-
Notifications
You must be signed in to change notification settings - Fork 59
/
0114-add-boot-option-to-allow-unsigned-modules.patch
47 lines (41 loc) · 1.52 KB
/
0114-add-boot-option-to-allow-unsigned-modules.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Brett T. Warden" <[email protected]>
Date: Mon, 13 Aug 2018 04:01:21 -0500
Subject: [PATCH] add boot option to allow unsigned modules
Add module.sig_unenforce boot parameter to allow loading unsigned kernel
modules. Parameter is only effective if CONFIG_MODULE_SIG_FORCE is
enabled and system is *not* SecureBooted.
Signed-off-by: Brett T. Warden <[email protected]>
Signed-off-by: Miguel Bernal Marin <[email protected]>
---
kernel/module.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--- linux-5.19.1/kernel/module/signing.c~ 2022-08-11 11:22:05.000000000 +0000
+++ linux-5.19.1/kernel/module/signing.c 2022-08-11 15:20:18.199749857 +0000
@@ -14,6 +14,8 @@
#include <linux/security.h>
#include <crypto/public_key.h>
#include <uapi/linux/module.h>
+#include <linux/efi.h>
+
#include "internal.h"
#undef MODULE_PARAM_PREFIX
@@ -21,6 +23,11 @@
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);
+/* Allow disabling module signature requirement by adding boot param */
+static bool sig_unenforce = false;
+module_param(sig_unenforce, bool_enable_only, 0644);
+
+extern struct boot_params boot_params;
/*
* Export sig_enforce kernel cmdline parameter to allow other subsystems rely
@@ -28,6 +35,8 @@
*/
bool is_module_sig_enforced(void)
{
+ if (sig_unenforce)
+ return false;
return sig_enforce;
}
EXPORT_SYMBOL(is_module_sig_enforced);