MODSIGN: Export module signature definitions

IMA will use the module_signature format for append signatures, so export the relevant definitions and factor out the code which verifies that the appended signature trailer is valid. Also, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it and be able to use mod_check_sig() without having to depend on either CONFIG_MODULE_SIG or CONFIG_MODULES. s390 duplicated the definition of struct module_signature so now they can use the new <linux/module_signature.h> header instead. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Acked-by: Jessica Yu <jeyu@kernel.org> Reviewed-by: Philipp Rudo <prudo@linux.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Thiago Jung Bauermann <bauerman@linux.ibm.com> 2019-07-04 14:57:34 -0400
committer: Mimi Zohar <zohar@linux.ibm.com> 2019-08-05 18:39:56 -0400
commit: c8424e776b093280d3fdd104d850706b3b229ac8 (patch)
tree: 3f14381fe576439fa1fa94736b67d1015c40752d /arch/s390
parent: b36f281f4a314de4be0a51d6511b794691f8a244 (diff)
2 files changed, 2 insertions, 24 deletions
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index a4ad2733eedf..e0ae0d51f985 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -538,7 +538,7 @@ config ARCH_HAS_KEXEC_PURGATORY
 config KEXEC_VERIFY_SIG
        bool "Verify kernel signature during kexec_file_load() syscall"
-        depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION
+        depends on KEXEC_FILE && MODULE_SIG_FORMAT
        help
          This option makes kernel signature verification mandatory for
          the kexec_file_load() syscall.
diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index fbdd3ea73667..1ac9fbc6e01e 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -10,7 +10,7 @@
 #include <linux/elf.h>
 #include <linux/errno.h>
 #include <linux/kexec.h>
-#include <linux/module.h>
+#include <linux/module_signature.h>
 #include <linux/verification.h>
 #include <asm/boot_data.h>
 #include <asm/ipl.h>
@@ -23,28 +23,6 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
 };
 #ifdef CONFIG_KEXEC_VERIFY_SIG
-/*
- * Module signature information block.
- *
- * The constituents of the signature section are, in order:
- *
- *      - Signer's name
- *      - Key identifier
- *      - Signature data
- *      - Information block
- */
-struct module_signature {
-        u8      algo;           /* Public-key crypto algorithm [0] */
-        u8      hash;           /* Digest algorithm [0] */
-        u8      id_type;        /* Key identifier type [PKEY_ID_PKCS7] */
-        u8      signer_len;     /* Length of signer's name [0] */
-        u8      key_id_len;     /* Length of key identifier [0] */
-        u8      __pad[3];
-        __be32  sig_len;        /* Length of signature data */
-};
-#define PKEY_ID_PKCS7 2
 int s390_verify_sig(const char *kernel, unsigned long kernel_len)
 {
        const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
author	Thiago Jung Bauermann <bauerman@linux.ibm.com>	2019-07-04 14:57:34 -0400
committer	Mimi Zohar <zohar@linux.ibm.com>	2019-08-05 18:39:56 -0400
commit	c8424e776b093280d3fdd104d850706b3b229ac8 (patch)
tree	3f14381fe576439fa1fa94736b67d1015c40752d /arch/s390
parent	b36f281f4a314de4be0a51d6511b794691f8a244 (diff)

diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index a4ad2733eedf..e0ae0d51f985 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig
@@ -538,7 +538,7 @@ config ARCH_HAS_KEXEC_PURGATORY
538		538
539	config KEXEC_VERIFY_SIG	539	config KEXEC_VERIFY_SIG
540	bool "Verify kernel signature during kexec_file_load() syscall"	540	bool "Verify kernel signature during kexec_file_load() syscall"
541	depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION	541	depends on KEXEC_FILE && MODULE_SIG_FORMAT
542	help	542	help
543	This option makes kernel signature verification mandatory for	543	This option makes kernel signature verification mandatory for
544	the kexec_file_load() syscall.	544	the kexec_file_load() syscall.


diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index fbdd3ea73667..1ac9fbc6e01e 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c
@@ -10,7 +10,7 @@
10	#include <linux/elf.h>	10	#include <linux/elf.h>
11	#include <linux/errno.h>	11	#include <linux/errno.h>
12	#include <linux/kexec.h>	12	#include <linux/kexec.h>
13	#include <linux/module.h>	13	#include <linux/module_signature.h>
14	#include <linux/verification.h>	14	#include <linux/verification.h>
15	#include <asm/boot_data.h>	15	#include <asm/boot_data.h>
16	#include <asm/ipl.h>	16	#include <asm/ipl.h>
@@ -23,28 +23,6 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
23	};	23	};
24		24
25	#ifdef CONFIG_KEXEC_VERIFY_SIG	25	#ifdef CONFIG_KEXEC_VERIFY_SIG
26	/*
27	* Module signature information block.
28	*
29	* The constituents of the signature section are, in order:
30	*
31	* - Signer's name
32	* - Key identifier
33	* - Signature data
34	* - Information block
35	*/
36	struct module_signature {
37	u8 algo; /* Public-key crypto algorithm [0] */
38	u8 hash; /* Digest algorithm [0] */
39	u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */
40	u8 signer_len; /* Length of signer's name [0] */
41	u8 key_id_len; /* Length of key identifier [0] */
42	u8 __pad[3];
43	__be32 sig_len; /* Length of signature data */
44	};
45
46	#define PKEY_ID_PKCS7 2
47
48	int s390_verify_sig(const char *kernel, unsigned long kernel_len)	26	int s390_verify_sig(const char *kernel, unsigned long kernel_len)
49	{	27	{
50	const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;	28	const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;