[PATCH v3 8/8] selftests/bpf: verify_pkcs7_sig: Use 'struct module_signature' from the UAPI headers

Thomas Weißschuh thomas.weissschuh at linutronix.de
Thu Mar 5 09:31:44 UTC 2026


Now that the UAPI headers provide the required definitions, use those.
Some symbols have been renamed; adapt to the new names.

Signed-off-by: Thomas Weißschuh <thomas.weissschuh at linutronix.de>
Reviewed-by: Petr Pavlu <petr.pavlu at suse.com>
---
 .../selftests/bpf/prog_tests/verify_pkcs7_sig.c    | 28 +++-------------------
 1 file changed, 3 insertions(+), 25 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c b/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
index 4d69d9d55e17..f327feb8e38c 100644
--- a/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
+++ b/tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c
@@ -18,6 +18,7 @@
 #include <linux/keyctl.h>
 #include <sys/xattr.h>
 #include <linux/fsverity.h>
+#include <linux/module_signature.h>
 #include <test_progs.h>
 
 #include "test_verify_pkcs7_sig.skel.h"
@@ -33,29 +34,6 @@
 #define SHA256_DIGEST_SIZE      32
 #endif
 
-/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
-#define MODULE_SIG_STRING "~Module signature appended~\n"
-
-/*
- * Module signature information block.
- *
- * The constituents of the signature section are, in order:
- *
- *	- Signer's name
- *	- Key identifier
- *	- Signature data
- *	- Information block
- */
-struct module_signature {
-	__u8	algo;		/* Public-key crypto algorithm [0] */
-	__u8	hash;		/* Digest algorithm [0] */
-	__u8	id_type;	/* Key identifier type [PKEY_ID_PKCS7] */
-	__u8	signer_len;	/* Length of signer's name [0] */
-	__u8	key_id_len;	/* Length of key identifier [0] */
-	__u8	__pad[3];
-	__be32	sig_len;	/* Length of signature data */
-};
-
 struct data {
 	__u8 data[MAX_DATA_SIZE];
 	__u32 data_len;
@@ -215,7 +193,7 @@ static int populate_data_item_mod(struct data *data_item)
 		return 0;
 
 	modlen = st.st_size;
-	marker_len = sizeof(MODULE_SIG_STRING) - 1;
+	marker_len = sizeof(MODULE_SIGNATURE_MARKER) - 1;
 
 	fd = open(mod_path, O_RDONLY);
 	if (fd == -1)
@@ -228,7 +206,7 @@ static int populate_data_item_mod(struct data *data_item)
 	if (mod == MAP_FAILED)
 		return -errno;
 
-	if (strncmp(mod + modlen - marker_len, MODULE_SIG_STRING, marker_len)) {
+	if (strncmp(mod + modlen - marker_len, MODULE_SIGNATURE_MARKER, marker_len)) {
 		ret = -EINVAL;
 		goto out;
 	}
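Review bot: The tail comparison `strncmp(mod + modlen - marker_len, MODULE_SIGNATURE_MARKER, marker_len)` derives its start pointer from `st.st_size`, and neither hunk shows a check that the file is at least `marker_len` bytes long, so a file shorter than the marker would make the read start before the mapping. The lines between the `open()` call and the `MAP_FAILED` check are outside the hunks, so a guard may already exist there; if it does not, add `if (modlen < marker_len) { ret = -EINVAL; goto out; }` ahead of the comparison. populate_data_item_mod() starts and ends outside this hunk. Any later parsing of `struct module_signature` (not visible here) would presumably want its length fields bounded against `modlen` in the same way.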

-- 
2.53.0



