From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Brett T. Warden"
Date: Mon, 13 Aug 2018 04:01:21 -0500
Subject: [PATCH] Add boot option to allow unsigned modules

Add module.sig_unenforce boot parameter to allow loading unsigned kernel modules. Parameter is only effective if CONFIG_MODULE_SIG_FORCE is enabled and system is *not* SecureBooted.

Signed-off-by: Brett T. Warden
Signed-off-by: Miguel Bernal Marin
---
 kernel/module.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/kernel/module.c b/kernel/module.c
index ff2d7359a418..f6368b8f90b6 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -53,6 +53,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include "module-internal.h"
@@ -268,6 +269,10 @@ static void module_assert_mutex_or_preempt(void)
 
 static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
 module_param(sig_enforce, bool_enable_only, 0644);
 
+/* Allow disabling module signature requirement by adding boot param */
+static bool sig_unenforce = false;
+module_param(sig_unenforce, bool_enable_only, 0644);
+
 /*
  * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
@@ -393,6 +398,8 @@ extern const s32 __start___kcrctab_unused[];
 extern const s32 __start___kcrctab_unused_gpl[];
 #endif
 
+extern struct boot_params boot_params;
+
 #ifndef CONFIG_MODVERSIONS
 #define symversion(base, idx) NULL
 #else
@@ -4401,6 +4408,20 @@ static const struct file_operations proc_modules_operations = {
 static int __init proc_modules_init(void)
 {
 	proc_create("modules", 0, NULL, &proc_modules_operations);
+
+#ifdef CONFIG_MODULE_SIG_FORCE
+	switch (boot_params.secure_boot) {
+	case efi_secureboot_mode_unset:
+	case efi_secureboot_mode_unknown:
+	case efi_secureboot_mode_disabled:
+		/* * sig_unenforce is only applied if SecureBoot is not * enabled. */
+		sig_enforce = !sig_unenforce;
+	}
+#endif
+
 	return 0;
 }
 module_init(proc_modules_init);
-- 
https://clearlinux.org
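Review bot: `sig_unenforce` is registered with mode 0644, so its sysfs parameter file is writable at runtime, yet its only consumer (the switch added to proc_modules_init in the last hunk) reads it once at init; a later write is accepted and silently ignored while the writable entry suggests it takes effect. Make it read-only, `module_param(sig_unenforce, bool_enable_only, 0444);`, or say so in the comment. The declaration comment should also state the actual contract, e.g. `/* Boot-time only: module.sig_unenforce=1 clears sig_enforce when Secure Boot is not enabled (applied in proc_modules_init) */`, since the current wording does not mention the Secure Boot condition that the commit message relies on.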
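Review bot: `extern struct boot_params boot_params;` references an x86-specific structure from architecture-independent kernel/module.c, so with CONFIG_MODULE_SIG_FORCE this file will presumably no longer build on other architectures (the header added in the first hunk, whose name is lost in this rendering, is likely the x86 bootparam header). Guard the declaration here and the switch in the last hunk with an architecture check, e.g. `#if defined(CONFIG_MODULE_SIG_FORCE) && defined(CONFIG_X86)`, or route the Secure Boot query through an arch-neutral helper so the generic file stays free of x86 types.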
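Review bot: The switch in proc_modules_init has no `default:` case, so `efi_secureboot_mode_enabled` and any future enum value are handled only by omission; add an explicit `default: break;` so the intent survives a new enum member and -Wswitch stays quiet. Turning off signature enforcement is a security-relevant state change that currently leaves no trace: emit something like `pr_warn("module signature enforcement disabled by module.sig_unenforce\n");` on the path where the override actually takes effect, so it is visible in dmesg and can be audited. `sig_enforce = !sig_unenforce;` also lets sig_unenforce silently win over an explicitly passed `module.sig_enforce=1`; `if (sig_unenforce) sig_enforce = false;` reads closer to the stated intent. Finally, if proc_modules_init is compiled only under CONFIG_PROC_FS (its enclosing #ifdef is outside the hunk), the override disappears on !PROC_FS builds, so a dedicated initcall would be a more robust hook.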