Kyle McMartin <k...@redhat.com> writes:
> Commit 1d0059f3a added a test to check if the system is booted in fips
> mode, and if so, panic the system if an unsigned module is loaded.
> However the wording of the changelog "in signature enforcing mode" leads
> one to assume that sig_enforce should be set for the panic to occur and
> that these two tests are transposed.
>
> Move the test for -ENOKEY && !sig_enforce before the test of fips_mode,
> so that err will be 0, and the panic will not trigger unless we've
> explicitly disabled unsigned modules with sig_enforce set, so that
> systemtap and 3rd party modules will work in fips mode. (This also
> matches the behaviour by Red Hat Enterprise Linux 6.)
>
> Things which need to deny module loading such as secure boot already set
> sig_enforce, so there's no issue here.
>
> Reported-by: Jan Stancek <jstan...@redhat.com>
> Signed-off-by: Kyle McMartin <k...@redhat.com>
Seems reasonable, but I'll want David Howells' Ack.
Thanks,
Rusty.
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -2460,11 +2460,11 @@ static int module_sig_check(struct load_info *info)
> }
>
> /* Not having a signature is only an error if we're strict. */
> + if (err == -ENOKEY && !sig_enforce)
> + err = 0;
> if (err < 0 && fips_enabled)
> panic("Module verification failed with error %d in FIPS mode\n",
> err);
> - if (err == -ENOKEY && !sig_enforce)
> - err = 0;
>
> return err;
> }
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
