This patch series allows disabling module validity enforcement at runtime through the control switch located in securityfs.
In order to keep /sys/module/module/parameters/sig_enforce simple, the disablement switch is located at /sys/kernel/security/modsign/disable_enforce.

Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to test this control switch.

# cat /sys/module/module/parameters/sig_enforce
N
# echo 1 > /sys/module/module/parameters/sig_enforce
# cat /sys/module/module/parameters/sig_enforce
Y
# echo -n 0 > no_sig_enforce
# openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
    -inkey <system_trusted_key> -signer <cert> -outform der \
    -out /sys/kernel/security/modsign/disable_enforce
# cat /sys/module/module/parameters/sig_enforce
N

Changelog:
v3:
- The control switch now doesn't support showing the status of sig_enforce.
v2:
- Support to disable validity enforcement at runtime.