27 lines
925 B
Diff
27 lines
925 B
Diff
|
From: David Howells <dhowells@redhat.com>
|
||
|
Date: Wed, 5 Apr 2017 17:40:30 +0100
|
||
|
Subject: [42/62] Enforce module signatures if the kernel is locked down
|
||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=a9643aef5a6c576f32a97053b4024638943044ca
|
||
|
|
||
|
If the kernel is locked down, require that all modules have valid
|
||
|
signatures that we can verify.
|
||
|
|
||
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
||
|
---
|
||
|
kernel/module.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/kernel/module.c b/kernel/module.c
|
||
|
index 7eba6dea4f41..3331f2eb9b93 100644
|
||
|
--- a/kernel/module.c
|
||
|
+++ b/kernel/module.c
|
||
|
@@ -2756,7 +2756,7 @@ static int module_sig_check(struct load_info *info, int flags)
|
||
|
}
|
||
|
|
||
|
/* Not having a signature is only an error if we're strict. */
|
||
|
- if (err == -ENOKEY && !sig_enforce)
|
||
|
+ if (err == -ENOKEY && !sig_enforce && !kernel_is_locked_down())
|
||
|
err = 0;
|
||
|
|
||
|
return err;
|