[v3] module: Move 'struct module_signature' to UAPI

[PATCH v3 0/8] module: Move 'struct module_signature' to UAPI

Posted by Thomas Weißschuh 1 month ago

This structure definition is used outside the kernel proper.
For example in kmod and the kernel build environment.

To allow reuse, move it to a new UAPI header.

While it is not a true UAPI, it is a common practice to have
non-UAPI interface definitions in the kernel's UAPI headers.

This came up as part of my CONFIG_MODULE_HASHES series [0].
But it is useful on its own and so we get it out of the way.

[0] https://lore.kernel.org/lkml/aZ3OfJJSJgfOb0rJ@levanger/

Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
Changes in v3:
- Also adapt the include path for the custom sign-file rule in the bpf selftests.
  (My manual run of BPF CI still fails, due to an BUG() on s390,
  I don't see how this is due to this patch)
- Link to v2: https://lore.kernel.org/r/20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de

Changes in v2:
- Drop spurious definition of MODULE_SIGNATURE_TYPE_MERKLE.
- s/modules/module/ in two patch subjects.
- Pick up review tags.
- Link to v1: https://lore.kernel.org/r/20260302-module-signature-uapi-v1-0-207d955e0d69@linutronix.de

---
Thomas Weißschuh (8):
      extract-cert: drop unused definition of PKEY_ID_PKCS7
      module: Drop unused signature types
      module: Give 'enum pkey_id_type' a more specific name
      module: Give MODULE_SIG_STRING a more descriptive name
      module: Move 'struct module_signature' to UAPI
      tools uapi headers: add linux/module_signature.h
      sign-file: use 'struct module_signature' from the UAPI headers
      selftests/bpf: verify_pkcs7_sig: Use 'struct module_signature' from the UAPI headers

 arch/s390/kernel/machine_kexec_file.c              |  6 ++--
 certs/extract-cert.c                               |  2 --
 include/linux/module_signature.h                   | 30 +---------------
 include/uapi/linux/module_signature.h              | 41 ++++++++++++++++++++++
 kernel/module/signing.c                            |  4 +--
 kernel/module_signature.c                          |  2 +-
 scripts/Makefile                                   |  1 +
 scripts/sign-file.c                                | 19 +++-------
 security/integrity/ima/ima_modsig.c                |  6 ++--
 tools/include/uapi/linux/module_signature.h        | 41 ++++++++++++++++++++++
 tools/testing/selftests/bpf/Makefile               |  1 +
 .../selftests/bpf/prog_tests/verify_pkcs7_sig.c    | 28 ++-------------
 12 files changed, 101 insertions(+), 80 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260302-module-signature-uapi-61fa80b1e2bb

Best regards,
-- 
Thomas Weißschuh <thomas.weissschuh@linutronix.de>

Re: [PATCH v3 0/8] module: Move 'struct module_signature' to UAPI

Posted by Sami Tolvanen 2 weeks ago

On Thu, 05 Mar 2026 10:31:36 +0100, Thomas Weißschuh wrote:
> This structure definition is used outside the kernel proper.
> For example in kmod and the kernel build environment.
> 
> To allow reuse, move it to a new UAPI header.
> 
> While it is not a true UAPI, it is a common practice to have
> non-UAPI interface definitions in the kernel's UAPI headers.
> 
> [...]

Applied to modules-next, thanks!

