On 2026-01-29 15:44:31+0100, Petr Pavlu wrote: > On 1/13/26 1:28 PM, Thomas Weißschuh wrote: > > The upcoming CONFIG_MODULE_HASHES will introduce a signature type. > > This needs to be handled by callers differently than PKCS7 signatures. > > > > Report the signature type to the caller and let them verify it. > > > > Signed-off-by: Thomas Weißschuh <[email protected]> > > --- > > [...] > > diff --git a/kernel/module/main.c b/kernel/module/main.c > > index d65bc300a78c..2a28a0ece809 100644 > > --- a/kernel/module/main.c > > +++ b/kernel/module/main.c > > @@ -3348,19 +3348,24 @@ static int module_integrity_check(struct load_info > > *info, int flags) > > { > > bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS | > > MODULE_INIT_IGNORE_VERMAGIC); > > + enum pkey_id_type sig_type; > > size_t sig_len; > > const u8 *sig; > > int err = 0; > > > > if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) { > > err = mod_split_sig(info->hdr, &info->len, mangled_module, > > - &sig_len, &sig, "module"); > > + &sig_type, &sig_len, &sig, "module"); > > if (err) > > return err; > > } > > > > - if (IS_ENABLED(CONFIG_MODULE_SIG)) > > + if (IS_ENABLED(CONFIG_MODULE_SIG) && sig_type == PKEY_ID_PKCS7) { > > err = module_sig_check(info, sig, sig_len); > > + } else { > > + pr_err("module: not signed with expected PKCS#7 message\n"); > > + err = -ENOPKG; > > + } > > The new else branch means that if the user chooses not to configure any > module integrity policy, they will no longer be able to load any > modules. I think this entire if-else part should be moved under the > IS_ENABLED(CONFIG_MODULE_SIG_POLICY) block above, as I'm mentioning on > patch #12.
Ack.
