On Wed, Dec 25, 2024 at 11:52:00PM +0100, Thomas Weißschuh wrote:
> diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
> index 7b329057997ad2ec310133ca84617d9bfcdb7e9f..57d317a6fa444195d0806e6bd7a2af6e338a7f01 100644
> --- a/kernel/module/Kconfig
> +++ b/kernel/module/Kconfig
> @@ -344,6 +344,17 @@ config MODULE_DECOMPRESS
>
> If unsure, say N.
>
> +config MODULE_HASHES
> + bool "Module hash validation"
> + depends on !MODULE_SIG
Why are these mutually exclusive? Can't you want module signatures *and*
this as well? What distro which is using module signatures would switch
to this as an alternative instead? The help menu does not clarify any of
this at all, and neither does the patch.
> + select CRYPTO_LIB_SHA256
> + help
> + Validate modules by their hashes.
> + Only modules built together with the main kernel image can be
> + validated that way.
> +
> + Also see the warning in MODULE_SIG about stripping modules.
> +
> config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
> bool "Allow loading of modules with missing namespace imports"
> help
> diff --git a/kernel/module/Makefile b/kernel/module/Makefile
> index 50ffcc413b54504db946af4dce3b41dc4aece1a5..6fe0c14ca5a05b49c1161fcfa8aaa130f89b70e1 100644
> --- a/kernel/module/Makefile
> +++ b/kernel/module/Makefile
> @@ -23,3 +23,4 @@ obj-$(CONFIG_KGDB_KDB) += kdb.o
> obj-$(CONFIG_MODVERSIONS) += version.o
> obj-$(CONFIG_MODULE_UNLOAD_TAINT_TRACKING) += tracking.o
> obj-$(CONFIG_MODULE_STATS) += stats.o
> +obj-$(CONFIG_MODULE_HASHES) += hashes.o
> diff --git a/kernel/module/hashes.c b/kernel/module/hashes.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..f19eccb0e3754e3edbf5cdea6d418da5c6ae6c65
> --- /dev/null
> +++ b/kernel/module/hashes.c
> @@ -0,0 +1,51 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +
> +#define pr_fmt(fmt) "module/hash: " fmt
> +
> +#include <linux/int_log.h>
> +#include <linux/module_hashes.h>
> +#include <linux/module.h>
> +#include <crypto/sha2.h>
> +#include "internal.h"
> +
> +static inline size_t module_hashes_count(void)
> +{
> + return (__stop_module_hashes - __start_module_hashes) / MODULE_HASHES_HASH_SIZE;
> +}
> +
> +static __init __maybe_unused int module_hashes_init(void)
> +{
> + size_t num_hashes = module_hashes_count();
> + int num_width = (intlog10(num_hashes) >> 24) + 1;
> + size_t i;
> +
> + pr_debug("Builtin hashes (%zu):\n", num_hashes);
> +
> + for (i = 0; i < num_hashes; i++)
> + pr_debug("%*zu %*phN\n", num_width, i,
> + (int)sizeof(module_hashes[i]), module_hashes[i]);
> +
> + return 0;
> +}
> +
> +#ifdef DEBUG
We have MODULE_DEBUG so just add depend on that and leverage that for
this instead.
> diff --git a/scripts/module-hashes.sh b/scripts/module-hashes.sh
> new file mode 100755
> index 0000000000000000000000000000000000000000..7ca4e84f4c74266b9902d9f377aa2c901a06f995
> --- /dev/null
> +++ b/scripts/module-hashes.sh
> @@ -0,0 +1,26 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +
> +set -e
> +set -u
> +set -o pipefail
> +
> +prealloc="${1:-}"
> +
> +echo "#include <linux/module_hashes.h>"
> +echo
> +echo "const u8 module_hashes[][MODULE_HASHES_HASH_SIZE] __module_hashes_section = {"
> +
> +for mod in $(< modules.order); do
> + mod="${mod/%.o/.ko}"
> + if [ "$prealloc" = "prealloc" ]; then
> + modhash=""
> + else
> + modhash="$(cksum -a sha256 --raw "$mod" | hexdump -v -e '"0x" 1/1 "%02x, "')"
> + fi
> + echo " /* $mod */"
> + echo " { $modhash },"
> + echo
> +done
> +
> +echo "};"
Parallelize this.
Luis
