On 1/13/26 1:28 PM, Thomas Weißschuh wrote: > The upcoming CONFIG_MODULE_HASHES will introduce a signature type. > This needs to be handled by callers differently than PKCS7 signatures. > > Report the signature type to the caller and let them verify it. > > Signed-off-by: Thomas Weißschuh <[email protected]> > --- > [...] > diff --git a/kernel/module/main.c b/kernel/module/main.c > index d65bc300a78c..2a28a0ece809 100644 > --- a/kernel/module/main.c > +++ b/kernel/module/main.c > @@ -3348,19 +3348,24 @@ static int module_integrity_check(struct load_info > *info, int flags) > { > bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS | > MODULE_INIT_IGNORE_VERMAGIC); > + enum pkey_id_type sig_type; > size_t sig_len; > const u8 *sig; > int err = 0; > > if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) { > err = mod_split_sig(info->hdr, &info->len, mangled_module, > - &sig_len, &sig, "module"); > + &sig_type, &sig_len, &sig, "module"); > if (err) > return err; > } > > - if (IS_ENABLED(CONFIG_MODULE_SIG)) > + if (IS_ENABLED(CONFIG_MODULE_SIG) && sig_type == PKEY_ID_PKCS7) { > err = module_sig_check(info, sig, sig_len); > + } else { > + pr_err("module: not signed with expected PKCS#7 message\n"); > + err = -ENOPKG; > + }
The new else branch means that if the user chooses not to configure any module integrity policy, they will no longer be able to load any modules. I think this entire if-else part should be moved under the IS_ENABLED(CONFIG_MODULE_SIG_POLICY) block above, as I'm mentioning on patch #12. -- Thanks, Petr
