gentoo-overlay/sys-kernel/hardened-kernel/files/linux-5.4/9116_0116-Add-boot-option-t...

72 lines
2.1 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Brett T. Warden" <brett.t.warden@intel.com>
Date: Mon, 13 Aug 2018 04:01:21 -0500
Subject: [PATCH] Add boot option to allow unsigned modules
Add module.sig_unenforce boot parameter to allow loading unsigned kernel
modules. Parameter is only effective if CONFIG_MODULE_SIG_FORCE is
enabled and system is *not* SecureBooted.
Signed-off-by: Brett T. Warden <brett.t.warden@intel.com>
Signed-off-by: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
---
kernel/module.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/kernel/module.c b/kernel/module.c
index ff2d7359a418..f6368b8f90b6 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -53,6 +53,7 @@
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
#include <linux/audit.h>
+#include <linux/efi.h>
#include <uapi/linux/module.h>
#include "module-internal.h"
@@ -268,6 +269,10 @@ static void module_assert_mutex_or_preempt(void)
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);
+/* Allow disabling module signature requirement by adding boot param */
+static bool sig_unenforce = false;
+module_param(sig_unenforce, bool_enable_only, 0644);
+
/*
* Export sig_enforce kernel cmdline parameter to allow other subsystems rely
@@ -393,6 +398,8 @@ extern const s32 __start___kcrctab_unused[];
extern const s32 __start___kcrctab_unused_gpl[];
#endif
+extern struct boot_params boot_params;
+
#ifndef CONFIG_MODVERSIONS
#define symversion(base, idx) NULL
#else
@@ -4401,6 +4408,20 @@ static const struct file_operations proc_modules_operations = {
static int __init proc_modules_init(void)
{
proc_create("modules", 0, NULL, &proc_modules_operations);
+
+#ifdef CONFIG_MODULE_SIG_FORCE
+ switch (boot_params.secure_boot) {
+ case efi_secureboot_mode_unset:
+ case efi_secureboot_mode_unknown:
+ case efi_secureboot_mode_disabled:
+ /*
+ * sig_unenforce is only applied if SecureBoot is not
+ * enabled.
+ */
+ sig_enforce = !sig_unenforce;
+ }
+#endif
+
return 0;
}
module_init(proc_modules_init);
--
https://clearlinux.org