David Howells <dhowells@xxxxxxxxxx> wrote:
> James Johnston <johnstonj.public@xxxxxxxxxxxx> wrote:
>
> > -If CONFIG_MODULE_SIG_FORCE is enabled or enforcemodulesig=1 is
> > supplied on
> > +If CONFIG_MODULE_SIG_FORCE is enabled or module.sig_enforce=1 is
> > +supplied
>
> You're definitely right about the change from enforcemodulesig to
> sig_enforce, but how does the "module." come about?

It was reviewed by you 3.5 years ago. :)

https://github.com/torvalds/linux/commit/106a4ee258d14818467829bf0e12aeae14c16cd7#diff-04da0379417c7dc6cf47548c26e69236

In Documentation/kernel-parameters.txt:

    module.sig_enforce
            [KNL] When CONFIG_MODULE_SIG is set, this means that
            modules without (valid) signatures will fail to load.
            Note that if CONFIG_MODULE_SIG_FORCE is set, that
            is always true, so this option does nothing.

The top of kernel-parameters.txt is also explicit that module parameters
must be prefixed with a module name prefix, in this case "module." It
sounds weird that the code loading modules is itself a module, but I guess
that's how it works from a parameters standpoint? (The code in
kernel/module.c certainly makes use of the normal module parameter macros;
I guess that's how "module." prefix comes about.)

In practice, I'm running an Ubuntu 4.2.0-30-generic kernel and this
parameter can be seen in /sys/module and is controlled by the kernel
cmdline:

    $ cat /sys/module/module/parameters/sig_enforce
    Y
    $ cat /proc/cmdline
    <snip snip snip> module.sig_enforce=1
    $ grep CONFIG_MODULE_SIG_FORCE /boot/config-4.2.0-30-generic
    # CONFIG_MODULE_SIG_FORCE is not set

And I tested to verify that some unsigned drivers I had did not load.

If I reboot and change my cmdline to just "sig_enforce=1" then the above
sig_enforce /sys parameters file reverts to "N", indicating that the
"module." prefix is required.
James
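
The three checks in the message above, combined into one audit script. This is an added example, not part of the original thread or the kernel tree. The function names are hypothetical, the /boot/config-<release> path follows the Ubuntu layout shown in the message, and only the values 1, y and Y are treated as enabling the parameter.

```shell
#!/bin/sh
# Added example: decide whether module signature enforcement is active,
# using the kernel config, the kernel command line and the sysfs parameter.

# cmdline_verdict CMDLINE -> enforced | wrong-name | absent
cmdline_verdict() {
    verdict=absent
    set -f                      # no glob expansion while splitting tokens
    for tok in $1; do
        case "$tok" in
            module.sig_enforce=1|module.sig_enforce=[yY])
                verdict=enforced ;;
            sig_enforce=*|enforcemodulesig=*)
                # Missing "module." prefix, or the old documented spelling.
                [ "$verdict" = enforced ] || verdict=wrong-name ;;
        esac
    done
    set +f
    echo "$verdict"
}

# enforcement_state CONFIG_TEXT CMDLINE SYSFS_VALUE -> one-line verdict
enforcement_state() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_MODULE_SIG_FORCE=y'; then
        echo "enforced: CONFIG_MODULE_SIG_FORCE=y"
    elif [ "$3" = Y ]; then
        echo "enforced: module.sig_enforce"
    elif [ "$(cmdline_verdict "$2")" = wrong-name ]; then
        echo "NOT enforced: cmdline option lacks the module. prefix"
    else
        echo "NOT enforced"
    fi
}

# check_live: the same verdict for the running system. Unreadable files are
# treated as empty, so a kernel without CONFIG_MODULE_SIG reports NOT enforced.
check_live() {
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || true)
    sysfs=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || true)
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    enforcement_state "$cfg" "$cmdline" "$sysfs"
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with --live on a host to get the verdict for the booted kernel; without arguments it only defines the functions.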