path: root/init
diff options
authorRusty Russell <rusty@rustcorp.com.au>2012-09-26 10:09:40 +0100
committerRusty Russell <rusty@rustcorp.com.au>2012-10-10 20:00:55 +1030
commit106a4ee258d14818467829bf0e12aeae14c16cd7 (patch)
tree4a5d002eceff4a028ebc8d88223b1ed735bee224 /init
parentX.509: Add a crypto key parser for binary (DER) X.509 certificates (diff)
module: signature checking hook
We do a very simple search for a particular string appended to the module (which is cache-hot and about to be SHA'd anyway). There's both a config option and a boot parameter which control whether we accept or fail with unsigned modules and modules that are signed with an unknown key. If module signing is enabled, the kernel will be tainted if a module is loaded that is unsigned or has a signature for which we don't have the key. (Useful feedback and tweaks by David Howells <dhowells@redhat.com>) Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'init')
1 files changed, 14 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 66cc885abbc6..fa8ccad1ea43 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1585,6 +1585,20 @@ config MODULE_SRCVERSION_ALL
the version). With this option, such a "srcversion" field
will be created for all modules. If unsure, say N.
+config MODULE_SIG
+ bool "Module signature verification"
+ depends on MODULES
+ help
+ Check modules for valid signatures upon load: the signature
+ is simply appended to the module. For more information see
+ Documentation/module-signing.txt.
+ bool "Require modules to be validly signed"
+ depends on MODULE_SIG
+ help
+ Reject unsigned modules or signed modules for which we don't have a
+ key. Without this, such modules will simply taint the kernel.
endif # MODULES