archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 01:04:41 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Modules changes for v7.0-rc1

Browse source 
Module signing:
 
   - Remove SHA-1 support for signing modules. SHA-1 is no longer
     considered secure for signatures due to vulnerabilities that can
     lead to hash collisions. None of the major distributions use
     SHA-1 anymore, and the kernel has defaulted to SHA-512 since
     v6.11. Note that loading SHA-1 signed modules is still supported.
 
   - Update scripts/sign-file to use only the OpenSSL CMS API for
     signing. As SHA-1 support is gone, we can drop the legacy PKCS#7
     API which was limited to SHA-1. This also cleans up support for
     legacy OpenSSL versions.
 
 Cleanups and fixes:
 
   - Use system_dfl_wq instead of the per-cpu system_wq following the
     ongoing workqueue API refactoring.
 
   - Avoid open-coded kvrealloc() in module decompression logic by
     using the standard helper.
 
   - Improve section annotations by replacing the custom __modinit
     with __init_or_module and removing several unused __INIT*_OR_MODULE
     macros.
 
   - Fix kernel-doc warnings in include/linux/moduleparam.h.
 
   - Ensure set_module_sig_enforced is only declared when module
     signing is enabled.
 
   - Fix gendwarfksyms build failures on 32-bit hosts.
 
 MAINTAINERS:
 
   - Update the module subsystem entry to reflect the maintainer
     rotation and update the git repository link.
 
 The changes have been soaking in linux-next since -rc2.
 
 Note that like Daniel mentioned in the previous pull request [1], we
 rotate maintainership every 6 months, and I will be handling the module
 subsystem pull requests for the first half of this year.
 
 Link: https://lore.kernel.org/r/20251203234840.3720-1-da.gomez@kernel.org [1]
 Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQSE9au1u/dCZerzchhaByWrOaGnegUCaYYeeAAKCRBaByWrOaGn
 epIxAQDU/VSAC491S9/5dAUeGbOis9/p6QJKQlNgEqU4oTlOsgEA0p8BZ9Spkwzd
 v9BfIl3j9qVt7wUdlLdbHfdvPgtUVgc=
 =at6w
 -----END PGP SIGNATURE-----

Merge tag 'modules-7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux

Pull module updates from Sami Tolvanen:
 "Module signing:

   - Remove SHA-1 support for signing modules.

     SHA-1 is no longer considered secure for signatures due to
     vulnerabilities that can lead to hash collisions. None of the major
     distributions use SHA-1 anymore, and the kernel has defaulted to
     SHA-512 since v6.11.

     Note that loading SHA-1 signed modules is still supported.

   - Update scripts/sign-file to use only the OpenSSL CMS API for
     signing.

     As SHA-1 support is gone, we can drop the legacy PKCS#7 API which
     was limited to SHA-1. This also cleans up support for legacy
     OpenSSL versions.

  Cleanups and fixes:

   - Use system_dfl_wq instead of the per-cpu system_wq following the
     ongoing workqueue API refactoring.

   - Avoid open-coded kvrealloc() in module decompression logic by using
     the standard helper.

   - Improve section annotations by replacing the custom __modinit with
     __init_or_module and removing several unused __INIT*_OR_MODULE
     macros.

   - Fix kernel-doc warnings in include/linux/moduleparam.h.

   - Ensure set_module_sig_enforced is only declared when module signing
     is enabled.

   - Fix gendwarfksyms build failures on 32-bit hosts.

  MAINTAINERS:

   - Update the module subsystem entry to reflect the maintainer
     rotation and update the git repository link"

* tag 'modules-7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/modules/linux:
  modules: moduleparam.h: fix kernel-doc comments
  module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
  module/decompress: Avoid open-coded kvrealloc()
  gendwarfksyms: Fix build on 32-bit hosts
  sign-file: Use only the OpenSSL CMS API for signing
  module: Remove SHA-1 support for module signing
  module: replace use of system_wq with system_dfl_wq
  params: Replace __modinit with __init_or_module
  module: Remove unused __INIT*_OR_MODULE macros
  MAINTAINERS: Update module subsystem maintainers and repository
This commit is contained in:
Linus Torvalds 2026-02-10 09:49:18 -08:00
commit a7423e6ea2
10 changed files with 35 additions and 106 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/gendwarfksyms/dwarf.c
View file

@ -750,6 +750,7 @@ static void process_enumerator_type(struct state *state, struct die *cache,
Dwarf_Die *die)
{
bool overridden = false;
unsigned long override;
Dwarf_Word value;
if (stable) {
@ -761,7 +762,8 @@ static void process_enumerator_type(struct state *state, struct die *cache,
return;
overridden = kabi_get_enumerator_value(
state->expand.current_fqn, cache->fqn, &value);
state->expand.current_fqn, cache->fqn, &override);
value = override;
}
process_list_comma(state, cache);

