Merge tag 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

Pull module update from Rusty Russell: "The sweeping change is to make add_taint() explicitly indicate whether to disable lockdep, but it's a mechanical change." * tag 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: MODSIGN: Add option to not sign modules during modules_install MODSIGN: Add -s <signature> option to sign-file MODSIGN: Specify the hash algorithm on sign-file command line MODSIGN: Simplify Makefile with a Kconfig helper module: clean up load_module a little more. modpost: Ignore ARC specific non-alloc sections module: constify within_module_* taint: add explicit flag to show whether lock dep is still OK. module: printk message when module signature fail taints kernel.
author: Linus Torvalds <torvalds@linux-foundation.org> 2013-02-25 18:41:43 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-02-25 18:41:43 -0500
commit: 9043a2650cd21f96f831a97f516c2c302e21fb70 (patch)
tree: 926720afb0acc7bad8cfcae537dc58de552f9249 /scripts
parent: ab7826595e9ec51a51f622c5fc91e2f59440481a (diff)
parent: d9d8d7ed498ec65bea72dd24be7b9cd35af0c200 (diff)
2 files changed, 65 insertions, 71 deletions
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index ff36c508a10e..1c6fbb1a4f8e 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -830,6 +830,8 @@ static const char *section_white_list[] =
        ".toc*",
        ".xt.prop",                              /* xtensa */
        ".xt.lit",         /* xtensa */
+        ".arcextmap*",                  /* arc */
+        ".gnu.linkonce.arcext*",        /* arc : modules */
        NULL
 };
diff --git a/scripts/sign-file b/scripts/sign-file
index 974a20b661b7..2b7c4484d46c 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -2,51 +2,45 @@
 #
 # Sign a module file using the given key.
 #
-# Format:
-#
+my $USAGE =
-#       ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]
+"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
-#
+"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
-#
 use strict;
 use FileHandle;
 use IPC::Open2;
+use Getopt::Std;
-my $verbose = 0;
+my %opts;
-if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
+getopts('vs:', \%opts) or die $USAGE;
-    $verbose = 1;
+my $verbose = $opts{'v'};
-    shift;
+my $signature_file = $opts{'s'};
-}
-die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n"
+die $USAGE if ($#ARGV > 4);
-    if ($#ARGV != 2 && $#ARGV != 3);
+die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
-my $private_key = $ARGV[0];
+my $dgst = shift @ARGV;
-my $x509 = $ARGV[1];
+my $private_key;
-my $module = $ARGV[2];
+if (!$signature_file) {
-my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";
+        $private_key = shift @ARGV;
+}
+my $x509 = shift @ARGV;
+my $module = shift @ARGV;
+my ($dest, $keep_orig);
+if (@ARGV) {
+        $dest = $ARGV[0];
+        $keep_orig = 1;
+} else {
+        $dest = $module . "~";
+}
-die "Can't read private key\n" unless (-r $private_key);
+die "Can't read private key\n" if (!$signature_file && !-r $private_key);
+die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
 die "Can't read X.509 certificate\n" unless (-r $x509);
 die "Can't read module\n" unless (-r $module);
 #
-# Read the kernel configuration
-#
-my %config = (
-    CONFIG_MODULE_SIG_SHA512 => 1
-    );
-if (-r ".config") {
-    open(FD, "<.config") || die ".config";
-    while (<FD>) {
-        if ($_ =~ /^(CONFIG_.*)=[ym]/) {
-            $config{$1} = 1;
-        }
-    }
-    close(FD);
