On 2026-05-26 12:53:22+0200, Petr Pavlu wrote: > On 5/5/26 11:05 AM, Thomas Weißschuh wrote: > > The module authentication functionality will also be used by the > > hash-based module authentication. Split it out from CONFIG_MODULE_SIG > > so it is usable by both. > > > > Signed-off-by: Thomas Weißschuh <[email protected]> > > [...] > > diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig > > index f535181e0d98..84297da666ff 100644 > > --- a/kernel/module/Kconfig > > +++ b/kernel/module/Kconfig > > @@ -271,9 +271,12 @@ config MODULE_SIG > > debuginfo strip done by some packagers (such as rpmbuild) and > > inclusion into an initramfs that wants the module size reduced. > > > > +config MODULE_AUTH > > + def_bool MODULE_SIG > > + > > config MODULE_SIG_FORCE > > bool "Require modules to be validly signed" > > - depends on MODULE_SIG > > + depends on MODULE_AUTH > > help > > Reject unsigned modules or signed modules for which we don't have a > > key. Without this, such modules will simply taint the kernel. > > Should MODULE_SIG_FORCE be renamed to MODULE_AUTH_FORCE, along with > renaming the sig_enforce functionality in kernel/module/auth.c to > auth_enforce?
Given that it is a user-visible symbol we'll need to be a bit careful not to break existing configurations. I'll try to use the new "transitional" kconfig attribute. Thomas
