projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7f45bf2) | patch
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module
authorLee, Chun-Yi <joeyli.kernel@gmail.com>
Tue, 13 Mar 2018 10:38:02 +0000 (18:38 +0800)
committerSalvatore Bonaccorso <carnil@debian.org>
Fri, 29 Sep 2023 04:25:15 +0000 (05:25 +0100)
commitfcd04f0d80c340330a02e8dae44f066472fa97b9
treed750df2e0f0e6d0cc88cb62503d39e4e6acc50d0tree | snapshot
parent7f45bf2d5acabacdcbf90024a234981fd4a1b4adcommit | diff
[PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module

Origin: https://lore.kernel.org/patchwork/patch/933175/

This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.

For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT

Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
kernel/module_signing.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.