module: Move extra signature support out of core code

#endif

}

bool is_module_sig_enforced(void);

void set_module_sig_enforced(void);

#else /* !CONFIG_MODULES... */

	return false;

}

static inline bool is_module_sig_enforced(void)

{

	return false;

}

static inline void set_module_sig_enforced(void)

{

#endif

#ifdef CONFIG_MODULE_SIG

bool is_module_sig_enforced(void);

static inline bool module_sig_ok(struct module *module)

{

	return module->sig_ok;

}

#else	/* !CONFIG_MODULE_SIG */

static inline bool is_module_sig_enforced(void)

{

	return false;

}

static inline bool module_sig_ok(struct module *module)

{

	return true;

	return 0;

}

#endif /* CONFIG_STRICT_MODULE_RWX */

#ifdef CONFIG_MODULE_SIG

int module_sig_check(struct load_info *info, int flags);

#else /* !CONFIG_MODULE_SIG */

static inline int module_sig_check(struct load_info *info, int flags)

{

	return 0;

}

#endif /* !CONFIG_MODULE_SIG */

#include <linux/vmalloc.h>

#include <linux/elf.h>

#include <linux/proc_fs.h>

#include <linux/security.h>

#include <linux/seq_file.h>

#include <linux/syscalls.h>

#include <linux/fcntl.h>

#endif

}

#ifdef CONFIG_MODULE_SIG

static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);

module_param(sig_enforce, bool_enable_only, 0644);

void set_module_sig_enforced(void)

{

	sig_enforce = true;

}

#else

#define sig_enforce false

#endif

/*

 * Export sig_enforce kernel cmdline parameter to allow other subsystems rely

 * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.

 */

bool is_module_sig_enforced(void)

{

	return sig_enforce;

}

EXPORT_SYMBOL(is_module_sig_enforced);

/* Block module loading/unloading? */

int modules_disabled = 0;

core_param(nomodule, modules_disabled, bint, 0);

}

#endif

#ifdef CONFIG_MODULE_SIG

static int module_sig_check(struct load_info *info, int flags)

{

	int err = -ENODATA;

	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;

	const char *reason;

	const void *mod = info->hdr;

	bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |

				       MODULE_INIT_IGNORE_VERMAGIC);

	/*

	 * Do not allow mangled modules as a module with version information

	 * removed is no longer the module that was signed.

	 */

	if (!mangled_module &&

	    info->len > markerlen &&

	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {

		/* We truncate the module to discard the signature */

		info->len -= markerlen;

		err = mod_verify_sig(mod, info);

		if (!err) {

			info->sig_ok = true;

			return 0;

		}

	}

	/*

	 * We don't permit modules to be loaded into the trusted kernels

	 * without a valid signature on them, but if we're not enforcing,

	 * certain errors are non-fatal.

	 */

	switch (err) {

	case -ENODATA:

		reason = "unsigned module";

		break;

	case -ENOPKG:

		reason = "module with unsupported crypto";

		break;

	case -ENOKEY:

		reason = "module with unavailable key";

		break;

	default:

		/*

		 * All other errors are fatal, including lack of memory,

		 * unparseable signatures, and signature check failures --

		 * even if signatures aren't required.

		 */

		return err;

	}

	if (is_module_sig_enforced()) {

		pr_notice("Loading of %s is rejected\n", reason);

		return -EKEYREJECTED;

	}

	return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);

}

#else /* !CONFIG_MODULE_SIG */

static int module_sig_check(struct load_info *info, int flags)

{

	return 0;

}

#endif /* !CONFIG_MODULE_SIG */

static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr)

{

#if defined(CONFIG_64BIT)

#include <linux/module_signature.h>

#include <linux/string.h>

#include <linux/verification.h>

#include <linux/security.h>

#include <crypto/public_key.h>

#include <uapi/linux/module.h>

#include "internal.h"

static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);

module_param(sig_enforce, bool_enable_only, 0644);

/*

 * Export sig_enforce kernel cmdline parameter to allow other subsystems rely

 * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.

 */

bool is_module_sig_enforced(void)

{

	return sig_enforce;

}

EXPORT_SYMBOL(is_module_sig_enforced);

void set_module_sig_enforced(void)

{

	sig_enforce = true;

}

/*

 * Verify the signature on a module.

 */

				      VERIFYING_MODULE_SIGNATURE,

				      NULL, NULL);

}

int module_sig_check(struct load_info *info, int flags)

{

	int err = -ENODATA;

	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;

	const char *reason;

	const void *mod = info->hdr;

	bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |

				       MODULE_INIT_IGNORE_VERMAGIC);

	/*

	 * Do not allow mangled modules as a module with version information

	 * removed is no longer the module that was signed.

	 */

	if (!mangled_module &&

	    info->len > markerlen &&

	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {

		/* We truncate the module to discard the signature */

		info->len -= markerlen;

		err = mod_verify_sig(mod, info);

		if (!err) {

			info->sig_ok = true;

			return 0;

		}

	}

	/*

	 * We don't permit modules to be loaded into the trusted kernels

	 * without a valid signature on them, but if we're not enforcing,

	 * certain errors are non-fatal.

	 */

	switch (err) {

	case -ENODATA:

		reason = "unsigned module";

		break;

	case -ENOPKG:

		reason = "module with unsupported crypto";

		break;

	case -ENOKEY:

		reason = "module with unavailable key";

		break;

	default:

		/*

		 * All other errors are fatal, including lack of memory,

		 * unparseable signatures, and signature check failures --

		 * even if signatures aren't required.

		 */

		return err;

	}

	if (is_module_sig_enforced()) {

		pr_notice("Loading of %s is rejected\n", reason);

		return -EKEYREJECTED;

	}

	return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);

}