Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ea0b6dcf authored by David Howells's avatar David Howells Committed by Rusty Russell
Browse files

MODSIGN: Provide Kconfig options 



Provide kernel configuration options for module signing.

The following configuration options are added:

     CONFIG_MODULE_SIG_SHA1
     CONFIG_MODULE_SIG_SHA224
     CONFIG_MODULE_SIG_SHA256
     CONFIG_MODULE_SIG_SHA384
     CONFIG_MODULE_SIG_SHA512

These select the cryptographic hash used to digest the data prior to signing.
Additionally, the crypto module selected will be built into the kernel as it
won't be possible to load it as a module without incurring a circular
dependency when the kernel tries to check its signature.

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
parent addbcdbb

init/Kconfig

+38 −0
Original line number Diff line number Diff line
@@ -1593,12 +1593,50 @@ config MODULE_SIG 
	  is simply appended to the module. For more information see

	  Documentation/module-signing.txt.



	  !!!WARNING!!!  If you enable this option, you MUST make sure that the

	  module DOES NOT get stripped after being signed.  This includes the

	  debuginfo strip done by some packagers (such as rpmbuild) and

	  inclusion into an initramfs that wants the module size reduced.



config MODULE_SIG_FORCE

	bool "Require modules to be validly signed"

	depends on MODULE_SIG

	help

	  Reject unsigned modules or signed modules for which we don't have a

	  key.  Without this, such modules will simply taint the kernel.



choice

	prompt "Which hash algorithm should modules be signed with?"

	depends on MODULE_SIG

	help

	  This determines which sort of hashing algorithm will be used during

	  signature generation.  This algorithm _must_ be built into the kernel

	  directly so that signature verification can take place.  It is not

	  possible to load a signed module containing the algorithm to check

	  the signature on that module.



config MODULE_SIG_SHA1

	bool "Sign modules with SHA-1"

	select CRYPTO_SHA1



config MODULE_SIG_SHA224

	bool "Sign modules with SHA-224"

	select CRYPTO_SHA256



config MODULE_SIG_SHA256

	bool "Sign modules with SHA-256"

	select CRYPTO_SHA256



config MODULE_SIG_SHA384

	bool "Sign modules with SHA-384"

	select CRYPTO_SHA512



config MODULE_SIG_SHA512

	bool "Sign modules with SHA-512"

	select CRYPTO_SHA512



endchoice



endif # MODULES



config INIT_ALL_POSSIBLE