[1/8] extract-cert: drop unused definition of PKEY_ID_PKCS7
      commit: 137676d4482d8b8d755890b4ed29fe8223661d20
[2/8] module: Drop unused signature types
      commit: 8988913aacee82e5401bf3b96839731982dcbde7
[3/8] module: Give 'enum pkey_id_type' a more specific name
      commit: acd87264af525dba6e9355310e8acdf066a5f6b5
[4/8] module: Give MODULE_SIG_STRING a more descriptive name
      commit: 2ae4ea2d9aaf25cb74fbc23450b1b8f0a5b7aa89
[5/8] module: Move 'struct module_signature' to UAPI
      commit: f9909cf0a2dcc9e99377f3fcc965ccd93e518e34
[6/8] tools uapi headers: add linux/module_signature.h
      commit: d2d7561dc656748f592cc34d34bf5db8d5c67f7b
[7/8] sign-file: use 'struct module_signature' from the UAPI headers
      commit: e340db306c3bb85877490f33a78eb80549ac43a7
[8/8] selftests/bpf: verify_pkcs7_sig: Use 'struct module_signature' from the UAPI headers
      commit: 55722b3f80377103bac6ac748554129108c75651

Best regards,

	Sami

Re: [PATCH v3 0/8] module: Move 'struct module_signature' to UAPI

Posted by Nicolas Schier 2 weeks, 6 days ago

On Thu, Mar 05, 2026 at 10:31:36AM +0100, Thomas Weißschuh wrote:
> This structure definition is used outside the kernel proper.
> For example in kmod and the kernel build environment.
> 
> To allow reuse, move it to a new UAPI header.
> 
> While it is not a true UAPI, it is a common practice to have
> non-UAPI interface definitions in the kernel's UAPI headers.
> 
> This came up as part of my CONFIG_MODULE_HASHES series [0].
> But it is useful on its own and so we get it out of the way.
> 
> [0] https://lore.kernel.org/lkml/aZ3OfJJSJgfOb0rJ@levanger/
> 
> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
> ---
> Changes in v3:
> - Also adapt the include path for the custom sign-file rule in the bpf selftests.
>   (My manual run of BPF CI still fails, due to an BUG() on s390,
>   I don't see how this is due to this patch)
> - Link to v2: https://lore.kernel.org/r/20260305-module-signature-uapi-v2-0-dc4d81129dee@linutronix.de
> 
> Changes in v2:
> - Drop spurious definition of MODULE_SIGNATURE_TYPE_MERKLE.
> - s/modules/module/ in two patch subjects.
> - Pick up review tags.
> - Link to v1: https://lore.kernel.org/r/20260302-module-signature-uapi-v1-0-207d955e0d69@linutronix.de
> 
> ---
> Thomas Weißschuh (8):
>       extract-cert: drop unused definition of PKEY_ID_PKCS7
>       module: Drop unused signature types
>       module: Give 'enum pkey_id_type' a more specific name
>       module: Give MODULE_SIG_STRING a more descriptive name
>       module: Move 'struct module_signature' to UAPI
>       tools uapi headers: add linux/module_signature.h
>       sign-file: use 'struct module_signature' from the UAPI headers
>       selftests/bpf: verify_pkcs7_sig: Use 'struct module_signature' from the UAPI headers
> 
>  arch/s390/kernel/machine_kexec_file.c              |  6 ++--
>  certs/extract-cert.c                               |  2 --
>  include/linux/module_signature.h                   | 30 +---------------
>  include/uapi/linux/module_signature.h              | 41 ++++++++++++++++++++++
>  kernel/module/signing.c                            |  4 +--
>  kernel/module_signature.c                          |  2 +-
>  scripts/Makefile                                   |  1 +
>  scripts/sign-file.c                                | 19 +++-------
>  security/integrity/ima/ima_modsig.c                |  6 ++--
>  tools/include/uapi/linux/module_signature.h        | 41 ++++++++++++++++++++++
>  tools/testing/selftests/bpf/Makefile               |  1 +
>  .../selftests/bpf/prog_tests/verify_pkcs7_sig.c    | 28 ++-------------
>  12 files changed, 101 insertions(+), 80 deletions(-)
> ---
> base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
> change-id: 20260302-module-signature-uapi-61fa80b1e2bb
> 

Thanks for these patches!

For the whole series:

Reviewed-by: Nicolas Schier <nsc@kernel.org>

-- 
Nicolas