| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260113-module-hashes-v4-17-0b932db9b56b@weissschuh.net> Date: Tue, 13 Jan 2026 13:29:01 +0100 From: Thomas Weißschuh <linux@...ssschuh.net> To: Nathan Chancellor <nathan@...nel.org>, Arnd Bergmann <arnd@...db.de>, Luis Chamberlain <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen <samitolvanen@...gle.com>, Daniel Gomez <da.gomez@...sung.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Jonathan Corbet <corbet@....net>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, Naveen N Rao <naveen@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Eric Snowberg <eric.snowberg@...cle.com>, Nicolas Schier <nicolas.schier@...ux.dev>, Daniel Gomez <da.gomez@...nel.org>, Aaron Tomlin <atomlin@...mlin.com>, "Christophe Leroy (CS GROUP)" <chleroy@...nel.org>, Nicolas Schier <nsc@...nel.org>, Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>, Xiu Jianfeng <xiujianfeng@...wei.com>, Nicolas Schier <nsc@...nel.org>, Christophe Leroy <chleroy@...nel.org> Cc: Fabian Grünbichler <f.gruenbichler@...xmox.com>, Arnout Engelen <arnout@...t.net>, Mattia Rizzolo <mattia@...reri.org>, kpcyrd <kpcyrd@...hlinux.org>, Christian Heusel <christian@...sel.eu>, Câju Mihai-Drosi <mcaju95@...il.com>, Sebastian Andrzej Siewior <bigeasy@...utronix.de>, linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org, linux-modules@...r.kernel.org, linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, linux-integrity@...r.kernel.org, Thomas Weißschuh <linux@...ssschuh.net> Subject: [PATCH v4 17/17] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping CONFIG_MODULE_HASHES needs to process the modules at build time in the exact form they will be loaded at runtime. If the modules are stripped afterwards they will not be loadable anymore. Also evaluate INSTALL_MOD_STRIP at build time and build the hashes based on modules stripped this way. If users specify inconsistent values of INSTALL_MOD_STRIP between build and installation time, an error is reported. Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net> --- .gitignore | 1 + kernel/module/Kconfig | 5 +++++ scripts/Makefile.modfinal | 9 +++++++-- scripts/Makefile.modinst | 4 ++-- scripts/Makefile.vmlinux | 1 + 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 299c54083672..900251c72ade 100644 --- a/.gitignore +++ b/.gitignore @@ -29,6 +29,7 @@ *.gz *.i *.ko +*.ko.stripped *.lex.c *.ll *.lst diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index c00ca830330c..9fd34765ce2c 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -425,6 +425,11 @@ config MODULE_HASHES Also see the warning in MODULE_SIG about stripping modules. +# To validate the consistency of INSTALL_MOD_STRIP for MODULE_HASHES +config MODULE_INSTALL_STRIP + string + default "$(INSTALL_MOD_STRIP)" + config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS bool "Allow loading of modules with missing namespace imports" help diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal index 5b8e94170beb..890724edac69 100644 --- a/scripts/Makefile.modfinal +++ b/scripts/Makefile.modfinal @@ -63,10 +63,14 @@ ifdef CONFIG_DEBUG_INFO_BTF_MODULES endif +$(call cmd,check_tracepoint) +%.ko.stripped: %.ko $(wildcard include/config/MODULE_INSTALL_STRIP) + $(call cmd,install_mod) + $(call cmd,strip_mod) + quiet_cmd_merkle = MERKLE $@ - cmd_merkle = $(objtree)/scripts/modules-merkle-tree $@ .ko + cmd_merkle = $(objtree)/scripts/modules-merkle-tree $@ $(if $(CONFIG_MODULE_INSTALL_STRIP),.ko.stripped,.ko) -.tmp_module_hashes.c: $(modules:%.o=%.ko) $(objtree)/scripts/modules-merkle-tree FORCE +.tmp_module_hashes.c: $(if $(CONFIG_MODULE_INSTALL_STRIP),$(modules:%.o=%.ko.stripped),$(modules:%.o=%.ko)) $(objtree)/scripts/modules-merkle-tree $(wildcard include/config/MODULE_INSTALL_STRIP) FORCE $(call cmd,merkle) ifdef CONFIG_MODULE_HASHES @@ -75,6 +79,7 @@ endif targets += $(modules:%.o=%.ko) $(modules:%.o=%.mod.o) .module-common.o targets += $(modules:%.o=%.merkle) .tmp_module_hashes.c +targets += $(modules:%.o=%.ko.stripped) # Add FORCE to the prerequisites of a target to force it to be always rebuilt. # --------------------------------------------------------------------------- diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index 07380c7233a0..45606f994ad9 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -68,8 +68,8 @@ __modinst: $(install-y) ifdef CONFIG_MODULE_HASHES ifeq ($(KBUILD_EXTMOD),) -ifdef INSTALL_MOD_STRIP -$(error CONFIG_MODULE_HASHES and INSTALL_MOD_STRIP are mutually exclusive) +ifneq ($(INSTALL_MOD_STRIP),$(CONFIG_MODULE_INSTALL_STRIP)) +$(error Inconsistent values for INSTALL_MOD_STRIP between build and installation) endif endif endif diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux index f4e38b953b01..4ce849f6253a 100644 --- a/scripts/Makefile.vmlinux +++ b/scripts/Makefile.vmlinux @@ -81,6 +81,7 @@ endif ifdef CONFIG_MODULE_HASHES vmlinux.unstripped: $(objtree)/scripts/modules-merkle-tree vmlinux.unstripped: modules.order +vmlinux.unstripped: $(wildcard include/config/MODULE_INSTALL_STRIP) endif # vmlinux -- 2.52.0
Powered by blists - more mailing lists