-}
-#
 # Function to read the contents of a file into a variable.
 #
 sub read_file($)
@@ -321,73 +315,71 @@ my $id_type = 1;	# Identifier type: X.509
 #
 # Digest the data
 #
-my ($dgst, $prologue) = ();
+my $prologue;
-if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) {
+if ($dgst eq "sha1") {
    $prologue = pack("C*",
                     0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
                     0x2B, 0x0E, 0x03, 0x02, 0x1A,
                     0x05, 0x00, 0x04, 0x14);
-    $dgst = "-sha1";
    $hash = 2;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) {
+} elsif ($dgst eq "sha224") {
    $prologue = pack("C*",
                     0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
                     0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
                     0x05, 0x00, 0x04, 0x1C);
-    $dgst = "-sha224";
    $hash = 7;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) {
+} elsif ($dgst eq "sha256") {
    $prologue = pack("C*",
                     0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
                     0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
                     0x05, 0x00, 0x04, 0x20);
-    $dgst = "-sha256";
    $hash = 4;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) {
+} elsif ($dgst eq "sha384") {
    $prologue = pack("C*",
                     0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
                     0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
                     0x05, 0x00, 0x04, 0x30);
-    $dgst = "-sha384";
    $hash = 5;
-} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) {
+} elsif ($dgst eq "sha512") {
    $prologue = pack("C*",
                     0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
                     0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
                     0x05, 0x00, 0x04, 0x40);
-    $dgst = "-sha512";
    $hash = 6;
 } else {
-    die "Can't determine hash algorithm";
+    die "Unknown hash algorithm: $dgst\n";
 }
-#
-# Generate the digest and read from openssl's stdout
-#
-my $digest;
-$digest = readpipe("openssl dgst $dgst -binary $module") || die "openssl dgst";
-#
-# Generate the binary signature, which will be just the integer that comprises
-# the signature with no metadata attached.
-#
-my $pid;
-$pid = open2(*read_from, *write_to,
-             "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
-    die "openssl rsautl";
-binmode write_to;
-print write_to $prologue . $digest || die "pipe to openssl rsautl";
-close(write_to) || die "pipe to openssl rsautl";
-binmode read_from;
 my $signature;
-read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+if ($signature_file) {
-close(read_from) || die "pipe from openssl rsautl";
+        $signature = read_file($signature_file);
+} else {
+        #
+        # Generate the digest and read from openssl's stdout
+        #
+        my $digest;
+        $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
+        #
+        # Generate the binary signature, which will be just the integer that
+        # comprises the signature with no metadata attached.
+        #
+        my $pid;
+        $pid = open2(*read_from, *write_to,
+                     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+            die "openssl rsautl";
+        binmode write_to;
+        print write_to $prologue . $digest || die "pipe to openssl rsautl";
+        close(write_to) || die "pipe to openssl rsautl";
+        binmode read_from;
+        read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+        close(read_from) || die "pipe from openssl rsautl";
+        waitpid($pid, 0) || die;
+        die "openssl rsautl died: $?" if ($? >> 8);
+}
 $signature = pack("n", length($signature)) . $signature,
-waitpid($pid, 0) || die;
-die "openssl rsautl died: $?" if ($? >> 8);
 #
 # Build the signed binary
 #
@@ -424,6 +416,6 @@ print FD
    ;
 close FD || die $dest;
-if ($#ARGV != 3) {
+if (!$keep_orig) {
    rename($dest, $module) || die $module;
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2013-02-25 18:41:43 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-02-25 18:41:43 -0500
commit	9043a2650cd21f96f831a97f516c2c302e21fb70 (patch)
tree	926720afb0acc7bad8cfcae537dc58de552f9249 /scripts
parent	ab7826595e9ec51a51f622c5fc91e2f59440481a (diff)
parent	d9d8d7ed498ec65bea72dd24be7b9cd35af0c200 (diff)

diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c index ff36c508a10e..1c6fbb1a4f8e 100644 --- a/scripts/mod/modpost.c +++ b/scripts/mod/modpost.c
@@ -830,6 +830,8 @@ static const char *section_white_list[] =
830	".toc*",	830	".toc*",
831	".xt.prop", /* xtensa */	831	".xt.prop", /* xtensa */
832	".xt.lit", /* xtensa */	832	".xt.lit", /* xtensa */
		833	".arcextmap", / arc */
		834	".gnu.linkonce.arcext", / arc : modules */
833	NULL	835	NULL
834	};	836	};
835		837


diff --git a/scripts/sign-file b/scripts/sign-file index 974a20b661b7..2b7c4484d46c 100755 --- a/scripts/sign-file +++ b/scripts/sign-file
@@ -2,51 +2,45 @@
2	#	2	#
3	# Sign a module file using the given key.	3	# Sign a module file using the given key.
