[PATCH v3 0/3][RESEND] modsign enhancement

From: Jia Zhang
Date: Fri Mar 23 2018 - 22:59:59 EST


This patch series allows disabling module validity enforcement
at runtime through the control switch located in securityfs.

In order to keep /sys/module/module/parameters/sig_enforce simple,
the disablement switch is located at
/sys/kernel/security/modsign/disable_enforce.

Assuming CONFIG_MODULE_SIG_FORCE=n, here are the instructions to
test this control switch.

# cat /sys/module/module/parameters/sig_enforce
N
# echo 1 > /sys/module/module/parameters/sig_enforce
# cat /sys/module/module/parameters/sig_enforce
Y
# echo -n 0 > no_sig_enforce
# openssl smime -sign -nocerts -noattr -binary -in no_sig_enforce \
    -inkey <system_trusted_key> -signer <cert> -outform der \
    -out /sys/kernel/security/modsign/disable_enforce
# cat /sys/module/module/parameters/sig_enforce
N

Changelog:
v3:
- The control switch now doesn't support showing the status of sig_enforce.

v2:
- Support disabling validity enforcement at runtime.
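
A monitoring check for the Y to N transition shown in the test instructions above, as an added example that is not part of the original post or the patch series: it records the value of sig_enforce per boot and reports when enforcement that was on is found off again within the same boot. The function name and the state file path are assumptions; the parameter path is the one from the post, and the boot id is read from /proc/sys/kernel/random/boot_id.

```shell
#!/bin/sh
# Added example (not from the patch series): detect sig_enforce going Y -> N
# within one boot. All paths are arguments so the check can be run against
# constructed files as well as the live system.
#
# Live-system call (state file path is a hypothetical choice):
#   check_sig_enforce /sys/module/module/parameters/sig_enforce \
#       /proc/sys/kernel/random/boot_id /var/lib/modsign-watch.state
#
# Prints: enforced | not-enforced | downgraded | unreadable
# Exit status: 0 = no finding, 1 = downgraded, 2 = could not read input.
check_sig_enforce() {
    param_file=$1
    boot_id_file=$2
    state_file=$3

    cur=$(cat "$param_file" 2>/dev/null) || { echo unreadable; return 2; }
    boot=$(cat "$boot_id_file" 2>/dev/null) || { echo unreadable; return 2; }

    # Previous observation: "<boot id> <Y|N>", empty on the first run.
    prev_boot=
    prev_val=
    if [ -r "$state_file" ]; then
        read -r prev_boot prev_val < "$state_file" || :
    fi

    case $cur in
        Y)  result=enforced; code=0; record=Y ;;
        N)  if [ "$prev_boot" = "$boot" ] && [ "$prev_val" = Y ]; then
                # Enforcement was on earlier in this boot and is now off.
                # Keep Y on record so every later run in this boot still
                # reports the finding instead of alerting only once.
                result=downgraded; code=1; record=Y
            else
                result=not-enforced; code=0; record=N
            fi ;;
        *)  echo unreadable; return 2 ;;
    esac

    printf '%s %s\n' "$boot" "$record" > "$state_file"
    echo "$result"
    return "$code"
}
```

Run it periodically (cron or a systemd timer) and alert on exit status 1; a reboot resets the comparison because the boot id changes.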