[PATCH RFC 013/104] crypto/algapi.c: disable crypto_check_module_sig() for FIPS module

The FIPS module is assumed to be loaded from a trusted source (e.g. a
byte array embedded in vmlinux, which is already verified by the boot
loader). We can therefore ignore it for the purposes of module signature
verification in the crypto API.

(One could ask what the purpose of this check is in the first place,
given that modules can always fudge their alg->cra_module to bypass it
-- IOW, this isn't really an effective security check anyway, as far as
I can tell.)

Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
---
 crypto/algapi.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/crypto/algapi.c b/crypto/algapi.c
index 09faecd47ea7..54b8d4acd651 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -24,7 +24,19 @@ static LIST_HEAD(crypto_template_list);
 
 static inline void crypto_check_module_sig(struct module *mod)
 {
-	if (fips_enabled && mod && !module_sig_ok(mod))
+#ifdef FIPS_MODULE
+	/*
+	 * The FIPS module should ignore its own signature as it was
+	 * loaded from a trusted source.
+	 */
+	if (mod == THIS_MODULE)
+		return;
+#else
+	if (!fips_enabled)
+		return;
+#endif
+
+	if (mod && !module_sig_ok(mod))
 		panic("Module %s signature verification failed in FIPS mode\n",
 		      module_name(mod));
 }
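Review bot: In the `#ifdef FIPS_MODULE` branch the `fips_enabled` test is dropped, so a FIPS_MODULE build reaches the `panic()` for any other module where `module_sig_ok(mod)` is false, even when `fips_enabled` is 0, whereas the removed line only panicked with `fips_enabled` set. The panic message still says "in FIPS mode", which would then be misleading. If this is intended because the FIPS module is only ever used with FIPS mode on, the comment should state that; otherwise keep `if (!fips_enabled) return;` unconditional and leave only the `mod == THIS_MODULE` early return inside the `#ifdef`. It would also help for the in-code comment to name the trusted source the exemption relies on (the commit message gives the embedded-in-vmlinux case), since the skip is only as sound as that assumption.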
-- 
2.39.3




