MODSIGN: Export module signature definitions

config KEXEC_VERIFY_SIG

	bool "Verify kernel signature during kexec_file_load() syscall"

	depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION

	depends on KEXEC_FILE && MODULE_SIG_FORMAT

	help

	  This option makes kernel signature verification mandatory for

	  the kexec_file_load() syscall.

#include <linux/elf.h>

#include <linux/errno.h>

#include <linux/kexec.h>

#include <linux/module.h>

#include <linux/module_signature.h>

#include <linux/verification.h>

#include <asm/boot_data.h>

#include <asm/ipl.h>

};

#ifdef CONFIG_KEXEC_VERIFY_SIG

/*

 * Module signature information block.

 *

 * The constituents of the signature section are, in order:

 *

 *	- Signer's name

 *	- Key identifier

 *	- Signature data

 *	- Information block

 */

struct module_signature {

	u8	algo;		/* Public-key crypto algorithm [0] */

	u8	hash;		/* Digest algorithm [0] */

	u8	id_type;	/* Key identifier type [PKEY_ID_PKCS7] */

	u8	signer_len;	/* Length of signer's name [0] */

	u8	key_id_len;	/* Length of key identifier [0] */

	u8	__pad[3];

	__be32	sig_len;	/* Length of signature data */

};

#define PKEY_ID_PKCS7 2

int s390_verify_sig(const char *kernel, unsigned long kernel_len)

{

	const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;

#include <linux/percpu.h>

#include <asm/module.h>

/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */

#define MODULE_SIG_STRING "~Module signature appended~\n"

/* Not Yet Implemented */

#define MODULE_SUPPORTED_DEVICE(name)

/* SPDX-License-Identifier: GPL-2.0+ */

/*

 * Module signature handling.

 *

 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.

 * Written by David Howells (dhowells@redhat.com)

 */

#ifndef _LINUX_MODULE_SIGNATURE_H

#define _LINUX_MODULE_SIGNATURE_H

/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */

#define MODULE_SIG_STRING "~Module signature appended~\n"

enum pkey_id_type {

	PKEY_ID_PGP,		/* OpenPGP generated key ID */

	PKEY_ID_X509,		/* X.509 arbitrary subjectKeyIdentifier */

	PKEY_ID_PKCS7,		/* Signature in PKCS#7 message */

};

/*

 * Module signature information block.

 *

 * The constituents of the signature section are, in order:

 *

 *	- Signer's name

 *	- Key identifier

 *	- Signature data

 *	- Information block

 */

struct module_signature {

	u8	algo;		/* Public-key crypto algorithm [0] */

	u8	hash;		/* Digest algorithm [0] */

	u8	id_type;	/* Key identifier type [PKEY_ID_PKCS7] */

	u8	signer_len;	/* Length of signer's name [0] */

	u8	key_id_len;	/* Length of key identifier [0] */

	u8	__pad[3];

	__be32	sig_len;	/* Length of signature data */

};

int mod_check_sig(const struct module_signature *ms, size_t file_len,

		  const char *name);

#endif /* _LINUX_MODULE_SIGNATURE_H */

	default 0 if BASE_FULL

	default 1 if !BASE_FULL

config MODULE_SIG_FORMAT

	def_bool n

	select SYSTEM_DATA_VERIFICATION

menuconfig MODULES

	bool "Enable loadable module support"

	option modules

config MODULE_SIG

	bool "Module signature verification"

	depends on MODULES

	select SYSTEM_DATA_VERIFICATION

	select MODULE_SIG_FORMAT

	help

	  Check modules for valid signatures upon load: the signature

	  is simply appended to the module. For more information see