From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63FE43DDDB2; Tue, 5 May 2026 09:05:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971936; cv=none; b=cLLmS9TgjHAy/vtpAh+sdwi4JylHK9k6n9ZYitTVIptAZE18JTn6Mey/t0jdAZtVi4S6ButsfVFsjbgkvwwUezmL8CDKxnuI5sIA7jH7xDCUDsZz96hUC+YjGrx9jerHG/z0HktUpLFD+vGKx3WcJ+Gr1tFWzVPs+0ZIPSJczUM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971936; c=relaxed/simple; bh=vw8mmyBT43HvPMolq0TpHePOUuR7RTOx6Ud0LgA5MD4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ZEEOA/RVuxyU2DbHy4qQ70vcyUUckTXwtEB82EGr2woyk2B9od7MK+3X/MzsZJV4Yt5/y0Gcl2IFayry5oERbQ+8Oa3a+uPMFrbm9US/K3UdfnuFnD1kKOQUzJnS8G73Ec+DyGdUokjeP10wvIwV2uvb6/EGn0nJwKxprwyf+PU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=l1HQpg72; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="l1HQpg72" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971922; bh=vw8mmyBT43HvPMolq0TpHePOUuR7RTOx6Ud0LgA5MD4=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=l1HQpg727ayyAew6zE/8+4KeSD9/eY176fqNOl8FGSd4QoDzY74lG9Zoama5m7BhX 5EtXnyLwL1UVaosAa/7pPCSfFDE1zsNRTeOdiXhXg+IHBcSwltBhO7xw0NiiW59OkQ lXncKpkeqmo/DBlCAVoem3iKRfqI7XoOEL7pTwyk= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:05 +0200 Subject: [PATCH v5 01/14] kbuild: generate module BTF based on vmlinux.unstripped Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-1-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=2327; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=vw8mmyBT43HvPMolq0TpHePOUuR7RTOx6Ud0LgA5MD4=; b=uljsY9SHiTroukbScuvpJIHxWmUOPKF1Li5N+qi4PForcgFzxPQa9CcWjxWCEGeyur3gDIlFc Z0W8p94VZLqAoErAJy3AInjAguaLaf4rBiEebO3HJ/wS/1lChYp5oMo X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= The upcoming module hashes functionality will build the modules in between the generation of the BTF data and the final link of vmlinux. At this point vmlinux is not yet built and therefore can't be used for module BTF generation. vmlinux.unstripped however is usable and sufficient for BTF generation. Signed-off-by: Thomas Wei=C3=9Fschuh Reviewed-by: Nicolas Schier --- scripts/Makefile.modfinal | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index adcbcde16a07..b09040ccddd2 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal @@ -38,12 +38,14 @@ quiet_cmd_ld_ko_o =3D LD [M] $@ $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \ -T $(objtree)/scripts/module.lds -o $@ $(filter %.o, $^) =20 +btf-vmlinux :=3D $(if $(KBUILD_EXTMOD),vmlinux,vmlinux.unstripped) + quiet_cmd_btf_ko =3D BTF [M] $@ cmd_btf_ko =3D \ - if [ ! -f $(objtree)/vmlinux ]; then \ - printf "Skipping BTF generation for %s due to unavailability of vmlinux\= n" $@ 1>&2; \ + if [ ! -f $(objtree)/$(btf-vmlinux) ]; then \ + printf "Skipping BTF generation for %s due to unavailability of $(btf-vm= linux)\n" $@ 1>&2; \ else \ - $(CONFIG_SHELL) $(srctree)/scripts/gen-btf.sh --btf_base $(objtree)/vmli= nux $@; \ + $(CONFIG_SHELL) $(srctree)/scripts/gen-btf.sh --btf_base $(objtree)/$(bt= f-vmlinux) $@; \ fi; =20 # Same as newer-prereqs, but allows to exclude specified extra dependencies @@ -55,8 +57,8 @@ if_changed_except =3D $(if $(call newer_prereqs_except,$(= 2))$(cmd-check), \ printf '%s\n' 'savedcmd_$@ :=3D $(make-cmd)' > $(dot-target).cmd, @:) =20 # Re-generate module BTFs if either module's .ko or vmlinux changed -%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(C= ONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/vmlinux) FORCE - +$(call if_changed_except,ld_ko_o,$(objtree)/vmlinux) +%.ko: %.o %.mod.o .module-common.o $(objtree)/scripts/module.lds $(and $(C= ONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),$(objtree)/$(btf-vmlinux)) = FORCE + +$(call if_changed_except,ld_ko_o,$(objtree)/$(btf-vmlinux)) ifdef CONFIG_DEBUG_INFO_BTF_MODULES +$(if $(newer-prereqs),$(call cmd,btf_ko)) endif --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D17673F23AB; Tue, 5 May 2026 09:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; cv=none; b=lJymORWA76gYuoUWSBzZQvpwN+m6XfPxNPqX9fl/6pwHPCHiieuywTn7CrqkL6w5JlefTTVGBw8E5xAY/CmwIWAMVFfv+2ObULbyD0kVxjWaw0T1pu0kR53vGMwwL2n0MiMFr4nJLOIqJYYmArhQMkJR/M5LFaDNp2vqtfmWhLU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; c=relaxed/simple; bh=1JdBqz41kTdRxXQtXD0WlucfGsBSnYlrVmslcdqa4/k=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=hQrZ6OnsipCLAiUfffRi5xTokgobi+8TRhd3RffoTSbZqorPocTAqNjNi0L4yGRY62dA99uOuwVfqedrOaB22K4JL6MQTuN3VJyzR3T9ujcy4P32RNqW1C8xBvOFeFVfPFiZUZY3a6AdU0fr0UbbHxtkLpZ1IG+fenlp6kj1lzM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=hceqxvCT; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="hceqxvCT" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971922; bh=1JdBqz41kTdRxXQtXD0WlucfGsBSnYlrVmslcdqa4/k=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=hceqxvCTo7KzWPy3qLEp6+Bf8ZLZsXvy9Zdi17IfdrJ0f7TtrU2P7gxEPnWLeumex YcmnSqR2uXoMuRhMxwSZ/jHMOlGhFAqnIGNWeOcXQN9fmNIASNprFED4nuw7rfhNxz xPFd59w5ZXs8KO9qdxlAksPv3su3ooAfWyNHfXFo= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:06 +0200 Subject: [PATCH v5 02/14] lockdown: Make the relationship to MODULE_SIG a dependency Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-2-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=908; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=1JdBqz41kTdRxXQtXD0WlucfGsBSnYlrVmslcdqa4/k=; b=6atGlLLix4ALQ4Bm6XKscxGhFEfh5z+AYZle3axHq87vuO7rZdULGTT3XcROp3hep0FNMg2ml BENbqsRYpM3AKU121Q88x4JPeqLslbXSclc7rRA4Sctqz9h73F4bHRn X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= The new hash-based module integrity checking will also be able to satisfy the requirements of lockdown. Such an alternative is not representable with "select", so use "depends on" instead. Acked-by: Paul Moore Reviewed-by: Nicolas Schier Signed-off-by: Thomas Wei=C3=9Fschuh --- security/lockdown/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index e84ddf484010..155959205b8e 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig @@ -1,7 +1,7 @@ config SECURITY_LOCKDOWN_LSM bool "Basic module for enforcing kernel lockdown" depends on SECURITY - select MODULE_SIG if MODULES + depends on !MODULES || MODULE_SIG help Build support for an LSM that enforces a coarse kernel lockdown behaviour. --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06EB030E82C; Tue, 5 May 2026 09:05:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971936; cv=none; b=KA9cefpWX/JmAWAUaUNoOyz5bpifuTjrEfyHZetNgAx6BNWwa7Hi/ZSMHTaAG14oKWdvyfEoyV+dLtzUdtYy/T4Xj/yV+rNSsp/MZmpRGUoRJjZQs40GF7je+s1N3jd9UoYkZp60e2UVnSq+Tvbb+2BWpox45Q/LbajhfGvX2Wg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971936; c=relaxed/simple; bh=urNb3wCpvLUEWBOX/KRz/AvKSgOExMhmzt3qzgx4rLs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=q94nE2CJMCykccrAWxQIaSLJmTVrK6HXH9gd99hSpRSlnd1R6DHQ0d1MxEfIJQQx2e/X3ccEKJ1TYTGI58Y8dV203NsvR234OdtMaatbi2bkjjL/yq1FqmkJfZSwpGy3SjSZbeplYzM+j4hG5FTGghdUaqnQA67YhGQuuSXtG6I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=KeHzGoIR; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="KeHzGoIR" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971922; bh=urNb3wCpvLUEWBOX/KRz/AvKSgOExMhmzt3qzgx4rLs=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=KeHzGoIRklkebRwSn23SbznclRtjezjvd5d7dG6KMuDXtXD0JgHO4jI11/IEp/6TT tj1bQriT3fPSO7EMQEFkPRv7qxmuo5y+6DIKg5nGmOTkh47yk8cRSGSNjbO58uIARW aQQQ8rdk48+qNmbOyW6+LhDqdsqh1R62+FcknhqA= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:07 +0200 Subject: [PATCH v5 03/14] kbuild: rename the strip_relocs command Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-3-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=1526; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=urNb3wCpvLUEWBOX/KRz/AvKSgOExMhmzt3qzgx4rLs=; b=zO4+a83ARZh91UdHs8c/zFFH5RWsYxSMyvtjjkwAZh87tyFNn/XXyYS4Ur+mm7rbCt/arjCT/ XQJfLzxEaBjBWLAWIx91HgeLuKwV16KxbtUDUGkyZZG34V7Riun6CDM X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= This command is doing more than just stripping relocations. With the introduction of CONFIG_MODULE_HASHES it will do even more. Use a more generic name for the variable. Signed-off-by: Thomas Wei=C3=9Fschuh --- scripts/Makefile.vmlinux | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux index fcae1e432d9a..6cc661e5292b 100644 --- a/scripts/Makefile.vmlinux +++ b/scripts/Makefile.vmlinux @@ -91,13 +91,13 @@ remove-symbols :=3D -w --strip-unneeded-symbol=3D'__mod= _device_table__*' =20 # To avoid warnings: "empty loadable segment detected at ..." from GNU obj= copy, # it is necessary to remove the PT_LOAD flag from the segment. -quiet_cmd_strip_relocs =3D OBJCOPY $@ - cmd_strip_relocs =3D $(OBJCOPY) $(patsubst %,--set-section-flags %= =3Dnoload,$(remove-section-y)) $< $@; \ - $(OBJCOPY) $(addprefix --remove-section=3D,$(remo= ve-section-y)) $(remove-symbols) $@ +quiet_cmd_objcopy_vmlinux =3D OBJCOPY $@ + cmd_objcopy_vmlinux =3D $(OBJCOPY) $(patsubst %,--set-section-flags = %=3Dnoload,$(remove-section-y)) $< $@; \ + $(OBJCOPY) $(addprefix --remove-section=3D,$(r= emove-section-y)) $(remove-symbols) $@ =20 targets +=3D vmlinux vmlinux: vmlinux.unstripped FORCE - $(call if_changed,strip_relocs) + $(call if_changed,objcopy_vmlinux) =20 # modules.builtin.modinfo # ------------------------------------------------------------------------= --- --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D152E3F23A2; Tue, 5 May 2026 09:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; cv=none; b=ffvDxKeLPL2fmdZQX7+GG6W/CnZaUAwtL5LjlCqlkbpRIl7DL03AQYsajNmfcX3n5mZYm9I3GHPF4fmsbq9HNfcTlTjSowc1hhNKtVyNoNEGuK/EKPCm+ncw/wvY77euulvJ8IUdaYqbv2Gx0IZY+6PirJodVqqm0OW0N2p+ejY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; c=relaxed/simple; bh=XIA5YFBwc6Ej9VZmFF9JGp6ZBIHakQDs8PjcS5hpne4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=qnr9kF+Uc6uKI8CESSNsreVtad7VNfKspHv3gy13BPa0/LW78gtAGzIwMmHNlKiSF53Pnjn4sQ/yZH0PobsMbst/EzuEP9bOC1A+kV1aHltprgck40UwElqZ8bM7bvmQE35d39r+/N2NhvCBwclkF8zIkrqoJj6sLrDxaK0DvO4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=ONiJCd1X; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="ONiJCd1X" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971922; bh=XIA5YFBwc6Ej9VZmFF9JGp6ZBIHakQDs8PjcS5hpne4=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=ONiJCd1Xjufi3qfX4PXYJk52Ans3Ce5JZoXSHJpZRM9GcvQ4b9Mv9AZkVK3SSkBDb uU34oNf0ltXz9UDGVNxNmTfz5eGAMR8ag9Kkbs+QXSzZwgehn2cJbjY0WL19iK1chP f9RRPhi1y40plE2CjJKV+XStQYmpjxANqKYPwWBQ= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:08 +0200 Subject: [PATCH v5 04/14] module: Drop pointless debugging message Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-4-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=660; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=XIA5YFBwc6Ej9VZmFF9JGp6ZBIHakQDs8PjcS5hpne4=; b=Ee+VM+f9ivEIue9ulRLTnR7A7RxGy6esDrOUiYWXgYjcohrPW0vgCLL+otaNguQ4yU33rNoC0 E/xUSCAFfC8Dq68rIFE+RjjVdNuj1MSQsJK7czkKKBhaEAT8wIUs2W8 X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= This is the only instance of pr_devel() in the whole module subsystem and essentially useless. Drop it. Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/signing.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 590ba29c85ab..4a5e4eef250d 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -46,8 +46,6 @@ int mod_verify_sig(const void *mod, struct load_info *inf= o) size_t sig_len, modlen =3D info->len; int ret; =20 - pr_devel("=3D=3D>%s(,%zu)\n", __func__, modlen); - if (modlen <=3D sizeof(ms)) return -EBADMSG; =20 --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D287A3F23AC; Tue, 5 May 2026 09:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; cv=none; b=J6MqegxN8j8Rmhz6fKyHHufbfiKepKrlNEHcftpafD1uR7aCtwAnxE3BAk6SOWu1n9TAZ3OKkxuabgRRPUaqzpbDgOVVadv69PJ5Znvg/sUNixmqLawqO/qHo6K1w0o784RGja7Y1LbokFkoxmQ83W5b7i0YZ40kbK6E6c2HnwU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; c=relaxed/simple; bh=QGuEjahQSX5KIR3mv9uZyKkgUGxQh5zTTSgnqh/jiis=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=W++OowcSZUHbL1lw8VJlgFOPCXjl2Mfpu9x7GKuvRORTaFqCnOywFDMm6n5G/+ViLFG9hzqzDMHcGvM3L5JIoDLSfL9uOp1qkBkEqdYUxeKT3ksRI9YKcqOIXnnRPJLvgANQR0U48rghIZQPGx7SA+0alhzJak5POIxzjS5zwAA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=g4Fknziw; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="g4Fknziw" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971923; bh=QGuEjahQSX5KIR3mv9uZyKkgUGxQh5zTTSgnqh/jiis=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=g4Fknziwd96fLN+TTNQAV/fMHOhd/dIN0idNYLfwkjvob2sS26e2GZhdQjmJKGBg2 1Wuj9kttFMh09utr0/SaRmtgS+EoGk8Ji0s7efvwWTViHA7Eic1XoFHkeNankvLZGH d2Dvf/IQdZzsPGC4AF+nGave4W25BM2Rl2cxHXow= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:09 +0200 Subject: [PATCH v5 05/14] module: Make mod_verify_sig() static Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-5-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=1372; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=QGuEjahQSX5KIR3mv9uZyKkgUGxQh5zTTSgnqh/jiis=; b=YPbhooCs8Z4p5xzEA8Bou2VKPPahpzMZhKoMk8D4SPl0woEZ2hjUdTCq/NfLfVDVlfTISZ3Ax 2PKz7Hagg7xC31UJ4xI2NezkX4xUOqNSMisfL91GfGeptv87RApuP5L X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= It is not used outside of signing.c. Signed-off-by: Thomas Wei=C3=9Fschuh Reviewed-by: Aaron Tomlin Reviewed-by: Nicolas Schier Reviewed-by: Eric Biggers --- kernel/module/internal.h | 1 - kernel/module/signing.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 061161cc79d9..071999743341 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -117,7 +117,6 @@ struct module_use { struct module *source, *target; }; =20 -int mod_verify_sig(const void *mod, struct load_info *info); int try_to_force_load(struct module *mod, const char *reason); bool find_symbol(struct find_symbol_arg *fsa); struct module *find_module_all(const char *name, size_t len, bool even_unf= ormed); diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 4a5e4eef250d..69d4b1758540 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -40,7 +40,7 @@ void set_module_sig_enforced(void) /* * Verify the signature on a module. */ -int mod_verify_sig(const void *mod, struct load_info *info) +static int mod_verify_sig(const void *mod, struct load_info *info) { struct module_signature ms; size_t sig_len, modlen =3D info->len; --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 975183F54B4; Tue, 5 May 2026 09:05:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; cv=none; b=Fg7BbY92plYF8YvEuj5eNm6rwUovd1N0aqpkMj5nkYVYW+8HxM2IiK/Tvf05RcPL/6TUhirrqC0E+Y3NiUsuRDNciVGMCf5meBO+/18s6HTXiVkuVAjkl9uXksjveWUarD49/5BhY2U3ZmSiQ+MvoojeXCOis9/fIgMbRyoj1/g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; c=relaxed/simple; bh=iI+v2zM5qx20jDnDNLqjiaP4ZCALKgVYw8ssU51phr8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=HppMHtLByaBdw0rnciLsLoyrkXBvhQiW0KeQQQ6Rwpi//zUsTkDlc9mwwP5DsFZb3s79unR7qMSBwdtqz//U2AJ0Vt07m/l7sj8Nw4kAvO/RWTXSZ6cNNDcoSZeTC0uCfhbLClZ5gmJwfRYEEErhDMS7rmQTKBTIbX+hFEjHeNI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=FOhks3pk; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="FOhks3pk" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971923; bh=iI+v2zM5qx20jDnDNLqjiaP4ZCALKgVYw8ssU51phr8=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=FOhks3pkSuAan068u2UrzFyi9JQsEDgIjv34ZSsFVHJqVSf+M9lMkHDLbcwRwXefN Kr4mPvuQzzcb89VMnTHnol7YQJlmZ5JPIrnRSymUvGG61NYOoRb0UE6homXaCCq5YY nSuxvKf2aVU1eaBfgL7NkhG2PzPNeJuB2f42nHeI= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:10 +0200 Subject: [PATCH v5 06/14] module: Switch load_info::len to size_t Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-6-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=1545; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=iI+v2zM5qx20jDnDNLqjiaP4ZCALKgVYw8ssU51phr8=; b=nKBC+C6HVlaqqDqx1TU0YJ08KliDEuzosprDqqk3GExyuaX84HA5wt2KjHAaFNjSCBBzGKVKB tB2qsXnAO4LCSyyikeSwSVZHyHpzisots6OnVJBH4YtPeVK30OntV0b X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= Switching the types will make some later changes cleaner. size_t is also the semantically correct type for this field. As both 'size_t' and 'unsigned long' are always the same size, this should be risk-free. Reviewed-by: Nicolas Schier Acked-by: Nicolas Schier Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/internal.h | 2 +- kernel/module/main.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 071999743341..006ada7d4e6e 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -64,7 +64,7 @@ struct load_info { /* pointer to module in temporary copy, freed at end of load_module() */ struct module *mod; Elf_Ehdr *hdr; - unsigned long len; + size_t len; Elf_Shdr *sechdrs; char *secstrings, *strtab; unsigned long symoffs, stroffs, init_typeoffs, core_typeoffs; diff --git a/kernel/module/main.c b/kernel/module/main.c index 46dd8d25a605..17a352198016 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -1898,7 +1898,7 @@ static int validate_section_offset(const struct load_= info *info, Elf_Shdr *shdr) static int elf_validity_ehdr(const struct load_info *info) { if (info->len < sizeof(*(info->hdr))) { - pr_err("Invalid ELF header len %lu\n", info->len); + pr_err("Invalid ELF header len %zu\n", info->len); return -ENOEXEC; } if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) !=3D 0) { --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DBE703F23B4; Tue, 5 May 2026 09:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; cv=none; b=B+wSO26bwtubBje75MRT1+ouMSa5GqQUACLSd8gzq5jSkq1SBXtFwBoCCtjI5GVnbQK87174KfomXjpzyOVG4OH+0ujIRPFu9ugH1m0/VwrQblZy0EAI0pY/7kJiU2yAon0zZy8KwrzQNgC9nMwrVRi1DWwlGHX8wB0d8i4U8uY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; c=relaxed/simple; bh=Z6oGRNNDPv7HY7Jwe2K5yTNZdEqWzrdbU1BcgGO8c9s=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=oKN5WJkN++UBmbeRwgyDoW12Y+lu2iXmZGqVd78A+2c+KftFhsiYX+Pdljnn206deVFyJEI3EwA7iWighPtTnEfh2SH18xZb60QuSLvUhVmDmgat/PxeKMZOTvoao6UY1qTG5xl457QsanlgN+4YwbvqUgDnyZC19PvHyjUyxPo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=XkblmXkp; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="XkblmXkp" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971923; bh=Z6oGRNNDPv7HY7Jwe2K5yTNZdEqWzrdbU1BcgGO8c9s=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=XkblmXkpzZZAvu9TAu6Fo8xGr7wGUQLffhlfPsrw/JunGdCmxKegomNJfYxkSvKrq nY+Ah0UWy7MZtVE5pdWxGb2KLagXUd1+rXC3feh++QtJWTN2zCB+dX2wFX50KLr0rC evPC6zYWtifj99O9PunB91EAD+OYk/kkSVv7oceU= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:11 +0200 Subject: [PATCH v5 07/14] module: Make module authentication usable without MODULE_SIG Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-7-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=7097; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=Z6oGRNNDPv7HY7Jwe2K5yTNZdEqWzrdbU1BcgGO8c9s=; b=gZ9L4Pv0bW11gPm0OadkMRRSd3fcG4bTAsBKfMt93FHeYTx6e3IE0Apbb9U2ZuKdpL6rwl+xH 0w+pvk6DlWQB4Kj/mcYSKmEB5iRuH1DnEV/AbAzFaQus13MV8FaxoKp X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= The module authentication functionality will also be used by the hash-based module authentication. Split it out from CONFIG_MODULE_SIG so it is usable by both. Signed-off-by: Thomas Wei=C3=9Fschuh --- crypto/algapi.c | 4 ++-- include/linux/module.h | 18 +++++++++--------- kernel/module/Kconfig | 5 ++++- kernel/module/Makefile | 1 + kernel/module/auth.c | 32 ++++++++++++++++++++++++++++++++ kernel/module/internal.h | 2 +- kernel/module/main.c | 8 ++++---- kernel/module/signing.c | 23 +---------------------- 8 files changed, 54 insertions(+), 39 deletions(-) diff --git a/crypto/algapi.c b/crypto/algapi.c index 37de377719ae..14252b780266 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -24,8 +24,8 @@ static LIST_HEAD(crypto_template_list); =20 static inline void crypto_check_module_sig(struct module *mod) { - if (fips_enabled && mod && !module_sig_ok(mod)) - panic("Module %s signature verification failed in FIPS mode\n", + if (fips_enabled && mod && !module_auth_ok(mod)) + panic("Module %s authentication failed in FIPS mode\n", module_name(mod)); } =20 diff --git a/include/linux/module.h b/include/linux/module.h index 7566815fabbe..b4760777daad 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -437,9 +437,9 @@ struct module { /* GPL-only exported symbols. */ bool using_gplonly_symbols; =20 -#ifdef CONFIG_MODULE_SIG - /* Signature was verified. */ - bool sig_ok; +#ifdef CONFIG_MODULE_AUTH + /* Module was authenticated. */ + bool auth_ok; #endif =20 bool async_probe_requested; @@ -918,16 +918,16 @@ static inline bool retpoline_module_ok(bool has_retpo= line) } #endif =20 -#ifdef CONFIG_MODULE_SIG +#ifdef CONFIG_MODULE_AUTH bool is_module_sig_enforced(void); =20 void set_module_sig_enforced(void); =20 -static inline bool module_sig_ok(struct module *module) +static inline bool module_auth_ok(struct module *module) { - return module->sig_ok; + return module->auth_ok; } -#else /* !CONFIG_MODULE_SIG */ +#else /* !CONFIG_MODULE_AUTH */ static inline bool is_module_sig_enforced(void) { return false; @@ -937,11 +937,11 @@ static inline void set_module_sig_enforced(void) { } =20 -static inline bool module_sig_ok(struct module *module) +static inline bool module_auth_ok(struct module *module) { return true; } -#endif /* CONFIG_MODULE_SIG */ +#endif /* CONFIG_MODULE_AUTH */ =20 #if defined(CONFIG_MODULES) && defined(CONFIG_KALLSYMS) int module_kallsyms_on_each_symbol(const char *modname, diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index f535181e0d98..84297da666ff 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -271,9 +271,12 @@ config MODULE_SIG debuginfo strip done by some packagers (such as rpmbuild) and inclusion into an initramfs that wants the module size reduced. =20 +config MODULE_AUTH + def_bool MODULE_SIG + config MODULE_SIG_FORCE bool "Require modules to be validly signed" - depends on MODULE_SIG + depends on MODULE_AUTH help Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel. diff --git a/kernel/module/Makefile b/kernel/module/Makefile index d9e8759a7b05..c7200e293d04 100644 --- a/kernel/module/Makefile +++ b/kernel/module/Makefile @@ -14,6 +14,7 @@ obj-y +=3D strict_rwx.o obj-y +=3D kmod.o obj-$(CONFIG_MODULE_DEBUG_AUTOLOAD_DUPS) +=3D dups.o obj-$(CONFIG_MODULE_DECOMPRESS) +=3D decompress.o +obj-$(CONFIG_MODULE_AUTH) +=3D auth.o obj-$(CONFIG_MODULE_SIG) +=3D signing.o obj-$(CONFIG_LIVEPATCH) +=3D livepatch.o obj-$(CONFIG_MODULES_TREE_LOOKUP) +=3D tree_lookup.o diff --git a/kernel/module/auth.c b/kernel/module/auth.c new file mode 100644 index 000000000000..956ac63d9d33 --- /dev/null +++ b/kernel/module/auth.c @@ -0,0 +1,32 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* Module authentication checker + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#include +#include +#include +#include + +#undef MODULE_PARAM_PREFIX +#define MODULE_PARAM_PREFIX "module." + +static bool sig_enforce =3D IS_ENABLED(CONFIG_MODULE_SIG_FORCE); +module_param(sig_enforce, bool_enable_only, 0644); + +/* + * Export sig_enforce kernel cmdline parameter to allow other subsystems r= ely + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. + */ +bool is_module_sig_enforced(void) +{ + return sig_enforce; +} +EXPORT_SYMBOL(is_module_sig_enforced); + +void set_module_sig_enforced(void) +{ + sig_enforce =3D true; +} diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 006ada7d4e6e..f8f425b167f1 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -68,7 +68,7 @@ struct load_info { Elf_Shdr *sechdrs; char *secstrings, *strtab; unsigned long symoffs, stroffs, init_typeoffs, core_typeoffs; - bool sig_ok; + bool auth_ok; #ifdef CONFIG_KALLSYMS unsigned long mod_kallsyms_init_off; #endif diff --git a/kernel/module/main.c b/kernel/module/main.c index 17a352198016..cd8a74df117e 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2601,10 +2601,10 @@ static void module_augment_kernel_taints(struct mod= ule *mod, struct load_info *i mod->name); add_taint_module(mod, TAINT_TEST, LOCKDEP_STILL_OK); } -#ifdef CONFIG_MODULE_SIG - mod->sig_ok =3D info->sig_ok; - if (!mod->sig_ok) { - pr_notice_once("%s: module verification failed: signature " +#ifdef CONFIG_MODULE_AUTH + mod->auth_ok =3D info->auth_ok; + if (!mod->auth_ok) { + pr_notice_once("%s: module authentication failed: signature " "and/or required key missing - tainting " "kernel\n", mod->name); add_taint_module(mod, TAINT_UNSIGNED_MODULE, LOCKDEP_STILL_OK); diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 69d4b1758540..07a786723221 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -16,27 +16,6 @@ #include #include "internal.h" =20 -#undef MODULE_PARAM_PREFIX -#define MODULE_PARAM_PREFIX "module." - -static bool sig_enforce =3D IS_ENABLED(CONFIG_MODULE_SIG_FORCE); -module_param(sig_enforce, bool_enable_only, 0644); - -/* - * Export sig_enforce kernel cmdline parameter to allow other subsystems r= ely - * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. - */ -bool is_module_sig_enforced(void) -{ - return sig_enforce; -} -EXPORT_SYMBOL(is_module_sig_enforced); - -void set_module_sig_enforced(void) -{ - sig_enforce =3D true; -} - /* * Verify the signature on a module. */ @@ -84,7 +63,7 @@ int module_sig_check(struct load_info *info, int flags) info->len -=3D markerlen; err =3D mod_verify_sig(mod, info); if (!err) { - info->sig_ok =3D true; + info->auth_ok =3D true; return 0; } } --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 351BD3DC4C2; Tue, 5 May 2026 09:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; cv=none; b=EdtA7t/Ti+FBBumvyDWne9L5EBxvQUFrhKO2NpQ/VnRbjRWYFi7hqPZ5+BSmKcMQ3rTTFhk68PULODP9L0I1lYxqAcwA58CMoHKcOUeRrD38el6u2LL3L942jekk4O7MxYgBedPdNOKFU/B25gSIDvvsJ47x0P1WVmJ3CVS4aEw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; c=relaxed/simple; bh=z587DQf7ydM5gOPKNIBxSBWu9EUeBOTRuUfIH6UhiJM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=eOHt9CyB/yR3txJMsmxyAHQ2e7xeITzBSNBNpTVPM7BSC6eyVkLP8NyqJRRKBwiexNg4cTYhu+b8hIPNmCXKbB7e6i1495+QXoet+aHMBeLK8Cri25Hh0agRVzC/64Z24y+hefh85t1+oIzzysGzVJK2fq1B+9uqcJWZK6/PumM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=aIgpWDKX; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="aIgpWDKX" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971923; bh=z587DQf7ydM5gOPKNIBxSBWu9EUeBOTRuUfIH6UhiJM=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=aIgpWDKXrg76P12O4zkGtJLBuZn8YCeI7ZzPJs6xm6dzdrhNjHvlCsyJmUEjNrCDX nnsToJ9+zngAbg5KnB2apzV2zul/tNtdLxtFkKFMh/CCZJG5ISZHQPcUMzBA/S/C/H yDIMRiiPrmSBoXKa210qmdtwe3j1bEA6l8n1iwS4= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:12 +0200 Subject: [PATCH v5 08/14] module: Move authentication logic into dedicated new file Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-8-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=8567; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=z587DQf7ydM5gOPKNIBxSBWu9EUeBOTRuUfIH6UhiJM=; b=0QD9Bo5ArZ/toPAgrZ/Kwp8g1MN5vGvLlI3JacHftC7LXDAwqZfm7Tb5hscKQ74Tdp4pPzyNi hUJ9tsUkDfZBUtISxftgnKStnD51XKADZgJpNxcoo2sKOBdHsu9omPS X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= The module authentication functionality will also be used by the hash-based module authentication. To make it usable even if CONFIG_MODULE_SIG is disabled, move it to a new file. Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/auth.c | 85 +++++++++++++++++++++++++++++++++++++++++++++ kernel/module/internal.h | 14 ++++++-- kernel/module/main.c | 6 ++-- kernel/module/signing.c | 90 ++------------------------------------------= ---- 4 files changed, 103 insertions(+), 92 deletions(-) diff --git a/kernel/module/auth.c b/kernel/module/auth.c index 956ac63d9d33..831a13eb0c9b 100644 --- a/kernel/module/auth.c +++ b/kernel/module/auth.c @@ -5,10 +5,16 @@ * Written by David Howells (dhowells@redhat.com) */ =20 +#include #include #include +#include #include +#include +#include #include +#include +#include "internal.h" =20 #undef MODULE_PARAM_PREFIX #define MODULE_PARAM_PREFIX "module." @@ -30,3 +36,82 @@ void set_module_sig_enforced(void) { sig_enforce =3D true; } + +static int mod_verify_sig(const void *mod, struct load_info *info) +{ + struct module_signature ms; + size_t sig_len, modlen =3D info->len; + int ret; + + if (modlen <=3D sizeof(ms)) + return -EBADMSG; + + memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); + + ret =3D mod_check_sig(&ms, modlen, "module"); + if (ret) + return ret; + + sig_len =3D be32_to_cpu(ms.sig_len); + modlen -=3D sig_len + sizeof(ms); + info->len =3D modlen; + + return module_sig_check(mod, modlen, mod + modlen, sig_len); +} + +int module_auth_check(struct load_info *info, int flags) +{ + int err =3D -ENODATA; + const unsigned long markerlen =3D sizeof(MODULE_SIGNATURE_MARKER) - 1; + const char *reason; + const void *mod =3D info->hdr; + bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | + MODULE_INIT_IGNORE_VERMAGIC); + /* + * Do not allow mangled modules as a module with version information + * removed is no longer the module that was signed. + */ + if (!mangled_module && + info->len > markerlen && + memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerle= n) =3D=3D 0) { + /* We truncate the module to discard the signature */ + info->len -=3D markerlen; + err =3D mod_verify_sig(mod, info); + if (!err) { + info->auth_ok =3D true; + return 0; + } + } + + /* + * We don't permit modules to be loaded into the trusted kernels + * without a valid signature on them, but if we're not enforcing, + * certain errors are non-fatal. + */ + switch (err) { + case -ENODATA: + reason =3D "unsigned module"; + break; + case -ENOPKG: + reason =3D "module with unsupported crypto"; + break; + case -ENOKEY: + reason =3D "module with unavailable key"; + break; + + default: + /* + * All other errors are fatal, including lack of memory, + * unparseable signatures, and signature check failures -- + * even if signatures aren't required. + */ + return err; + } + + if (is_module_sig_enforced()) { + pr_notice("Loading of %s is rejected\n", reason); + return -EKEYREJECTED; + } + + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); +} diff --git a/kernel/module/internal.h b/kernel/module/internal.h index f8f425b167f1..d923e31a5d8e 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -336,14 +336,24 @@ void module_mark_ro_after_init(const Elf_Ehdr *hdr, E= lf_Shdr *sechdrs, const char *secstrings); =20 #ifdef CONFIG_MODULE_SIG -int module_sig_check(struct load_info *info, int flags); +int module_sig_check(const void *mod, size_t mod_len, const void *sig, siz= e_t sig_len); #else /* !CONFIG_MODULE_SIG */ -static inline int module_sig_check(struct load_info *info, int flags) +static inline int module_sig_check(const void *mod, size_t mod_len, + const void *sig, size_t sig_len) { return 0; } #endif /* !CONFIG_MODULE_SIG */ =20 +#ifdef CONFIG_MODULE_AUTH +int module_auth_check(struct load_info *info, int flags); +#else /* !CONFIG_MODULE_AUTH */ +static inline int module_auth_check(struct load_info *info, int flags) +{ + return 0; +} +#endif /* !CONFIG_MODULE_AUTH */ + #ifdef CONFIG_DEBUG_KMEMLEAK void kmemleak_load_module(const struct module *mod, const struct load_info= *info); #else /* !CONFIG_DEBUG_KMEMLEAK */ diff --git a/kernel/module/main.c b/kernel/module/main.c index cd8a74df117e..55a010383a8d 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -3428,8 +3428,8 @@ static int load_module(struct load_info *info, const = char __user *uargs, char *after_dashes; =20 /* - * Do the signature check (if any) first. All that - * the signature check needs is info->len, it does + * Do the authentication checks (if any) first. All that + * the authentication checks need is info->len, it does * not need any of the section info. That can be * set up later. This will minimize the chances * of a corrupt module causing problems before @@ -3439,7 +3439,7 @@ static int load_module(struct load_info *info, const = char __user *uargs, * off the sig length at the end of the module, making * checks against info->len more correct. */ - err =3D module_sig_check(info, flags); + err =3D module_auth_check(info, flags); if (err) goto free_copy; =20 diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 07a786723221..a49317e3c66f 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -5,98 +5,14 @@ * Written by David Howells (dhowells@redhat.com) */ =20 -#include -#include -#include -#include -#include +#include #include -#include -#include -#include #include "internal.h" =20 -/* - * Verify the signature on a module. - */ -static int mod_verify_sig(const void *mod, struct load_info *info) +int module_sig_check(const void *mod, size_t mod_len, const void *sig, siz= e_t sig_len) { - struct module_signature ms; - size_t sig_len, modlen =3D info->len; - int ret; - - if (modlen <=3D sizeof(ms)) - return -EBADMSG; - - memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); - - ret =3D mod_check_sig(&ms, modlen, "module"); - if (ret) - return ret; - - sig_len =3D be32_to_cpu(ms.sig_len); - modlen -=3D sig_len + sizeof(ms); - info->len =3D modlen; - - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + return verify_pkcs7_signature(mod, mod_len, sig, sig_len, VERIFY_USE_SECONDARY_KEYRING, VERIFYING_MODULE_SIGNATURE, NULL, NULL); } - -int module_sig_check(struct load_info *info, int flags) -{ - int err =3D -ENODATA; - const unsigned long markerlen =3D sizeof(MODULE_SIGNATURE_MARKER) - 1; - const char *reason; - const void *mod =3D info->hdr; - bool mangled_module =3D flags & (MODULE_INIT_IGNORE_MODVERSIONS | - MODULE_INIT_IGNORE_VERMAGIC); - /* - * Do not allow mangled modules as a module with version information - * removed is no longer the module that was signed. - */ - if (!mangled_module && - info->len > markerlen && - memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerle= n) =3D=3D 0) { - /* We truncate the module to discard the signature */ - info->len -=3D markerlen; - err =3D mod_verify_sig(mod, info); - if (!err) { - info->auth_ok =3D true; - return 0; - } - } - - /* - * We don't permit modules to be loaded into the trusted kernels - * without a valid signature on them, but if we're not enforcing, - * certain errors are non-fatal. - */ - switch (err) { - case -ENODATA: - reason =3D "unsigned module"; - break; - case -ENOPKG: - reason =3D "module with unsupported crypto"; - break; - case -ENOKEY: - reason =3D "module with unavailable key"; - break; - - default: - /* - * All other errors are fatal, including lack of memory, - * unparseable signatures, and signature check failures -- - * even if signatures aren't required. - */ - return err; - } - - if (is_module_sig_enforced()) { - pr_notice("Loading of %s is rejected\n", reason); - return -EKEYREJECTED; - } - - return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); -} --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED22B3C4547; Tue, 5 May 2026 09:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; cv=none; b=mhZIemmH3ghI2cWk1Wj7a7T4Jo7H9uA6mCfyc8q3tgRnttUVFe1CNqlrMtMN2XCJ+HyjuUQqSB9aBYtru7RLBrbE3H/ePgUD3jteKHheEtEFfLisHABYq3gV7FiH3f1etlw4Nt/D2yCooTOBmZ0j6MeyIu9pY2ZdhnDnDy17Zws= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971938; c=relaxed/simple; bh=6VJvYnOHZshtQlmEnWd/K1udWrIwe9dejx/5mZI/Wtg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=dgnB2FLyEm1Bwoz3xRBeJ7ENapNcN4xuWixioZtfds2zkqMr/BL3YlKM7nKE+VWk8f8B/aFMpp/eKaPc+cxk35XkOxwd4JizWnZBtXMGiqUqMkQuonzwhg6BYBOpiD/hbjqcqSUE3WkNRdHQOhHZ5pCn79v8x1aVq6dfi/ISzdU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=owjODUEx; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="owjODUEx" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971923; bh=6VJvYnOHZshtQlmEnWd/K1udWrIwe9dejx/5mZI/Wtg=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=owjODUExCCypec6TKWlnIwzT8DVnXMsfb+ZaEjU0MoKmKL+u/Hgk0XMLanRHlOS5p MNeyeJ7VYX8n6e4baZNE/ejhPU8IePBOA5zatZB7qfpcaHAbaVKcUT7fN5vxhMYVdb T5d4nFyczBMUPklVRaKpvkmaSNX/c9tzIRq1bRpM= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:13 +0200 Subject: [PATCH v5 09/14] module: Move signature type check out of mod_check_sig() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-9-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=2558; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=6VJvYnOHZshtQlmEnWd/K1udWrIwe9dejx/5mZI/Wtg=; b=CMdNpxTCGkVu3CYbUQ//Xh1Da5BfQXG6erPbBdP2NTFne3QRqh52DC/9CSjILoKbNrS8gBQHS 8rcJfdzG3nTABuTlKzuzZV5cQk7a/PkWY+ZZAqFMl0YgtXmFbCISOTR X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= Additional signature types are about to be added. As each caller of mod_check_sig() can have different support for these, move the type validation into the callers. Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/auth.c | 5 +++++ kernel/module_signature.c | 8 +------- security/integrity/ima/ima_modsig.c | 5 +++++ 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/kernel/module/auth.c b/kernel/module/auth.c index 831a13eb0c9b..21e49eb4967c 100644 --- a/kernel/module/auth.c +++ b/kernel/module/auth.c @@ -48,6 +48,11 @@ static int mod_verify_sig(const void *mod, struct load_i= nfo *info) =20 memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); =20 + if (ms.id_type !=3D MODULE_SIGNATURE_TYPE_PKCS7) { + pr_err("module: not signed with expected PKCS#7 message\n"); + return -ENOPKG; + } + ret =3D mod_check_sig(&ms, modlen, "module"); if (ret) return ret; diff --git a/kernel/module_signature.c b/kernel/module_signature.c index a0eee2fe4368..4d0476bcdb72 100644 --- a/kernel/module_signature.c +++ b/kernel/module_signature.c @@ -24,12 +24,6 @@ int mod_check_sig(const struct module_signature *ms, siz= e_t file_len, if (be32_to_cpu(ms->sig_len) >=3D file_len - sizeof(*ms)) return -EBADMSG; =20 - if (ms->id_type !=3D MODULE_SIGNATURE_TYPE_PKCS7) { - pr_err("%s: not signed with expected PKCS#7 message\n", - name); - return -ENOPKG; - } - if (ms->algo !=3D 0 || ms->hash !=3D 0 || ms->signer_len !=3D 0 || @@ -37,7 +31,7 @@ int mod_check_sig(const struct module_signature *ms, size= _t file_len, ms->__pad[0] !=3D 0 || ms->__pad[1] !=3D 0 || ms->__pad[2] !=3D 0) { - pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n", + pr_err("%s: signature info has unexpected non-zero params\n", name); return -EBADMSG; } diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/i= ma_modsig.c index 632c746fd81e..ebfcdd368a2a 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -57,6 +57,11 @@ int ima_read_modsig(enum ima_hooks func, const void *buf= , loff_t buf_len, buf_len -=3D marker_len; sig =3D (const struct module_signature *)(p - sizeof(*sig)); =20 + if (sig->id_type !=3D MODULE_SIGNATURE_TYPE_PKCS7) { + pr_err("%s: not signed with expected PKCS#7 message\n", func_tokens[func= ]); + return -ENOPKG; + } + rc =3D mod_check_sig(sig, buf_len, func_tokens[func]); if (rc) return rc; --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7F00D3F54A2; Tue, 5 May 2026 09:05:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; cv=none; b=aDxuH41b030EOOPwZw4f4iK5XtaYCjz4madKkpHjl7O3juB0XA84cr6zMDH99Si9Th9Jfop/V2XtEvINHVw4aWaQ23Z5SbSjcRl/kQ8c2YdrlnCRkbne9CogWs9mMfGsaD/QF9mKDdMs3QZQh4/Sg8NDRN3z4khnoV0nHBedX8k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; c=relaxed/simple; bh=chCyrFKTgdh3bqAx/mQ6lIysEIJoVqpFJGF/rlIkqi4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Y2xA6FQm1R1FqGTHGBNqfbcxyBeX5yE48l6zjQcJlNZIh4ZQJkbokVGNVzLxzqRtLV3kHSUKOAGYAS3xlYaady06m5+0n1OS0kGiWGbtaQYbw9l014JTO7dO/5qv8diA1ogD2o/mxeczBOHX0A/laFND2s2gNyRI+TlMMC4LEpg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=uSjcE3/7; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="uSjcE3/7" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971923; bh=chCyrFKTgdh3bqAx/mQ6lIysEIJoVqpFJGF/rlIkqi4=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=uSjcE3/7RPzqVxYeknvP09UES2PQcOS9VkYVVqueNpzecmFvo1an3XpkguzW1D0Bg nFEHj3iswoLhusE/F96Ei5XojOmHw/x30HPACKMdW35EThCzDfqEd2VucH5aOjSyPt ZadmbkICr/8be6TA7uVP9y8q16Xm891dDk9OoxpA= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:14 +0200 Subject: [PATCH v5 10/14] module: Prepare for additional module authentication mechanisms Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-10-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=2563; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=chCyrFKTgdh3bqAx/mQ6lIysEIJoVqpFJGF/rlIkqi4=; b=AghgISpSvC9jFLJMASwIQ2fl2y7giwEV7IIPQJiNe92PMZ8lKZf0qC99jV/SdHmNA1NchS945 I53O1yr0Ve6Cw+2TVu7rpkv9iMeNkP/+D4AMPAnvVv3dujuIZnIrT4f X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= Reorganize the code to make it easier to add the new hash-based module authentication. Also drop the now unnecessary stub for module_sig_check(). Signed-off-by: Thomas Wei=C3=9Fschuh --- kernel/module/auth.c | 17 ++++++++++++++--- kernel/module/internal.h | 8 -------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/kernel/module/auth.c b/kernel/module/auth.c index 21e49eb4967c..2ee512d26790 100644 --- a/kernel/module/auth.c +++ b/kernel/module/auth.c @@ -37,6 +37,14 @@ void set_module_sig_enforced(void) sig_enforce =3D true; } =20 +static __always_inline bool mod_sig_type_valid(enum module_signature_type = id_type) +{ + if (id_type =3D=3D MODULE_SIGNATURE_TYPE_PKCS7 && IS_ENABLED(CONFIG_MODUL= E_SIG)) + return true; + + return false; +} + static int mod_verify_sig(const void *mod, struct load_info *info) { struct module_signature ms; @@ -48,8 +56,8 @@ static int mod_verify_sig(const void *mod, struct load_in= fo *info) =20 memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); =20 - if (ms.id_type !=3D MODULE_SIGNATURE_TYPE_PKCS7) { - pr_err("module: not signed with expected PKCS#7 message\n"); + if (!mod_sig_type_valid(ms.id_type)) { + pr_err("module: not signed with expected signature\n"); return -ENOPKG; } =20 @@ -61,7 +69,10 @@ static int mod_verify_sig(const void *mod, struct load_i= nfo *info) modlen -=3D sig_len + sizeof(ms); info->len =3D modlen; =20 - return module_sig_check(mod, modlen, mod + modlen, sig_len); + if (ms.id_type =3D=3D MODULE_SIGNATURE_TYPE_PKCS7 && IS_ENABLED(CONFIG_MO= DULE_SIG)) + return module_sig_check(mod, modlen, mod + modlen, sig_len); + + return 0; } =20 int module_auth_check(struct load_info *info, int flags) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index d923e31a5d8e..aabe7f8e1af4 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -335,15 +335,7 @@ int module_enforce_rwx_sections(const Elf_Ehdr *hdr, c= onst Elf_Shdr *sechdrs, void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs, const char *secstrings); =20 -#ifdef CONFIG_MODULE_SIG int module_sig_check(const void *mod, size_t mod_len, const void *sig, siz= e_t sig_len); -#else /* !CONFIG_MODULE_SIG */ -static inline int module_sig_check(const void *mod, size_t mod_len, - const void *sig, size_t sig_len) -{ - return 0; -} -#endif /* !CONFIG_MODULE_SIG */ =20 #ifdef CONFIG_MODULE_AUTH int module_auth_check(struct load_info *info, int flags); --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7917E386440; Tue, 5 May 2026 09:10:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777972245; cv=none; b=BTQ8HQ16oHoV15U+ZSr1tNO6Zua45p/D6MDpbNsVq0weClfGIgVhHGtk9MdZFdq9MjyQ/4TDs5Pti0XCNjkpEDtX+wmhv/L0G1BYx1iaUQLTZ8XeiJIBPhSRetSXxbnakU9f0T+2Nny3+1TUq5HMK2WYzh+aSmHhwBT1089ao5w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777972245; c=relaxed/simple; bh=OjVEQENALnBrLz41nWZb6yT3a4erxpjD/nxLglpoCvs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=t3P1qiJgwc2oNuuyI3hIytDKRjepMkm/zm69/g4ZCtUfN2XfhiegqEID3mvGSFoaoTnJ3/mUYOJIM36qOG/j2gGvVwk9nHk8IbaRrbiIJRh73ElPotepacLfSsc+AoX0H1+6hBL44DICI93P0mG1b2+ombvhhxmMAkK8Rrbxk6I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=XYlaUPL2; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="XYlaUPL2" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777972242; bh=OjVEQENALnBrLz41nWZb6yT3a4erxpjD/nxLglpoCvs=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=XYlaUPL2+1keZjN6BW3dcVpUl1RE38eQ/mlaVVvGmo2i9QCzRFbU331m2UYsSbCld