| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Jun 2024 10:39:23 +0000
From: Yusong Gao <a869920004@...il.com>
To: mcgrof@...nel.org
Cc: linux-modules@...r.kernel.org,
linux-kernel@...r.kernel.org,
a869920004@...il.com
Subject: [PATCH v3] module: Add log info for verifying module signature
Add log information in kernel-space when loading module failures.
Try to load the unsigned module and the module with bad signature
when set 1 to /sys/module/module/parameters/sig_enforce.
Unsigned module case:
(linux) insmod unsigned.ko
[ 18.714661] Loading of unsigned module is rejected
insmod: can't insert 'unsigned.ko': Key was rejected by service
(linux)
Bad signature module case:
(linux) insmod bad_signature.ko
insmod: can't insert 'bad_signature.ko': Key was rejected by service
(linux)
There have different logging behavior the bad signature case only log
in user-space, add log info for fatal errors in module_sig_check().
Signed-off-by: Yusong Gao <a869920004@...il.com>
---
V3: Clarify the message type and the error code meaning.
V2: Change print level from notice to debug.
---
kernel/module/signing.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..826cdab8e3e4 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -67,6 +67,31 @@ int mod_verify_sig(const void *mod, struct load_info *info)
NULL, NULL);
}
+static const char *mod_decode_error(int errno)
+{
+ char *errstr = "Unrecognized error";
+
+ switch (errno) {
+ case -ENOMEM:
+ errstr = "Out of memory";
+ break;
+ case -EINVAL:
+ errstr = "Invalid argument";
+ break;
+ case -EBADMSG:
+ errstr = "Invaild module signature format";
+ break;
+ case -EMSGSIZE:
+ errstr = "Message too long";
+ break;
+ case -EKEYREJECTED:
+ errstr = "Key was rejected by service";
+ break;
+ }
+
+ return errstr;
+}
+
int module_sig_check(struct load_info *info, int flags)
{
int err = -ENODATA;
@@ -113,6 +138,8 @@ int module_sig_check(struct load_info *info, int flags)
* unparseable signatures, and signature check failures --
* even if signatures aren't required.
*/
+ pr_debug("Verifying module signature failed: %s\n",
+ mod_decode_error(err));
return err;
}
--
2.34.1
Powered by blists - more mailing lists