{"id":2232778,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2232778/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260505-module-hashes-v5-9-e174a5a49fce@weissschuh.net/","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/1.2/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/","list_archive_url":"https://lore.kernel.org/linuxppc-dev/","list_archive_url_format":"https://lore.kernel.org/linuxppc-dev/{}/","commit_url_format":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"},"msgid":"<20260505-module-hashes-v5-9-e174a5a49fce@weissschuh.net>","list_archive_url":"https://lore.kernel.org/linuxppc-dev/20260505-module-hashes-v5-9-e174a5a49fce@weissschuh.net/","date":"2026-05-05T09:05:13","name":"[v5,09/14] module: Move signature type check out of mod_check_sig()","commit_ref":null,"pull_url":null,"state":"handled-elsewhere","archived":false,"hash":"dff1c1aa7f8a29871b9e7819ec5709b516afff1d","submitter":{"id":82751,"url":"http://patchwork.ozlabs.org/api/1.2/people/82751/?format=json","name":"Thomas Weißschuh","email":"linux@weissschuh.net"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260505-module-hashes-v5-9-e174a5a49fce@weissschuh.net/mbox/","series":[{"id":502791,"url":"http://patchwork.ozlabs.org/api/1.2/series/502791/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=502791","date":"2026-05-05T09:05:17","name":"module: Introduce hash-based integrity checking","version":5,"mbox":"http://patchwork.ozlabs.org/series/502791/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2232778/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2232778/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linuxppc-dev+bounces-20464-incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=owjODUEx;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-20464-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)","lists.ozlabs.org;\n arc=none smtp.remote-ip=159.69.126.157","lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net","lists.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=owjODUEx;\n\tdkim-atps=neutral","lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=weissschuh.net\n (client-ip=159.69.126.157; helo=todd.t-8ch.de;\n envelope-from=linux@weissschuh.net; receiver=lists.ozlabs.org)"],"Received":["from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g8t9V1zyTz1yJV\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 05 May 2026 19:13:50 +1000 (AEST)","from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 4g8t996ZwFz30gY;\n\tTue, 05 May 2026 19:13:33 +1000 (AEST)","from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4g8t973zXKz30VL\n\tfor <linuxppc-dev@lists.ozlabs.org>; Tue, 05 May 2026 19:13:31 +1000 (AEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1777972413;\n\tcv=none;\n b=lmJUM10MbigI6rRcCa1rXNW6bnXJqGUu3QwITT6R5tZPXom3QcwspRLMyxk0j4Mq+yT1eUe1gQtbYPugEd2B4dFET8ta1E10dPQK62XICXl2oyTDAwQEOui2N4wzUJNJJXHJBS9z68Aof36Jp/KO4mIhpwLXp/ZtRm/TWSp3uVL9yteyvEgc/KD8SMLzV/1MSNqJqKAauowsFDEKjxoaY2co4QqmP7XHHdNIpFLFNZ9+zJS9gpmDHf9YJiZFPDt2zXV36fRuOo/eDj2Y9sVeiLWlILwwwD0ysIOoicHZVedFIB2MUKZPbMTeS5XOWmZgSpRUsh8PWOADjqaGqDdxTA==","ARC-Message-Signature":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1777972413; c=relaxed/relaxed;\n\tbh=1WlkrShLo1yPcOfxX9RV3+PqPx5qMwryzEJF9TCtnhQ=;\n\th=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:\n\t In-Reply-To:To:Cc;\n b=iDg3LCE8+vEe5ecofEfseK4/SCqsyU+QIk4Hhh+BHREE2vw8m2pKKpBtaLi/nXYlurBQlazdgML5L/mMt92ij60Q88EdqlJbIuJpT0xJXTOwo18KPPnWDjR98rsSPvcYW7Q/lAOSx3nzGhKAzoPIYqzzHMjzw9bfYiNwkLdcX43KohkMhznIBmj37r66XEqSi3RDf/xC7XZRmBiG6hWIq3JYQJUbkgeqtvW6eLuqLwuWUz6jckBBhy4c1Le199KJvsggvZTQmQT8//tBTxuYmRdi9V/msOA2Vapxipp1hi0EGjTi3EHR1AHuVYddzKAWe2VUXVpoSCVObJZp6ni96g==","ARC-Authentication-Results":"i=1; lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=weissschuh.net;\n