4	#	4	#
5	# Format:	5
6	#	6	my $USAGE =
7	# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]	7	"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
8	#	8	" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
9	#	9
10	use strict;	10	use strict;
11	use FileHandle;	11	use FileHandle;
12	use IPC::Open2;	12	use IPC::Open2;
		13	use Getopt::Std;
13		14
14	my $verbose = 0;	15	my %opts;
15	if ($#ARGV >= 0 && $ARGV[0] eq "-v") {	16	getopts('vs:', \%opts) or die $USAGE;
16	$verbose = 1;	17	my $verbose = $opts{'v'};
17	shift;	18	my $signature_file = $opts{'s'};
18	}
19		19
20	die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n"	20	die $USAGE if ($#ARGV > 4);
21	if ($#ARGV != 2 && $#ARGV != 3);	21	die $USAGE if (!$signature_file && $#ARGV < 3 \|\| $signature_file && $#ARGV < 2);
22		22
23	my $private_key = $ARGV[0];	23	my $dgst = shift @ARGV;
24	my $x509 = $ARGV[1];	24	my $private_key;
25	my $module = $ARGV[2];	25	if (!$signature_file) {
26	my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";	26	$private_key = shift @ARGV;
		27	}
		28	my $x509 = shift @ARGV;
		29	my $module = shift @ARGV;
		30	my ($dest, $keep_orig);
		31	if (@ARGV) {
		32	$dest = $ARGV[0];
		33	$keep_orig = 1;
		34	} else {
		35	$dest = $module . "~";
		36	}
27		37
28	die "Can't read private key\n" unless (-r $private_key);	38	die "Can't read private key\n" if (!$signature_file && !-r $private_key);
		39	die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
29	die "Can't read X.509 certificate\n" unless (-r $x509);	40	die "Can't read X.509 certificate\n" unless (-r $x509);
30	die "Can't read module\n" unless (-r $module);	41	die "Can't read module\n" unless (-r $module);
31		42
32	#	43	#
33	# Read the kernel configuration
34	#
35	my %config = (
36	CONFIG_MODULE_SIG_SHA512 => 1
37	);
38
39	if (-r ".config") {
40	open(FD, "<.config") \|\| die ".config";
41	while (<FD>) {
42	if ($_ =~ /^(CONFIG_.*)=[ym]/) {
43	$config{$1} = 1;
44	}
45	}
46	close(FD);
47	}
48
49	#
50	# Function to read the contents of a file into a variable.	44	# Function to read the contents of a file into a variable.
51	#	45	#
52	sub read_file($)	46	sub read_file($)
@@ -321,73 +315,71 @@ my $id_type = 1; # Identifier type: X.509
321	#	315	#
322	# Digest the data	316	# Digest the data
323	#	317	#
324	my ($dgst, $prologue) = ();	318	my $prologue;
325	if (exists $config{"CONFIG_MODULE_SIG_SHA1"}) {	319	if ($dgst eq "sha1") {
326	$prologue = pack("C*",	320	$prologue = pack("C*",
327	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,	321	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
328	0x2B, 0x0E, 0x03, 0x02, 0x1A,	322	0x2B, 0x0E, 0x03, 0x02, 0x1A,
329	0x05, 0x00, 0x04, 0x14);	323	0x05, 0x00, 0x04, 0x14);
330	$dgst = "-sha1";
331	$hash = 2;	324	$hash = 2;
332	} elsif (exists $config{"CONFIG_MODULE_SIG_SHA224"}) {	325	} elsif ($dgst eq "sha224") {
333	$prologue = pack("C*",	326	$prologue = pack("C*",
334	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,	327	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
335	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,	328	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
336	0x05, 0x00, 0x04, 0x1C);	329	0x05, 0x00, 0x04, 0x1C);
337	$dgst = "-sha224";
338	$hash = 7;	330	$hash = 7;
339	} elsif (exists $config{"CONFIG_MODULE_SIG_SHA256"}) {	331	} elsif ($dgst eq "sha256") {
340	$prologue = pack("C*",	332	$prologue = pack("C*",
341	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,	333	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
342	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,	334	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
