Additional signature types are about to be added.
As each caller of mod_check_sig() can have different support for these,
move the type validation into the callers.

Signed-off-by: Thomas Weißschuh <[email protected]>
---
 kernel/module/auth.c                | 5 +++++
 kernel/module_signature.c           | 8 +-------
 security/integrity/ima/ima_modsig.c | 5 +++++
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/kernel/module/auth.c b/kernel/module/auth.c
index 831a13eb0c9b..21e49eb4967c 100644
--- a/kernel/module/auth.c
+++ b/kernel/module/auth.c
@@ -48,6 +48,11 @@ static int mod_verify_sig(const void *mod, struct load_info 
*info)
 
        memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
 
+       if (ms.id_type != MODULE_SIGNATURE_TYPE_PKCS7) {
+               pr_err("module: not signed with expected PKCS#7 message\n");
+               return -ENOPKG;
+       }
+
        ret = mod_check_sig(&ms, modlen, "module");
        if (ret)
                return ret;
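Review bot: The new `id_type` test runs before `mod_check_sig()`, so it now takes precedence over the `sig_len` bounds check that used to come first inside that function. A trailer with both an out-of-range `sig_len` and a non-PKCS#7 `id_type` previously returned -EBADMSG and now returns -ENOPKG. The same reordering applies to the `ima_read_modsig()` hunk. If the signature-enforcement path (outside this diff) treats -ENOPKG more leniently than -EBADMSG, this changes which malformed modules are rejected outright, so confirm it and record the new precedence in the commit message. Alternatively, keep the structural check first by moving the test after the `if (ret) return ret;` that follows `mod_check_sig(&ms, modlen, "module")`. The body of `mod_verify_sig()` starts and continues outside this hunk.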
diff --git a/kernel/module_signature.c b/kernel/module_signature.c
index a0eee2fe4368..4d0476bcdb72 100644
--- a/kernel/module_signature.c
+++ b/kernel/module_signature.c
@@ -24,12 +24,6 @@ int mod_check_sig(const struct module_signature *ms, size_t 
file_len,
        if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
                return -EBADMSG;
 
-       if (ms->id_type != MODULE_SIGNATURE_TYPE_PKCS7) {
-               pr_err("%s: not signed with expected PKCS#7 message\n",
-                      name);
-               return -ENOPKG;
-       }
-
        if (ms->algo != 0 ||
            ms->hash != 0 ||
            ms->signer_len != 0 ||
@@ -37,7 +31,7 @@ int mod_check_sig(const struct module_signature *ms, size_t 
file_len,
            ms->__pad[0] != 0 ||
            ms->__pad[1] != 0 ||
            ms->__pad[2] != 0) {
-               pr_err("%s: PKCS#7 signature info has unexpected non-zero 
params\n",
+               pr_err("%s: signature info has unexpected non-zero params\n",
                       name);
                return -EBADMSG;
        }
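Review bot: After this change `mod_check_sig()` validates only `sig_len` and the must-be-zero fields visible in this hunk, and nothing in the function records that `id_type` is now the caller's job. A future caller that omits the test would accept any `id_type` value without complaint. The function's header comment (outside this hunk) should state the contract, for example `/* Does not validate ms->id_type; callers must reject types they do not support. */`. The reworded message `"%s: signature info has unexpected non-zero params\n"` itself reads fine.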
diff --git a/security/integrity/ima/ima_modsig.c 
b/security/integrity/ima/ima_modsig.c
index 632c746fd81e..ebfcdd368a2a 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -57,6 +57,11 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, 
loff_t buf_len,
        buf_len -= marker_len;
        sig = (const struct module_signature *)(p - sizeof(*sig));
 
+       if (sig->id_type != MODULE_SIGNATURE_TYPE_PKCS7) {
+               pr_err("%s: not signed with expected PKCS#7 message\n", 
func_tokens[func]);
+               return -ENOPKG;
+       }
+
        rc = mod_check_sig(sig, buf_len, func_tokens[func]);
        if (rc)
                return rc;

-- 
2.54.0

