GET /api/1.2/patches/2232779/?format=api
{ "id": 2232779, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2232779/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260505-module-hashes-v5-8-e174a5a49fce@weissschuh.net/", "project": { "id": 2, "url": "http://patchwork.ozlabs.org/api/1.2/projects/2/?format=api", "name": "Linux PPC development", "link_name": "linuxppc-dev", "list_id": "linuxppc-dev.lists.ozlabs.org", "list_email": "linuxppc-dev@lists.ozlabs.org", "web_url": "https://github.com/linuxppc/wiki/wiki", "scm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git", "webscm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/", "list_archive_url": "https://lore.kernel.org/linuxppc-dev/", "list_archive_url_format": "https://lore.kernel.org/linuxppc-dev/{}/", "commit_url_format": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}" }, "msgid": "<20260505-module-hashes-v5-8-e174a5a49fce@weissschuh.net>", "list_archive_url": "https://lore.kernel.org/linuxppc-dev/20260505-module-hashes-v5-8-e174a5a49fce@weissschuh.net/", "date": "2026-05-05T09:05:12", "name": "[v5,08/14] module: Move authentication logic into dedicated new file", "commit_ref": null, "pull_url": null, "state": "handled-elsewhere", "archived": false, "hash": "6e5e0e4152456b0a90ddc14b16055be99a5b2df2", "submitter": { "id": 82751, "url": "http://patchwork.ozlabs.org/api/1.2/people/82751/?format=api", "name": "Thomas Weißschuh", "email": "linux@weissschuh.net" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260505-module-hashes-v5-8-e174a5a49fce@weissschuh.net/mbox/", "series": [ { "id": 502791, "url": "http://patchwork.ozlabs.org/api/1.2/series/502791/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=502791", "date": "2026-05-05T09:05:17", "name": "module: Introduce hash-based integrity checking", "version": 5, "mbox": 
"http://patchwork.ozlabs.org/series/502791/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2232779/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2232779/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <linuxppc-dev+bounces-20465-incoming=patchwork.ozlabs.org@lists.ozlabs.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linuxppc-dev@lists.ozlabs.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=aIgpWDKX;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-20465-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)", "lists.ozlabs.org;\n arc=none smtp.remote-ip=159.69.126.157", "lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net", "lists.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=aIgpWDKX;\n\tdkim-atps=neutral", "lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=weissschuh.net\n (client-ip=159.69.126.157; helo=todd.t-8ch.de;\n envelope-from=linux@weissschuh.net; receiver=lists.ozlabs.org)" ], "Received": [ "from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g8t9b1Yd8z1yJV\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 05 May 2026 19:13:55 +1000 (AEST)", "from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 
4g8t9B4LHpz2yjx;\n\tTue, 05 May 2026 19:13:34 +1000 (AEST)", "from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4g8t971Xs5z30V0\n\tfor <linuxppc-dev@lists.ozlabs.org>; Tue, 05 May 2026 19:13:31 +1000 (AEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1777972413;\n\tcv=none;\n b=n+9gRcsdUtE3LgL9WIqQGV6jZqen9255WpqBAx7RZ6iLOQYdmyyHoZRkzIB6Tp5a1G6L06gT+0ShqI4nqdOdRI5jueGrCy+ZN0xrXhGejj70LxcySePLIZTXmpBCpUSJ3Vsli9IbXgOMv3277cpYdJBzHMSTDW8bFNwgK7HbpqjI3dDGLHscKKuAsEl59aEYBqPXaMIVfeOcY7awwdZjHPi+OjdfLs0XBxHPB6TpXahEQX5V51S8gwkPuAAxZ16NgMM3zZyx07ZFQHZPja4fJfUoYEaknhckYUYqpVbVPzpdiazH+9AVHcetl8eD9tDn4o2KzZl67GpLgwT3q0g7bg==", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1777972413; c=relaxed/relaxed;\n\tbh=cC1QOMrwJPtD95LiyfR97c/VRpJ1ZihG5A+4cX/zfuM=;\n\th=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:\n\t In-Reply-To:To:Cc;\n b=UwwJWwZSiiuU/DqG/5H6gbWMLC8S3AhKX4I+3r+56NWESo3MD1uB4z1qYCeJf2Uc3sewWPIIfUREZjiru6/2Y2y80qw5nSJIep8hIDQpZD8XLZzY7sHbMECbnG1X6dhtKMsP9nbsoXpc/lWSh7Fk9MKow72nA6Rb9Mslh8Mu5L36r32X3w73AFL6e21M3au3UdLEro/x+huHUTVmpkOFjPqllbkGPlVST3is/R/8ZVCIj8T15viQpEV/JdjMkTJsJ8ZBMOuuO3yiQhFDmduB4QXpZEGaGk//79Lcb31Wp4sUUvECsLvhJuYf5x7pj4ZSyxdpwJda/ypXH+InLLGKDw==", "ARC-Authentication-Results": "i=1; lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net;\n dkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=aIgpWDKX; dkim-atps=neutral;\n spf=pass (client-ip=159.69.126.157; helo=todd.t-8ch.de;\n envelope-from=linux@weissschuh.net;\n receiver=lists.ozlabs.org) smtp.mailfrom=weissschuh.net", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; 
d=weissschuh.net;\n\ts=mail; t=1777971923;\n\tbh=z587DQf7ydM5gOPKNIBxSBWu9EUeBOTRuUfIH6UhiJM=;\n\th=From:Date:Subject:References:In-Reply-To:To:Cc:From;\n\tb=aIgpWDKXrg76P12O4zkGtJLBuZn8YCeI7ZzPJs6xm6dzdrhNjHvlCsyJmUEjNrCDX\n\t nnsToJ9+zngAbg5KnB2apzV2zul/tNtdLxtFkKFMh/CCZJG5ISZHQPcUMzBA/S/C/H\n\t yDIMRiiPrmSBoXKa210qmdtwe3j1bEA6l8n1iwS4=", "From": "=?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>", "Date": "Tue, 05 May 2026 11:05:12 +0200", "Subject": "[PATCH v5 08/14] module: Move authentication logic into dedicated\n new file", "X-Mailing-List": "linuxppc-dev@lists.ozlabs.org", "List-Id": "<linuxppc-dev.lists.ozlabs.org>", "List-Help": "<mailto:linuxppc-dev+help@lists.ozlabs.org>", "List-Owner": "<mailto:linuxppc-dev+owner@lists.ozlabs.org>", "List-Post": "<mailto:linuxppc-dev@lists.ozlabs.org>", "List-Archive": "<https://lore.kernel.org/linuxppc-dev/>,\n <https://lists.ozlabs.org/pipermail/linuxppc-dev/>", "List-Subscribe": "<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>", "List-Unsubscribe": "<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>", "Precedence": "list", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "8bit", "Message-Id": "<20260505-module-hashes-v5-8-e174a5a49fce@weissschuh.net>", "References": "<20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net>", "In-Reply-To": "<20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net>", "To": "Alexei Starovoitov <ast@kernel.org>,\n Daniel Borkmann <daniel@iogearbox.net>, Andrii Nakryiko <andrii@kernel.org>,\n Eduard Zingerman <eddyz87@gmail.com>,\n Kumar Kartikeya Dwivedi <memxor@gmail.com>,\n Nathan Chancellor <nathan@kernel.org>, Nicolas Schier <nsc@kernel.org>,\n Arnd Bergmann <arnd@arndb.de>, Luis Chamberlain <mcgrof@kernel.org>,\n Petr Pavlu <petr.pavlu@suse.com>, Sami Tolvanen <samitolvanen@google.com>,\n Daniel Gomez 
<da.gomez@samsung.com>, Paul Moore <paul@paul-moore.com>,\n James Morris <jmorris@namei.org>, \"Serge E. Hallyn\" <serge@hallyn.com>,\n Jonathan Corbet <corbet@lwn.net>, Madhavan Srinivasan <maddy@linux.ibm.com>,\n Michael Ellerman <mpe@ellerman.id.au>, Nicholas Piggin <npiggin@gmail.com>,\n Naveen N Rao <naveen@kernel.org>, Mimi Zohar <zohar@linux.ibm.com>,\n Roberto Sassu <roberto.sassu@huawei.com>,\n Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,\n Eric Snowberg <eric.snowberg@oracle.com>,\n Nicolas Schier <nicolas.schier@linux.dev>,\n Daniel Gomez <da.gomez@kernel.org>, Aaron Tomlin <atomlin@atomlin.com>,\n \"Christophe Leroy (CS GROUP)\" <chleroy@kernel.org>,\n Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>,\n Xiu Jianfeng <xiujianfeng@huawei.com>,\n Christophe Leroy <chleroy@kernel.org>", "Cc": "Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>,\n Yonghong Song <yonghong.song@linux.dev>, Jiri Olsa <jolsa@kernel.org>,\n bpf@vger.kernel.org,\n =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>,\n Arnout Engelen <arnout@bzzt.net>, Mattia Rizzolo <mattia@mapreri.org>,\n kpcyrd <kpcyrd@archlinux.org>, Christian Heusel <christian@heusel.eu>,\n\t=?utf-8?q?C=C3=A2ju_Mihai-Drosi?= <mcaju95@gmail.com>,\n Eric Biggers <ebiggers@kernel.org>,\n Sebastian Andrzej Siewior <bigeasy@linutronix.de>,\n linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,\n linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,\n linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,\n linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org,\n debian-kernel@lists.debian.org,\n =?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>", "X-Mailer": "b4 0.15.2", "X-Developer-Signature": "v=1; a=ed25519-sha256; t=1777971921; l=8567;\n i=linux@weissschuh.net; s=20221212; h=from:subject:message-id;\n bh=z587DQf7ydM5gOPKNIBxSBWu9EUeBOTRuUfIH6UhiJM=;\n b=0QD9Bo5ArZ/toPAgrZ/Kwp8g1MN5vGvLlI3JacHftC7LXDAwqZfm7Tb5hscKQ74Tdp4pPzyNi\n 
hUJ9tsUkDfZBUtISxftgnKStnD51XKADZgJpNxcoo2sKOBdHsu9omPS", "X-Developer-Key": "i=linux@weissschuh.net; a=ed25519;\n pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw=", "X-Spam-Status": "No, score=-0.2 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tDKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=disabled\n\tversion=4.0.1 OzLabs 8", "X-Spam-Checker-Version": "SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org" }, "content": "The module authentication functionality will also be used by the\nhash-based module authentication. To make it usable even if\nCONFIG_MODULE_SIG is disabled, move it to a new file.\n\nSigned-off-by: Thomas Weißschuh <linux@weissschuh.net>\n---\n kernel/module/auth.c | 85 +++++++++++++++++++++++++++++++++++++++++++++\n kernel/module/internal.h | 14 ++++++--\n kernel/module/main.c | 6 ++--\n kernel/module/signing.c | 90 ++----------------------------------------------\n 4 files changed, 103 insertions(+), 92 deletions(-)", "diff": "diff --git a/kernel/module/auth.c b/kernel/module/auth.c\nindex 956ac63d9d33..831a13eb0c9b 100644\n--- a/kernel/module/auth.c\n+++ b/kernel/module/auth.c\n@@ -5,10 +5,16 @@\n * Written by David Howells (dhowells@redhat.com)\n */\n \n+#include <linux/errno.h>\n #include <linux/export.h>\n #include <linux/module.h>\n+#include <linux/module_signature.h>\n #include <linux/moduleparam.h>\n+#include <linux/security.h>\n+#include <linux/string.h>\n #include <linux/types.h>\n+#include <uapi/linux/module.h>\n+#include \"internal.h\"\n \n #undef MODULE_PARAM_PREFIX\n #define MODULE_PARAM_PREFIX \"module.\"\n@@ -30,3 +36,82 @@ void set_module_sig_enforced(void)\n {\n \tsig_enforce = true;\n }\n+\n+static int mod_verify_sig(const void *mod, struct load_info *info)\n+{\n+\tstruct module_signature ms;\n+\tsize_t sig_len, modlen = info->len;\n+\tint ret;\n+\n+\tif (modlen <= sizeof(ms))\n+\t\treturn -EBADMSG;\n+\n+\tmemcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));\n+\n+\tret = mod_check_sig(&ms, modlen, 
\"module\");\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tsig_len = be32_to_cpu(ms.sig_len);\n+\tmodlen -= sig_len + sizeof(ms);\n+\tinfo->len = modlen;\n+\n+\treturn module_sig_check(mod, modlen, mod + modlen, sig_len);\n+}\n+\n+int module_auth_check(struct load_info *info, int flags)\n+{\n+\tint err = -ENODATA;\n+\tconst unsigned long markerlen = sizeof(MODULE_SIGNATURE_MARKER) - 1;\n+\tconst char *reason;\n+\tconst void *mod = info->hdr;\n+\tbool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |\n+\t\t\t\t MODULE_INIT_IGNORE_VERMAGIC);\n+\t/*\n+\t * Do not allow mangled modules as a module with version information\n+\t * removed is no longer the module that was signed.\n+\t */\n+\tif (!mangled_module &&\n+\t info->len > markerlen &&\n+\t memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerlen) == 0) {\n+\t\t/* We truncate the module to discard the signature */\n+\t\tinfo->len -= markerlen;\n+\t\terr = mod_verify_sig(mod, info);\n+\t\tif (!err) {\n+\t\t\tinfo->auth_ok = true;\n+\t\t\treturn 0;\n+\t\t}\n+\t}\n+\n+\t/*\n+\t * We don't permit modules to be loaded into the trusted kernels\n+\t * without a valid signature on them, but if we're not enforcing,\n+\t * certain errors are non-fatal.\n+\t */\n+\tswitch (err) {\n+\tcase -ENODATA:\n+\t\treason = \"unsigned module\";\n+\t\tbreak;\n+\tcase -ENOPKG:\n+\t\treason = \"module with unsupported crypto\";\n+\t\tbreak;\n+\tcase -ENOKEY:\n+\t\treason = \"module with unavailable key\";\n+\t\tbreak;\n+\n+\tdefault:\n+\t\t/*\n+\t\t * All other errors are fatal, including lack of memory,\n+\t\t * unparseable signatures, and signature check failures --\n+\t\t * even if signatures aren't required.\n+\t\t */\n+\t\treturn err;\n+\t}\n+\n+\tif (is_module_sig_enforced()) {\n+\t\tpr_notice(\"Loading of %s is rejected\\n\", reason);\n+\t\treturn -EKEYREJECTED;\n+\t}\n+\n+\treturn security_locked_down(LOCKDOWN_MODULE_SIGNATURE);\n+}\ndiff --git a/kernel/module/internal.h b/kernel/module/internal.h\nindex 
f8f425b167f1..d923e31a5d8e 100644\n--- a/kernel/module/internal.h\n+++ b/kernel/module/internal.h\n@@ -336,14 +336,24 @@ void module_mark_ro_after_init(const Elf_Ehdr *hdr, Elf_Shdr *sechdrs,\n \t\t\t const char *secstrings);\n \n #ifdef CONFIG_MODULE_SIG\n-int module_sig_check(struct load_info *info, int flags);\n+int module_sig_check(const void *mod, size_t mod_len, const void *sig, size_t sig_len);\n #else /* !CONFIG_MODULE_SIG */\n-static inline int module_sig_check(struct load_info *info, int flags)\n+static inline int module_sig_check(const void *mod, size_t mod_len,\n+\t\t\t\t const void *sig, size_t sig_len)\n {\n \treturn 0;\n }\n #endif /* !CONFIG_MODULE_SIG */\n \n+#ifdef CONFIG_MODULE_AUTH\n+int module_auth_check(struct load_info *info, int flags);\n+#else /* !CONFIG_MODULE_AUTH */\n+static inline int module_auth_check(struct load_info *info, int flags)\n+{\n+\treturn 0;\n+}\n+#endif /* !CONFIG_MODULE_AUTH */\n+\n #ifdef CONFIG_DEBUG_KMEMLEAK\n void kmemleak_load_module(const struct module *mod, const struct load_info *info);\n #else /* !CONFIG_DEBUG_KMEMLEAK */\ndiff --git a/kernel/module/main.c b/kernel/module/main.c\nindex cd8a74df117e..55a010383a8d 100644\n--- a/kernel/module/main.c\n+++ b/kernel/module/main.c\n@@ -3428,8 +3428,8 @@ static int load_module(struct load_info *info, const char __user *uargs,\n \tchar *after_dashes;\n \n \t/*\n-\t * Do the signature check (if any) first. All that\n-\t * the signature check needs is info->len, it does\n+\t * Do the authentication checks (if any) first. All that\n+\t * the authentication checks need is info->len, it does\n \t * not need any of the section info. That can be\n \t * set up later. 
This will minimize the chances\n \t * of a corrupt module causing problems before\n@@ -3439,7 +3439,7 @@ static int load_module(struct load_info *info, const char __user *uargs,\n \t * off the sig length at the end of the module, making\n \t * checks against info->len more correct.\n \t */\n-\terr = module_sig_check(info, flags);\n+\terr = module_auth_check(info, flags);\n \tif (err)\n \t\tgoto free_copy;\n \ndiff --git a/kernel/module/signing.c b/kernel/module/signing.c\nindex 07a786723221..a49317e3c66f 100644\n--- a/kernel/module/signing.c\n+++ b/kernel/module/signing.c\n@@ -5,98 +5,14 @@\n * Written by David Howells (dhowells@redhat.com)\n */\n \n-#include <linux/kernel.h>\n-#include <linux/errno.h>\n-#include <linux/module.h>\n-#include <linux/module_signature.h>\n-#include <linux/string.h>\n+#include <linux/types.h>\n #include <linux/verification.h>\n-#include <linux/security.h>\n-#include <crypto/public_key.h>\n-#include <uapi/linux/module.h>\n #include \"internal.h\"\n \n-/*\n- * Verify the signature on a module.\n- */\n-static int mod_verify_sig(const void *mod, struct load_info *info)\n+int module_sig_check(const void *mod, size_t mod_len, const void *sig, size_t sig_len)\n {\n-\tstruct module_signature ms;\n-\tsize_t sig_len, modlen = info->len;\n-\tint ret;\n-\n-\tif (modlen <= sizeof(ms))\n-\t\treturn -EBADMSG;\n-\n-\tmemcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));\n-\n-\tret = mod_check_sig(&ms, modlen, \"module\");\n-\tif (ret)\n-\t\treturn ret;\n-\n-\tsig_len = be32_to_cpu(ms.sig_len);\n-\tmodlen -= sig_len + sizeof(ms);\n-\tinfo->len = modlen;\n-\n-\treturn verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,\n+\treturn verify_pkcs7_signature(mod, mod_len, sig, sig_len,\n \t\t\t\t VERIFY_USE_SECONDARY_KEYRING,\n \t\t\t\t VERIFYING_MODULE_SIGNATURE,\n \t\t\t\t NULL, NULL);\n }\n-\n-int module_sig_check(struct load_info *info, int flags)\n-{\n-\tint err = -ENODATA;\n-\tconst unsigned long markerlen = sizeof(MODULE_SIGNATURE_MARKER) - 
1;\n-\tconst char *reason;\n-\tconst void *mod = info->hdr;\n-\tbool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |\n-\t\t\t\t MODULE_INIT_IGNORE_VERMAGIC);\n-\t/*\n-\t * Do not allow mangled modules as a module with version information\n-\t * removed is no longer the module that was signed.\n-\t */\n-\tif (!mangled_module &&\n-\t info->len > markerlen &&\n-\t memcmp(mod + info->len - markerlen, MODULE_SIGNATURE_MARKER, markerlen) == 0) {\n-\t\t/* We truncate the module to discard the signature */\n-\t\tinfo->len -= markerlen;\n-\t\terr = mod_verify_sig(mod, info);\n-\t\tif (!err) {\n-\t\t\tinfo->auth_ok = true;\n-\t\t\treturn 0;\n-\t\t}\n-\t}\n-\n-\t/*\n-\t * We don't permit modules to be loaded into the trusted kernels\n-\t * without a valid signature on them, but if we're not enforcing,\n-\t * certain errors are non-fatal.\n-\t */\n-\tswitch (err) {\n-\tcase -ENODATA:\n-\t\treason = \"unsigned module\";\n-\t\tbreak;\n-\tcase -ENOPKG:\n-\t\treason = \"module with unsupported crypto\";\n-\t\tbreak;\n-\tcase -ENOKEY:\n-\t\treason = \"module with unavailable key\";\n-\t\tbreak;\n-\n-\tdefault:\n-\t\t/*\n-\t\t * All other errors are fatal, including lack of memory,\n-\t\t * unparseable signatures, and signature check failures --\n-\t\t * even if signatures aren't required.\n-\t\t */\n-\t\treturn err;\n-\t}\n-\n-\tif (is_module_sig_enforced()) {\n-\t\tpr_notice(\"Loading of %s is rejected\\n\", reason);\n-\t\treturn -EKEYREJECTED;\n-\t}\n-\n-\treturn security_locked_down(LOCKDOWN_MODULE_SIGNATURE);\n-}\n", "prefixes": [ "v5", "08/14" ] }
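Review bot: In kernel/module/auth.c, `module_auth_check()` can return 0 without having verified anything, and nothing in the new file documents that. For -ENODATA, -ENOPKG and -ENOKEY it falls through to `security_locked_down(LOCKDOWN_MODULE_SIGNATURE)` when enforcement is off, and only the success branch sets `info->auth_ok`. The move also dropped the `Verify the signature on a module.` comment from `mod_verify_sig()`. I would add a header comment on `module_auth_check()` such as `/* Returns 0 if loading may proceed; info->auth_ok is set only when a signature was actually verified. */`, and restore the comment on `mod_verify_sig()`, noting that it shrinks `info->len` to exclude the signature before the verifier runs.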
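Review bot: The `!CONFIG_MODULE_SIG` stub of `module_sig_check()` in kernel/module/internal.h still returns 0, which `mod_verify_sig()` in auth.c now passes straight back as a successful verification. `module_auth_check()` would then set `info->auth_ok = true` for any module whose trailer carries the signature marker and passes `mod_check_sig()`, without any cryptographic check having run. Whether auth.c can actually be built with CONFIG_MODULE_SIG disabled at this point in the series is not visible here (there is no Kconfig or Makefile hunk), though the description names that as the goal. Making the stub fail closed, e.g. `return -ENOPKG;`, would route that case through the existing "module with unsupported crypto" branch and the enforcement/lockdown check instead of marking the module authenticated.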