gentoo-overlay/sys-kernel/hardened-kernel/files/linux-5.4/9116_0116-Add-boot-option-t...

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Brett T. Warden" <brett.t.warden@intel.com>
Date: Mon, 13 Aug 2018 04:01:21 -0500
Subject: [PATCH] Add boot option to allow unsigned modules

Add module.sig_unenforce boot parameter to allow loading unsigned kernel
modules. Parameter is only effective if CONFIG_MODULE_SIG_FORCE is
enabled and system is *not* SecureBooted.

Signed-off-by: Brett T. Warden <brett.t.warden@intel.com>
Signed-off-by: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
---
 kernel/module.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/kernel/module.c b/kernel/module.c
index ff2d7359a418..f6368b8f90b6 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -53,6 +53,7 @@
 #include <linux/bsearch.h>
 #include <linux/dynamic_debug.h>
 #include <linux/audit.h>
+#include <linux/efi.h>
 #include <uapi/linux/module.h>
 #include "module-internal.h"
 
@@ -268,6 +269,10 @@ static void module_assert_mutex_or_preempt(void)
 
 static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
 module_param(sig_enforce, bool_enable_only, 0644);
+/* Allow disabling module signature requirement by adding boot param */
+static bool sig_unenforce = false;
+module_param(sig_unenforce, bool_enable_only, 0644);
+
 
 /*
  * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
@@ -393,6 +398,8 @@ extern const s32 __start___kcrctab_unused[];
 extern const s32 __start___kcrctab_unused_gpl[];
 #endif
 
+extern struct boot_params boot_params;
+
 #ifndef CONFIG_MODVERSIONS
 #define symversion(base, idx) NULL
 #else
@@ -4401,6 +4408,20 @@ static const struct file_operations proc_modules_operations = {
 static int __init proc_modules_init(void)
 {
 	proc_create("modules", 0, NULL, &proc_modules_operations);
+
+#ifdef CONFIG_MODULE_SIG_FORCE
+	switch (boot_params.secure_boot) {
+	case efi_secureboot_mode_unset:
+	case efi_secureboot_mode_unknown:
+	case efi_secureboot_mode_disabled:
+		/*
+		 * sig_unenforce is only applied if SecureBoot is not
+		 * enabled.
+		 */
+		sig_enforce = !sig_unenforce;
+	}
+#endif
+
 	return 0;
 }
 module_init(proc_modules_init);
-- 
https://clearlinux.org
sys-kernel/linux-hardened-sources: bump 5.4 version with Clear Linux patches 2020-03-29 09:31:47 +03:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: "Brett T. Warden" <brett.t.warden@intel.com>`
			`Date: Mon, 13 Aug 2018 04:01:21 -0500`
			`Subject: [PATCH] Add boot option to allow unsigned modules`

			`Add module.sig_unenforce boot parameter to allow loading unsigned kernel`
			`modules. Parameter is only effective if CONFIG_MODULE_SIG_FORCE is`
			`enabled and system is not SecureBooted.`

			`Signed-off-by: Brett T. Warden <brett.t.warden@intel.com>`
			`Signed-off-by: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>`
			`---`
			`kernel/module.c \| 21 +++++++++++++++++++++`
			`1 file changed, 21 insertions(+)`

			`diff --git a/kernel/module.c b/kernel/module.c`
			`index ff2d7359a418..f6368b8f90b6 100644`
			`--- a/kernel/module.c`
			`+++ b/kernel/module.c`
			`@@ -53,6 +53,7 @@`
			`#include <linux/bsearch.h>`
			`#include <linux/dynamic_debug.h>`
			`#include <linux/audit.h>`
			`+#include <linux/efi.h>`
			`#include <uapi/linux/module.h>`
			`#include "module-internal.h"`

			`@@ -268,6 +269,10 @@ static void module_assert_mutex_or_preempt(void)`

			`static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);`
			`module_param(sig_enforce, bool_enable_only, 0644);`
			`+/* Allow disabling module signature requirement by adding boot param */`
			`+static bool sig_unenforce = false;`
			`+module_param(sig_unenforce, bool_enable_only, 0644);`
			`+`

			`/*`
			`* Export sig_enforce kernel cmdline parameter to allow other subsystems rely`
			`@@ -393,6 +398,8 @@ extern const s32 __start___kcrctab_unused[];`
			`extern const s32 __start___kcrctab_unused_gpl[];`
			`#endif`

			`+extern struct boot_params boot_params;`
			`+`
			`#ifndef CONFIG_MODVERSIONS`
			`#define symversion(base, idx) NULL`
			`#else`
			`@@ -4401,6 +4408,20 @@ static const struct file_operations proc_modules_operations = {`
			`static int __init proc_modules_init(void)`
			`{`
			`proc_create("modules", 0, NULL, &proc_modules_operations);`
			`+`
			`+#ifdef CONFIG_MODULE_SIG_FORCE`
			`+ switch (boot_params.secure_boot) {`
			`+ case efi_secureboot_mode_unset:`
			`+ case efi_secureboot_mode_unknown:`
			`+ case efi_secureboot_mode_disabled:`
			`+ /*`
			`+ * sig_unenforce is only applied if SecureBoot is not`
			`+ * enabled.`
			`+ */`
			`+ sig_enforce = !sig_unenforce;`
			`+ }`
			`+#endif`
			`+`
			`return 0;`
			`}`
			`module_init(proc_modules_init);`
			`--`
			`https://clearlinux.org`