The following changes since commit 9448598b22c50c8a5bb77a9103e2d49f134c9578:
Linux 6.19-rc2 (2025-12-21 15:52:04 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux.git
tags/modules-7.0-rc1
for you to fetch changes up to b68758e6f4307179247126b7641fa7ba7109c820:
modules: moduleparam.h: fix kernel-doc comments (2025-12-22 16:35:54 +0000)
----------------------------------------------------------------
Modules changes for v7.0-rc1
Module signing:
- Remove SHA-1 support for signing modules. SHA-1 is no longer
considered secure for signatures due to vulnerabilities that can
lead to hash collisions. None of the major distributions use
SHA-1 anymore, and the kernel has defaulted to SHA-512 since
v6.11. Note that loading SHA-1 signed modules is still supported.
- Update scripts/sign-file to use only the OpenSSL CMS API for
signing. As SHA-1 support is gone, we can drop the legacy PKCS#7
API which was limited to SHA-1. This also cleans up support for
legacy OpenSSL versions.
Cleanups and fixes:
- Use system_dfl_wq instead of the per-cpu system_wq following the
ongoing workqueue API refactoring.
- Avoid open-coded kvrealloc() in module decompression logic by
using the standard helper.
- Improve section annotations by replacing the custom __modinit
with __init_or_module and removing several unused __INIT*_OR_MODULE
macros.
- Fix kernel-doc warnings in include/linux/moduleparam.h.
- Ensure set_module_sig_enforced is only declared when module
signing is enabled.
- Fix gendwarfksyms build failures on 32-bit hosts.
MAINTAINERS:
- Update the module subsystem entry to reflect the maintainer
rotation and update the git repository link.
The changes have been soaking in linux-next since -rc2.
Note that like Daniel mentioned in the previous pull request [1], we
rotate maintainership every 6 months, and I will be handling the module
subsystem pull requests for the first half of this year.
Link: https://lore.kernel.org/r/[email protected] [1]
Signed-off-by: Sami Tolvanen <[email protected]>
----------------------------------------------------------------
Conflicts:
There's a linux-next conflict with dhowells' keys-next branch. Specifically,
the keys-next commit
0ad9a71933e73 ("modsign: Enable ML-DSA module signing")
conflicts with
d7afd65b4acc ("sign-file: Use only the OpenSSL CMS API for signing")
Here's a suggested resolution from Mark Brown, which has been applied to
linux-next:
diff --cc scripts/sign-file.c
index 16f2bf2e1e3c,78276b15ab23..bd269a2bbf26
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@@ -206,10 -228,15 +206,11 @@@ int main(int argc, char **argv
bool raw_sig = false;
unsigned char buf[4096];
unsigned long module_size, sig_size;
- unsigned int use_signed_attrs;
++ unsigned int use_signed_attrs = CMS_NOATTR;
const EVP_MD *digest_algo;
EVP_PKEY *private_key;
-#ifndef USE_PKCS7
CMS_ContentInfo *cms = NULL;
unsigned int use_keyid = 0;
-#else
- PKCS7 *pkcs7 = NULL;
-#endif
X509 *x509;
BIO *bd, *bm;
int opt, n;
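Review bot: the new initialiser `unsigned int use_signed_attrs = CMS_NOATTR;` makes a variable whose name says "use signed attributes" default to the flag that switches them off. A one-line comment at the declaration saying that a value of 0 means signed attributes are emitted would stop a reader inverting the logic. The `use_keyid = 0` declaration next to it, which follows the same "flag or zero" convention, could share that comment.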
@@@ -271,20 -314,49 +272,40 @@@
digest_algo = EVP_get_digestbyname(hash_algo);
ERR(!digest_algo, "EVP_get_digestbyname");
-#ifndef USE_PKCS7
-
+ unsigned int flags =
+ CMS_NOCERTS |
+ CMS_PARTIAL |
+ CMS_BINARY |
+ CMS_DETACHED |
+ CMS_STREAM |
+ CMS_NOSMIMECAP |
+ #ifdef CMS_NO_SIGNING_TIME
+ CMS_NO_SIGNING_TIME |
+ #endif
+ use_keyid;
+
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER <
0x40000000L
+ if (EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
+ EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
+ EVP_PKEY_is_a(private_key, "ML-DSA-87")) {
+ /* ML-DSA + CMS_NOATTR is not supported in openssl-3.5
+ * and before.
+ */
+ use_signed_attrs = 0;
+ }
+ #endif
+
+ flags |= use_signed_attrs;
+
/* Load the signature message from the digest buffer. */
- cms = CMS_sign(NULL, NULL, NULL, NULL,
- CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
- CMS_DETACHED | CMS_STREAM);
+ cms = CMS_sign(NULL, NULL, NULL, NULL, flags);
ERR(!cms, "CMS_sign");
- ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
- CMS_NOCERTS | CMS_BINARY |
- CMS_NOSMIMECAP | CMS_NOATTR |
- use_keyid),
+ ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
flags),
"CMS_add1_signer");
- ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1,
+ ERR(CMS_final(cms, bm, NULL, flags) != 1,
"CMS_final");
-#else
- pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
- PKCS7_NOCERTS | PKCS7_BINARY |
- PKCS7_DETACHED | use_signed_attrs);
- ERR(!pkcs7, "PKCS7_sign");
-#endif
-
if (save_sig) {
char *sig_file_name;
BIO *b;
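Review bot: the single `flags` value is passed unchanged to `CMS_sign()`, `CMS_add1_signer()` and `CMS_final()`, whereas the removed lines gave each call its own narrower set (`CMS_final()` took only `CMS_NOCERTS | CMS_BINARY`, and `CMS_add1_signer()` did not receive `CMS_PARTIAL`, `CMS_DETACHED` or `CMS_STREAM`). Please confirm that handing the full union to all three calls is intended, or keep per-call masks. Separately, the guard `OPENSSL_VERSION_NUMBER >= 0x30000000L && ... < 0x40000000L` covers every 3.x release while the comment says "openssl-3.5 and before"; one of the two should be adjusted so they describe the same range. The `unsigned int flags =` declaration also lands after executable statements in `main()`, so moving it up to the declarations shown in the first hunk would keep the function's existing layout.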
----------------------------------------------------------------
Coiby Xu (1):
module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
Kees Cook (1):
module/decompress: Avoid open-coded kvrealloc()
Marco Crivellari (1):
module: replace use of system_wq with system_dfl_wq
Petr Pavlu (4):
module: Remove unused __INIT*_OR_MODULE macros
params: Replace __modinit with __init_or_module
module: Remove SHA-1 support for module signing
sign-file: Use only the OpenSSL CMS API for signing
Randy Dunlap (1):
modules: moduleparam.h: fix kernel-doc comments
Sami Tolvanen (2):
MAINTAINERS: Update module subsystem maintainers and repository
gendwarfksyms: Fix build on 32-bit hosts
MAINTAINERS | 4 +--
include/linux/module.h | 18 ++++-------
include/linux/moduleparam.h | 8 +++--
kernel/module/Kconfig | 5 ----
kernel/module/decompress.c | 10 +++----
kernel/module/dups.c | 4 +--
kernel/params.c | 15 ++++------
scripts/gendwarfksyms/dwarf.c | 4 ++-
scripts/gendwarfksyms/symbols.c | 5 ++--
scripts/sign-file.c | 66 ++---------------------------------------
10 files changed, 35 insertions(+), 104 deletions(-)
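
Because loading SHA-1 signed modules remains supported, an audit of already-built modules is a natural follow-up. The sketch below is an added example, not code from this pull request or from the kernel tree. It reads the appended signature trailer of an uncompressed module image and reports whether the CMS blob mentions the SHA-1 OID. The names `classify_module_sig` and `enum sig_digest` are made up for the example, the OID search is a heuristic rather than a full ASN.1 parse, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_MAGIC "~Module signature appended~\n" /* kernel MODULE_SIG_STRING */
#define PKEY_ID_PKCS7 2   /* id_type value used for PKCS#7/CMS signatures */
#define TRAILER_LEN 12    /* sizeof(struct module_signature) */

enum sig_digest { SIG_NONE, SIG_MALFORMED, SIG_SHA1, SIG_OTHER };

/* DER encoding of the SHA-1 OID 1.3.14.3.2.26 */
static const uint8_t sha1_oid[] = { 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a };

/*
 * Layout at the end of a signed module: [ELF][CMS blob][trailer][magic].
 * Trailer bytes: algo, hash, id_type, signer_len, key_id_len, pad[3],
 * then a big-endian 32-bit length of the CMS blob.
 */
enum sig_digest classify_module_sig(const uint8_t *img, size_t len)
{
    const size_t mlen = sizeof(SIG_MAGIC) - 1;
    const uint8_t *t, *sig;
    size_t sig_len, i;

    if (len < mlen || memcmp(img + len - mlen, SIG_MAGIC, mlen) != 0)
        return SIG_NONE;                      /* no appended signature */
    len -= mlen;
    if (len < TRAILER_LEN)
        return SIG_MALFORMED;
    t = img + len - TRAILER_LEN;
    len -= TRAILER_LEN;
    sig_len = ((size_t)t[8] << 24) | ((size_t)t[9] << 16) |
              ((size_t)t[10] << 8) | t[11];
    if (t[2] != PKEY_ID_PKCS7 || sig_len == 0 || sig_len > len)
        return SIG_MALFORMED;
    sig = img + len - sig_len;
    /* Heuristic: look for the SHA-1 digest OID anywhere in the CMS blob. */
    for (i = 0; i + sizeof(sha1_oid) <= sig_len; i++)
        if (memcmp(sig + i, sha1_oid, sizeof(sha1_oid)) == 0)
            return SIG_SHA1;
    return SIG_OTHER;
}

int main(void)
{
    /* Constructed sample: 4 body bytes, 9-byte stand-in CMS blob, trailer, magic. */
    static const uint8_t sample[] = "\x7f""ELF"
        "\x30\x07\x06\x05\x2b\x0e\x03\x02\x1a"
        "\0\0\2\0\0\0\0\0\0\0\0\x09" SIG_MAGIC;
    printf("%d\n", (int)classify_module_sig(sample, sizeof(sample) - 1));
    return 0;
}
```

Compressed modules (.ko.xz, .ko.zst, .ko.gz) have to be decompressed before the trailer can be found at the end of the image.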