[PATCH v4 11/17] module: Move lockdown check into generic module loader
Thomas Weißschuh
linux at weissschuh.net
Tue Jan 13 12:28:55 UTC 2026
The lockdown check buried in module_sig_check() will not compose well
with the introduction of hash-based module validation.
Move it into module_integrity_check() which will work better.
Signed-off-by: Thomas Weißschuh <linux at weissschuh.net>
---
kernel/module/main.c | 6 +++++-
kernel/module/signing.c | 3 +--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 9c570078aa9c..c09b25c0166a 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3351,7 +3351,11 @@ static int module_integrity_check(struct load_info *info, int flags)
if (IS_ENABLED(CONFIG_MODULE_SIG))
err = module_sig_check(info, flags);
- return err;
+ if (err)
+ return err;
+ if (info->sig_ok)
+ return 0;
+ return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
}
/*
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index 66d90784de89..8a5f66389116 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -11,7 +11,6 @@
#include <linux/module_signature.h>
#include <linux/string.h>
#include <linux/verification.h>
-#include <linux/security.h>
#include <crypto/public_key.h>
#include <uapi/linux/module.h>
#include "internal.h"
@@ -68,5 +67,5 @@ int module_sig_check(struct load_info *info, int flags)
return -EKEYREJECTED;
}
- return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
+ return 0;
}
--
2.52.0
More information about the Linux-security-module-archive
mailing list