dkim=pass (1024-bit key;\n unprotected) header.d=weissschuh.net header.i=@weissschuh.net\n header.a=rsa-sha256 header.s=mail header.b=owjODUEx; dkim-atps=neutral;\n spf=pass (client-ip=159.69.126.157; helo=todd.t-8ch.de;\n envelope-from=linux@weissschuh.net;\n receiver=lists.ozlabs.org) smtp.mailfrom=weissschuh.net","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net;\n\ts=mail; t=1777971923;\n\tbh=6VJvYnOHZshtQlmEnWd/K1udWrIwe9dejx/5mZI/Wtg=;\n\th=From:Date:Subject:References:In-Reply-To:To:Cc:From;\n\tb=owjODUExCCypec6TKWlnIwzT8DVnXMsfb+ZaEjU0MoKmKL+u/Hgk0XMLanRHlOS5p\n\t MNeyeJ7VYX8n6e4baZNE/ejhPU8IePBOA5zatZB7qfpcaHAbaVKcUT7fN5vxhMYVdb\n\t T5d4nFyczBMUPklVRaKpvkmaSNX/c9tzIRq1bRpM=","From":"=?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>","Date":"Tue, 05 May 2026 11:05:13 +0200","Subject":"[PATCH v5 09/14] module: Move signature type check out of\n mod_check_sig()","X-Mailing-List":"linuxppc-dev@lists.ozlabs.org","List-Id":"<linuxppc-dev.lists.ozlabs.org>","List-Help":"<mailto:linuxppc-dev+help@lists.ozlabs.org>","List-Owner":"<mailto:linuxppc-dev+owner@lists.ozlabs.org>","List-Post":"<mailto:linuxppc-dev@lists.ozlabs.org>","List-Archive":"<https://lore.kernel.org/linuxppc-dev/>,\n  <https://lists.ozlabs.org/pipermail/linuxppc-dev/>","List-Subscribe":"<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>","List-Unsubscribe":"<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>","Precedence":"list","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"8bit","Message-Id":"<20260505-module-hashes-v5-9-e174a5a49fce@weissschuh.net>","References":"<20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net>","In-Reply-To":"<20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net>","To":"Alexei Starovoitov <ast@kernel.org>,\n Daniel Borkmann <daniel@iogearbox.net>, Andrii Nakryiko <andrii@kernel.org>,\n Eduard Zingerman <eddyz87@gmail.com>,\n Kumar Kartikeya Dwivedi <memxor@gmail.com>,\n Nathan Chancellor <nathan@kernel.org>, Nicolas Schier <nsc@kernel.org>,\n Arnd Bergmann <arnd@arndb.de>, Luis Chamberlain <mcgrof@kernel.org>,\n Petr Pavlu <petr.pavlu@suse.com>, Sami Tolvanen <samitolvanen@google.com>,\n Daniel Gomez <da.gomez@samsung.com>, Paul Moore <paul@paul-moore.com>,\n James Morris <jmorris@namei.org>, \"Serge E. Hallyn\" <serge@hallyn.com>,\n Jonathan Corbet <corbet@lwn.net>, Madhavan Srinivasan <maddy@linux.ibm.com>,\n Michael Ellerman <mpe@ellerman.id.au>, Nicholas Piggin <npiggin@gmail.com>,\n Naveen N Rao <naveen@kernel.org>, Mimi Zohar <zohar@linux.ibm.com>,\n Roberto Sassu <roberto.sassu@huawei.com>,\n Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,\n Eric Snowberg <eric.snowberg@oracle.com>,\n Nicolas Schier <nicolas.schier@linux.dev>,\n Daniel Gomez <da.gomez@kernel.org>, Aaron Tomlin <atomlin@atomlin.com>,\n \"Christophe Leroy (CS GROUP)\" <chleroy@kernel.org>,\n Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>,\n Xiu Jianfeng <xiujianfeng@huawei.com>,\n Christophe Leroy <chleroy@kernel.org>","Cc":"Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>,\n  Yonghong Song <yonghong.song@linux.dev>, Jiri Olsa <jolsa@kernel.org>,\n  bpf@vger.kernel.org,\n =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>,\n  Arnout Engelen <arnout@bzzt.net>, Mattia Rizzolo <mattia@mapreri.org>,\n  kpcyrd <kpcyrd@archlinux.org>, Christian Heusel <christian@heusel.eu>,\n\t=?utf-8?q?C=C3=A2ju_Mihai-Drosi?