Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
module: Fix the modversions and signing submenus

The module Kconfig file contains a set of options related to "Module
versioning support" (depends on MODVERSIONS) and "Module signature
verification" (depends on MODULE_SIG). The Kconfig tool automatically
creates submenus when an entry for a symbol is followed by consecutive
items that all depend on the symbol. However, this functionality doesn't
work for the mentioned module options. The MODVERSIONS options are
interleaved with ASM_MODVERSIONS, which has no 'depends on MODVERSIONS' but
instead uses 'default HAVE_ASM_MODVERSIONS && MODVERSIONS'. Similarly, the
MODULE_SIG options are interleaved by a comment warning not to forget
signing modules with scripts/sign-file, which uses the condition 'depends
on MODULE_SIG_FORCE && !MODULE_SIG_ALL'.

The result is that the options are confusingly shown when using
a menuconfig tool, as follows:

[*] Module versioning support
Module versioning implementation (genksyms (from source code)) --->
[ ] Extended Module Versioning Support
[*] Basic Module Versioning Support
[*] Source checksum for all modules
[*] Module signature verification
[ ] Require modules to be validly signed
[ ] Automatically sign all modules
Hash algorithm to sign modules (SHA-256) --->

Fix the issue by using if/endif to group related options together in
kernel/module/Kconfig, similarly to how the MODULE_DEBUG options are
already grouped. Note that the signing-related options depend on
'MODULE_SIG || IMA_APPRAISE_MODSIG', with the exception of
MODULE_SIG_FORCE, which is valid only for MODULE_SIG and is therefore kept
separately. For consistency, do the same for the MODULE_COMPRESS entries.
The options are then properly placed into submenus, as follows:

[*] Module versioning support
Module versioning implementation (genksyms (from source code)) --->
[ ] Extended Module Versioning Support
[*] Basic Module Versioning Support
[*] Source checksum for all modules
[*] Module signature verification
[ ] Require modules to be validly signed
[ ] Automatically sign all modules
Hash algorithm to sign modules (SHA-256) --->

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

authored by Petr Pavlu and committed by Sami Tolvanen
8d597ba6 a7b4bc09

+13 -10
kernel/module/Kconfig
··· 169 169 make them incompatible with the kernel you are running. If 170 170 unsure, say N. 171 171 172 + if MODVERSIONS 173 + 172 174 choice 173 175 prompt "Module versioning implementation" 174 - depends on MODVERSIONS 175 176 help 176 177 Select the tool used to calculate symbol versions for modules. 177 178 ··· 207 206 208 207 config ASM_MODVERSIONS 209 208 bool 210 - default HAVE_ASM_MODVERSIONS && MODVERSIONS 209 + default HAVE_ASM_MODVERSIONS 211 210 help 212 211 This enables module versioning for exported symbols also from 213 212 assembly. This can be enabled only when the target architecture ··· 215 214 216 215 config EXTENDED_MODVERSIONS 217 216 bool "Extended Module Versioning Support" 218 - depends on MODVERSIONS 219 217 help 220 218 This enables extended MODVERSIONs support, allowing long symbol 221 219 names to be versioned. ··· 224 224 225 225 config BASIC_MODVERSIONS 226 226 bool "Basic Module Versioning Support" 227 - depends on MODVERSIONS 228 227 default y 229 228 help 230 229 This enables basic MODVERSIONS support, allowing older tools or ··· 235 236 236 237 This is enabled by default when MODVERSIONS are enabled. 237 238 If unsure, say Y. 239 + 240 + endif # MODVERSIONS 238 241 239 242 config MODULE_SRCVERSION_ALL 240 243 bool "Source checksum for all modules" ··· 278 277 Reject unsigned modules or signed modules for which we don't have a 279 278 key. Without this, such modules will simply taint the kernel. 280 279 280 + if MODULE_SIG || IMA_APPRAISE_MODSIG 281 + 281 282 config MODULE_SIG_ALL 282 283 bool "Automatically sign all modules" 283 284 default y 284 - depends on MODULE_SIG || IMA_APPRAISE_MODSIG 285 285 help 286 286 Sign all modules during make modules_install. Without this option, 287 287 modules must be signed manually, using the scripts/sign-file tool. 
··· 292 290 293 291 choice 294 292 prompt "Hash algorithm to sign modules" 295 - depends on MODULE_SIG || IMA_APPRAISE_MODSIG 296 293 default MODULE_SIG_SHA512 297 294 help 298 295 This determines which sort of hashing algorithm will be used during ··· 328 327 329 328 config MODULE_SIG_HASH 330 329 string 331 - depends on MODULE_SIG || IMA_APPRAISE_MODSIG 332 330 default "sha256" if MODULE_SIG_SHA256 333 331 default "sha384" if MODULE_SIG_SHA384 334 332 default "sha512" if MODULE_SIG_SHA512 335 333 default "sha3-256" if MODULE_SIG_SHA3_256 336 334 default "sha3-384" if MODULE_SIG_SHA3_384 337 335 default "sha3-512" if MODULE_SIG_SHA3_512 336 + 337 + endif # MODULE_SIG || IMA_APPRAISE_MODSIG 338 338 339 339 config MODULE_COMPRESS 340 340 bool "Module compression" ··· 352 350 353 351 If unsure, say N. 354 352 353 + if MODULE_COMPRESS 354 + 355 355 choice 356 356 prompt "Module compression type" 357 - depends on MODULE_COMPRESS 358 357 help 359 358 Choose the supported algorithm for module compression. 360 359 ··· 382 379 config MODULE_COMPRESS_ALL 383 380 bool "Automatically compress all modules" 384 381 default y 385 - depends on MODULE_COMPRESS 386 382 help 387 383 Compress all modules during 'make modules_install'. 388 384 ··· 391 389 392 390 config MODULE_DECOMPRESS 393 391 bool "Support in-kernel module decompression" 394 - depends on MODULE_COMPRESS 395 392 select ZLIB_INFLATE if MODULE_COMPRESS_GZIP 396 393 select XZ_DEC if MODULE_COMPRESS_XZ 397 394 select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD ··· 400 399 load pinning security policy is enabled. 401 400 402 401 If unsure, say N. 402 + 403 + endif # MODULE_COMPRESS 403 404 404 405 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 405 406 bool "Allow loading of modules with missing namespace imports"
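Review bot: In the ASM_MODVERSIONS hunk, dropping `&& MODVERSIONS` from the default is equivalent only because the symbol now sits inside `if MODVERSIONS`, and neither the hunk nor the commit message says so. The symbol has no prompt, so its value comes from the default and from any `select`. Moving the condition from the default expression to a dependency means a selector elsewhere would now trigger an unmet-dependency warning when MODVERSIONS is off. Please check for selectors of ASM_MODVERSIONS and add a sentence to the commit message stating that the resulting value is unchanged.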
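Review bot: The signing hunks never show the entry the commit message blames for the broken submenu: the sign-file reminder comment with 'depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL' is not on any visible line. It presumably sits in the elided context between MODULE_SIG_ALL and the "Hash algorithm to sign modules" choice, which would put it inside the new `if MODULE_SIG || IMA_APPRAISE_MODSIG` block. Please confirm that placement, and note in the message that the added dependency is redundant for it, since MODULE_SIG_FORCE is valid only with MODULE_SIG. It is also worth stating explicitly that MODULE_SIG_HASH keeps the same visibility as before, because the hash string feeds the signing step.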
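Review bot: The three MODULE_COMPRESS hunks are a cleanup rather than part of the fix: the commit message names no interleaving entry that broke this submenu and justifies the change only with "for consistency". Consider moving them into a separate patch so the modversions and signing fix can be reviewed and reverted on its own. If they stay, the message should say that MODULE_DECOMPRESS, whose help text ties it to the load pinning security policy, keeps the same effective dependency now that `depends on MODULE_COMPRESS` is supplied by the enclosing `if MODULE_COMPRESS`.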