1 /* module-verify.c: verify the signature attached to a kernel module
3 * Written by David Howells (dhowells@redhat.com)
4 * - Derived from GregKH's RSA module signer
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
12 #include <linux/config.h>
13 #include <linux/kernel.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
17 #include <linux/vmalloc.h>
18 #include <linux/elf.h>
19 #include <linux/crypto.h>
20 #include <linux/crypto/ksign.h>
21 #include <asm/scatterlist.h>
22 #include "module-verify.h"
25 #define _debug(FMT, ...) printk(KERN_DEBUG FMT, ##__VA_ARGS__)
27 #define _debug(FMT, ...) do { ; } while (0)
30 static int signedonly;
32 /*****************************************************************************/
34 * verify the signature attached to a module: SHA1-hash the module's text/data
 *   sections and check the digest against the signature found in the module's
 *   signature section (located by section name below)
36 int module_verify_sig(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, const char *secstrings, struct module *mod)
38 struct crypto_tfm *sha1_tfm;
39 unsigned sig_index, sig_size;
43 /* pull the signature out of the file */
45 for (i = 1; i < hdr->e_shnum; i++) {
46 if (strcmp(secstrings + sechdrs[i].sh_name,
56 _debug("sig in section %d (size %d)\n",
57 sig_index, sechdrs[sig_index].sh_size);
59 sig = (char *) sechdrs[sig_index].sh_addr;
60 sig_size = sechdrs[sig_index].sh_size;
67 /* grab an SHA1 transformation context
68 * - !!! SHA1 must be built in: if this call tries to autoload the sha1.ko
 *   module, we will deadlock, presumably because we are already inside the
 *   module loader (NOTE(review): confirm which lock is held here) !!!
70 sha1_tfm = crypto_alloc_tfm2("sha1", 0, 1);
72 printk("Couldn't load module - SHA1 transform unavailable\n");
76 crypto_digest_init(sha1_tfm);
78 for (i = 1; i < hdr->e_shnum; i++) {
81 const char *name = secstrings + sechdrs[i].sh_name;
83 /* Only sections whose names contain "text" or "data" are hashed.  Any other
 *   section is NOT covered by the signature and is loaded unauthenticated;
 *   NOTE(review): confirm that nothing influencing execution lives in a
 *   section named otherwise. */
84 if ((strstr(name, "text") == NULL) &&
85 (strstr(name, "data") == NULL))
88 /* avoid the ".rel.*" sections too. */
89 if (strstr(name, ".rel.") != NULL)
92 /* ... and the ".rela.*" sections, for the same reason. */
93 if (strstr(name, ".rela.") != NULL)
96 data = (uint8_t *) sechdrs[i].sh_addr;
97 size = sechdrs[i].sh_size;
99 _debug("SHA1ing the %s section, size %d\n", name, size);
100 _debug("idata [ %02x%02x%02x%02x ]\n",
101 data[0], data[1], data[2], data[3]);
103 crypto_digest_update_kernel(sha1_tfm, data, size);
106 /* verify the signature against the SHA1 digest accumulated above */
107 i = ksign_verify_signature(sig, sig_size, sha1_tfm);
113 /* deal with the case of an unsigned module: it is rejected only when
 *   enforcement was requested (presumably via signedonly, set by the
 *   "enforcemodulesig" boot parameter); otherwise it loads unverified */
117 printk("An attempt to load unsigned module was rejected\n");
119 } /* end module_verify_sig() */
121 static int __init sign_setup(char *str)
126 __setup("enforcemodulesig", sign_setup);