On 8/23/25 03:36, Sami Tolvanen wrote:
On Fri, Aug 22, 2025 at 5:55 AM Jinchao Wang <wangjinchao...@gmail.com> wrote:
The current signature check logic incorrectly fails modules that have
valid signatures when the caller specifies MODULE_INIT_IGNORE_MODVERSIONS
or MODULE_INIT_IGNORE_VERMAGIC flags. This happens because the code
treats these flags as indicating a "mangled module" and skips signature
verification entirely.
The key insight is that the intent of the caller (to ignore modversions
or vermagic) should not affect signature verification. A module with
a valid signature should be verified regardless of whether the caller
wants to ignore versioning information.
Why would you need to ignore versions when loading signed modules?
Here's the original series that added this check and I feel it's very
much relevant still:
https://lore.kernel.org/lkml/20160423184421.gl3...@decadent.org.uk/
Sami
Hi Sami,
Thanks for explaining the historical context. I think there are two
possible understandings of "ignore."
The original seems to be "do not check, but still taint the module." My
patch was based on the understanding that "ignore" means to allow the
module, even if it is not signed or is signed with a different key.
Given your feedback, I've decided to drop the patch for now.
--
Best regards,
Jinchao
