Reorganize the code to make it easier to add the new hash-based module authentication.
Also drop the now unnecessary stub for module_sig_check().
Signed-off-by: Thomas Weißschuh <[email protected]>
---
 kernel/module/auth.c | 17 ++++++++++++++---
 kernel/module/internal.h | 8 --------
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/kernel/module/auth.c b/kernel/module/auth.c
index 21e49eb4967c..2ee512d26790 100644
--- a/kernel/module/auth.c
+++ b/kernel/module/auth.c
@@ -37,6 +37,14 @@ void set_module_sig_enforced(void)
 sig_enforce = true;
 }
+static __always_inline bool mod_sig_type_valid(enum module_signature_type id_type)
+{
+ if (id_type == MODULE_SIGNATURE_TYPE_PKCS7 && IS_ENABLED(CONFIG_MODULE_SIG))
+ return true;
+
+ return false;
+}
+
 static int mod_verify_sig(const void *mod, struct load_info *info)
 {
 struct module_signature ms;
@@ -48,8 +56,8 @@ static int mod_verify_sig(const void *mod, struct load_info *info)
 memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
- if (ms.id_type != MODULE_SIGNATURE_TYPE_PKCS7) {
- pr_err("module: not signed with expected PKCS#7 message\n");
+ if (!mod_sig_type_valid(ms.id_type)) {
+ pr_err("module: not signed with expected signature\n");
 return -ENOPKG;
 }
@@ -61,7 +69,10 @@ static int mod_verify_sig(const void *mod, struct load_info *info)
 modlen -= sig_len + sizeof(ms);
 info->len = modlen;
- return module_sig_check(mod, modlen, mod + modlen, sig_len);
+ if (ms.id_type == MODULE_SIGNATURE_TYPE_PKCS7 && IS_ENABLED(CONFIG_MODULE_SIG))
+ return module_sig_check(mod, modlen, mod + modlen, sig_len);
+
+ return 0;
 }
 int module_auth_check(struct load_info *info, int flags)
diff --git a/kernel/module/internal.h b/kernel/module/internal.h
index d923e31a5d8e..aabe7f8e1af4 100644
--- a/kernel/module/internal.h
+++ b/kernel/module/internal.h
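Review bot: mod_sig_type_valid() in the first auth.c hunk has no comment saying that it is the allow-list of signature types this build accepts, nor that each accepted type needs its own verification branch at the end of mod_verify_sig(). That contract matters because the dispatch in the third hunk repeats the same condition by hand. I would add above the helper `/* Signature types this configuration can verify; every type accepted here must be dispatched in mod_verify_sig(). */`. The body can also be the single expression `return id_type == MODULE_SIGNATURE_TYPE_PKCS7 && IS_ENABLED(CONFIG_MODULE_SIG);`.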
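Review bot: The replacement message in the second auth.c hunk, `not signed with expected signature`, tells a log reader less than the PKCS#7 wording it replaces and does not say which type was refused. This is the path that rejects a module, so the rejected value is worth recording for triage, for example `pr_err("module: unsupported signature type %u\n", ms.id_type);`. mod_verify_sig() begins and ends outside this hunk, so how `ms` is bounds-checked before the memcpy is not visible here.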
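Review bot: The trailing `return 0;` added in the third auth.c hunk makes mod_verify_sig() fail open, because a signature type that passes mod_sig_type_valid() but has no branch here is reported as verified without any check. Today the two conditions are identical and the line is unreachable, but they are written twice and can drift when a second type is added. The default should be a rejection, `return -ENOPKG;`, so a missing branch refuses the module rather than accepting it. With the stub gone from internal.h, the call also relies on `IS_ENABLED(CONFIG_MODULE_SIG)` staying in the same condition so that the reference is compiled out when the option is off; a one-line comment saying so would keep a later edit from separating them.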
@@ -335,15 +335,7 @@ int module_enforce_rwx_sections(const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs,
 void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
 const char *secstrings);
-#ifdef CONFIG_MODULE_SIG
 int module_sig_check(const void *mod, size_t mod_len, const void *sig, size_t sig_len);
-#else /* !CONFIG_MODULE_SIG */
-static inline int module_sig_check(const void *mod, size_t mod_len,
- const void *sig, size_t sig_len)
-{
- return 0;
-}
-#endif /* !CONFIG_MODULE_SIG */
 #ifdef CONFIG_MODULE_AUTH
 int module_auth_check(struct load_info *info, int flags);
--
2.54.0