343	0x05, 0x00, 0x04, 0x20);	335	0x05, 0x00, 0x04, 0x20);
344	$dgst = "-sha256";
345	$hash = 4;	336	$hash = 4;
346	} elsif (exists $config{"CONFIG_MODULE_SIG_SHA384"}) {	337	} elsif ($dgst eq "sha384") {
347	$prologue = pack("C*",	338	$prologue = pack("C*",
348	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,	339	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
349	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,	340	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
350	0x05, 0x00, 0x04, 0x30);	341	0x05, 0x00, 0x04, 0x30);
351	$dgst = "-sha384";
352	$hash = 5;	342	$hash = 5;
353	} elsif (exists $config{"CONFIG_MODULE_SIG_SHA512"}) {	343	} elsif ($dgst eq "sha512") {
354	$prologue = pack("C*",	344	$prologue = pack("C*",
355	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,	345	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
356	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,	346	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
357	0x05, 0x00, 0x04, 0x40);	347	0x05, 0x00, 0x04, 0x40);
358	$dgst = "-sha512";
359	$hash = 6;	348	$hash = 6;
360	} else {	349	} else {
361	die "Can't determine hash algorithm";	350	die "Unknown hash algorithm: $dgst\n";
362	}	351	}
363		352
364	#
365	# Generate the digest and read from openssl's stdout
366	#
367	my $digest;
368	$digest = readpipe("openssl dgst $dgst -binary $module") \|\| die "openssl dgst";
369
370	#
371	# Generate the binary signature, which will be just the integer that comprises
372	# the signature with no metadata attached.
373	#
374	my $pid;
375	$pid = open2(read_from, write_to,
376	"openssl rsautl -sign -inkey $private_key -keyform PEM") \|\|
377	die "openssl rsautl";
378	binmode write_to;
379	print write_to $prologue . $digest \|\| die "pipe to openssl rsautl";
380	close(write_to) \|\| die "pipe to openssl rsautl";
381
382	binmode read_from;
383	my $signature;	353	my $signature;
384	read(read_from, $signature, 4096) \|\| die "pipe from openssl rsautl";	354	if ($signature_file) {
385	close(read_from) \|\| die "pipe from openssl rsautl";	355	$signature = read_file($signature_file);
		356	} else {
		357	#
		358	# Generate the digest and read from openssl's stdout
		359	#
		360	my $digest;
		361	$digest = readpipe("openssl dgst -$dgst -binary $module") \|\| die "openssl dgst";
		362
		363	#
		364	# Generate the binary signature, which will be just the integer that
		365	# comprises the signature with no metadata attached.
		366	#
		367	my $pid;
		368	$pid = open2(read_from, write_to,
		369	"openssl rsautl -sign -inkey $private_key -keyform PEM") \|\|
		370	die "openssl rsautl";
		371	binmode write_to;
		372	print write_to $prologue . $digest \|\| die "pipe to openssl rsautl";
		373	close(write_to) \|\| die "pipe to openssl rsautl";
		374
		375	binmode read_from;
		376	read(read_from, $signature, 4096) \|\| die "pipe from openssl rsautl";
		377	close(read_from) \|\| die "pipe from openssl rsautl";
		378	waitpid($pid, 0) \|\| die;
		379	die "openssl rsautl died: $?" if ($? >> 8);
		380	}
386	$signature = pack("n", length($signature)) . $signature,	381	$signature = pack("n", length($signature)) . $signature,
387		382
388	waitpid($pid, 0) \|\| die;
389	die "openssl rsautl died: $?" if ($? >> 8);
390
391	#	383	#
392	# Build the signed binary	384	# Build the signed binary
393	#	385	#
@@ -424,6 +416,6 @@ print FD
424	;	416	;
425	close FD \|\| die $dest;	417	close FD \|\| die $dest;
426		418
427	if ($#ARGV != 3) {	419	if (!$keep_orig) {
428	rename($dest, $module) \|\| die $module;	420	rename($dest, $module) \|\| die $module;
429	}	421	}