projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7034207) | patch
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module
authorLee, Chun-Yi <joeyli.kernel@gmail.com>
Tue, 13 Mar 2018 10:38:02 +0000 (18:38 +0800)
committerSalvatore Bonaccorso <carnil@debian.org>
Tue, 2 Mar 2021 16:49:25 +0000 (16:49 +0000)
commitdf6d1187e850af50013f907e5b7be760d7ae6fd3
tree6247bb60e58c4bc9823a2658e1f949e5842dd3dftree | snapshot
parent703420755fb371ca90fc76d63c4fc3e21fc969c8commit | diff
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module

Origin: https://lore.kernel.org/patchwork/patch/933175/

This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.

For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT

Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
kernel/module_signing.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.