5
scripts/gendwarfksyms/symbols.c
View file

@ -3,6 +3,7 @@
* Copyright (C) 2024 Google LLC
*/
#include <inttypes.h>
#include "gendwarfksyms.h"
#define SYMBOL_HASH_BITS 12
@ -242,7 +243,7 @@ static void elf_for_each_global(int fd, elf_symbol_callback_t func, void *arg)
error("elf_getdata failed: %s", elf_errmsg(-1));
if (shdr->sh_entsize != sym_size)
error("expected sh_entsize (%lu) to be %zu",
error("expected sh_entsize (%" PRIu64 ") to be %zu",
shdr->sh_entsize, sym_size);
nsyms = shdr->sh_size / shdr->sh_entsize;
@ -292,7 +293,7 @@ static void set_symbol_addr(struct symbol *sym, void *arg)
hash_add(symbol_addrs, &sym->addr_hash,
symbol_addr_hash(&sym->addr));
debug("%s -> { %u, %lx }", sym->name, sym->addr.section,
debug("%s -> { %u, %" PRIx64 " }", sym->name, sym->addr.section,
sym->addr.address);
} else if (sym->addr.section != addr->section ||
sym->addr.address != addr->address) {

68
scripts/sign-file.c
View file

@ -24,6 +24,7 @@
#include <arpa/inet.h>
#include <openssl/opensslv.h>
#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/err.h>
@ -39,29 +40,6 @@
#endif
#include "ssl-common.h"
/*
* Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
* assume that it's not available and its header file is missing and that we
* should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
* the options we have on specifying the X.509 certificate we want.
*
* Further, older versions of OpenSSL don't support manually adding signers to
* the PKCS#7 message so have to accept that we get a certificate included in
* the signature message. Nor do such older versions of OpenSSL support
* signing with anything other than SHA1 - so we're stuck with that if such is
* the case.
*/
#if defined(LIBRESSL_VERSION_NUMBER) || \
OPENSSL_VERSION_NUMBER < 0x10000000L || \
defined(OPENSSL_NO_CMS)
#define USE_PKCS7
#endif
#ifndef USE_PKCS7
#include <openssl/cms.h>
#else
#include <openssl/pkcs7.h>
#endif
struct module_signature {
uint8_t algo; /* Public-key crypto algorithm [0] */
uint8_t hash; /* Digest algorithm [0] */
@ -228,15 +206,10 @@ int main(int argc, char **argv)
bool raw_sig = false;
unsigned char buf[4096];
unsigned long module_size, sig_size;
unsigned int use_signed_attrs;
const EVP_MD *digest_algo;
EVP_PKEY *private_key;
#ifndef USE_PKCS7
CMS_ContentInfo *cms = NULL;
unsigned int use_keyid = 0;
#else
PKCS7 *pkcs7 = NULL;
#endif
X509 *x509;
BIO *bd, *bm;
int opt, n;
@ -246,21 +219,13 @@ int main(int argc, char **argv)
key_pass = getenv("KBUILD_SIGN_PIN");
#ifndef USE_PKCS7
use_signed_attrs = CMS_NOATTR;
#else
use_signed_attrs = PKCS7_NOATTR;
#endif
do {
opt = getopt(argc, argv, "sdpk");
switch (opt) {
case 's': raw_sig = true; break;
case 'p': save_sig = true; break;
case 'd': sign_only = true; save_sig = true; break;
#ifndef USE_PKCS7
case 'k': use_keyid = CMS_USE_KEYID; break;
#endif
case -1: break;
default: format();
}
@ -289,14 +254,6 @@ int main(int argc, char **argv)
replace_orig = true;
}
#ifdef USE_PKCS7
if (strcmp(hash_algo, "sha1") != 0) {
fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
OPENSSL_VERSION_TEXT);
exit(3);
}
#endif
/* Open the module file */
bm = BIO_new_file(module_name, "rb");
ERR(!bm, "%s", module_name);
@ -314,10 +271,9 @@ int main(int argc, char **argv)
digest_algo = EVP_get_digestbyname(hash_algo);
ERR(!digest_algo, "EVP_get_digestbyname");
#ifndef USE_PKCS7
unsigned int flags =
CMS_NOCERTS |
CMS_NOATTR |
CMS_PARTIAL |
CMS_BINARY |
CMS_DETACHED |
@ -335,12 +291,10 @@ int main(int argc, char **argv)
/* ML-DSA + CMS_NOATTR is not supported in openssl-3.5
* and before.
*/
use_signed_attrs = 0;
flags &= ~CMS_NOATTR;
}
#endif
flags |= use_signed_attrs;
/* Load the signature message from the digest buffer. */
cms = CMS_sign(NULL, NULL, NULL, NULL, flags);
ERR(!cms, "CMS_sign");
@ -350,13 +304,6 @@ int main(int argc, char **argv)
ERR(CMS_final(cms, bm, NULL, flags) != 1,
"CMS_final");
#else
pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
PKCS7_NOCERTS | PKCS7_BINARY |
PKCS7_DETACHED | use_signed_attrs);
ERR(!pkcs7, "PKCS7_sign");
#endif
if (save_sig) {
char *sig_file_name;
BIO *b;
@ -365,13 +312,8 @@ int main(int argc, char **argv)
"asprintf");
b = BIO_new_file(sig_file_name, "wb");
ERR(!b, "%s", sig_file_name);
#ifndef USE_PKCS7
ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) != 1,
"%s", sig_file_name);
#else
ERR(i2d_PKCS7_bio(b, pkcs7) != 1,
"%s", sig_file_name);
#endif
BIO_free(b);
}
@ -398,11 +340,7 @@ int main(int argc, char **argv)
module_size = BIO_number_written(bd);
if (!raw_sig) {
#ifndef USE_PKCS7
ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) != 1, "%s", dest_name);
#else
ERR(i2d_PKCS7_bio(bd, pkcs7) != 1, "%s", dest_name);
#endif
} else {
BIO *b;