Re: [PATCH v12 01/11] MODSIGN: Export module signature definitions

From: Thiago Jung Bauermann
Date: Thu Jul 04 2019 - 02:43:24 EST

Next message: Sai Prakash Ranjan: "Re: [PATCHv5 1/2] dt-bindings: coresight: Change CPU phandle to required property"
Previous message: Greg KH: "Re: [git pull] habanalabs pull request for kernel 5.3"
In reply to: Jessica Yu: "Re: [PATCH v12 01/11] MODSIGN: Export module signature definitions"
Next in thread: Philipp Rudo: "Re: [PATCH v12 01/11] MODSIGN: Export module signature definitions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jessica Yu <jeyu@xxxxxxxxxx> writes:

> +++ Thiago Jung Bauermann [27/06/19 23:19 -0300]:
>>IMA will use the module_signature format for append signatures, so export
>>the relevant definitions and factor out the code which verifies that the
>>appended signature trailer is valid.
>>
>>Also, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it
>>and be able to use mod_check_sig() without having to depend on either
>>CONFIG_MODULE_SIG or CONFIG_MODULES.
>>
>>Signed-off-by: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxx>
>>Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>>Cc: Jessica Yu <jeyu@xxxxxxxxxx>
>>---
>> include/linux/module.h | 3 --
>> include/linux/module_signature.h | 44 +++++++++++++++++++++++++
>> init/Kconfig | 6 +++-
>> kernel/Makefile | 1 +
>> kernel/module.c | 1 +
>> kernel/module_signature.c | 46 ++++++++++++++++++++++++++
>> kernel/module_signing.c | 56 +++++---------------------------
>> scripts/Makefile | 2 +-
>> 8 files changed, 106 insertions(+), 53 deletions(-)
>>
>>diff --git a/include/linux/module.h b/include/linux/module.h
>>index 188998d3dca9..aa56f531cf1e 100644
>>--- a/include/linux/module.h
>>+++ b/include/linux/module.h
>>@@ -25,9 +25,6 @@
>> #include <linux/percpu.h>
>> #include <asm/module.h>
>>
>>-/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
>>-#define MODULE_SIG_STRING "~Module signature appended~\n"
>>-
>
> Hi Thiago, apologies for the delay.

Hello Jessica, thanks for reviewing the patch!

> It looks like arch/s390/kernel/machine_kexec_file.c also relies on
> MODULE_SIG_STRING being defined, so module_signature.h will need to be
> included there too, otherwise we'll run into a compilation error.

Indeed. Thanks for spotting that. The patch below fixes it. It's
identical to the previous version except for the changes in
arch/s390/kernel/machine_kexec_file.c and their description in the
commit message. I'm also copying some s390 people in this email.

> Other than that, the module-related changes look good to me:
>
> Acked-by: Jessica Yu <jeyu@xxxxxxxxxx>

Thank you very much!

--
Thiago Jung Bauermann
IBM Linux Technology Center

Next message: Sai Prakash Ranjan: "Re: [PATCHv5 1/2] dt-bindings: coresight: Change CPU phandle to required property"
Previous message: Greg KH: "Re: [git pull] habanalabs pull request for kernel 5.3"
In reply to: Jessica Yu: "Re: [PATCH v12 01/11] MODSIGN: Export module signature definitions"
Next in thread: Philipp Rudo: "Re: [PATCH v12 01/11] MODSIGN: Export module signature definitions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]