= <mcaju95@gmail.com>,\n  Eric Biggers <ebiggers@kernel.org>,\n  Sebastian Andrzej Siewior <bigeasy@linutronix.de>,\n  linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,\n  linux-arch@vger.kernel.org, linux-modules@vger.kernel.org,\n  linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,\n  linuxppc-dev@lists.ozlabs.org, linux-integrity@vger.kernel.org,\n  debian-kernel@lists.debian.org,\n =?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>","X-Mailer":"b4 0.15.2","X-Developer-Signature":"v=1; a=ed25519-sha256; t=1777971921; l=2558;\n i=linux@weissschuh.net; s=20221212; h=from:subject:message-id;\n bh=6VJvYnOHZshtQlmEnWd/K1udWrIwe9dejx/5mZI/Wtg=;\n b=CMdNpxTCGkVu3CYbUQ//Xh1Da5BfQXG6erPbBdP2NTFne3QRqh52DC/9CSjILoKbNrS8gBQHS\n 8rcJfdzG3nTABuTlKzuzZV5cQk7a/PkWY+ZZAqFMl0YgtXmFbCISOTR","X-Developer-Key":"i=linux@weissschuh.net; a=ed25519;\n pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw=","X-Spam-Status":"No, score=-0.2 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tDKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=disabled\n\tversion=4.0.1 OzLabs 8","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org"},"content":"Additional signature types are about to be added.\nAs each caller of mod_check_sig() can have different support for these,\nmove the type validation into the callers.\n\nSigned-off-by: Thomas Weißschuh <linux@weissschuh.net>\n---\n kernel/module/auth.c                | 5 +++++\n kernel/module_signature.c           | 8 +-------\n security/integrity/ima/ima_modsig.c | 5 +++++\n 3 files changed, 11 insertions(+), 7 deletions(-)","diff":"diff --git a/kernel/module/auth.c b/kernel/module/auth.c\nindex 831a13eb0c9b..21e49eb4967c 100644\n--- a/kernel/module/auth.c\n+++ b/kernel/module/auth.c\n@@ -48,6 +48,11 @@ static int mod_verify_sig(const void *mod, struct load_info *info)\n \n \tmemcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));\n \n+\tif (ms.id_type != MODULE_SIGNATURE_TYPE_PKCS7) {\n+\t\tpr_err(\"module: not signed with expected PKCS#7 message\\n\");\n+\t\treturn -ENOPKG;\n+\t}\n+\n \tret = mod_check_sig(&ms, modlen, \"module\");\n \tif (ret)\n \t\treturn ret;\ndiff --git a/kernel/module_signature.c b/kernel/module_signature.c\nindex a0eee2fe4368..4d0476bcdb72 100644\n--- a/kernel/module_signature.c\n+++ b/kernel/module_signature.c\n@@ -24,12 +24,6 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len,\n \tif (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))\n \t\treturn -EBADMSG;\n \n-\tif (ms->id_type != MODULE_SIGNATURE_TYPE_PKCS7) {\n-\t\tpr_err(\"%s: not signed with expected PKCS#7 message\\n\",\n-\t\t       name);\n-\t\treturn -ENOPKG;\n-\t}\n-\n \tif (ms->algo != 0 ||\n \t    ms->hash != 0 ||\n \t    ms->signer_len != 0 ||\n@@ -37,7 +31,7 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len,\n \t    ms->__pad[0] != 0 ||\n \t    ms->__pad[1] != 0 ||\n \t    ms->__pad[2] != 0) {\n-\t\tpr_err(\"%s: PKCS#7 signature info has unexpected non-zero params\\n\",\n+\t\tpr_err(\"%s: signature info has unexpected non-zero params\\n\",\n \t\t       name);\n \t\treturn -EBADMSG;\n \t}\ndiff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c\nindex 632c746fd81e..ebfcdd368a2a 100644\n--- a/security/integrity/ima/ima_modsig.c\n+++ b/security/integrity/ima/ima_modsig.c\n@@ -57,6 +57,11 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,\n \tbuf_len -= marker_len;\n \tsig = (const struct module_signature *)(p - sizeof(*sig));\n \n+\tif (sig->id_type != MODULE_SIGNATURE_TYPE_PKCS7) {\n+\t\tpr_err(\"%s: not signed with expected PKCS#7 message\\n\", func_tokens[func]);\n+\t\treturn -ENOPKG;\n+\t}\n+\n \trc = mod_check_sig(sig, buf_len, func_tokens[func]);\n \tif (rc)\n \t\treturn rc;\n","prefixes":["v5","09/14"]}