hta5KOZvDq0W86hZIs2n1rYUwCZ+NdnAkIxcW5Y5qHrZWxaytUG2jOyjEHymCGLDmA Xja87gSXTb9+q0HubyhjmtkQGlwGOrsIzkE2RZwc= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:15 +0200 Subject: [PATCH v5 11/14] module: update timestamp of modules.order after modules are built Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-11-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=973; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=OjVEQENALnBrLz41nWZb6yT3a4erxpjD/nxLglpoCvs=; b=uffap1Yp7A9oUyxJAg/JMqLbZ7j2qeL8SXGije4OWjL3Lmqea939UF78GetZTKRZdUELCxw7k wcm9ivOs6zTCvQInib7BHj9Xe5zk405K6/DXSFSlvx+rY7B0KYo+1yw X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= Make sure that modules.order is always newer than the module .ko files. Other rules can then use modules.order as a prerequisite and rerun if any module is (re-)built. Signed-off-by: Thomas Wei=C3=9Fschuh --- scripts/Makefile.modfinal | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index b09040ccddd2..44a382689a5a 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal @@ -66,6 +66,13 @@ endif =20 targets +=3D $(modules:%.o=3D%.ko) $(modules:%.o=3D%.mod.o) .module-common= .o =20 +# Update modules.order when a module is (re-)built. +# Allow using it as target dependency. +targets +=3D modules.order +__modfinal: modules.order +modules.order: $(modules:%.o=3D%.ko) + @touch $@ + # Add FORCE to the prerequisites of a target to force it to be always rebu= ilt. # ------------------------------------------------------------------------= --- =20 --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C1FA530E0E5; Tue, 5 May 2026 09:10:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777972247; cv=none; b=dm+H7mDuEAJ6aGjDw4IxvAeDy+7vTPbyMq4mscxbBio7oHG7wcbyYi+obF9PPjaVx3WRVYnRA6AkmLaqIa4xGKw1E6h/Poxnk2MmNda5BGDxk38Ib/u53sfwWxsO02jwMVS5pQAntXCgQ9ttID/TB8j8U368vsbHZ46nuk+ryZU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777972247; c=relaxed/simple; bh=yof0b38w6FUaPXaXJVuEYnR5HxHXG6atxby+tUyoxFE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=LqLj9R60iU7sO+UA7VgCGObOAXzohBDUiy+W+6GP+eTbJeaV7cZu69B4GPVM5InFpF8Q4G4u3T03sgTK4s54p2Gbi3dOf+yf3t2dZcR9lixAUVX7ByB3aoIy+6YYgu1ZJdpOL6cAzlSjr6VaGHAdZFH3An4bJbCVxXFPCA10K6o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=peK6gKbp; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="peK6gKbp" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777972242; bh=yof0b38w6FUaPXaXJVuEYnR5HxHXG6atxby+tUyoxFE=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=peK6gKbpZy9I2phipLr55Fcmd9gtrGuZOeNZtSVObfqt6DpO/b/TAPVcRP8FOdZs3 +FzamGKC2tLwT1aeF7e76QEhToz/xMmPPR2LtOk0y4dB7c99N+h6iXpMIPM0P6+V5e 71yemcE5YnO7t0cR3Y7DlzDSYtFxX8DhHB/XYvps= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:16 +0200 Subject: [PATCH v5 12/14] module: Introduce hash-based integrity checking Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-12-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=31710; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=yof0b38w6FUaPXaXJVuEYnR5HxHXG6atxby+tUyoxFE=; b=siIepplh1FilcLPn8putesLGCzUZGqtVhKp+bmtp42MnyR8HeJmS+FNxtZift5z7h6LEcmcCf IP6vBhYlk0YCllMcWb/mTsdHcfZS3SpufWRnpAfpah+MUlMt99oibUB X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated. The goal is to reach bit-for-bit reproducibility. Excluding certain parts of the build output from the reproducibility analysis would be error-prone and force each downstream consumer to introduce new tooling. Introduce a new mechanism to ensure only well-known modules are loaded by embedding a merkle tree root of all modules built as part of the full kernel build into vmlinux. Out-of-tree modules can be validated as before through signatures. Normally the .ko module files depend on a fully built vmlinux to be available for modpost validation and BTF generation. With CONFIG_MODULE_HASHES, vmlinux now depends on the modules to build a merkle tree. This introduces a dependency cycle which is impossible to satisfy. Work around this by building the modules during link-vmlinux.sh, after vmlinux is complete enough for modpost and BTF but before the final module hashes are The PKCS7 format which is used for regular module signatures can not represent Merkle proofs, so a new kind of module signature is introduced. As this signature type is only ever used for builtin modules, no compatibility issues can arise. Signed-off-by: Thomas Wei=C3=9Fschuh --- .gitignore | 1 + Documentation/kbuild/reproducible-builds.rst | 5 +- Makefile | 7 +- include/asm-generic/vmlinux.lds.h | 11 + include/linux/module_hashes.h | 29 ++ include/uapi/linux/module_signature.h | 1 + kernel/module/Kconfig | 21 +- kernel/module/Makefile | 1 + kernel/module/auth.c | 6 + kernel/module/hashes.c | 95 ++++++ kernel/module/hashes_root.c | 6 + kernel/module/internal.h | 1 + scripts/.gitignore | 1 + scripts/Makefile | 4 + scripts/Makefile.modinst | 11 + scripts/Makefile.vmlinux | 32 +++ scripts/include/xalloc.h | 29 ++ scripts/link-vmlinux.sh | 3 +- scripts/modules-merkle-tree.c | 416 +++++++++++++++++++++++= ++++ security/lockdown/Kconfig | 2 +- tools/include/uapi/linux/module_signature.h | 1 + 21 files changed, 677 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 3044b9590f05..78cf799401e6 100644 --- a/.gitignore +++ b/.gitignore @@ -36,6 +36,7 @@ *.lz4 *.lzma *.lzo +*.merkle *.mod *.mod.c *.o diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/k= build/reproducible-builds.rst index bc1eb82211df..b15019678aae 100644 --- a/Documentation/kbuild/reproducible-builds.rst +++ b/Documentation/kbuild/reproducible-builds.rst @@ -84,7 +84,10 @@ generate a different temporary key for each build, resul= ting in the modules being unreproducible. However, including a signing key with your source would presumably defeat the purpose of signing modules. =20 -One approach to this is to divide up the build process so that the +Instead ``CONFIG_MODULE_HASHES`` can be used to embed a static list +of valid modules to load. + +Another approach to this is to divide up the build process so that the unreproducible parts can be treated as sources: =20 1. Generate a persistent signing key. Add the certificate for the key diff --git a/Makefile b/Makefile index e27c91ea56fc..def4a2413c43 100644 --- a/Makefile +++ b/Makefile @@ -1650,7 +1650,9 @@ ifdef CONFIG_MODULES =20 # By default, build modules as well =20 +ifndef CONFIG_MODULE_HASHES all: modules +endif =20 # When we're building modules with modversions, we need to consider # the built-in objects during the descend as well, in order to @@ -1666,8 +1668,10 @@ endif # is an exception. ifdef CONFIG_DEBUG_INFO_BTF_MODULES KBUILD_BUILTIN :=3D y +ifndef CONFIG_MODULE_HASHES modules: vmlinux endif +endif =20 modules: modules_prepare =20 @@ -2068,7 +2072,7 @@ modules.order: $(build-dir) # KBUILD_MODPOST_NOFINAL can be set to skip the final link of modules. # This is solely useful to speed up test compiles. modules: modpost -ifneq ($(KBUILD_MODPOST_NOFINAL),1) +ifneq ($(CONFIG_MODULE_HASHES)|$(KBUILD_MODPOST_NOFINAL),|1) $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modfinal endif =20 @@ -2162,6 +2166,7 @@ clean: $(clean-dirs) -o -name '*.c.[012]*.*' \ -o -name '*.ll' \ -o -name '*.gcno' \ + -o -name '*.merkle' \ \) -type f -print \ -o -name '.tmp_*' -print \ | xargs rm -rf diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinu= x.lds.h index 60c8c22fd3e4..661881e5ef96 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -508,6 +508,8 @@ \ PRINTK_INDEX \ \ + MODULE_HASHES \ + \ /* Kernel symbol table */ \ __ksymtab : AT(ADDR(__ksymtab) - LOAD_OFFSET) { \ __start___ksymtab =3D .; \ @@ -913,6 +915,15 @@ #define PRINTK_INDEX #endif =20 +#ifdef CONFIG_MODULE_HASHES +#define MODULE_HASHES \ + .module_hashes : AT(ADDR(.module_hashes) - LOAD_OFFSET) { \ + KEEP(*(SORT(.module_hashes))) \ + } +#else +#define MODULE_HASHES +#endif + /* * Discard .note.GNU-stack, which is emitted as PROGBITS by the compiler. * Otherwise, the type of .notes section would become PROGBITS instead of = NOTES. diff --git a/include/linux/module_hashes.h b/include/linux/module_hashes.h new file mode 100644 index 000000000000..53b34fa12f2d --- /dev/null +++ b/include/linux/module_hashes.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _LINUX_MODULE_HASHES_H +#define _LINUX_MODULE_HASHES_H + +#include +#include +#include + +#define __module_hashes_section __section(".module_hashes") +#define MODULE_HASHES_HASH_SIZE SHA256_DIGEST_SIZE + +struct module_hash { + u8 h[MODULE_HASHES_HASH_SIZE]; +}; + +struct module_hashes_proof { + __be32 pos; + struct module_hash hash_sigs[]; +} __packed; + +struct module_hashes_root { + u32 levels; + struct module_hash hash; +}; + +extern const struct module_hashes_root module_hashes_root; + +#endif /* _LINUX_MODULE_HASHES_H */ diff --git a/include/uapi/linux/module_signature.h b/include/uapi/linux/mod= ule_signature.h index 634c9f1c8fc2..78e206996eed 100644 --- a/include/uapi/linux/module_signature.h +++ b/include/uapi/linux/module_signature.h @@ -16,6 +16,7 @@ =20 enum module_signature_type { MODULE_SIGNATURE_TYPE_PKCS7 =3D 2, /* Signature in PKCS#7 message */ + MODULE_SIGNATURE_TYPE_MERKLE =3D 3, /* Merkle proof for modules, opaque s= tructure */ }; =20 /* diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 84297da666ff..acbbda58e7c8 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -272,7 +272,7 @@ config MODULE_SIG inclusion into an initramfs that wants the module size reduced. =20 config MODULE_AUTH - def_bool MODULE_SIG + def_bool MODULE_SIG || MODULE_HASHES =20 config MODULE_SIG_FORCE bool "Require modules to be validly signed" @@ -291,7 +291,7 @@ config MODULE_SIG_ALL modules must be signed manually, using the scripts/sign-file tool. =20 comment "Do not forget to sign required modules with scripts/sign-file" - depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL + depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL && !MODULE_HASHES =20 choice prompt "Hash algorithm to sign modules" @@ -406,6 +406,23 @@ config MODULE_DECOMPRESS =20 endif # MODULE_COMPRESS =20 +config MODULE_HASHES + bool "Hash-based module authentication" + depends on !MODULE_SIG_ALL + depends on !IMA_APPRAISE_MODSIG + select MODULE_SIG_FORMAT + select CRYPTO_LIB_SHA256 + help + Validate modules by their hashes. + Only modules built together with the main kernel image can be + validated that way. + + This is a reproducible-build compatible alternative to a build-time + generated module keyring, as enabled by + CONFIG_MODULE_SIG_KEY=3Dcerts/signing_key.pem. + + Also see the warning in MODULE_SIG about stripping modules. + config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS bool "Allow loading of