projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0247409) | patch
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module
authorLee, Chun-Yi <joeyli.kernel@gmail.com>
Tue, 13 Mar 2018 10:38:02 +0000 (18:38 +0800)
committerSalvatore Bonaccorso <carnil@debian.org>
Sun, 31 Dec 2023 15:46:35 +0000 (16:46 +0100)
commit3733cf16628f59718b13ec20a562f221231c6fdb
tree019bbd60f38710c85be2b71c18908c17a13863e8tree | snapshot
parent0247409e4a55fdaa6b14afecead7e3df423c6a21commit | diff
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module

Origin: https://lore.kernel.org/patchwork/patch/933175/

This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.

For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT

Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
kernel/module_signing.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.