Re: [PATCH v12 01/14] module: Move all into module/
From: Saravana Kannan
Date: Wed Jun 01 2022 - 23:42:06 EST
Aaron Tomlin <atomlin@xxxxxxxxxx> wrote:
> No functional changes.

I could be mistaken, but I think this has a functional change and could
break module signature enforcement in some cases.

>
> This patch moves all module related code into a separate directory,
> modifies each file name and creates a new Makefile. Note: this effort
> is in preparation to refactor core module code.
>
> Reviewed-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
> Signed-off-by: Aaron Tomlin <atomlin@xxxxxxxxxx>
> ---
> MAINTAINERS | 2 +-
> kernel/Makefile | 5 +----
> kernel/module/Makefile | 12 ++++++++++++
> kernel/{module_decompress.c => module/decompress.c} | 2 +-
> kernel/{module-internal.h => module/internal.h} | 0
> kernel/{module.c => module/main.c} | 2 +-
> kernel/{module_signing.c => module/signing.c} | 2 +-

I spent at least an hour trying to figure out how the code below in
module/signing.c (was moved from module/main.c in a later patch in this
series) managed to have a "module" prefix for "module.sig_enforce" kernel
cmdline param and for the /sys/module/module/parameters/sig_enforce file.

    static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
    module_param(sig_enforce, bool_enable_only, 0644);

I thought I was missing something until I realized this was a very recent
change and might actually be a bug. If I'm not mistaken, the prefix will
now become "signing". So the kernel cmdline param would get ignored and any
userspace writes to /sys/module/module/parameters/sig_enforce will start
failing.

I don't have a device to boot 5.19-rcX in, but I think I'm right. Can
someone confirm?

If my code analysis is right, then the fix seems to be adding this code
before the module_param() line.

diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 85c8999dfecf..6b0672e4417b 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -16,6 +16,11 @@
#include <uapi/linux/module.h>
#include "internal.h"
+#ifdef MODULE_PARAM_PREFIX
+#undef MODULE_PARAM_PREFIX
+#endif
+#define MODULE_PARAM_PREFIX "module."
+
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);
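Review bot: the MODULE_PARAM_PREFIX block added above module_param(sig_enforce, ...) has no comment saying why the prefix is pinned to "module."; add one stating that it keeps the module.sig_enforce command-line name and the /sys/module/module/parameters/sig_enforce path unchanged now that the code lives in signing.c. The #ifdef/#endif guard around "#undef MODULE_PARAM_PREFIX" can be dropped, since #undef on a name that is not defined is valid C and has no effect. The define also stays in force for the rest of the file, so any module_param() added to signing.c later would take the "module." prefix too; that is worth mentioning in the same comment.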
-Saravana
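
A check for the situation described in the message above, added here as an example and not part of the original mail or the kernel tree: it reports under which /sys/module/<prefix>/ directory sig_enforce is exposed and whether a module.sig_enforce request on the kernel command line took effect. The function name, its arguments and return codes are hypothetical, and the "signing" location is only the prefix the message suspects.

```shell
#!/bin/sh
# Added example: report where sig_enforce is exposed and whether a
# module.sig_enforce request on the kernel command line took effect.
# $1 = sysfs module root (default /sys/module), $2 = cmdline file.
check_sig_enforce() {
    root=${1:-/sys/module}
    cmdline=${2:-/proc/cmdline}
    found=none
    value=
    # "module" is the prefix the message names; "signing" is the prefix
    # it suspects after the file move (an assumption, not confirmed).
    for prefix in module signing; do
        f="$root/$prefix/parameters/sig_enforce"
        if [ -r "$f" ]; then
            found=$prefix
            value=$(cat "$f")      # bool parameters read back as Y or N
            break
        fi
    done
    # A bare "module.sig_enforce" or a true value requests enforcement.
    requested=no
    if tr ' ' '\n' < "$cmdline" |
        grep -Eq '^module\.sig_enforce(=(1|[yY].*|on))?$'; then
        requested=yes
    fi
    echo "prefix=$found value=${value:-unset} cmdline_request=$requested"
    # Return 2 when enforcement was requested but is not in effect,
    # 1 when the parameter is only reachable under the unexpected prefix.
    if [ "$requested" = yes ] && [ "$value" != Y ]; then
        return 2
    fi
    if [ "$found" = signing ]; then
        return 1
    fi
    return 0
}
```

Called with no arguments, the function reads /sys/module and /proc/cmdline of the running kernel.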