJnI9lzo6So=; b=2YPpLLNIpoQvw0pSfhqynlGKSojRdOXRsSsl90BiLQ7EJcAIBlo4aeonDyKMETIJ/aPwbIemf o2LhQRzDkUOC/dujkPs70nt4vSFiffC85r3k1tff1MRXPH/QG5puN2r X-Developer-Key: i=thomas.weissschuh@linutronix.de; a=ed25519; pk=pfvxvpFUDJV2h2nY0FidLUml22uGLSjByFbM6aqQQws= The purpose of the constant it is not entirely clear from its name. As this constant is going to be exposed in a UAPI header, give it a more specific name for clarity. As all its users call it 'marker', use that wording in the constant itself. Signed-off-by: Thomas Wei=C3=9Fschuh Reviewed-by: Petr Pavlu --- arch/s390/kernel/machine_kexec_file.c | 4 ++-- include/linux/module_signature.h | 2 +- kernel/module/signing.c | 4 ++-- security/integrity/ima/ima_modsig.c | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machi= ne_kexec_file.c index 667ee9279e23..6f0852d5a3a9 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -28,7 +28,7 @@ const struct kexec_file_ops * const kexec_file_loaders[] = =3D { #ifdef CONFIG_KEXEC_SIG int s390_verify_sig(const char *kernel, unsigned long kernel_len) { - const unsigned long marker_len =3D sizeof(MODULE_SIG_STRING) - 1; + const unsigned long marker_len =3D sizeof(MODULE_SIGNATURE_MARKER) - 1; struct module_signature *ms; unsigned long sig_len; int ret; @@ -40,7 +40,7 @@ int s390_verify_sig(const char *kernel, unsigned long ker= nel_len) if (marker_len > kernel_len) return -EKEYREJECTED; =20 - if (memcmp(kernel + kernel_len - marker_len, MODULE_SIG_STRING, + if (memcmp(kernel + kernel_len - marker_len, MODULE_SIGNATURE_MARKER, marker_len)) return -EKEYREJECTED; kernel_len -=3D marker_len; diff --git a/include/linux/module_signature.h b/include/linux/module_signat= ure.h index c3a05d4cfe67..915549c779dc 100644 --- a/include/linux/module_signature.h +++ b/include/linux/module_signature.h @@ -12,7 +12,7 @@ #include =20 /* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */ -#define MODULE_SIG_STRING "~Module signature appended~\n" +#define MODULE_SIGNATURE_MARKER "~Module signature appended~\n" =20 enum module_signature_type { MODULE_SIGNATURE_TYPE_PKCS7 =3D 2, /* Signature in PKCS#7 message */ diff --git a/kernel/module/signing.c b/kernel/module/signing.c index a2ff4242e623..590ba29c85ab 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -70,7 +70,7 @@ int mod_verify_sig(const void *mod, struct load_info *inf= o) int module_sig_check(struct load_info *info, int flags) { int err =3D -ENODATA; - const unsigned long markerlen =3D sizeof(MODULE_SIG_STRING) - 1; + const unsigned long markerlen =3D sizeof(MODULE_SIGNATURE_MARKER) - 1; const char *reason; const void *mod =3D info->hdr; bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | @@ -81,7 +81,7 @@ int module_sig_check(struct load_info *info, int flags) */ if (!mangled_module && info->len > markerlen && - memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) =3D= =3D 0) { + memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerle= n) =3D=3D 0) { /* We truncate the module to discard the signature */ info->len -=3D markerlen; err =3D mod_verify_sig(mod, info); diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/i= ma_modsig.c index 9aa92fd35a03..632c746fd81e 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -40,7 +40,7 @@ struct modsig { int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, struct modsig **modsig) { - const size_t marker_len =3D strlen(MODULE_SIG_STRING); + const size_t marker_len =3D strlen(MODULE_SIGNATURE_MARKER); const struct module_signature *sig; struct modsig *hdr; size_t sig_len; @@ -51,7 +51,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf,= loff_t buf_len, return -ENOENT; =20 p =3D buf + buf_len - marker_len; - if (memcmp(p, MODULE_SIG_STRING, marker_len)) + if (memcmp(p, MODULE_SIGNATURE_MARKER, marker_len)) return -ENOENT; =20 buf_len -=3D marker_len; @@ -105,7 +105,7 @@ void ima_collect_modsig(struct modsig *modsig, const vo= id *buf, loff_t size) * Provide the file contents (minus the appended sig) so that the PKCS7 * code can calculate the file hash. */ - size -=3D modsig->raw_pkcs7_len + strlen(MODULE_SIG_STRING) + + size -=3D modsig->raw_pkcs7_len + strlen(MODULE_SIGNATURE_MARKER) + sizeof(struct module_signature); rc =3D pkcs7_supply_detached_data(modsig->pkcs7_msg, buf, size); if (rc) --=20 2.53.0