projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 29a9679) | patch
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module
authorLee, Chun-Yi <joeyli.kernel@gmail.com>
Tue, 13 Mar 2018 10:38:02 +0000 (18:38 +0800)
committerSalvatore Bonaccorso <carnil@debian.org>
Sun, 8 Nov 2020 12:40:04 +0000 (12:40 +0000)
commitdb3761077a484e60824e45f93b86e6921de6cec6
treec05b2d332063d94ad5c3a07cac954692139bfc58tree | snapshot
parent29a96794c475f24ba02c0ddc8ab3779695fe572bcommit | diff
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module

Origin: https://lore.kernel.org/patchwork/patch/933175/

This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.

For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT

Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
kernel/module_signing.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.