On 2026-01-29 15:41:43+0100, Petr Pavlu wrote:
> On 1/13/26 1:28 PM, Thomas Weißschuh wrote:
> > The signature splitting will also be used by CONFIG_MODULE_HASHES.
> > 
> > Move it up the callchain, so the result can be reused.
> > 
> > Signed-off-by: Thomas Weißschuh <[email protected]>
> > ---
> > [...]
> > diff --git a/kernel/module/main.c b/kernel/module/main.c
> > index c09b25c0166a..d65bc300a78c 100644
> > --- a/kernel/module/main.c
> > +++ b/kernel/module/main.c
> > @@ -3346,10 +3346,21 @@ static int early_mod_check(struct load_info *info, 
> > int flags)
> >  
> >  static int module_integrity_check(struct load_info *info, int flags)
> >  {
> > +   bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
> > +                                  MODULE_INIT_IGNORE_VERMAGIC);
> > +   size_t sig_len;
> > +   const u8 *sig;
> >     int err = 0;
> >  
> > +   if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) {
> > +           err = mod_split_sig(info->hdr, &info->len, mangled_module,
> > +                               &sig_len, &sig, "module");
> > +           if (err)
> > +                   return err;
> > +   }
> > +
> >     if (IS_ENABLED(CONFIG_MODULE_SIG))
> > -           err = module_sig_check(info, flags);
> > +           err = module_sig_check(info, sig, sig_len);
> >  
> >     if (err)
> >             return err;
> 
> I suggest moving the IS_ENABLED(CONFIG_MODULE_SIG) block under the
> new IS_ENABLED(CONFIG_MODULE_SIG_POLICY) section. I realize that
> CONFIG_MODULE_SIG implies CONFIG_MODULE_SIG_POLICY, but I believe this
> change makes it more apparent that this it the case. Otherwise, one
> might for example wonder if sig_len in the module_sig_check() call can
> be undefined.
> 
>       if (IS_ENABLED(CONFIG_MODULE_SIG_POLICY)) {
>               err = mod_split_sig(info->hdr, &info->len, mangled_module,
>                                   &sig_len, &sig, "module");
>               if (err)
>                       return err;
> 
>               if (IS_ENABLED(CONFIG_MODULE_SIG))
>                       err = module_sig_check(info, sig, sig_len);
>       }

Ack.

Reply via email to