0116-Add-boot-option-to-allow-unsigned-modules.patch
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Brett T. Warden" <[email protected]>
Date: Mon, 13 Aug 2018 04:01:21 -0500
Subject: [PATCH] Add boot option to allow unsigned modules
Add module.sig_unenforce boot parameter to allow loading unsigned kernel
modules. Parameter is only effective if CONFIG_MODULE_SIG_FORCE is
enabled and system is *not* SecureBooted.
Signed-off-by: Brett T. Warden <[email protected]>
Signed-off-by: Miguel Bernal Marin <[email protected]>
---
kernel/module.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/kernel/module.c b/kernel/module.c
index 9ee93421269c..1b4ec7cac45e 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -52,6 +52,7 @@
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
#include <linux/audit.h>
+#include <linux/efi.h>
#include <uapi/linux/module.h>
#include "module-internal.h"
@@ -267,6 +268,10 @@ static void module_assert_mutex_or_preempt(void)
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);
+/* Allow disabling module signature requirement by adding boot param */
+static bool sig_unenforce = false;
+module_param(sig_unenforce, bool_enable_only, 0644);
+
/*
* Export sig_enforce kernel cmdline parameter to allow other subsystems rely
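Review bot: `sig_unenforce` is registered with mode `0644`, so it appears as a root-writable sysfs parameter, yet the only reader visible in this patch is the one-time assignment in `proc_modules_init`. A write after boot changes the displayed value without changing enforcement, which can mislead anyone auditing the running system. Since this is meant as a boot option, `module_param(sig_unenforce, bool_enable_only, 0444);` would match the intent. The comment could also carry the conditions from the commit message, e.g. `/* Boot-time only: honoured when CONFIG_MODULE_SIG_FORCE is set and Secure Boot is not enabled */`, and the explicit `= false` initialiser on a static is redundant.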
@@ -392,6 +397,8 @@ extern const s32 __start___kcrctab_unused[];
extern const s32 __start___kcrctab_unused_gpl[];
#endif
+extern struct boot_params boot_params;
+
#ifndef CONFIG_MODVERSIONS
#define symversion(base, idx) NULL
#else
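Review bot: The bare `extern struct boot_params boot_params;` re-declares an x86 symbol by hand in architecture-independent code, and nothing visible in this hunk guards it. The later `boot_params.secure_boot` access needs the complete type, so this presumably builds only where the x86 setup headers are already pulled in indirectly. Including the header that owns the declaration (on x86, `<asm/setup.h>`) under `#ifdef CONFIG_X86` would make the dependency explicit and stop the hand-written prototype from drifting. If the declaration stays, a comment such as `/* x86 only: read at init to learn the Secure Boot state */` would help.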
@@ -4315,6 +4322,20 @@ static const struct file_operations proc_modules_operations = {
static int __init proc_modules_init(void)
{
proc_create("modules", 0, NULL, &proc_modules_operations);
+
+#ifdef CONFIG_MODULE_SIG_FORCE
+ switch (boot_params.secure_boot) {
+ case efi_secureboot_mode_unset:
+ case efi_secureboot_mode_unknown:
+ case efi_secureboot_mode_disabled:
+ /*
+ * sig_unenforce is only applied if SecureBoot is not
+ * enabled.
+ */
+ sig_enforce = !sig_unenforce;
+ }
+#endif
+
return 0;
}
module_init(proc_modules_init);
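Review bot: The switch in `proc_modules_init` treats `efi_secureboot_mode_unknown` the same as `efi_secureboot_mode_disabled`, so a boot where the Secure Boot state apparently could not be determined still lets `module.sig_unenforce` drop signature enforcement; failing closed for that case is safer. The relaxation is also silent, and a `pr_warn` when enforcement is dropped would leave a trace in the kernel log for anyone auditing the boot. The switch has no `break` or `default`, and the decision sits in the /proc/modules initcall, where a reader would not look for signature policy. The sketch below keeps the existing behaviour for the unset and disabled states and only changes the unknown case and the logging.

```c
	proc_create("modules", 0, NULL, &proc_modules_operations);

#ifdef CONFIG_MODULE_SIG_FORCE
	/*
	 * module.sig_unenforce is honoured only when Secure Boot is reported
	 * as disabled or was never reported; any other state keeps
	 * CONFIG_MODULE_SIG_FORCE in effect.
	 */
	switch (boot_params.secure_boot) {
	case efi_secureboot_mode_unset:
	case efi_secureboot_mode_disabled:
		if (sig_unenforce) {
			sig_enforce = false;
			pr_warn("module signature enforcement disabled by module.sig_unenforce\n");
		}
		break;
	default:
		/* enabled or unknown: leave sig_enforce untouched */
		break;
	}
#endif
	/* … unchanged: return 0 … */
```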
--
https://clearlinux.org