modules with missing namespace imports" help diff --git a/kernel/module/Makefile b/kernel/module/Makefile index c7200e293d04..da9420f140e9 100644 --- a/kernel/module/Makefile +++ b/kernel/module/Makefile @@ -26,3 +26,4 @@ obj-$(CONFIG_KGDB_KDB) +=3D kdb.o obj-$(CONFIG_MODVERSIONS) +=3D version.o obj-$(CONFIG_MODULE_UNLOAD_TAINT_TRACKING) +=3D tracking.o obj-$(CONFIG_MODULE_STATS) +=3D stats.o +obj-$(CONFIG_MODULE_HASHES) +=3D hashes.o hashes_root.o diff --git a/kernel/module/auth.c b/kernel/module/auth.c index 2ee512d26790..cf3fe3f8bd89 100644 --- a/kernel/module/auth.c +++ b/kernel/module/auth.c @@ -42,6 +42,9 @@ static __always_inline bool mod_sig_type_valid(enum modul= e_signature_type id_typ if (id_type =3D=3D MODULE_SIGNATURE_TYPE_PKCS7 && IS_ENABLED(CONFIG_MODUL= E_SIG)) return true; =20 + if (id_type =3D=3D MODULE_SIGNATURE_TYPE_MERKLE && IS_ENABLED(CONFIG_MODU= LE_HASHES)) + return true; + return false; } =20 @@ -72,6 +75,9 @@ static int mod_verify_sig(const void *mod, struct load_in= fo *info) if (ms.id_type =3D=3D MODULE_SIGNATURE_TYPE_PKCS7 && IS_ENABLED(CONFIG_MO= DULE_SIG)) return module_sig_check(mod, modlen, mod + modlen, sig_len); =20 + if (ms.id_type =3D=3D MODULE_SIGNATURE_TYPE_MERKLE && IS_ENABLED(CONFIG_M= ODULE_HASHES)) + return module_hash_check(mod, modlen, mod + modlen, sig_len); + return 0; } =20 diff --git a/kernel/module/hashes.c b/kernel/module/hashes.c new file mode 100644 index 000000000000..3d3cf0366f75 --- /dev/null +++ b/kernel/module/hashes.c @@ -0,0 +1,95 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* Module hash-based integrity checker + * + * Copyright (C) 2025 Thomas Wei=C3=9Fschuh + * Copyright (C) 2025 Sebastian Andrzej Siewior + * + * The structure of the Merkle tree is documented in scripts/modules-merkl= e-tree.c. + */ + +#define pr_fmt(fmt) "module/hash: " fmt + +#include +#include +#include + +#include + +#include "internal.h" + +static __init __maybe_unused int module_hashes_init(void) +{ + pr_debug("root: levels=3D%u hash=3D%*phN\n", + module_hashes_root.levels, + (int)sizeof(module_hashes_root.hash), &module_hashes_root.hash); + + return 0; +} + +#if IS_ENABLED(CONFIG_MODULE_DEBUG) +early_initcall(module_hashes_init); +#endif + +static void hash_entry(const struct module_hash *left, const struct module= _hash *right, + struct module_hash *out) +{ + struct sha256_ctx ctx; + u8 magic =3D 0x02; + + sha256_init(&ctx); + sha256_update(&ctx, &magic, sizeof(magic)); + sha256_update(&ctx, left->h, sizeof(left->h)); + sha256_update(&ctx, right->h, sizeof(right->h)); + sha256_final(&ctx, out->h); +} + +static void hash_data(const u8 *d, size_t len, unsigned int pos, struct mo= dule_hash *out) +{ + struct sha256_ctx ctx; + u8 magic =3D 0x01; + __be32 pos_be; + + pos_be =3D cpu_to_be32(pos); + + sha256_init(&ctx); + sha256_update(&ctx, &magic, sizeof(magic)); + sha256_update(&ctx, (const u8 *)&pos_be, sizeof(pos_be)); + sha256_update(&ctx, d, len); + sha256_final(&ctx, out->h); +} + +static bool module_hashes_verify_proof(u32 pos, const struct module_hash *= hash_sigs, + struct module_hash *cur) +{ + for (unsigned int i =3D 0; i < module_hashes_root.levels; i++, pos >>=3D = 1) { + if ((pos & 1) =3D=3D 0) + hash_entry(cur, &hash_sigs[i], cur); + else + hash_entry(&hash_sigs[i], cur, cur); + } + + return !memcmp(cur, &module_hashes_root.hash, sizeof(module_hashes_root.h= ash)); +} + +int module_hash_check(const void *mod, size_t mod_len, const void *sig, si= ze_t sig_len) +{ + const struct module_hashes_proof *proof; + struct module_hash modhash; + size_t proof_size; + u32 pos; + + proof_size =3D struct_size(proof, hash_sigs, module_hashes_root.levels); + + if (sig_len !=3D proof_size) + return -ENOPKG; + + proof =3D (const struct module_hashes_proof *)sig; + pos =3D get_unaligned_be32(&proof->pos); + + hash_data(mod, mod_len, pos, &modhash); + + if (!module_hashes_verify_proof(pos, proof->hash_sigs, &modhash)) + return -ENOKEY; + + return 0; +} diff --git a/kernel/module/hashes_root.c b/kernel/module/hashes_root.c new file mode 100644 index 000000000000..ffb6adfc2193 --- /dev/null +++ b/kernel/module/hashes_root.c @@ -0,0 +1,6 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include + +/* Blank dummy data. Will be replaced by the read data during the build */ +const struct module_hashes_root module_hashes_root __module_hashes_section= =3D {}; diff --git a/kernel/module/internal.h b/kernel/module/internal.h index aabe7f8e1af4..259e8ca5cb25 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -336,6 +336,7 @@ void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf= _Shdr *sechdrs, const char *secstrings); =20 int module_sig_check(const void *mod, size_t mod_len, const void *sig, siz= e_t sig_len); +int module_hash_check(const void *mod, size_t mod_len, const void *sig, si= ze_t sig_len); =20 #ifdef CONFIG_MODULE_AUTH int module_auth_check(struct load_info *info, int flags); diff --git a/scripts/.gitignore b/scripts/.gitignore index 4215c2208f7e..8dad9b0d3b2d 100644 --- a/scripts/.gitignore +++ b/scripts/.gitignore @@ -5,6 +5,7 @@ /insert-sys-cert /kallsyms /module.lds +/modules-merkle-tree /recordmcount /rustdoc_test_builder /rustdoc_test_gen diff --git a/scripts/Makefile b/scripts/Makefile index c983e09be78c..b6291595d9e8 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -11,6 +11,7 @@ hostprogs-always-y +=3D sign-file hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) +=3D insert-sys-cert hostprogs-always-$(CONFIG_RUST_KERNEL_DOCTESTS) +=3D rustdoc_test_builder hostprogs-always-$(CONFIG_RUST_KERNEL_DOCTESTS) +=3D rustdoc_test_gen +hostprogs-always-$(CONFIG_MODULE_HASHES) +=3D modules-merkle-tree hostprogs-always-$(CONFIG_TRACEPOINTS) +=3D tracepoint-update =20 sorttable-objs :=3D sorttable.o elf-parse.o @@ -37,6 +38,9 @@ HOSTCFLAGS_asn1_compiler.o =3D -I$(srctree)/include HOSTCFLAGS_sign-file.o =3D $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2>= /dev/null) HOSTCFLAGS_sign-file.o +=3D -I$(srctree)/tools/include/uapi/ HOSTLDLIBS_sign-file =3D $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /de= v/null || echo -lcrypto) +HOSTCFLAGS_modules-merkle-tree.o =3D $(shell $(HOSTPKG_CONFIG) --cflags li= bcrypto 2> /dev/null) +HOSTCFLAGS_modules-merkle-tree.o +=3D -I$(srctree)/tools/include/uapi/ +HOSTLDLIBS_modules-merkle-tree =3D $(shell $(HOSTPKG_CONFIG) --libs libcry= pto 2> /dev/null || echo -lcrypto) =20 ifdef CONFIG_UNWINDER_ORC ifeq ($(ARCH),x86_64) diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index 9ba45e5b32b1..68708a039a62 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -79,6 +79,12 @@ quiet_cmd_install =3D INSTALL $@ # as the options to the strip command. ifdef INSTALL_MOD_STRIP =20 +ifdef CONFIG_MODULE_HASHES +ifeq ($(KBUILD_EXTMOD),) +$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) +endif +endif + ifeq ($(INSTALL_MOD_STRIP),1) strip-option :=3D --strip-debug else @@ -116,6 +122,11 @@ quiet_cmd_sign :=3D cmd_sign :=3D : endif =20 +ifeq ($(KBUILD_EXTMOD)|$(CONFIG_MODULE_HASHES),|y) +quiet_cmd_sign =3D MERKLE [M] $@ + cmd_sign =3D cat $(objtree)/$*.merkle >> $@ +endif + # Create necessary directories $(foreach dir, $(sort $(dir $(install-y))), $(shell mkdir -p $(dir))) =20 diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux index 6cc661e5292b..a0332c06bde1 100644 --- a/scripts/Makefile.vmlinux +++ b/scripts/Makefile.vmlinux @@ -78,6 +78,33 @@ ifdef CONFIG_BUILDTIME_TABLE_SORT vmlinux.unstripped: scripts/sorttable endif =20 +ifdef CONFIG_MODULE_HASHES +targets +=3D .tmp_module_hashes.c + +modules.order: vmlinux.unstripped FORCE + $(Q)echo " MAKE modules" + $(Q)$(MAKE) -f $(srctree)/Makefile modules + +quiet_cmd_modules_merkle_tree =3D MERKLE $@ + cmd_modules_merkle_tree =3D $< $@ .ko + +targets +=3D .tmp_module_hashes.c +.tmp_module_hashes.c: $(objtree)/scripts/modules-merkle-tree modules.order= FORCE + $(call if_changed,modules_merkle_tree) + +targets +=3D .tmp_module_hashes.o +.tmp_module_hashes.o: .tmp_module_hashes.c FORCE + +quiet_cmd_modules_merkle_tree_root =3D GEN $@ + cmd_modules_merkle_tree_root =3D $(OBJCOPY) --dump-section .module_h= ashes=3D$@ $< + +targets +=3D .tmp_module_hashes.bin +.tmp_module_hashes.bin: .tmp_module_hashes.o FORCE + $(call if_changed,modules_merkle_tree_root) + +vmlinux: .tmp_module_hashes.bin +endif + # vmlinux # ------------------------------------------------------------------------= --- =20 @@ -95,6 +122,11 @@ quiet_cmd_objcopy_vmlinux =3D OBJCOPY $@ cmd_objcopy_vmlinux =3D $(OBJCOPY) $(patsubst %,--set-section-flags = %=3Dnoload,$(remove-section-y)) $< $@; \ $(OBJCOPY) $(addprefix --remove-section=3D,$(r= emove-section-y)) $(remove-symbols) $@ =20 +ifdef CONFIG_MODULE_HASHES +# Patch module hashes root into vmlinux after modules have been built. + cmd_objcopy_vmlinux +=3D ; $(OBJCOPY) --update-section .module_hashe= s=3D.tmp_module_hashes.bin $@ +endif + targets +=3D vmlinux vmlinux: vmlinux.unstripped FORCE $(call if_changed,objcopy_vmlinux) diff --git a/scripts/include/xalloc.h b/scripts/include/xalloc.h index cdadb07d0592..8294bc0b836f 100644 --- a/scripts/include/xalloc.h +++ b/scripts/include/xalloc.h @@ -3,6 +3,7 @@ #ifndef XALLOC_H #define XALLOC_H =20 +#include #include #include =20 @@ -50,4 +51,32 @@ static inline char *xstrndup(const char *s, size_t n) return p; } =20 +static inline void *xreallocarray(void *oldp, size_t n, size_t size) +{ + void *p; + + p =3D reallocarray(oldp, n, size); + if (!p) + exit(1); + + return p; +} + +#ifdef _GNU_SOURCE +static inline char *xasprintf(const char *fmt, ...) +{ + va_list ap; + char *strp; + int ret; + + va_start(ap, fmt); + ret =3D vasprintf(&strp, fmt, ap); + va_end(ap); + if (ret =3D=3D -1) + exit(1); + + return strp; +} +#endif /* _GNU_SOURCE */ + #endif /* XALLOC_H */ diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index f99e196abeea..0edec5ee34dc 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -103,7 +103,7 @@ vmlinux_link() ${ld} ${ldflags} -o ${output} \ ${wl}--whole-archive ${objs} ${wl}--no-whole-archive \ ${wl}--start-group ${libs} ${wl}--end-group \ - ${kallsymso} ${btf_vmlinux_bin_o} ${arch_vmlinux_o} ${ldlibs} + ${kallsymso} ${btf_vmlinux_bin_o} ${module_hashes_o} ${arch_vmlinux_o} $= {ldlibs} } =20 # Create ${2}.o file with all symbols from the ${1} object file @@ -183,6 +183,7 @@ fi btf_vmlinux_bin_o=3D btfids_vmlinux=3D kallsymso=3D +module_hashes_o=3D strip_debug=3D generate_map=3D =20 diff --git a/scripts/modules-merkle-tree.c b/scripts/modules-merkle-tree.c new file mode 100644 index 000000000000..10e3455d5d7a --- /dev/null +++ b/scripts/modules-merkle-tree.c @@ -0,0 +1,416 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Compute hashes for modules files and build a merkle tree. + * + * Copyright (C) 2025 Sebastian Andrzej Siewior + * Copyright (C) 2025 Thomas Wei=C3=9Fschuh + * + * Structure of the Merkle tree: + * + * The full built modules are leaf nodes. They are hashed pairwise in the = order + * of modules.order to create internal nodes. These in turn are also hashed + * pairwise to create the next higher level of internal nodes. This is rep= eated + * up to a single root node. In case of an uneven amount of node on a leve= l, the + * last node is paired with itself. + * + * The single root node can then be embedded into vmlinux to validate all = modules. + */ + +#define _GNU_SOURCE 1 +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include + +#include "ssl-common.h" + +#include +#include + +static int hash_size; +static EVP_MD_CTX *ctx; + +struct hash { + uint8_t h[32]; /* For sha256 */ +}; + +struct file_entry { + char *name; + unsigned int pos; + struct hash hash; +}; + +static struct file_entry *fh_list; +static size_t num_files; + +struct mtree { + struct hash **level_hashes; + unsigned int *entries; + unsigned int num_levels; +}; + +static unsigned int log2_roundup(uint32_t val) +{ + if (val <=3D 1) + return 1; + return 32 - __builtin_clz(val - 1); +} + +static void hash_data(unsigned int pos, unsigned char *data, size_t size, = struct hash *ret_hash) +{ + uint8_t magic =3D 0x01; /* domain separation prefix */ + uint32_t pos_be; + + pos_be =3D htobe32(pos); + + ERR(EVP_DigestInit_ex(ctx, NULL, NULL) !