[RFC,07/12] module: Move extra signature support out of core code

Message ID	20211228213041.1356334-8-atomlin@redhat.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-modules-owner@kernel.org> From: Aaron Tomlin <atomlin@redhat.com> To: mcgrof@kernel.org Cc: cl@linux.com, pmladek@suse.com, mbenes@suse.cz, akpm@linux-foundation.org, jeyu@kernel.org, linux-kernel@vger.kernel.org, linux-modules@vger.kernel.org, atomlin@atomlin.com, ghalat@redhat.com Subject: [RFC PATCH 07/12] module: Move extra signature support out of core code Date: Tue, 28 Dec 2021 21:30:36 +0000 Message-Id: <20211228213041.1356334-8-atomlin@redhat.com> In-Reply-To: <20211228213041.1356334-1-atomlin@redhat.com> References: <YbKUUJUtjBk/n913@bombadil.infradead.org> <20211228213041.1356334-1-atomlin@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	module: core code clean up \| expand [RFC,00/12] module: core code clean up [RFC,01/12] module: Move all into module/ [RFC,02/12] module: Simple refactor in preparation for split [RFC,03/12] module: Move livepatch support to a separate file [RFC,04/12] module: Move latched RB-tree support to a separate file [RFC,05/12] module: Move arch strict rwx support to a separate file [RFC,06/12] module: Move strict rwx support to a separate file [RFC,07/12] module: Move extra signature support out of core code [RFC,08/12] module: Move kmemleak support to a separate file [RFC,09/12] module: Move kallsyms support into a separate file [RFC,10/12] module: Move procfs support into a separate file [RFC,11/12] module: Move sysfs support into a separate file [RFC,12/12] module: Move kdb_modules list out of core code

diff --git a/include/linux/module.h b/include/linux/module.h index 218ac6768433..3383912268af 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -736,8 +736,8 @@ static inline bool is_livepatch_module(struct module *mod) } #endif /* CONFIG_LIVEPATCH */ -bool is_module_sig_enforced(void); -void set_module_sig_enforced(void); +extern bool is_module_sig_enforced(void); +extern void set_module_sig_enforced(void); #else /* !CONFIG_MODULES... */ @@ -927,6 +927,7 @@ static inline bool module_sig_ok(struct module *module) { return true; } +#define sig_enforce false #endif /* CONFIG_MODULE_SIG */ int module_kallsyms_on_each_symbol(int (*fn)(void *, const char *, diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 91ef152aeffb..b4db57bafcd3 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -63,3 +63,12 @@ static inline int copy_module_elf(struct module *mod, struct load_info *info) } static inline void free_module_elf(struct module *mod) { } #endif /* CONFIG_LIVEPATCH */ + +#ifdef CONFIG_MODULE_SIG +extern int module_sig_check(struct load_info *info, int flags); +#else /* !CONFIG_MODULE_SIG */ +static int module_sig_check(struct load_info *info, int flags) +{ + return 0; +} +#endif /* !CONFIG_MODULE_SIG */ diff --git a/kernel/module/main.c b/kernel/module/main.c index c404d00f7958..8f8a904d5ba7 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -22,7 +22,6 @@ #include <linux/vmalloc.h> #include <linux/elf.h> #include <linux/proc_fs.h> -#include <linux/security.h> #include <linux/seq_file.h> #include <linux/syscalls.h> #include <linux/fcntl.h> @@ -114,28 +113,6 @@ static void module_assert_mutex_or_preempt(void) #endif } -#ifdef CONFIG_MODULE_SIG -static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); -module_param(sig_enforce, bool_enable_only, 0644); - -void set_module_sig_enforced(void) -{ - sig_enforce = true; -} -#else -#define sig_enforce false -#endif - -/* - * Export sig_enforce kernel cmdline parameter to allow other subsystems rely - * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. - */ -bool is_module_sig_enforced(void) -{ - return sig_enforce; -} -EXPORT_SYMBOL(is_module_sig_enforced); - /* Block module loading/unloading? */ int modules_disabled = 0; core_param(nomodule, modules_disabled, bint, 0); @@ -2517,69 +2494,6 @@ static inline void kmemleak_load_module(const struct module *mod, } #endif -#ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags) -{ - int err = -ENODATA; - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; - const char *reason; - const void *mod = info->hdr; - - /* - * Require flags == 0, as a module with version information - * removed is no longer the module that was signed - */ - if (flags == 0 && - info->len > markerlen && - memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { - /* We truncate the module to discard the signature */ - info->len -= markerlen; - err = mod_verify_sig(mod, info); - if (!err) { - info->sig_ok = true; - return 0; - } - } - - /* - * We don't permit modules to be loaded into the trusted kernels - * without a valid signature on them, but if we're not enforcing, - * certain errors are non-fatal. - */ - switch (err) { - case -ENODATA: - reason = "unsigned module"; - break; - case -ENOPKG: - reason = "module with unsupported crypto"; - break; - case -ENOKEY: - reason = "module with unavailable key"; - break; - - default: - /* - * All other errors are fatal, including lack of memory, - * unparseable signatures, and signature check failures -- - * even if signatures aren't required. - */ - return err; - } - - if (is_module_sig_enforced()) { - pr_notice("Loading of %s is rejected\n", reason); - return -EKEYREJECTED; - } - - return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); -} -#else /* !CONFIG_MODULE_SIG */ -static int module_sig_check(struct load_info *info, int flags) -{ - return 0; -} -#endif /* !CONFIG_MODULE_SIG */ - static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr) { unsigned long secend; diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 8aeb6d2ee94b..ff41541e982a 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -11,9 +11,28 @@ #include <linux/module_signature.h> #include <linux/string.h> #include <linux/verification.h> +#include <linux/security.h> #include <crypto/public_key.h> #include "internal.h" +static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); +module_param(sig_enforce, bool_enable_only, 0644); + +/* + * Export sig_enforce kernel cmdline parameter to allow other subsystems rely + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. + */ +bool is_module_sig_enforced(void) +{ + return sig_enforce; +} +EXPORT_SYMBOL(is_module_sig_enforced); + +void set_module_sig_enforced(void) +{ + sig_enforce = true; +} + /* * Verify the signature on a module. */ @@ -43,3 +62,59 @@ int mod_verify_sig(const void *mod, struct load_info *info) VERIFYING_MODULE_SIGNATURE, NULL, NULL); } + +int module_sig_check(struct load_info *info, int flags) +{ + int err = -ENODATA; + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; + const void *mod = info->hdr; + + /* + * Require flags == 0, as a module with version information + * removed is no longer the module that was signed + */ + if (flags == 0 && + info->len > markerlen && + memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { + /* We truncate the module to discard the signature */ + info->len -= markerlen; + err = mod_verify_sig(mod, info); + if (!err) { + info->sig_ok = true; + return 0; + } + } + + /* + * We don't permit modules to be loaded into the trusted kernels + * without a valid signature on them, but if we're not enforcing, + * certain errors are non-fatal. + */ + switch (err) { + case -ENODATA: + reason = "unsigned module"; + break; + case -ENOPKG: + reason = "module with unsupported crypto"; + break; + case -ENOKEY: + reason = "module with unavailable key"; + break; + + default: + /* + * All other errors are fatal, including lack of memory, + * unparseable signatures, and signature check failures -- + * even if signatures aren't required. + */ + return err; + } + + if (is_module_sig_enforced()) { + pr_notice("Loading of %s is rejected\n", reason); + return -EKEYREJECTED; + } + + return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); +}

[RFC,07/12] module: Move extra signature support out of core code

Commit Message

Patch