projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e1a7167) | patch
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module
authorLee, Chun-Yi <joeyli.kernel@gmail.com>
Tue, 13 Mar 2018 10:38:02 +0000 (18:38 +0800)
committerBen Hutchings <benh@debian.org>
Wed, 15 Apr 2020 02:37:48 +0000 (03:37 +0100)
commitbabac9d837776fa9f6144ecd6d61cde99fc23a2b
tree9a1aa86ee014518dafc0c28a3e26eb745ff1d1a9tree | snapshot
parente1a7167daa38f134538fe70c63da5d98be5184dfcommit | diff
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module

Origin: https://lore.kernel.org/patchwork/patch/933175/

This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.

For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT

Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
kernel/module_signing.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.