=3D 1, "EVP_DigestInit_ex()"); + ERR(EVP_DigestUpdate(ctx, &magic, sizeof(magic)) !=3D 1, "EVP_DigestUpdat= e(magic)"); + ERR(EVP_DigestUpdate(ctx, &pos_be, sizeof(pos_be)) !=3D 1, "EVP_DigestUpd= ate(pos)"); + ERR(EVP_DigestUpdate(ctx, data, size) !=3D 1, "EVP_DigestUpdate(data)"); + ERR(EVP_DigestFinal_ex(ctx, ret_hash->h, NULL) !=3D 1, "EVP_DigestFinal_e= x()"); +} + +static void hash_entry(const struct hash *left, const struct hash *right, = struct hash *ret_hash) +{ + uint8_t magic =3D 0x02; /* domain separation prefix */ + + ERR(EVP_DigestInit_ex(ctx, NULL, NULL) !=3D 1, "EVP_DigestInit_ex()"); + ERR(EVP_DigestUpdate(ctx, &magic, sizeof(magic)) !=3D 1, "EVP_DigestUpdat= e(magic)"); + ERR(EVP_DigestUpdate(ctx, left, hash_size) !=3D 1, "EVP_DigestUpdate(left= )"); + ERR(EVP_DigestUpdate(ctx, right, hash_size) !=3D 1, "EVP_DigestUpdate(rig= ht)"); + ERR(EVP_DigestFinal_ex(ctx, ret_hash->h, NULL) !=3D 1, "EVP_DigestFinal_e= x()"); +} + +static void hash_file(struct file_entry *fe) +{ + unsigned char *mem; + struct stat sb; + int fd, ret; + + fd =3D open(fe->name, O_RDONLY); + if (fd < 0) + err(1, "Failed to open %s", fe->name); + + ret =3D fstat(fd, &sb); + if (ret) + err(1, "Failed to stat %s", fe->name); + + mem =3D mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0); + if (mem =3D=3D MAP_FAILED) + err(1, "Failed to mmap %s", fe->name); + + hash_data(fe->pos, mem, sb.st_size, &fe->hash); + + munmap(mem, sb.st_size); + close(fd); +} + +static struct mtree *build_merkle(struct file_entry *files, size_t num_fil= es) +{ + unsigned int num_cur_le, num_prev_le; + struct mtree *mt; + + if (!num_files) + return NULL; + + mt =3D xmalloc(sizeof(*mt)); + mt->num_levels =3D log2_roundup(num_files); + + mt->level_hashes =3D xcalloc(sizeof(*mt->level_hashes), mt->num_levels); + + mt->entries =3D xcalloc(sizeof(*mt->entries), mt->num_levels); + num_cur_le =3D (num_files + 1) / 2; + mt->entries[0] =3D num_cur_le; + mt->level_hashes[0] =3D xcalloc(sizeof(**mt->level_hashes), num_cur_le); + + /* First level of pairs */ + for (size_t i =3D 0; i < num_files; i +=3D 2) { + /* Hash the pair, or the last file with itself if it's odd. */ + const struct hash *right =3D i + 1 < num_files ? &files[i + 1].hash : &f= iles[i].hash; + + hash_entry(&files[i].hash, right, &mt->level_hashes[0][i / 2]); + } + + for (unsigned int i =3D 1; i < mt->num_levels; i++) { + num_prev_le =3D num_cur_le; + + num_cur_le =3D (num_prev_le + 1) / 2; + mt->entries[i] =3D num_cur_le; + mt->level_hashes[i] =3D xcalloc(sizeof(**mt->level_hashes), num_cur_le); + + for (unsigned int n =3D 0; n < num_prev_le; n +=3D 2) { + /* Hash the pair, or the last with itself if it's odd. */ + const struct hash *right =3D n + 1 < num_prev_le ? + &mt->level_hashes[i - 1][n + 1] : + &mt->level_hashes[i - 1][n]; + hash_entry(&mt->level_hashes[i - 1][n], right, + &mt->level_hashes[i][n / 2]); + } + } + + /* FIXME assert single hash in root */ + + return mt; +} + +static void free_mtree(struct mtree *mt) +{ + if (!mt) + return; + + for (unsigned int i =3D 0; i < mt->num_levels; i++) + free(mt->level_hashes[i]); + + free(mt->level_hashes); + free(mt->entries); + free(mt); +} + +static void write_be_int(int fd, unsigned int v) +{ + unsigned int be_val =3D htobe32(v); + + if (write(fd, &be_val, sizeof(be_val)) !=3D sizeof(be_val)) + err(1, "Failed writing to file"); +} + +static void write_hash(int fd, const struct hash *hash) +{ + if (write(fd, hash->h, hash_size) !=3D hash_size) + err(1, "Failed writing to file"); +} + +static void build_proof(struct mtree *mt, unsigned int n, int fd) +{ + struct file_entry *fe, *fe_sib; + + fe =3D &fh_list[n]; + + if ((n & 1) =3D=3D 0) { + /* No pair, hash with itself */ + if (n + 1 =3D=3D num_files) + fe_sib =3D fe; + else + fe_sib =3D &fh_list[n + 1]; + } else { + fe_sib =3D &fh_list[n - 1]; + } + /* First comes the node position into the file */ + write_be_int(fd, n); + + /* Next is the sibling hash, followed by hashes in the tree */ + write_hash(fd, &fe_sib->hash); + + for (unsigned int i =3D 0; i < mt->num_levels - 1; i++) { + n >>=3D 1; + if ((n & 1) =3D=3D 0) { + const struct hash *h; + + /* No pair, hash with itself */ + if (n + 1 =3D=3D mt->entries[i]) + h =3D &mt->level_hashes[i][n]; + else + h =3D &mt->level_hashes[i][n + 1]; + + write_hash(fd, h); + } else { + write_hash(fd, &mt->level_hashes[i][n - 1]); + } + } +} + +static void append_module_signature_magic(int fd, unsigned int sig_len) +{ + const struct module_signature sig_info =3D { + .id_type =3D MODULE_SIGNATURE_TYPE_MERKLE, + .sig_len =3D htobe32(sig_len), + }; + const size_t sig_str_len =3D sizeof(MODULE_SIGNATURE_MARKER) - 1; + const char *sig_str =3D MODULE_SIGNATURE_MARKER; + + if (write(fd, &sig_info, sizeof(sig_info)) !=3D sizeof(sig_info)) + err(1, "write(sig_info) failed"); + + if (write(fd, sig_str, sig_str_len) !=3D sig_str_len) + err(1, "write(magic_number) failed"); +} + +static void write_merkle_root(struct mtree *mt, const char *filename) +{ + unsigned int num_levels; + struct hash *h; + FILE *f; + + if (mt) { + num_levels =3D mt->num_levels; + h =3D &mt->level_hashes[mt->num_levels - 1][0]; + } else { + num_levels =3D 0; + h =3D xcalloc(1, hash_size); + } + + f =3D fopen(filename, "w"); + if (!f) + err(1, "Failed to create %s", filename); + + fprintf(f, "#include \n\n"); + fprintf(f, "const struct\n"); + fprintf(f, "module_hashes_root module_hashes_root __module_hashes_section= =3D {\n"); + + fprintf(f, "\t.levels =3D %u,\n", num_levels); + fprintf(f, "\t.hash =3D {{"); + for (unsigned int i =3D 0; i < hash_size; i++) { + char *space =3D ""; + + if (!(i % 8)) + fprintf(f, "\n\t\t"); + + if ((i + 1) % 8) + space =3D " "; + + fprintf(f, "0x%02x,%s", h->h[i], space); + } + fprintf(f, "\n\t}},"); + + fprintf(f, "\n};\n"); + + if (fclose(f)) + err(1, "Failed to write %s", filename); + + if (!mt) + free(h); +} + +static char *xstrdup_replace_suffix(const char *str, const char *old_suffi= x, const char *new_suffix) +{ + size_t str_len, old_suffix_len, base_len; + + str_len =3D strlen(str); + old_suffix_len =3D strlen(old_suffix); + base_len =3D str_len - old_suffix_len; + + if (old_suffix_len > str_len || memcmp(str + base_len, old_suffix, old_su= ffix_len) !=3D 0) + errx(1, "'%s' does not end in '%s'", str, old_suffix); + + return xasprintf("%.*s%s", (int)base_len, str, new_suffix); +} + +static void trim_newline(char *line) +{ + size_t len; + + if (!line) + return; + + len =3D strlen(line); + if (!len) + return; + + if (line[len - 1] =3D=3D '\n') + line[len - 1] =3D '\0'; +} + +static void read_modules_order(const char *fname, const char *suffix) +{ + char line[PATH_MAX]; + FILE *in; + + in =3D fopen(fname, "r"); + if (!in) + err(1, "Failed to open %s", fname); + + while (fgets(line, PATH_MAX, in)) { + struct file_entry *entry; + + trim_newline(line); + + fh_list =3D xreallocarray(fh_list, num_files + 1, sizeof(*fh_list)); + entry =3D &fh_list[num_files]; + + entry->pos =3D num_files; + entry->name =3D xstrdup_replace_suffix(line, ".o", suffix); + hash_file(entry); + + num_files++; + } + + if (ferror(in)) + errx(1, "Failed to read %s", fname); + + fclose(in); +} + +static __attribute__((noreturn)) +void usage(void) +{ + fprintf(stderr, + "Usage: scripts/modules-merkle-tree \n"); + exit(2); +} + +int main(int argc, char *argv[]) +{ + const char *kmod_suffix; + const EVP_MD *hash_evp; + struct mtree *mt; + + if (argc !=3D 3) + usage(); + + kmod_suffix =3D argv[2]; + + hash_evp =3D EVP_sha256(); + ERR(!hash_evp, "EVP_sha256()"); + + ctx =3D EVP_MD_CTX_new(); + ERR(!ctx, "EVP_MD_CTX_new()"); + + hash_size =3D EVP_MD_get_size(hash_evp); + ERR(hash_size <=3D 0, "EVP_get_digestbyname"); + + if (hash_size !=3D sizeof(struct hash)) + errx(1, "Invalid hash size"); + + if (EVP_DigestInit_ex(ctx, hash_evp, NULL) !=3D 1) + ERR(1, "EVP_DigestInit_ex()"); + + read_modules_order("modules.order", kmod_suffix); + + mt =3D build_merkle(fh_list, num_files); + write_merkle_root(mt, argv[1]); + for (size_t i =3D 0; i < num_files; i++) { + char *signame; + int fd; + + signame =3D xstrdup_replace_suffix(fh_list[i].name, kmod_suffix, ".merkl= e"); + + fd =3D open(signame, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fd < 0) + err(1, "Can't create %s", signame); + + build_proof(mt, i, fd); + append_module_signature_magic(fd, lseek(fd, 0, SEEK_CUR)); + if (close(fd)) + err(1, "Can't write %s", signame); + } + + free_mtree(mt); + for (size_t i =3D 0; i < num_files; i++) + free(fh_list[i].name); + free(fh_list); + + EVP_MD_CTX_free(ctx); + return 0; +} diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig index 155959205b8e..60b240e3ef1f 100644 --- a/security/lockdown/Kconfig +++ b/security/lockdown/Kconfig @@ -1,7 +1,7 @@ config SECURITY_LOCKDOWN_LSM bool "Basic module for enforcing kernel lockdown" depends on SECURITY - depends on !MODULES || MODULE_SIG + depends on !MODULES || MODULE_SIG || MODULE_HASHES help Build support for an LSM that enforces a coarse kernel lockdown behaviour. diff --git a/tools/include/uapi/linux/module_signature.h b/tools/include/ua= pi/linux/module_signature.h index 634c9f1c8fc2..78e206996eed 100644 --- a/tools/include/uapi/linux/module_signature.h +++ b/tools/include/uapi/linux/module_signature.h @@ -16,6 +16,7 @@ =20 enum module_signature_type { MODULE_SIGNATURE_TYPE_PKCS7 =3D 2, /* Signature in PKCS#7 message */ + MODULE_SIGNATURE_TYPE_MERKLE =3D 3, /* Merkle proof for modules, opaque s= tructure */ }; =20 /* --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 419D3347BD4; Tue, 5 May 2026 