Hi!
Thanks for reaching out, also your work on this is much appreciated and
followed with great interest. <3
On 1/20/25 6:44 PM, Thomas Weißschuh wrote:
diff --git a/kernel/module/main.c b/kernel/module/main.c
index effe1db02973d4f60ff6cbc0d3b5241a3576fa3e..094ace81d795711b56d12a2abc75ea35449c8300 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3218,6 +3218,12 @@ static int module_integrity_check(struct load_info *info, int flags)
{
int err = 0;
+ if (IS_ENABLED(CONFIG_MODULE_HASHES)) {
+ err = module_hash_check(info, flags);
+ if (!err)
+ return 0;
+ }
+
if (IS_ENABLED(CONFIG_MODULE_SIG))
err = module_sig_check(info, flags);
From how I'm reading this (please let me know if I'm wrong):
## !CONFIG_MODULE_HASHES && !CONFIG_MODULE_SIG
No special checks, CAP_SYS_MODULE only.
## !CONFIG_MODULE_HASHES && CONFIG_MODULE_SIG
No change from how things work today:
- if the module signature verifies the module is permitted
- else, if sig_enforce=1, the module is rejected
- else, if lockdown mode is enabled, the module is rejected
- else, the module is permitted
## CONFIG_MODULE_HASHES && CONFIG_MODULE_SIG
This configuration is the one relevant for Arch Linux:
- if the module is in the set of allowed module_hashes it is permitted
- else, if the module signature verifies, the module is permitted
- else, if sig_enforce=1, the module is rejected
- else, if lockdown mode is enabled, the module is rejected
- else, the module is permitted
## CONFIG_MODULE_HASHES && !CONFIG_MODULE_SIG
This one is new:
- if the module is in the set of allowed module_hashes it is permitted
- else, if lockdown mode is enabled, the module is rejected
- else, the module is permitted
---
This all seems reasonable to me, maybe the check for
is_module_sig_enforced() could be moved from kernel/module/signing.c to
kernel/module/main.c, otherwise `sig_enforce=1` would not have any
effect for a `CONFIG_MODULE_HASHES && !CONFIG_MODULE_SIG` kernel.
cheers,
kpcyrd