09:10:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777972248; cv=none; b=lgC4MFwyo1FD1pfZM48nchWgLWz0DkX2jN4CAP5FjatgWztg3gZpGDnQjca9CgfWwfJ8kgU/Yk3CO+rppHklLgp0UMlfsbfR+CMwpg0XE3ikxzrrrUebLTmSEAJ6nFZGAR6ApW98eLKR0R3tKdLDGardjezfnsmi4INngOnICxk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777972248; c=relaxed/simple; bh=4sym237a3wzjHBQDzN72ZtH7iFNxSpm8gXdzQ0UrWmw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=V9ZzR9uTZDuIZFiJde7o/jZXWdJRkXjk/nT8S/JesTzQYzpMvn3C6v6y1EZfgE+Ll7HZmNcgoZrdXhki2TKxcku4XLd0FZQJSbVB8e9fjp6DqwsWDECgHolNQJ7/pLPHcPDhICOFM4WJRVVMQWblt68JselEf8SXBLFAzFQJYec= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=Up2Yt+/i; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="Up2Yt+/i" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777972242; bh=4sym237a3wzjHBQDzN72ZtH7iFNxSpm8gXdzQ0UrWmw=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=Up2Yt+/iewqFT4CdTJtEHClfccc2bXaZkDpSUGByup4Vjop5SUh30Qw8cs4enAqE3 ezzRxbNnLJYJrCGV+ryDaz+xSLJTy627+iEeBG9M2YPm1ZbEn/3tJi93kE1vSEhuZG GHsrlN1CEma0J6DFPiAPBGPBIuHEuzWSdyzkEtF0= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:17 +0200 Subject: [PATCH v5 13/14] kbuild: move handling of module stripping to Makefile.lib Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-13-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=3531; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=4sym237a3wzjHBQDzN72ZtH7iFNxSpm8gXdzQ0UrWmw=; b=yK767BHsapJV15dUfHNe8idRaS/QEQT7THkpmPRTFTWVR8JNmIEaIi786mZC/3G3QxzBTTSEr ElIP5qYLNiJD4Y2+AainUiunn1D7qpG9VUvSrTlTN7McIL/cM3ZvgES X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= To allow CONFIG_MODULE_HASHES in combination with INSTALL_MOD_STRIP, this logc will also be used by Makefile.modfinal. Move it to a shared location to enable reuse. Signed-off-by: Thomas Wei=C3=9Fschuh --- scripts/Makefile.lib | 32 ++++++++++++++++++++++++++++++++ scripts/Makefile.modinst | 37 +++++-------------------------------- 2 files changed, 37 insertions(+), 32 deletions(-) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 0718e39cedda..bb713a1a11be 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -484,6 +484,38 @@ define sed-offsets s:->::; p;}' endef =20 +# +# Module Installation +# +quiet_cmd_install_mod =3D INSTALL $@ + cmd_install_mod =3D cp $< $@ + +# Module Strip +# ------------------------------------------------------------------------= --- +# +# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after t= hey +# are installed. If INSTALL_MOD_STRIP is '1', then the default option +# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be u= sed +# as the options to the strip command. +ifeq ($(INSTALL_MOD_STRIP),1) +mod-strip-option :=3D --strip-debug +else +mod-strip-option :=3D $(INSTALL_MOD_STRIP) +endif + +# Strip +ifdef INSTALL_MOD_STRIP + +quiet_cmd_strip_mod =3D STRIP $@ + cmd_strip_mod =3D $(STRIP) $(mod-strip-option) $@ + +else + +quiet_cmd_strip_mod =3D + cmd_strip_mod =3D : + +endif + # Use filechk to avoid rebuilds when a header changes, but the resulting f= ile # does not define filechk_offsets diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index 68708a039a62..b95f613e23c8 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -8,6 +8,7 @@ __modinst: =20 include $(objtree)/include/config/auto.conf include $(srctree)/scripts/Kbuild.include +include $(srctree)/scripts/Makefile.lib =20 install-y :=3D =20 @@ -36,7 +37,7 @@ install-y +=3D $(addprefix $(MODLIB)/, modules.builtin mo= dules.builtin.modinfo) install-$(CONFIG_BUILTIN_MODULE_RANGES) +=3D $(MODLIB)/modules.builtin.ran= ges =20 $(addprefix $(MODLIB)/, modules.builtin modules.builtin.modinfo modules.bu= iltin.ranges): $(MODLIB)/%: % FORCE - $(call cmd,install) + $(call cmd,install_mod) =20 endif =20 @@ -65,40 +66,12 @@ install-$(CONFIG_MODULES) +=3D $(modules) __modinst: $(install-y) @: =20 -# -# Installation -# -quiet_cmd_install =3D INSTALL $@ - cmd_install =3D cp $< $@ - -# Strip -# -# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after t= hey -# are installed. If INSTALL_MOD_STRIP is '1', then the default option -# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be u= sed -# as the options to the strip command. -ifdef INSTALL_MOD_STRIP - ifdef CONFIG_MODULE_HASHES ifeq ($(KBUILD_EXTMOD),) +ifdef INSTALL_MOD_STRIP $(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) endif endif - -ifeq ($(INSTALL_MOD_STRIP),1) -strip-option :=3D --strip-debug -else -strip-option :=3D $(INSTALL_MOD_STRIP) -endif - -quiet_cmd_strip =3D STRIP $@ - cmd_strip =3D $(STRIP) $(strip-option) $@ - -else - -quiet_cmd_strip =3D - cmd_strip =3D : - endif =20 # @@ -131,8 +104,8 @@ endif $(foreach dir, $(sort $(dir $(install-y))), $(shell mkdir -p $(dir))) =20 $(dst)/%.ko: %.ko FORCE - $(call cmd,install) - $(call cmd,strip) + $(call cmd,install_mod) + $(call cmd,strip_mod) $(call cmd,sign) =20 ifdef CONFIG_MODULES --=20 2.54.0 From nobody Sat May 9 13:10:41 2026 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 705AF3E5EE6; Tue, 5 May 2026 09:05:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.69.126.157 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; cv=none; b=tocO4Qttnx/kyOl10VN3a+ir4Qi0HzlVHOUoHqk8jTqzKKR9aDTqLqCS6hoEZZxbutRMxSdIqtd1KpEer2hq2vRg9besY1Hrbr/QopeyNu15/VVertytlp7VHLvZj3KY6qD39U2yVu8QdtdcDx4d4LsDXvuQSv9DBaDfu+V4obA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777971939; c=relaxed/simple; bh=elZqxqWASNPH02Zi8B2qimxrAyck+wx1GcCTAUaTf68=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=pmqikKnc16AHEZ3vKNg1uI3EGlgC7xvoICcq0kSpOvver2JQ0aEo6Nvqm2vkqudeyN/mkwjGlil6D0tOzkmUffNSz+x7ilRO6k7kKQ+Ik90vinTEToR6TeUvs1mazg4ORtyj570Qqn3T7FVoXy0bad0umgAnWmUuXJnpYMaATC4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net; spf=pass smtp.mailfrom=weissschuh.net; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b=bQ5agIzB; arc=none smtp.client-ip=159.69.126.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="bQ5agIzB" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1777971923; bh=elZqxqWASNPH02Zi8B2qimxrAyck+wx1GcCTAUaTf68=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=bQ5agIzBPRuFL7JWUhX7aDRNPbRhYiMMw3NdQA1wwclDcc9afVYMsG/75i/WNqhAA hijo/UrDsuQnHCYS7acn94RhzsDs7Y51FfF3ckZNMmNlu5Jpy4KPF9/PiukPGcZcfg X9HSI5nDm5v9ZQqJggt0rWkhUIJPYhzeHojeyMw8= From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= Date: Tue, 05 May 2026 11:05:18 +0200 Subject: [PATCH v5 14/14] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260505-module-hashes-v5-14-e174a5a49fce@weissschuh.net> References: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> In-Reply-To: <20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net> To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Nathan Chancellor , Nicolas Schier , Arnd Bergmann , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan Corbet , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Naveen N Rao , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Nicolas Schier , Daniel Gomez , Aaron Tomlin , "Christophe Leroy (CS GROUP)" , Nicolas Bouchinet , Xiu Jianfeng , Christophe Leroy Cc: Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , bpf@vger.kernel.org, =?utf-8?q?Fabian_Gr=C3=BCnbichler?= , Arnout Engelen , Mattia Rizzolo , kpcyrd , Christian Heusel , =?utf-8?q?C=C3=A2ju_Mihai-Drosi?= , Eric Biggers , Sebastian Andrzej Siewior , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-modules@vger.kernel.org, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org, debian-kernel@lists.debian.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777971921; l=3316; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=elZqxqWASNPH02Zi8B2qimxrAyck+wx1GcCTAUaTf68=; b=VL/y6lxcfMaVVCAqnHqBHAsMZQRoRMAJFmErw+a7YjNMWb7GcK//q6XoNoKQXYhMyaE3gwwLJ is6WW72xVPJDMy3Dd1T+JiFrphn8xBMZBZ2NTjggWulGxg5uKuR6cHw X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= CONFIG_MODULE_HASHES needs to process the modules at build time in the exact form they will be loaded at runtime. If the modules are stripped afterwards they will not be loadable anymore. Also evaluate INSTALL_MOD_STRIP at build time and build the hashes based on modules stripped this way. If users specify inconsistent values of INSTALL_MOD_STRIP between build and installation time, an error is reported. Signed-off-by: Thomas Wei=C3=9Fschuh --- .gitignore | 1 + kernel/module/Kconfig | 5 +++++ scripts/Makefile.modfinal | 9 +++++++++ scripts/Makefile.modinst | 4 ++-- scripts/Makefile.vmlinux | 2 +- 5 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 78cf799401e6..6ce10623c5a3 100644 --- a/.gitignore +++ b/.gitignore @@ -30,6 +30,7 @@ *.gz *.i *.ko +*.ko.stripped *.lex.c *.ll *.lst diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index acbbda58e7c8..48be498a4452 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -423,6 +423,11 @@ config MODULE_HASHES =20 Also see the warning in MODULE_SIG about stripping modules. =20 +# To validate the consistency of INSTALL_MOD_STRIP for MODULE_HASHES +config MODULE_INSTALL_STRIP + string + default "$(INSTALL_MOD_STRIP)" + config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS bool "Allow loading of modules with missing namespace imports" help diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index 44a382689a5a..9924a7bb73c5 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal @@ -64,7 +64,16 @@ ifdef CONFIG_DEBUG_INFO_BTF_MODULES endif +$(call cmd,check_tracepoint) =20 +%.ko.stripped: %.ko $(wildcard include/config/MODULE_INSTALL_STRIP) + $(call cmd,install_mod) + $(call cmd,strip_mod) + +ifneq ($(CONFIG_MODULE_INSTALL_STRIP),) +modules.order: $(modules:%.o=3D%.ko.stripped) +endif + targets +=3D $(modules:%.o=3D%.ko) $(modules:%.o=3D%.mod.o) .module-common= .o +targets +=3D $(modules:%.o=3D%.ko.stripped) =20 # Update modules.order when a module is (re-)built. # Allow using it as target dependency. diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index b95f613e23c8..fd1fb89bb0bd 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -68,8 +68,8 @@ __modinst: $(install-y) =20 ifdef CONFIG_MODULE_HASHES ifeq ($(KBUILD_EXTMOD),) -ifdef INSTALL_MOD_STRIP -$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) +ifneq ($(INSTALL_MOD_STRIP),$(CONFIG_MODULE_INSTALL_STRIP)) +$(error Inconsistent values for INSTALL_MOD_STRIP between build and instal= lation) endif endif endif diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux index a0332c06bde1..a2d170241a2f 100644 --- a/scripts/Makefile.vmlinux +++ b/scripts/Makefile.vmlinux @@ -86,7 +86,7 @@ modules.order: vmlinux.unstripped FORCE $(Q)$(MAKE) -f $(srctree)/Makefile modules =20 quiet_cmd_modules_merkle_tree =3D MERKLE $@ - cmd_modules_merkle_tree =3D $< $@ .ko + cmd_modules_merkle_tree =3D $< $@ $(if $(CONFIG_MODULE_INSTALL_STRIP= ),.ko.stripped,.ko) =20 targets +=3D .tmp_module_hashes.c .tmp_module_hashes.c: $(objtree)/scripts/modules-merkle-tree modules.order= FORCE --=20 2.54.0