rpms/kernel-xen-2.6/devel linux-2.6-crash-driver.patch, 1.1.12.1, 1.1.12.2 linux-2.6-modsign-core.patch, 1.2, 1.2.12.1 linux-2.6-modsign-include.patch, 1.2, 1.2.12.1 linux-2.6-modsign-ksign.patch, 1.2, 1.2.12.1 linux-2.6-modsign-mpilib.patch, 1.2, 1.2.12.1 linux-2.6-modsign-script.patch, 1.2, 1.2.12.1
Eduardo Habkost (ehabkost)
fedora-extras-commits at redhat.com
Mon Jul 23 21:24:19 UTC 2007
Author: ehabkost
Update of /cvs/pkgs/rpms/kernel-xen-2.6/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24924
Modified Files:
Tag: private-ehabkost-xen310-k2_6_21-branch
linux-2.6-crash-driver.patch linux-2.6-modsign-core.patch
linux-2.6-modsign-include.patch linux-2.6-modsign-ksign.patch
linux-2.6-modsign-mpilib.patch linux-2.6-modsign-script.patch
Log Message:
Recovering original kernel/F-7 versions of some patches
Don't ask how they got (incorrectly) regenerated. quilt probably didn't
like the 'cp -rl' done from 'vanilla' directory.
linux-2.6-crash-driver.patch:
Index: linux-2.6-crash-driver.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel-xen-2.6/devel/linux-2.6-crash-driver.patch,v
retrieving revision 1.1.12.1
retrieving revision 1.1.12.2
diff -u -r1.1.12.1 -r1.1.12.2
--- linux-2.6-crash-driver.patch 23 Jul 2007 19:36:59 -0000 1.1.12.1
+++ linux-2.6-crash-driver.patch 23 Jul 2007 21:23:44 -0000 1.1.12.2
@@ -1,8 +1,7 @@
-Index: patching/arch/i386/mm/init.c
-===================================================================
---- patching.orig/arch/i386/mm/init.c
-+++ patching/arch/i386/mm/init.c
-@@ -252,6 +252,8 @@ int devmem_is_allowed(unsigned long page
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/arch/i386/mm/init.c linux-1060/arch/i386/mm/init.c
+--- linux-1050/arch/i386/mm/init.c
++++ linux-1060/arch/i386/mm/init.c
+@@ -248,6 +248,8 @@ int devmem_is_allowed(unsigned long page
return 0;
}
@@ -11,11 +10,10 @@
#ifdef CONFIG_HIGHMEM
pte_t *kmap_pte;
pgprot_t kmap_prot;
-Index: patching/arch/ia64/kernel/ia64_ksyms.c
-===================================================================
---- patching.orig/arch/ia64/kernel/ia64_ksyms.c
-+++ patching/arch/ia64/kernel/ia64_ksyms.c
-@@ -86,6 +86,9 @@ EXPORT_SYMBOL(ia64_save_scratch_fpregs);
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/arch/ia64/kernel/ia64_ksyms.c linux-1060/arch/ia64/kernel/ia64_ksyms.c
+--- linux-1050/arch/ia64/kernel/ia64_ksyms.c
++++ linux-1060/arch/ia64/kernel/ia64_ksyms.c
+@@ -106,6 +106,9 @@ EXPORT_SYMBOL(ia64_save_scratch_fpregs);
#include <asm/unwind.h>
EXPORT_SYMBOL(unw_init_running);
@@ -24,20 +22,18 @@
+
#ifdef ASM_SUPPORTED
# ifdef CONFIG_SMP
- # if (__GNUC__ == 3 && __GNUC_MINOR__ < 3)
-Index: patching/arch/x86_64/mm/init.c
-===================================================================
---- patching.orig/arch/x86_64/mm/init.c
-+++ patching/arch/x86_64/mm/init.c
-@@ -6,6 +6,7 @@
- * Copyright (C) 2002,2003 Andi Kleen <ak at suse.de>
+ # if __GNUC__ < 3 || (__GNUC__ == 3 && __GNUC_MINOR__ < 3)
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/arch/x86_64/mm/init.c linux-1060/arch/x86_64/mm/init.c
+--- linux-1050/arch/x86_64/mm/init.c
++++ linux-1060/arch/x86_64/mm/init.c
+@@ -6,5 +6,6 @@
*/
+#include <linux/module.h>
#include <linux/signal.h>
#include <linux/sched.h>
#include <linux/kernel.h>
-@@ -576,6 +577,8 @@ int devmem_is_allowed(unsigned long page
+@@ -417,6 +418,8 @@ int devmem_is_allowed(unsigned long page
}
@@ -46,10 +42,9 @@
static struct kcore_list kcore_mem, kcore_vmalloc, kcore_kernel, kcore_modules,
kcore_vsyscall;
-Index: patching/drivers/char/crash.c
-===================================================================
---- /dev/null
-+++ patching/drivers/char/crash.c
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/drivers/char/crash.c linux-1060/drivers/char/crash.c
+--- linux-1050/drivers/char/crash.c
++++ linux-1060/drivers/char/crash.c
@@ -0,0 +1,128 @@
+/*
+ * linux/drivers/char/crash.c
@@ -179,11 +174,10 @@
+module_exit(crash_cleanup_module);
+
+MODULE_LICENSE("GPL");
-Index: patching/drivers/char/Kconfig
-===================================================================
---- patching.orig/drivers/char/Kconfig
-+++ patching/drivers/char/Kconfig
-@@ -499,6 +499,8 @@ config LEGACY_PTYS
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/drivers/char/Kconfig linux-1060/drivers/char/Kconfig
+--- linux-1050/drivers/char/Kconfig
++++ linux-1060/drivers/char/Kconfig
+@@ -441,6 +441,8 @@ config LEGACY_PTYS
security. This option enables these legacy devices; on most
systems, it is safe to say N.
@@ -192,22 +186,19 @@
config LEGACY_PTY_COUNT
int "Maximum number of legacy PTY in use"
-Index: patching/drivers/char/Makefile
-===================================================================
---- patching.orig/drivers/char/Makefile
-+++ patching/drivers/char/Makefile
-@@ -103,6 +103,7 @@ obj-$(CONFIG_IPMI_HANDLER) += ipmi/
+--- linux-2.6.16.noarch/drivers/char/Makefile~ 2006-03-25 18:50:42.000000000 -0500
++++ linux-2.6.16.noarch/drivers/char/Makefile 2006-03-25 18:50:59.000000000 -0500
+@@ -95,6 +95,7 @@ obj-$(CONFIG_IPMI_HANDLER) += ipmi/
obj-$(CONFIG_HANGCHECK_TIMER) += hangcheck-timer.o
obj-$(CONFIG_TCG_TPM) += tpm/
+obj-$(CONFIG_CRASH) += crash.o
# Files generated that shall be removed upon make clean
- clean-files := consolemap_deftbl.c defkeymap.c
-Index: patching/include/asm-i386/crash.h
-===================================================================
---- /dev/null
-+++ patching/include/asm-i386/crash.h
+ clean-files := consolemap_deftbl.c defkeymap.c qtronixmap.c
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/include/asm-i386/crash.h linux-1060/include/asm-i386/crash.h
+--- linux-1050/include/asm-i386/crash.h
++++ linux-1060/include/asm-i386/crash.h
@@ -0,0 +1,75 @@
+#ifndef _ASM_I386_CRASH_H
+#define _ASM_I386_CRASH_H
@@ -284,10 +275,9 @@
+#endif /* __KERNEL__ */
+
+#endif /* _ASM_I386_CRASH_H */
-Index: patching/include/asm-ia64/crash.h
-===================================================================
---- /dev/null
-+++ patching/include/asm-ia64/crash.h
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/include/asm-ia64/crash.h linux-1060/include/asm-ia64/crash.h
+--- linux-1050/include/asm-ia64/crash.h
++++ linux-1060/include/asm-ia64/crash.h
@@ -0,0 +1,90 @@
+#ifndef _ASM_IA64_CRASH_H
+#define _ASM_IA64_CRASH_H
@@ -379,10 +369,9 @@
+#endif /* __KERNEL__ */
+
+#endif /* _ASM_IA64_CRASH_H */
-Index: patching/include/asm-x86_64/crash.h
-===================================================================
---- /dev/null
-+++ patching/include/asm-x86_64/crash.h
+diff -urNp --exclude-from=/home/davej/.exclude linux-1050/include/asm-x86_64/crash.h linux-1060/include/asm-x86_64/crash.h
+--- linux-1050/include/asm-x86_64/crash.h
++++ linux-1060/include/asm-x86_64/crash.h
@@ -0,0 +1,75 @@
+#ifndef _ASM_X86_64_CRASH_H
+#define _ASM_X86_64_CRASH_H
@@ -459,10 +448,8 @@
+#endif /* __KERNEL__ */
+
+#endif /* _ASM_X86_64_CRASH_H */
-Index: patching/arch/x86_64/kernel/e820.c
-===================================================================
---- patching.orig/arch/x86_64/kernel/e820.c
-+++ patching/arch/x86_64/kernel/e820.c
+--- linux-2.6.21.noarch/arch/x86_64/kernel/e820.c~ 2007-05-04 00:04:56.000000000 -0400
++++ linux-2.6.21.noarch/arch/x86_64/kernel/e820.c 2007-05-04 00:05:02.000000000 -0400
@@ -25,7 +25,7 @@
#include <asm/bootsetup.h>
#include <asm/sections.h>
linux-2.6-modsign-core.patch:
Index: linux-2.6-modsign-core.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel-xen-2.6/devel/linux-2.6-modsign-core.patch,v
retrieving revision 1.2
retrieving revision 1.2.12.1
diff -u -r1.2 -r1.2.12.1
--- linux-2.6-modsign-core.patch 22 Mar 2007 15:40:59 -0000 1.2
+++ linux-2.6-modsign-core.patch 23 Jul 2007 21:23:44 -0000 1.2.12.1
@@ -1,21 +1,43 @@
---- linux-2.6.18.noarch/include/linux/module.h~ 2006-10-14 18:37:27.000000000 -0400
-+++ linux-2.6.18.noarch/include/linux/module.h 2006-10-14 18:38:27.000000000 -0400
-@@ -319,6 +319,9 @@ struct module
-
- unsigned int taints; /* same bits as kernel:tainted */
+MODSIGN: Apply signature checking to modules on module load
+
+From: David Howells <dhowells at redhat.com>
+
+Apply signature checking to modules on module load, checking the signature
+against the ring of public keys compiled into the kernel.
+
+Signed-Off-By: David Howells <dhowells at redhat.com>
+---
+
+ include/linux/module.h | 3
+ init/Kconfig | 18 ++
+ kernel/Makefile | 1
+ kernel/module-verify-sig.c | 450 ++++++++++++++++++++++++++++++++++++++++++++
+ kernel/module-verify.c | 5
+ kernel/module-verify.h | 12 +
+ kernel/module.c | 12 +
+ 7 files changed, 498 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/module.h b/include/linux/module.h
+index 10f771a..159560d 100644
+--- a/include/linux/module.h
++++ b/include/linux/module.h
+@@ -326,6 +326,9 @@ #ifdef CONFIG_GENERIC_BUG
+ unsigned num_bugs;
+ #endif
-+ /* Am I gpg signed */
++ /* Is this module GPG signed */
+ int gpgsig_ok;
+
#ifdef CONFIG_MODULE_UNLOAD
/* Reference counts */
struct module_ref ref[NR_CPUS];
-diff -urNp --exclude-from=/home/davej/.exclude linux-811/init/Kconfig linux-900/init/Kconfig
---- linux-811/init/Kconfig
-+++ linux-900/init/Kconfig
-@@ -434,6 +434,22 @@ config MODULE_SRCVERSION_ALL
- the version). With this option, such a "srcversion" field
- will be created for all modules. If unsure, say N.
+diff --git a/init/Kconfig b/init/Kconfig
+index d1ca69b..b03e9f3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -555,10 +555,26 @@ config MODULE_VERIFY_ELF
+ help
+ Check ELF structure of modules upon load
+config MODULE_SIG
+ bool "Module signature verification (EXPERIMENTAL)"
@@ -33,469 +55,32 @@
+ Reject unsigned modules or signed modules for which we don't have a
+ key.
+
+ config MODULE_VERIFY
+ bool
+ depends on MODULES
+- default y if MODULE_VERIFY_ELF
++ default y if MODULE_VERIFY_ELF || MODULE_SIG
+
config KMOD
bool "Automatic kernel module loading"
- depends on MODULES
---- linux-2.6.17.noarch/kernel/Makefile~ 2006-06-21 23:47:11.000000000 -0400
-+++ linux-2.6.17.noarch/kernel/Makefile 2006-06-21 23:47:19.000000000 -0400
-@@ -19,7 +19,8 @@ obj-$(CONFIG_GENERIC_ISA_DMA) += dma.o
- obj-$(CONFIG_SMP) += cpu.o spinlock.o
- obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
- obj-$(CONFIG_UID16) += uid16.o
--obj-$(CONFIG_MODULES) += module.o
-+obj-$(CONFIG_MODULES) += module.o module-verify.o
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 5ed0824..715da89 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -32,6 +32,7 @@ obj-$(CONFIG_UID16) += uid16.o
+ obj-$(CONFIG_MODULES) += module.o
+ obj-$(CONFIG_MODULE_VERIFY) += module-verify.o
+ obj-$(CONFIG_MODULE_VERIFY_ELF) += module-verify-elf.o
+obj-$(CONFIG_MODULE_SIG) += module-verify-sig.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_PM) += power/
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
-diff -urNp --exclude-from=/home/davej/.exclude linux-811/kernel/module.c linux-900/kernel/module.c
---- linux-811/kernel/module.c
-+++ linux-900/kernel/module.c
-@@ -45,6 +45,7 @@
- #include <asm/semaphore.h>
- #include <asm/cacheflush.h>
- #include <linux/license.h>
-+#include "module-verify.h"
-
- #if 0
- #define DEBUGP printk
-@@ -1413,6 +1414,7 @@ static struct module *load_module(void _
- long err = 0;
- void *percpu = NULL, *ptr = NULL; /* Stops spurious gcc warning */
- struct exception_table_entry *extable;
- mm_segment_t old_fs;
-+ int gpgsig_ok;
-
- DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
-@@ -1438,8 +1440,13 @@ static struct module *load_module(void _
- goto free_hdr;
- }
-
-- if (len < hdr->e_shoff + hdr->e_shnum * sizeof(Elf_Shdr))
-- goto truncated;
-+ /* verify the module (validates ELF and checks signature) */
-+ gpgsig_ok = 0;
-+ err = module_verify(hdr, len);
-+ if (err < 0)
-+ goto free_hdr;
-+ if (err == 1)
-+ gpgsig_ok = 1;
-
- /* Convenience variables */
- sechdrs = (void *)hdr + hdr->e_shoff;
-@@ -1476,6 +1483,7 @@ static struct module *load_module(void _
- goto free_hdr;
- }
- mod = (void *)sechdrs[modindex].sh_addr;
-+ mod->gpgsig_ok = gpgsig_ok;
-
- if (symindex == 0) {
- printk(KERN_WARNING "%s: module has no symbols (stripped?)\n",
---- linux-2.6.18.noarch/kernel/module.c~ 2006-10-14 18:39:12.000000000 -0400
-+++ linux-2.6.18.noarch/kernel/module.c 2006-10-14 18:39:43.000000000 -0400
-@@ -2276,8 +2276,13 @@ void print_modules(void)
- char buf[8];
-
- printk("Modules linked in:");
-- list_for_each_entry(mod, &modules, list)
-+ list_for_each_entry(mod, &modules, list) {
- printk(" %s%s", mod->name, taint_flags(mod->taints, buf));
-+#if CONFIG_MODULE_SIG
-+ if (!mod->gpgsig_ok)
-+ printk("(U)");
-+#endif
-+ }
- printk("\n");
- }
-
-diff -urNp --exclude-from=/home/davej/.exclude linux-811/kernel/module-verify.c linux-900/kernel/module-verify.c
---- linux-811/kernel/module-verify.c
-+++ linux-900/kernel/module-verify.c
-@@ -0,0 +1,339 @@
-+/* module-verify.c: module verifier
-+ *
-+ * Written by David Howells (dhowells at redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the License, or (at your option) any later version.
-+ */
-+
-+#include <linux/kernel.h>
-+#include <linux/module.h>
-+#include <linux/slab.h>
-+#include <linux/elf.h>
-+#include <linux/crypto.h>
-+#include <linux/crypto/ksign.h>
-+#include "module-verify.h"
-+
-+#if 0
-+#define _debug(FMT, ...) printk(FMT, ##__VA_ARGS__)
-+#else
-+#define _debug(FMT, ...) do {} while (0)
-+#endif
-+
-+static int module_verify_elf(struct module_verify_data *mvdata);
-+
-+/*****************************************************************************/
-+/*
-+ * verify a module's integrity
-+ * - check the ELF is viable
-+ * - check the module's signature if it has one
-+ */
-+int module_verify(const Elf_Ehdr *hdr, size_t size)
-+{
-+ struct module_verify_data mvdata;
-+ int ret;
-+
-+ memset(&mvdata, 0, sizeof(mvdata));
-+ mvdata.buffer = hdr;
-+ mvdata.hdr = hdr;
-+ mvdata.size = size;
-+
-+ ret = module_verify_elf(&mvdata);
-+ if (ret < 0) {
-+ if (ret == -ELIBBAD)
-+ printk("Module failed ELF checks\n");
-+ goto error;
-+ }
-+
-+#ifdef CONFIG_MODULE_SIG
-+ ret = module_verify_signature(&mvdata);
-+#endif
-+
-+ error:
-+ kfree(mvdata.secsizes);
-+ kfree(mvdata.canonlist);
-+ return ret;
-+
-+} /* end module_verify() */
-+
-+/*****************************************************************************/
-+/*
-+ * verify the ELF structure of a module
-+ */
-+static int module_verify_elf(struct module_verify_data *mvdata)
-+{
-+ const Elf_Ehdr *hdr = mvdata->hdr;
-+ const Elf_Shdr *section, *section2, *secstop;
-+ const Elf_Rela *relas, *rela, *relastop;
-+ const Elf_Rel *rels, *rel, *relstop;
-+ const Elf_Sym *symbol, *symstop;
-+ size_t size, sssize, *secsize, tmp, tmp2;
-+ long last;
-+ int line;
-+
-+ size = mvdata->size;
-+ mvdata->nsects = hdr->e_shnum;
-+
-+#define elfcheck(X) \
-+do { if (unlikely(!(X))) { line = __LINE__; goto elfcheck_error; } } while(0)
-+
-+#define seccheck(X) \
-+do { if (unlikely(!(X))) { line = __LINE__; goto seccheck_error; } } while(0)
-+
-+#define symcheck(X) \
-+do { if (unlikely(!(X))) { line = __LINE__; goto symcheck_error; } } while(0)
-+
-+#define relcheck(X) \
-+do { if (unlikely(!(X))) { line = __LINE__; goto relcheck_error; } } while(0)
-+
-+#define relacheck(X) \
-+do { if (unlikely(!(X))) { line = __LINE__; goto relacheck_error; } } while(0)
-+
-+ /* validate the ELF header */
-+ elfcheck(hdr->e_ehsize < size);
-+ elfcheck(hdr->e_entry == 0);
-+ elfcheck(hdr->e_phoff == 0);
-+ elfcheck(hdr->e_phnum == 0);
-+
-+ elfcheck(hdr->e_shnum < SHN_LORESERVE);
-+ elfcheck(hdr->e_shoff < size);
-+ elfcheck(hdr->e_shoff >= hdr->e_ehsize);
-+ elfcheck((hdr->e_shoff & (sizeof(long) - 1)) == 0);
-+ elfcheck(hdr->e_shstrndx > 0);
-+ elfcheck(hdr->e_shstrndx < hdr->e_shnum);
-+ elfcheck(hdr->e_shentsize == sizeof(Elf_Shdr));
-+
-+ tmp = (size_t) hdr->e_shentsize * (size_t) hdr->e_shnum;
-+ elfcheck(tmp < size - hdr->e_shoff);
-+
-+ /* allocate a table to hold in-file section sizes */
-+ mvdata->secsizes = kmalloc(hdr->e_shnum * sizeof(size_t), GFP_KERNEL);
-+ if (!mvdata->secsizes)
-+ return -ENOMEM;
-+
-+ memset(mvdata->secsizes, 0, hdr->e_shnum * sizeof(size_t));
-+
-+ /* validate the ELF section headers */
-+ mvdata->sections = mvdata->buffer + hdr->e_shoff;
-+ secstop = mvdata->sections + mvdata->nsects;
-+
-+ sssize = mvdata->sections[hdr->e_shstrndx].sh_size;
-+ elfcheck(sssize > 0);
-+
-+ section = mvdata->sections;
-+ seccheck(section->sh_type == SHT_NULL);
-+ seccheck(section->sh_size == 0);
-+ seccheck(section->sh_offset == 0);
-+
-+ secsize = mvdata->secsizes + 1;
-+ for (section++; section < secstop; secsize++, section++) {
-+ seccheck(section->sh_name < sssize);
-+ seccheck(section->sh_link < hdr->e_shnum);
-+
-+ if (section->sh_entsize > 0)
-+ seccheck(section->sh_size % section->sh_entsize == 0);
-+
-+ seccheck(section->sh_offset >= hdr->e_ehsize);
-+ seccheck(section->sh_offset < size);
-+
-+ /* determine the section's in-file size */
-+ tmp = size - section->sh_offset;
-+ if (section->sh_offset < hdr->e_shoff)
-+ tmp = hdr->e_shoff - section->sh_offset;
-+
-+ for (section2 = mvdata->sections + 1; section2 < secstop; section2++) {
-+ if (section->sh_offset < section2->sh_offset) {
-+ tmp2 = section2->sh_offset - section->sh_offset;
-+ if (tmp2 < tmp)
-+ tmp = tmp2;
-+ }
-+ }
-+ *secsize = tmp;
-+
-+ _debug("Section %ld: %zx bytes at %lx\n",
-+ section - mvdata->sections,
-+ *secsize,
-+ section->sh_offset);
-+
-+ /* perform section type specific checks */
-+ switch (section->sh_type) {
-+ case SHT_NOBITS:
-+ break;
-+
-+ case SHT_REL:
-+ seccheck(section->sh_entsize == sizeof(Elf_Rel));
-+ goto more_rel_checks;
-+
-+ case SHT_RELA:
-+ seccheck(section->sh_entsize == sizeof(Elf_Rela));
-+ more_rel_checks:
-+ seccheck(section->sh_info > 0);
-+ seccheck(section->sh_info < hdr->e_shnum);
-+ goto more_sec_checks;
-+
-+ case SHT_SYMTAB:
-+ seccheck(section->sh_entsize == sizeof(Elf_Sym));
-+ goto more_sec_checks;
-+
-+ default:
-+ more_sec_checks:
-+ /* most types of section must be contained entirely
-+ * within the file */
-+ seccheck(section->sh_size <= *secsize);
-+ break;
-+ }
-+ }
-+
-+ /* validate the ELF section names */
-+ section = &mvdata->sections[hdr->e_shstrndx];
-+
-+ seccheck(section->sh_offset != hdr->e_shoff);
-+
-+ mvdata->secstrings = mvdata->buffer + section->sh_offset;
-+
-+ last = -1;
-+ for (section = mvdata->sections + 1; section < secstop; section++) {
-+ const char *secname;
-+ tmp = sssize - section->sh_name;
-+ secname = mvdata->secstrings + section->sh_name;
-+ seccheck(secname[0] != 0);
-+ if (section->sh_name > last)
-+ last = section->sh_name;
-+ }
-+
-+ if (last > -1) {
-+ tmp = sssize - last;
-+ elfcheck(memchr(mvdata->secstrings + last, 0, tmp) != NULL);
-+ }
-+
-+ /* look for various sections in the module */
-+ for (section = mvdata->sections + 1; section < secstop; section++) {
-+ switch (section->sh_type) {
-+ case SHT_SYMTAB:
-+ if (strcmp(mvdata->secstrings + section->sh_name,
-+ ".symtab") == 0
-+ ) {
-+ seccheck(mvdata->symbols == NULL);
-+ mvdata->symbols =
-+ mvdata->buffer + section->sh_offset;
-+ mvdata->nsyms =
-+ section->sh_size / sizeof(Elf_Sym);
-+ seccheck(section->sh_size > 0);
-+ }
-+ break;
-+
-+ case SHT_STRTAB:
-+ if (strcmp(mvdata->secstrings + section->sh_name,
-+ ".strtab") == 0
-+ ) {
-+ seccheck(mvdata->strings == NULL);
-+ mvdata->strings =
-+ mvdata->buffer + section->sh_offset;
-+ sssize = mvdata->nstrings = section->sh_size;
-+ seccheck(section->sh_size > 0);
-+ }
-+ break;
-+ }
-+ }
-+
-+ if (!mvdata->symbols) {
-+ printk("Couldn't locate module symbol table\n");
-+ goto format_error;
-+ }
-+
-+ if (!mvdata->strings) {
-+ printk("Couldn't locate module strings table\n");
-+ goto format_error;
-+ }
-+
-+ /* validate the symbol table */
-+ symstop = mvdata->symbols + mvdata->nsyms;
-+
-+ symbol = mvdata->symbols;
-+ symcheck(ELF_ST_TYPE(symbol[0].st_info) == STT_NOTYPE);
-+ symcheck(symbol[0].st_shndx == SHN_UNDEF);
-+ symcheck(symbol[0].st_value == 0);
-+ symcheck(symbol[0].st_size == 0);
-+
-+ last = -1;
-+ for (symbol++; symbol < symstop; symbol++) {
-+ symcheck(symbol->st_name < sssize);
-+ if (symbol->st_name > last)
-+ last = symbol->st_name;
-+ symcheck(symbol->st_shndx < mvdata->nsects ||
-+ symbol->st_shndx >= SHN_LORESERVE);
-+ }
-+
-+ if (last > -1) {
-+ tmp = sssize - last;
-+ elfcheck(memchr(mvdata->strings + last, 0, tmp) != NULL);
-+ }
-+
-+ /* validate each relocation table as best we can */
-+ for (section = mvdata->sections + 1; section < secstop; section++) {
-+ section2 = mvdata->sections + section->sh_info;
-+
-+ switch (section->sh_type) {
-+ case SHT_REL:
-+ rels = mvdata->buffer + section->sh_offset;
-+ relstop = mvdata->buffer + section->sh_offset + section->sh_size;
-+
-+ for (rel = rels; rel < relstop; rel++) {
-+ relcheck(rel->r_offset < section2->sh_size);
-+ relcheck(ELF_R_SYM(rel->r_info) < mvdata->nsyms);
-+ }
-+
-+ break;
-+
-+ case SHT_RELA:
-+ relas = mvdata->buffer + section->sh_offset;
-+ relastop = mvdata->buffer + section->sh_offset + section->sh_size;
-+
-+ for (rela = relas; rela < relastop; rela++) {
-+ relacheck(rela->r_offset < section2->sh_size);
-+ relacheck(ELF_R_SYM(rela->r_info) < mvdata->nsyms);
-+ }
-+
-+ break;
-+
-+ default:
-+ break;
-+ }
-+ }
-+
-+
-+ _debug("ELF okay\n");
-+ return 0;
-+
-+ elfcheck_error:
-+ printk("Verify ELF error (assertion %d)\n", line);
-+ goto format_error;
-+
-+ seccheck_error:
-+ printk("Verify ELF error [sec %ld] (assertion %d)\n",
-+ (long)(section - mvdata->sections), line);
-+ goto format_error;
-+
-+ symcheck_error:
-+ printk("Verify ELF error [sym %ld] (assertion %d)\n",
-+ (long)(symbol - mvdata->symbols), line);
-+ goto format_error;
-+
-+ relcheck_error:
-+ printk("Verify ELF error [sec %ld rel %ld] (assertion %d)\n",
-+ (long)(section - mvdata->sections),
-+ (long)(rel - rels), line);
-+ goto format_error;
-+
-+ relacheck_error:
-+ printk("Verify ELF error [sec %ld rela %ld] (assertion %d)\n",
-+ (long)(section - mvdata->sections),
-+ (long)(rela - relas), line);
-+ goto format_error;
-+
-+ format_error:
-+ return -ELIBBAD;
-+
-+} /* end module_verify_elf() */
-diff -urNp --exclude-from=/home/davej/.exclude linux-811/kernel/module-verify.h linux-900/kernel/module-verify.h
---- linux-811/kernel/module-verify.h
-+++ linux-900/kernel/module-verify.h
-@@ -0,0 +1,37 @@
-+/* module-verify.h: module verification definitions
-+ *
-+ * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells at redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the License, or (at your option) any later version.
-+ */
-+
-+#include <linux/types.h>
-+#include <asm/module.h>
-+
-+struct module_verify_data {
-+ struct crypto_tfm *digest; /* module signature digest */
-+ const void *buffer; /* module buffer */
-+ const Elf_Ehdr *hdr; /* ELF header */
-+ const Elf_Shdr *sections; /* ELF section table */
-+ const Elf_Sym *symbols; /* ELF symbol table */
-+ const char *secstrings; /* ELF section string table */
-+ const char *strings; /* ELF string table */
-+ size_t *secsizes; /* section size list */
-+ size_t size; /* module object size */
-+ size_t nsects; /* number of sections */
-+ size_t nsyms; /* number of symbols */
-+ size_t nstrings; /* size of strings section */
-+ size_t signed_size; /* count of bytes contributed to digest */
-+ int *canonlist; /* list of canonicalised sections */
-+ int *canonmap; /* section canonicalisation map */
-+ int sig_index; /* module signature section index */
-+ uint8_t xcsum; /* checksum of bytes contributed to digest */
-+ uint8_t csum; /* checksum of bytes representing a section */
-+};
-+
-+extern int module_verify(const Elf_Ehdr *hdr, size_t size);
-+extern int module_verify_signature(struct module_verify_data *mvdata);
-diff -urNp --exclude-from=/home/davej/.exclude linux-811/kernel/module-verify-sig.c linux-900/kernel/module-verify-sig.c
---- linux-811/kernel/module-verify-sig.c
-+++ linux-900/kernel/module-verify-sig.c
-@@ -0,0 +1,441 @@
+diff --git a/kernel/module-verify-sig.c b/kernel/module-verify-sig.c
+new file mode 100644
+index 0000000..45cb967
+--- /dev/null
++++ b/kernel/module-verify-sig.c
+@@ -0,0 +1,450 @@
+/* module-verify-sig.c: module signature checker
+ *
+ * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
@@ -546,7 +131,7 @@
+ size_t __n = (N); \
+ uint8_t *__p = (uint8_t *)(PTR); \
+ count_and_csum((C), __p, __n); \
-+ crypto_digest_update_kernel((C)->digest, __p, __n); \
++ crypto_hash_update_kernel(&(C)->hash, __p, __n); \
+} while(0)
+
+#define crypto_digest_update_val(C,VAL) \
@@ -554,7 +139,7 @@
+ size_t __n = sizeof(VAL); \
+ uint8_t *__p = (uint8_t *)&(VAL); \
+ count_and_csum((C), __p, __n); \
-+ crypto_digest_update_kernel((C)->digest, __p, __n); \
++ crypto_hash_update_kernel(&(C)->hash, __p, __n); \
+} while(0)
+
+static int module_verify_canonicalise(struct module_verify_data *mvdata);
@@ -571,7 +156,13 @@
+
+static int signedonly;
+
-+/*****************************************************************************/
++static int __init sign_setup(char *str)
++{
++ signedonly = 1;
++ return 0;
++}
++__setup("enforcemodulesig", sign_setup);
++
+/*
+ * verify a module's signature
+ */
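Review bot: `sign_setup()` returns 0, which tells the boot-parameter code that the option was not handled, so `enforcemodulesig` is treated as unknown and is typically handed on to init as well. A `__setup` handler that consumes its option should end with `return 1;`. The flag is still set, so enforcement itself works. A comment on `signedonly` such as `/* non-zero: refuse modules that carry no signature (set by enforcemodulesig) */` would also make it clear that unsigned modules are accepted by default, which is what the `no_signature` exit later in this file does.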
@@ -611,13 +202,13 @@
+ /* grab an SHA1 transformation context
+ * - !!! if this tries to load the sha1.ko module, we will deadlock!!!
+ */
-+ mvdata->digest = crypto_alloc_tfm2("sha1", 0, 1);
-+ if (!mvdata->digest) {
++ mvdata->hash.tfm = crypto_hash_cast(crypto_alloc_tfm2("sha1", 0, 1));
++ if (!mvdata->hash.tfm) {
+ printk("Couldn't load module - SHA1 transform unavailable\n");
+ return -EPERM;
+ }
+
-+ crypto_digest_init(mvdata->digest);
++ crypto_hash_init(&mvdata->hash);
+
+#ifdef MODSIGN_DEBUG
+ mvdata->xcsum = 0;
@@ -698,28 +289,39 @@
+ mvdata->signed_size, mvdata->xcsum);
+
+ /* do the actual signature verification */
-+ i = ksign_verify_signature(sig, sig_size, mvdata->digest);
++ ret = ksign_verify_signature(sig, sig_size, mvdata->hash.tfm);
+
-+ _debug("verify-sig : %d\n", i);
++ _debug("verify-sig : %d\n", ret);
+
-+ if (i == 0)
-+ i = 1;
-+ return i;
++ switch (ret) {
++ case 0: /* good signature */
++ ret = 1;
++ break;
++ case -EKEYREJECTED: /* signature mismatch or number format error */
++ printk(KERN_ERR "Module signature verification failed\n");
++ break;
++ case -ENOKEY: /* signed, but we don't have the public key */
++ printk(KERN_ERR "Module signed with unknown public key\n");
++ break;
++ default: /* other error (probably ENOMEM) */
++ break;
++ }
+
-+ format_error:
-+ crypto_free_tfm(mvdata->digest);
++ return ret;
++
++format_error:
++ crypto_free_hash(mvdata->hash.tfm);
++ printk(KERN_ERR "Module format error encountered\n");
+ return -ELIBBAD;
+
+ /* deal with the case of an unsigned module */
-+ no_signature:
++no_signature:
+ if (!signedonly)
+ return 0;
-+ printk("An attempt to load unsigned module was rejected\n");
-+ return -EPERM;
-+
-+} /* end module_verify_signature() */
++ printk(KERN_ERR "An attempt to load unsigned module was rejected\n");
++ return -EKEYREJECTED;
++}
+
-+/*****************************************************************************/
+/*
+ * canonicalise the section table index numbers
+ */
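Review bot: The path after `ksign_verify_signature()` returns without releasing `mvdata->hash.tfm`, whereas the `format_error` exit calls `crypto_free_hash()`. Unless the ksign code takes ownership of the transform (not visible here), every module load that reaches the verifier leaks one. Adding `crypto_free_hash(mvdata->hash.tfm);` directly after the `ksign_verify_signature()` call would cover the good, rejected and unknown-key outcomes alike. module_verify_signature() begins above this hunk, so exits taken before the transform is allocated cannot be checked from here.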
@@ -775,12 +377,10 @@
+ mvdata->canonmap[mvdata->canonlist[loop]] = loop + 1;
+
+ return 0;
++}
+
-+} /* end module_verify_canonicalise() */
-+
-+/*****************************************************************************/
+/*
-+ * extract a RELA table
++ * extract an ELF RELA table
+ * - need to canonicalise the entries in case section addition/removal has
+ * rearranged the symbol table and the section table
+ */
@@ -855,11 +455,12 @@
+ mvdata->signed_size, mvdata->csum, sh_name, nrels);
+
+ return 0;
-+} /* end extract_elf_rela() */
++}
+
-+/*****************************************************************************/
+/*
-+ *
++ * extract an ELF REL table
++ * - need to canonicalise the entries in case section addition/removal has
++ * rearranged the symbol table and the section table
+ */
+static int extract_elf_rel(struct module_verify_data *mvdata,
+ int secix,
@@ -929,23 +530,109 @@
+ mvdata->signed_size, mvdata->csum, sh_name, nrels);
+
+ return 0;
-+} /* end extract_elf_rel() */
-+
-+static int __init sign_setup(char *str)
-+{
-+ signedonly = 1;
-+ return 0;
+}
-+__setup("enforcemodulesig", sign_setup);
---- linux-2.6.12/kernel/module-verify.c.~1~ 2005-08-07 17:39:38.000000000 -0700
-+++ linux-2.6.12/kernel/module-verify.c 2005-08-10 00:48:43.000000000 -0700
-@@ -107,7 +107,7 @@ do { if (unlikely(!(X))) { line = __LINE
- elfcheck(hdr->e_shentsize == sizeof(Elf_Shdr));
-
- tmp = (size_t) hdr->e_shentsize * (size_t) hdr->e_shnum;
-- elfcheck(tmp < size - hdr->e_shoff);
-+ elfcheck(tmp <= size - hdr->e_shoff);
+diff --git a/kernel/module-verify.c b/kernel/module-verify.c
+index 875279f..04920b2 100644
+--- a/kernel/module-verify.c
++++ b/kernel/module-verify.c
+@@ -16,6 +16,9 @@ #include "module-verify.h"
+ /*
+ * verify a module's integrity
+ * - check the ELF is viable
++ * - return 1 if the module has a correct signature
++ * - return 0 if the module has no signature or one we don't have a key for
++ * - return -ve on error
+ */
+ int module_verify(const Elf_Ehdr *hdr, size_t size)
+ {
+@@ -34,6 +37,8 @@ int module_verify(const Elf_Ehdr *hdr, s
+ goto error;
+ }
+
++ ret = module_verify_signature(&mvdata);
++
+ error:
+ kfree(mvdata.secsizes);
+ kfree(mvdata.canonlist);
+diff --git a/kernel/module-verify.h b/kernel/module-verify.h
+index 63f5e08..f4e3dc7 100644
+--- a/kernel/module-verify.h
++++ b/kernel/module-verify.h
+@@ -10,11 +10,12 @@
+ */
+
+ #include <linux/types.h>
++#include <linux/crypto.h>
+ #include <asm/module.h>
+
+ #ifdef CONFIG_MODULE_VERIFY
+ struct module_verify_data {
+- struct crypto_tfm *digest; /* module signature digest */
++ struct hash_desc hash; /* module signature digest */
+ const void *buffer; /* module buffer */
+ const Elf_Ehdr *hdr; /* ELF header */
+ const Elf_Shdr *sections; /* ELF section table */
+@@ -48,6 +49,15 @@ #else
+ #define module_verify_elf(m) (0)
+ #endif
+
++/*
++ * module-verify-sig.c
++ */
++#ifdef CONFIG_MODULE_SIG
++extern int module_verify_signature(struct module_verify_data *mvdata);
++#else
++#define module_verify_signature(m) (0)
++#endif
++
+ #else
+ #define module_verify(h, s) (0)
+ #endif
+diff --git a/kernel/module.c b/kernel/module.c
+index 9d5787d..6825888 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1567,6 +1567,7 @@ static struct module *load_module(void _
+ void *percpu = NULL, *ptr = NULL; /* Stops spurious gcc warning */
+ struct exception_table_entry *extable;
+ mm_segment_t old_fs;
++ int gpgsig_ok;
+
+ DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
+ umod, len, uargs);
+@@ -1593,9 +1594,12 @@ static struct module *load_module(void _
+ }
+
+ /* Verify the module's contents */
++ gpgsig_ok = 0;
+ err = module_verify(hdr, len);
+ if (err < 0)
+ goto free_hdr;
++ if (err == 1)
++ gpgsig_ok = 1;
+
+ /* Convenience variables */
+ sechdrs = (void *)hdr + hdr->e_shoff;
+@@ -1632,6 +1636,7 @@ #endif
+ goto free_hdr;
+ }
+ mod = (void *)sechdrs[modindex].sh_addr;
++ mod->gpgsig_ok = gpgsig_ok;
+
+ if (symindex == 0) {
+ printk(KERN_WARNING "%s: module has no symbols (stripped?)\n",
+@@ -2325,8 +2330,13 @@ void print_modules(void)
+ char buf[8];
+
+ printk("Modules linked in:");
+- list_for_each_entry(mod, &modules, list)
++ list_for_each_entry(mod, &modules, list) {
+ printk(" %s%s", mod->name, taint_flags(mod->taints, buf));
++#if CONFIG_MODULE_SIG
++ if (!mod->gpgsig_ok)
++ printk("(U)");
++#endif
++ }
+ printk("\n");
+ }
- /* allocate a table to hold in-file section sizes */
- mvdata->secsizes = kmalloc(hdr->e_shnum * sizeof(size_t), GFP_KERNEL);
-
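Review bot: The comment added above `module_verify()` says it returns 0 for a module signed with a key we do not hold, but the `-ENOKEY` case in `module_verify_signature()` leaves the negative code in place and `load_module()` bails out on `err < 0`, so such a module is refused rather than loaded as unsigned. The comment should match the behaviour, e.g. `* - return 0 if the module has no signature and enforcement is off` and `* - return -ve on error, including a bad signature or an unknown key`. In `print_modules()`, `#if CONFIG_MODULE_SIG` would be better as `#ifdef CONFIG_MODULE_SIG`, which is how module-verify.h in the same patch tests the option. load_module() and print_modules() both extend beyond the lines shown.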
linux-2.6-modsign-include.patch:
Index: linux-2.6-modsign-include.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel-xen-2.6/devel/linux-2.6-modsign-include.patch,v
retrieving revision 1.2
retrieving revision 1.2.12.1
diff -u -r1.2 -r1.2.12.1
--- linux-2.6-modsign-include.patch 22 Mar 2007 15:40:59 -0000 1.2
+++ linux-2.6-modsign-include.patch 23 Jul 2007 21:23:44 -0000 1.2.12.1
@@ -1,6 +1,36 @@
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-alpha/module.h linux-905/include/asm-alpha/module.h
---- linux-904/include/asm-alpha/module.h
-+++ linux-905/include/asm-alpha/module.h
+MODSIGN: Add indications of module ELF types
+
+From: David Howells <dhowells at redhat.com>
+
+Add per-arch indications of module ELF types and relocation table entry types.
+
+Signed-Off-By: David Howells <dhowells at redhat.com>
+---
+
+ include/asm-alpha/module.h | 3 +++
+ include/asm-arm/module.h | 5 +++++
+ include/asm-cris/module.h | 5 +++++
+ include/asm-h8300/module.h | 5 +++++
+ include/asm-i386/module.h | 5 +++++
+ include/asm-ia64/module.h | 5 +++++
+ include/asm-m32r/module.h | 5 +++++
+ include/asm-m68k/module.h | 5 +++++
+ include/asm-mips/module.h | 12 ++++++++++--
+ include/asm-parisc/module.h | 8 ++++++++
+ include/asm-powerpc/module.h | 10 ++++++++++
+ include/asm-s390/module.h | 3 +++
+ include/asm-sh/module.h | 5 +++++
+ include/asm-sparc/module.h | 5 +++++
+ include/asm-sparc64/module.h | 5 +++++
+ include/asm-um/module-i386.h | 4 ++++
+ include/asm-v850/module.h | 5 +++++
+ include/asm-x86_64/module.h | 5 +++++
+ 18 files changed, 98 insertions(+), 2 deletions(-)
+
+diff --git a/include/asm-alpha/module.h b/include/asm-alpha/module.h
+index 7b63743..3d5a3ea 100644
+--- a/include/asm-alpha/module.h
++++ b/include/asm-alpha/module.h
@@ -6,6 +6,7 @@ struct mod_arch_specific
unsigned int gotsecindex;
};
@@ -9,7 +39,7 @@
#define Elf_Sym Elf64_Sym
#define Elf_Shdr Elf64_Shdr
#define Elf_Ehdr Elf64_Ehdr
-@@ -13,6 +14,8 @@ struct mod_arch_specific
+@@ -13,6 +14,8 @@ #define Elf_Phdr Elf64_Phdr
#define Elf_Dyn Elf64_Dyn
#define Elf_Rel Elf64_Rel
#define Elf_Rela Elf64_Rela
@@ -18,9 +48,10 @@
#define ARCH_SHF_SMALL SHF_ALPHA_GPREL
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-arm/module.h linux-905/include/asm-arm/module.h
---- linux-904/include/asm-arm/module.h
-+++ linux-905/include/asm-arm/module.h
+diff --git a/include/asm-arm/module.h b/include/asm-arm/module.h
+index 24b168d..f1558f3 100644
+--- a/include/asm-arm/module.h
++++ b/include/asm-arm/module.h
@@ -6,9 +6,14 @@ struct mod_arch_specific
int foo;
};
@@ -36,10 +67,11 @@
/*
* Include the ARM architecture version.
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-cris/module.h linux-905/include/asm-cris/module.h
---- linux-904/include/asm-cris/module.h
-+++ linux-905/include/asm-cris/module.h
-@@ -3,7 +3,12 @@
+diff --git a/include/asm-cris/module.h b/include/asm-cris/module.h
+index 7ee7231..03f7b2e 100644
+--- a/include/asm-cris/module.h
++++ b/include/asm-cris/module.h
+@@ -3,7 +3,12 @@ #define _ASM_CRIS_MODULE_H
/* cris is simple */
struct mod_arch_specific { };
@@ -52,10 +84,11 @@
+#define ELF_R_TYPE(X) ELF32_R_TYPE(X)
+#define ELF_R_SYM(X) ELF32_R_SYM(X)
#endif /* _ASM_CRIS_MODULE_H */
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-h8300/module.h linux-905/include/asm-h8300/module.h
---- linux-904/include/asm-h8300/module.h
-+++ linux-905/include/asm-h8300/module.h
-@@ -4,9 +4,14 @@
+diff --git a/include/asm-h8300/module.h b/include/asm-h8300/module.h
+index de23231..b1c08e2 100644
+--- a/include/asm-h8300/module.h
++++ b/include/asm-h8300/module.h
+@@ -4,9 +4,14 @@ #define _ASM_H8300_MODULE_H
* This file contains the H8/300 architecture specific module code.
*/
struct mod_arch_specific { };
@@ -70,9 +103,10 @@
#define MODULE_SYMBOL_PREFIX "_"
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-i386/module.h linux-905/include/asm-i386/module.h
---- linux-904/include/asm-i386/module.h
-+++ linux-905/include/asm-i386/module.h
+diff --git a/include/asm-i386/module.h b/include/asm-i386/module.h
+index 02f8f54..42ab093 100644
+--- a/include/asm-i386/module.h
++++ b/include/asm-i386/module.h
@@ -6,9 +6,14 @@ struct mod_arch_specific
{
};
@@ -88,9 +122,10 @@
#ifdef CONFIG_M386
#define MODULE_PROC_FAMILY "386 "
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-ia64/module.h linux-905/include/asm-ia64/module.h
---- linux-904/include/asm-ia64/module.h
-+++ linux-905/include/asm-ia64/module.h
+diff --git a/include/asm-ia64/module.h b/include/asm-ia64/module.h
+index d2da61e..191355a 100644
+--- a/include/asm-ia64/module.h
++++ b/include/asm-ia64/module.h
@@ -23,9 +23,14 @@ struct mod_arch_specific {
unsigned int next_got_entry; /* index of next available got entry */
};
@@ -105,11 +140,12 @@
+#define ELF_R_SYM(X) ELF64_R_SYM(X)
#define MODULE_PROC_FAMILY "ia64"
- #define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-m32r/module.h linux-905/include/asm-m32r/module.h
---- linux-904/include/asm-m32r/module.h
-+++ linux-905/include/asm-m32r/module.h
-@@ -5,9 +5,14 @@
+ #define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY \
+diff --git a/include/asm-m32r/module.h b/include/asm-m32r/module.h
+index 3f2541c..6ca963a 100644
+--- a/include/asm-m32r/module.h
++++ b/include/asm-m32r/module.h
+@@ -5,9 +5,14 @@ #define _ASM_M32R_MODULE_H
struct mod_arch_specific { };
@@ -124,9 +160,10 @@
#endif /* _ASM_M32R_MODULE_H */
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-m68k/module.h linux-905/include/asm-m68k/module.h
---- linux-904/include/asm-m68k/module.h
-+++ linux-905/include/asm-m68k/module.h
+diff --git a/include/asm-m68k/module.h b/include/asm-m68k/module.h
+index c6d75af..ee98908 100644
+--- a/include/asm-m68k/module.h
++++ b/include/asm-m68k/module.h
@@ -1,7 +1,12 @@
#ifndef _ASM_M68K_MODULE_H
#define _ASM_M68K_MODULE_H
@@ -140,10 +177,11 @@
+#define ELF_R_TYPE(X) ELF32_R_TYPE(X)
+#define ELF_R_SYM(X) ELF32_R_SYM(X)
#endif /* _ASM_M68K_MODULE_H */
-
---- linux-2.6.14/include/asm-mips/module.h~ 2005-10-30 21:31:42.000000000 -0500
-+++ linux-2.6.14/include/asm-mips/module.h 2005-10-30 21:33:30.000000000 -0500
-@@ -34,11 +34,15 @@ typedef struct {
+diff --git a/include/asm-mips/module.h b/include/asm-mips/module.h
+index 399d03f..694f979 100644
+--- a/include/asm-mips/module.h
++++ b/include/asm-mips/module.h
+@@ -33,11 +33,15 @@ typedef struct {
} Elf64_Mips_Rela;
#ifdef CONFIG_32BIT
@@ -160,7 +198,7 @@
#define Elf_Mips_Rel Elf32_Rel
#define Elf_Mips_Rela Elf32_Rela
-@@ -49,11 +53,15 @@ typedef struct {
+@@ -48,11 +52,15 @@ #define ELF_MIPS_R_TYPE(rel) ELF32_R_TYP
#endif
#ifdef CONFIG_64BIT
@@ -177,13 +215,14 @@
#define Elf_Mips_Rel Elf64_Mips_Rel
#define Elf_Mips_Rela Elf64_Mips_Rela
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-parisc/module.h linux-905/include/asm-parisc/module.h
---- linux-904/include/asm-parisc/module.h
-+++ linux-905/include/asm-parisc/module.h
-@@ -4,17 +4,25 @@
+diff --git a/include/asm-parisc/module.h b/include/asm-parisc/module.h
+index 00f0688..ebd9a5e 100644
+--- a/include/asm-parisc/module.h
++++ b/include/asm-parisc/module.h
+@@ -4,17 +4,25 @@ #define _ASM_PARISC_MODULE_H
* This file contains the parisc architecture specific module code.
*/
- #ifdef __LP64__
+ #ifdef CONFIG_64BIT
+#define MODULES_ARE_ELF64
#define Elf_Shdr Elf64_Shdr
#define Elf_Sym Elf64_Sym
@@ -206,9 +245,11 @@
#endif
struct unwind_table;
---- linux-2.6.13/include/asm-powerpc/module.h~ 2005-09-08 01:05:31.000000000 -0400
-+++ linux-2.6.13/include/asm-powerpc/module.h 2005-09-08 01:11:30.000000000 -0400
-@@ -53,16 +53,26 @@ extern struct bug_entry *module_find_bug
+diff --git a/include/asm-powerpc/module.h b/include/asm-powerpc/module.h
+index e5f14b1..f9baae1 100644
+--- a/include/asm-powerpc/module.h
++++ b/include/asm-powerpc/module.h
+@@ -52,16 +52,26 @@ #endif
*/
#ifdef __powerpc64__
@@ -235,9 +276,10 @@
# ifdef MODULE
asm(".section .plt,\"ax\", at nobits; .align 3; .previous");
asm(".section .init.plt,\"ax\", at nobits; .align 3; .previous");
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-s390/module.h linux-905/include/asm-s390/module.h
---- linux-904/include/asm-s390/module.h
-+++ linux-905/include/asm-s390/module.h
+diff --git a/include/asm-s390/module.h b/include/asm-s390/module.h
+index 1cc1c5a..b64dab0 100644
+--- a/include/asm-s390/module.h
++++ b/include/asm-s390/module.h
@@ -29,14 +29,17 @@ struct mod_arch_specific
};
@@ -256,9 +298,10 @@
#define Elf_Rela ElfW(Rela)
#define Elf_Shdr ElfW(Shdr)
#define Elf_Sym ElfW(Sym)
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-sh/module.h linux-905/include/asm-sh/module.h
---- linux-904/include/asm-sh/module.h
-+++ linux-905/include/asm-sh/module.h
+diff --git a/include/asm-sh/module.h b/include/asm-sh/module.h
+index 118d5a2..c3cf495 100644
+--- a/include/asm-sh/module.h
++++ b/include/asm-sh/module.h
@@ -9,9 +9,14 @@ struct mod_arch_specific {
/* Nothing to see here .. */
};
@@ -274,9 +317,10 @@
#ifdef CONFIG_CPU_LITTLE_ENDIAN
# ifdef CONFIG_CPU_SH2
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-sparc/module.h linux-905/include/asm-sparc/module.h
---- linux-904/include/asm-sparc/module.h
-+++ linux-905/include/asm-sparc/module.h
+diff --git a/include/asm-sparc/module.h b/include/asm-sparc/module.h
+index cbd9e67..e2921e2 100644
+--- a/include/asm-sparc/module.h
++++ b/include/asm-sparc/module.h
@@ -1,7 +1,12 @@
#ifndef _ASM_SPARC_MODULE_H
#define _ASM_SPARC_MODULE_H
@@ -290,9 +334,10 @@
+#define ELF_R_TYPE(X) ELF32_R_TYPE(X)
+#define ELF_R_SYM(X) ELF32_R_SYM(X)
#endif /* _ASM_SPARC_MODULE_H */
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-sparc64/module.h linux-905/include/asm-sparc64/module.h
---- linux-904/include/asm-sparc64/module.h
-+++ linux-905/include/asm-sparc64/module.h
+diff --git a/include/asm-sparc64/module.h b/include/asm-sparc64/module.h
+index 3d77ba4..2e7ca17 100644
+--- a/include/asm-sparc64/module.h
++++ b/include/asm-sparc64/module.h
@@ -1,7 +1,12 @@
#ifndef _ASM_SPARC64_MODULE_H
#define _ASM_SPARC64_MODULE_H
@@ -306,9 +351,10 @@
+#define ELF_R_TYPE(X) ELF64_R_TYPE(X)
+#define ELF_R_SYM(X) ELF64_R_SYM(X)
#endif /* _ASM_SPARC64_MODULE_H */
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-um/module-i386.h linux-905/include/asm-um/module-i386.h
---- linux-904/include/asm-um/module-i386.h
-+++ linux-905/include/asm-um/module-i386.h
+diff --git a/include/asm-um/module-i386.h b/include/asm-um/module-i386.h
+index 5ead4a0..b441057 100644
+--- a/include/asm-um/module-i386.h
++++ b/include/asm-um/module-i386.h
@@ -9,5 +9,9 @@ struct mod_arch_specific
#define Elf_Shdr Elf32_Shdr
#define Elf_Sym Elf32_Sym
@@ -319,9 +365,10 @@
+#define ELF_R_SYM(X) ELF32_R_SYM(X)
#endif
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-v850/module.h linux-905/include/asm-v850/module.h
---- linux-904/include/asm-v850/module.h
-+++ linux-905/include/asm-v850/module.h
+diff --git a/include/asm-v850/module.h b/include/asm-v850/module.h
+index 2c2f494..48752f3 100644
+--- a/include/asm-v850/module.h
++++ b/include/asm-v850/module.h
@@ -31,9 +31,14 @@ struct mod_arch_specific
unsigned int core_plt_section, init_plt_section;
};
@@ -337,10 +384,11 @@
/* Make empty sections for module_frob_arch_sections to expand. */
#ifdef MODULE
-diff -urNp --exclude-from=/home/davej/.exclude linux-904/include/asm-x86_64/module.h linux-905/include/asm-x86_64/module.h
---- linux-904/include/asm-x86_64/module.h
-+++ linux-905/include/asm-x86_64/module.h
-@@ -3,8 +3,13 @@
+diff --git a/include/asm-x86_64/module.h b/include/asm-x86_64/module.h
+index 67f8f69..3a7373a 100644
+--- a/include/asm-x86_64/module.h
++++ b/include/asm-x86_64/module.h
+@@ -3,8 +3,13 @@ #define _ASM_X8664_MODULE_H
struct mod_arch_specific {};
linux-2.6-modsign-ksign.patch:
Index: linux-2.6-modsign-ksign.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel-xen-2.6/devel/linux-2.6-modsign-ksign.patch,v
retrieving revision 1.2
retrieving revision 1.2.12.1
diff -u -r1.2 -r1.2.12.1
--- linux-2.6-modsign-ksign.patch 22 Mar 2007 15:40:59 -0000 1.2
+++ linux-2.6-modsign-ksign.patch 23 Jul 2007 21:23:44 -0000 1.2.12.1
@@ -1,31 +1,81 @@
---- linux-2.6.18.noarch/crypto/digest.c~ 2006-10-14 18:53:16.000000000 -0400
-+++ linux-2.6.18.noarch/crypto/digest.c 2006-10-14 18:54:08.000000000 -0400
-@@ -45,6 +45,13 @@ void crypto_digest_update(struct crypto_
- }
- EXPORT_SYMBOL_GPL(crypto_digest_update);
+MODSIGN: Module signature checker and key manager
+
+From: David Howells <dhowells at redhat.com>
+
+Add a facility to retain public keys and to verify signatures made with those
+public keys, given a signature and crypto_hash of the data that was signed.
+
+Signed-Off-By: David Howells <dhowells at redhat.com>
+---
+
+ crypto/Kconfig | 13 +
+ crypto/Makefile | 1
+ crypto/signature/Makefile | 10 +
+ crypto/signature/dsa.c | 96 ++++++
+ crypto/signature/key.h | 7
+ crypto/signature/ksign-keyring.c | 116 +++++++
+ crypto/signature/ksign-parse.c | 603 ++++++++++++++++++++++++++++++++++++
+ crypto/signature/ksign-publickey.c | 18 +
+ crypto/signature/ksign.c | 180 +++++++++++
+ crypto/signature/local.h | 160 ++++++++++
+ include/linux/crypto/ksign.h | 22 +
+ 11 files changed, 1226 insertions(+), 0 deletions(-)
+
+diff --git a/crypto/Kconfig b/crypto/Kconfig
+index d768c46..205cbdf 100644
+--- a/crypto/Kconfig
++++ b/crypto/Kconfig
+@@ -471,6 +471,19 @@ config CRYPTO_MPILIB
+ help
+ Multiprecision maths library from GnuPG
-+static void crypto_update_kernel(struct crypto_tfm *tfm,
-+ const void *data, size_t count)
-+{
-+ tfm->__crt_alg->cra_digest.dia_update(tfm, data, count);
-+ crypto_yield(tfm);
-+}
++config CRYPTO_SIGNATURE
++ bool "In-kernel signature checker (EXPERIMENTAL)"
++ depends on CRYPTO
++ help
++ Signature checker (used for module sig checking).
++
++config CRYPTO_SIGNATURE_DSA
++ bool "Handle DSA signatures (EXPERIMENTAL)"
++ depends on CRYPTO_SIGNATURE
++ select CRYPTO_MPILIB
++ help
++ DSA Signature checker.
++
+ source "drivers/crypto/Kconfig"
+
+ endif # if CRYPTO
+diff --git a/crypto/Makefile b/crypto/Makefile
+index 36a6211..309a806 100644
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -47,3 +47,4 @@ obj-$(CONFIG_CRYPTO_CRC32C) += crc32c.o
+ obj-$(CONFIG_CRYPTO_TEST) += tcrypt.o
+
+ obj-$(CONFIG_CRYPTO_MPILIB) += mpi/
++obj-$(CONFIG_CRYPTO_SIGNATURE) += signature/
+diff --git a/crypto/signature/Makefile b/crypto/signature/Makefile
+new file mode 100644
+index 0000000..4d1042e
+--- /dev/null
++++ b/crypto/signature/Makefile
+@@ -0,0 +1,10 @@
++#
++# Makefile for the signature checker
++#
+
- void crypto_digest_final(struct crypto_tfm *tfm, u8 *out)
- {
- struct crypto_hash *hash = crypto_hash_cast(tfm);
-@@ -186,6 +193,7 @@ int crypto_init_digest_ops(struct crypto
-
- ops->init = init;
- ops->update = update;
-+ ops->dit_update_kernel = crypto_update_kernel;
- ops->final = final;
- ops->digest = digest;
- ops->setkey = dalg->dia_setkey ? setkey : nosetkey;
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/dsa.c linux-902/crypto/signature/dsa.c
---- linux-901/crypto/signature/dsa.c
-+++ linux-902/crypto/signature/dsa.c
-@@ -0,0 +1,98 @@
++obj-y := \
++ ksign.o \
++ ksign-parse.o \
++ ksign-keyring.o \
++ ksign-publickey.o \
++ dsa.o
+diff --git a/crypto/signature/dsa.c b/crypto/signature/dsa.c
+new file mode 100644
+index 0000000..469539c
+--- /dev/null
++++ b/crypto/signature/dsa.c
+@@ -0,0 +1,96 @@
+/* dsa.c - DSA signature algorithm
+ * Copyright (C) 1998, 1999, 2000 Free Software Foundation, Inc.
+ *
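Review bot: `select CRYPTO_MPILIB` sits only under `config CRYPTO_SIGNATURE_DSA`, while crypto/signature/Makefile lists every object, including `dsa.o`, under `obj-y`, and ksign-parse.c calls mpi_free() later in this patch. With CRYPTO_SIGNATURE=y and CRYPTO_SIGNATURE_DSA=n the signature checker would therefore appear to fail at link time unless some other option happens to enable the MPI library. Either move the `select CRYPTO_MPILIB` line up into `config CRYPTO_SIGNATURE`, or build the DSA code with `obj-$(CONFIG_CRYPTO_SIGNATURE_DSA) += dsa.o` and guard its caller. The checker also allocates a "sha1" transform further down, and nothing here selects the SHA1 algorithm; that may be handled by an option outside this patch.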
@@ -51,7 +101,6 @@
+#include <asm/errno.h>
+#include "local.h"
+
-+/*****************************************************************************/
+/*
+ * perform DSA algorithm signature verification
+ */
@@ -65,8 +114,7 @@
+
+ if (!datahash ||
+ !sig[0] || !sig[1] ||
-+ !pkey[0] || !pkey[1] || !pkey[2] || !pkey[3]
-+ )
++ !pkey[0] || !pkey[1] || !pkey[2] || !pkey[3])
+ return -EINVAL;
+
+ p = pkey[0]; /* prime */
@@ -78,12 +126,12 @@
+
+ if (!(mpi_cmp_ui(r, 0) > 0 && mpi_cmp(r, q) < 0)) {
+ printk("DSA_verify assertion failed [0 < r < q]\n");
-+ return -EPERM;
++ return -EKEYREJECTED;
+ }
+
+ if (!(mpi_cmp_ui(s, 0) > 0 && mpi_cmp(s, q) < 0)) {
+ printk("DSA_verify assertion failed [0 < s < q]\n");
-+ return -EPERM;
++ return -EKEYREJECTED;
+ }
+
+ rc = -ENOMEM;
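Review bot: DSA_verify now returns `-EKEYREJECTED` for an out-of-range r or s (and, in the next hunk, for a failed comparison), but the comment above the function still reads only "perform DSA algorithm signature verification" and the return contract is written down nowhere. Any caller that still tests for `-EPERM` would no longer recognise a rejected signature, so the codes should be documented next to the function. Propose extending the header comment with `returns 0 if the signature matches, -EKEYREJECTED if r or s is out of range or the check fails, -EINVAL on a missing input, -ENOMEM on allocation failure`. The function starts and ends outside this hunk.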
@@ -115,18 +163,20 @@
+ if (mpi_fdiv_r(v, v, q) < 0)
+ goto cleanup;
+
-+ rc = mpi_cmp(v, r) == 0 ? 0 : -EPERM;
++ rc = (mpi_cmp(v, r) == 0) ? 0 : -EKEYREJECTED;
+
-+ cleanup:
++cleanup:
+ mpi_free(w);
+ mpi_free(u1);
+ mpi_free(u2);
+ mpi_free(v);
+ return rc;
-+} /* end DSA_verify() */
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/key.h linux-902/crypto/signature/key.h
---- linux-901/crypto/signature/key.h
-+++ linux-902/crypto/signature/key.h
++}
+diff --git a/crypto/signature/key.h b/crypto/signature/key.h
+new file mode 100644
+index 0000000..7297968
+--- /dev/null
++++ b/crypto/signature/key.h
@@ -0,0 +1,7 @@
+const int ksign_def_public_key_size = 0;
+/* automatically generated by bin2hex */
@@ -135,193 +185,12 @@
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/ksign.c linux-902/crypto/signature/ksign.c
---- linux-901/crypto/signature/ksign.c
-+++ linux-902/crypto/signature/ksign.c
-@@ -0,0 +1,179 @@
-+/* ksign.c: signature checker
-+ *
-+ * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells at redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the License, or (at your option) any later version.
-+ */
-+
-+#include <linux/kernel.h>
-+#include <asm/errno.h>
-+#include "local.h"
-+
-+#if 0
-+#define _debug(FMT, ...) printk(KERN_DEBUG FMT, ##__VA_ARGS__)
-+#else
-+#define _debug(FMT, ...) do { ; } while (0)
-+#endif
-+
-+/*****************************************************************************/
-+/*
-+ * check the signature which is contained in SIG.
-+ */
-+static int ksign_signature_check(const struct ksign_signature *sig,
-+ struct crypto_tfm *sha1_tfm)
-+{
-+ struct ksign_public_key *pk;
-+ uint8_t sha1[SHA1_DIGEST_SIZE];
-+ MPI result = NULL;
-+ int rc = 0;
-+
-+ pk = ksign_get_public_key(sig->keyid);
-+ if (!pk) {
-+ printk("ksign: module signed with unknown public key\n");
-+ printk("- signature keyid: %08x%08x ver=%u\n",
-+ sig->keyid[0], sig->keyid[1], sig->version);
-+ return -EPERM;
-+ }
-+
-+ if (pk->timestamp > sig->timestamp)
-+ printk("ksign:"
-+ " public key is %lu seconds newer than the signature\n",
-+ pk->timestamp - sig->timestamp);
-+
-+ /* complete the digest */
-+ if (sig->version >= 4)
-+ SHA1_putc(sha1_tfm, sig->version);
-+ SHA1_putc(sha1_tfm, sig->sig_class);
-+
-+ if (sig->version < 4) {
-+ u32 a = sig->timestamp;
-+ SHA1_putc(sha1_tfm, (a >> 24) & 0xff);
-+ SHA1_putc(sha1_tfm, (a >> 16) & 0xff);
-+ SHA1_putc(sha1_tfm, (a >> 8) & 0xff);
-+ SHA1_putc(sha1_tfm, (a >> 0) & 0xff);
-+ }
-+ else {
-+ uint8_t buf[6];
-+ size_t n;
-+ SHA1_putc(sha1_tfm, PUBKEY_ALGO_DSA);
-+ SHA1_putc(sha1_tfm, DIGEST_ALGO_SHA1);
-+ if (sig->hashed_data) {
-+ n = (sig->hashed_data[0] << 8) | sig->hashed_data[1];
-+ SHA1_write(sha1_tfm, sig->hashed_data, n + 2);
-+ n += 6;
-+ }
-+ else {
-+ n = 6;
-+ }
-+
-+ /* add some magic */
-+ buf[0] = sig->version;
-+ buf[1] = 0xff;
-+ buf[2] = n >> 24;
-+ buf[3] = n >> 16;
-+ buf[4] = n >> 8;
-+ buf[5] = n;
-+ SHA1_write(sha1_tfm, buf, 6);
-+ }
-+
-+ crypto_digest_final(sha1_tfm, sha1);
-+ crypto_free_tfm(sha1_tfm);
-+
-+
-+
-+
-+
-+
-+ rc = -ENOMEM;
-+ result = mpi_alloc((SHA1_DIGEST_SIZE + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB);
-+ if (!result)
-+ goto cleanup;
-+
-+ rc = mpi_set_buffer(result, sha1, SHA1_DIGEST_SIZE, 0);
-+ if (rc < 0)
-+ goto cleanup;
-+
-+ rc = DSA_verify(result, sig->data, pk->pkey);
-+
-+ cleanup:
-+ mpi_free(result);
-+ ksign_put_public_key(pk);
-+
-+ return rc;
-+} /* end ksign_signature_check() */
-+
-+/*****************************************************************************/
-+/*
-+ * examine the signatures that are parsed out of the signature data - we keep
-+ * the first one that's appropriate and ignore the rest
-+ * - return 0 if signature of interest (sig not freed by caller)
-+ * - return 1 if no interest (caller frees)
-+ */
-+static int ksign_grab_signature(struct ksign_signature *sig, void *fnxdata)
-+{
-+ struct ksign_signature **_sig = fnxdata;
-+
-+ if (sig->sig_class != 0x00) {
-+ _debug("ksign: standalone signature of class 0x%02x\n",
-+ sig->sig_class);
-+ return 1;
-+ }
-+
-+ if (*_sig)
-+ return 1;
-+
-+ *_sig = sig;
-+ return 0;
-+} /* end ksign_grab_signature() */
-+
-+/*****************************************************************************/
-+/*
-+ * verify the signature of some data with one of the kernel's known public keys
-+ * - the SHA1 context should be currently open with the signed data digested
-+ * into it so that more data can be appended
-+ * - the SHA1 context is finalised and freed before returning
-+ */
-+int ksign_verify_signature(const char *sigdata, unsigned sig_size,
-+ struct crypto_tfm *sha1)
-+{
-+ struct ksign_signature *sig = NULL;
-+ int retval;
-+
-+ /* parse the signature data to get the actual signature */
-+ retval = ksign_parse_packets(sigdata, sig_size,
-+ &ksign_grab_signature, NULL, NULL,
-+ &sig);
-+ if (retval < 0)
-+ goto cleanup;
-+
-+ if (!sig) {
-+ printk("Couldn't find valid DSA signature in module\n");
-+ return -ENOENT;
-+ }
-+
-+ _debug("signature keyid: %08x%08x ver=%u\n",
-+ sig->keyid[0], sig->keyid[1], sig->version);
-+
-+ /* check the data SHA1 transformation against the public key */
-+ retval = ksign_signature_check(sig, sha1);
-+ if (retval == 0) {
-+ _debug("ksign: Signature check succeeded\n");
-+ }
-+ else if (retval != -ENOMEM) {
-+ _debug("ksign: Signature check failed\n");
-+ retval = -EPERM;
-+ }
-+ else {
-+ _debug("ksign: Signature check ENOMEM\n");
-+ }
-+
-+ cleanup:
-+ if (sig)
-+ ksign_free_signature(sig);
-+
-+ return retval;
-+} /* end ksign_verify_signature() */
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/ksign-keyring.c linux-902/crypto/signature/ksign-keyring.c
---- linux-901/crypto/signature/ksign-keyring.c
-+++ linux-902/crypto/signature/ksign-keyring.c
-@@ -0,0 +1,112 @@
+diff --git a/crypto/signature/ksign-keyring.c b/crypto/signature/ksign-keyring.c
+new file mode 100644
+index 0000000..a839261
+--- /dev/null
++++ b/crypto/signature/ksign-keyring.c
+@@ -0,0 +1,116 @@
+/* ksign-keyring.c: public key cache
+ *
+ * Copyright (C) 2001 Red Hat, Inc. All Rights Reserved.
@@ -350,6 +219,9 @@
+static LIST_HEAD(keyring);
+static DECLARE_RWSEM(keyring_sem);
+
++/*
++ * handle a public key element parsed from the keyring blob
++ */
+static int add_keyblock_key(struct ksign_public_key *pk, void *data)
+{
+ printk("- Added public key %X%X\n", pk->keyid[0], pk->keyid[1]);
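Review bot: The `%X%X` in `printk("- Added public key %X%X\n", ...)` prints the two key-id words without padding, so leading zeros of the second word are dropped and different key ids can produce the same log line. That makes the boot log unreliable for matching a loaded key against the key id reported for a module signature. Use fixed width: `printk("- Added public key %08X%08X\n", pk->keyid[0], pk->keyid[1]);`. The rest of add_keyblock_key is outside this hunk.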
@@ -370,15 +242,17 @@
+ return 0;
+}
+
++/*
++ * handle a user ID element parsed from the keyring blob
++ */
+static int add_keyblock_uid(struct ksign_user_id *uid, void *data)
+{
+ printk("- User ID: %s\n", uid->name);
+ return 1;
+}
+
-+/*****************************************************************************/
+/*
-+ *
++ * add the keys from a ASN.1 encoded blob into the keyring
+ */
+int ksign_load_keyring_from_buffer(const void *buffer, size_t size)
+{
@@ -390,11 +264,10 @@
+ add_keyblock_key,
+ add_keyblock_uid,
+ NULL);
-+} /* end ksign_load_keyring_from_buffer() */
++}
+
-+/*****************************************************************************/
+/*
-+ *
++ * find a public key by ID
+ */
+struct ksign_public_key *ksign_get_public_key(const uint32_t *keyid)
+{
@@ -409,15 +282,15 @@
+ }
+ }
+
-+ found:
-+ up_read(&keyring_sem);
++ pk = NULL;
+
++found:
++ up_read(&keyring_sem);
+ return pk;
-+} /* end ksign_get_public_key() */
++}
+
-+/*****************************************************************************/
+/*
-+ * clear the public key keyring
++ * clear the public-key keyring
+ */
+void ksign_clear_keyring(void)
+{
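Review bot: The added `pk = NULL;` before `found:` has no comment saying why it is there, and it is the line that decides whether an unknown key id is reported as "no key". Presumably the loop above is a list walk whose cursor ends up pointing at the list head's container rather than NULL when nothing matches; without the reset the caller would receive a non-NULL pointer that is not a key. Suggest adding `/* no match: the list cursor is not NULL after a full walk, so clear it */` above the assignment. The loop and the start of ksign_get_public_key are outside this hunk.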
@@ -433,12 +306,14 @@
+ }
+
+ up_write(&keyring_sem);
-+} /* end ksign_clear_keyring() */
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/ksign-parse.c linux-902/crypto/signature/ksign-parse.c
---- linux-901/crypto/signature/ksign-parse.c
-+++ linux-902/crypto/signature/ksign-parse.c
-@@ -0,0 +1,609 @@
-+/* parse-packet.c - read packets
++}
+diff --git a/crypto/signature/ksign-parse.c b/crypto/signature/ksign-parse.c
+new file mode 100644
+index 0000000..96e2ff5
+--- /dev/null
++++ b/crypto/signature/ksign-parse.c
+@@ -0,0 +1,603 @@
++/* parse packet data
+ * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
@@ -495,14 +370,13 @@
+{
+ int i;
+
-+ if (!sig)
-+ return;
-+
-+ for (i = 0; i < DSA_NSIG; i++)
-+ mpi_free(sig->data[i]);
-+ kfree(sig->hashed_data);
-+ kfree(sig->unhashed_data);
-+ kfree(sig);
++ if (sig) {
++ for (i = 0; i < DSA_NSIG; i++)
++ mpi_free(sig->data[i]);
++ kfree(sig->hashed_data);
++ kfree(sig->unhashed_data);
++ kfree(sig);
++ }
+}
+
+void ksign_free_public_key(struct ksign_public_key *pk)
@@ -518,15 +392,13 @@
+
+void ksign_free_user_id(struct ksign_user_id *uid)
+{
-+ if (uid)
-+ kfree(uid);
++ kfree(uid);
+}
+
-+/*****************************************************************************/
+/*
+ *
+ */
-+static void ksign_calc_pk_keyid(struct crypto_tfm *sha1,
++static void ksign_calc_pk_keyid(struct hash_desc *sha1,
+ struct ksign_public_key *pk)
+{
+ unsigned n;
@@ -537,7 +409,7 @@
+ int i;
+ int npkey = DSA_NPKEY;
+
-+ crypto_digest_init(sha1);
++ crypto_hash_init(sha1);
+
+ n = pk->version < 4 ? 8 : 6;
+ for (i = 0; i < npkey; i++) {
@@ -550,7 +422,7 @@
+ SHA1_putc(sha1, n >> 8); /* 2 uint8_t length header */
+ SHA1_putc(sha1, n);
+
-+ if( pk->version < 4)
++ if (pk->version < 4)
+ SHA1_putc(sha1, 3);
+ else
+ SHA1_putc(sha1, 4);
@@ -565,7 +437,8 @@
+ uint16_t a16;
+
+ if( pk->expiredate )
-+ a16 = (uint16_t) ((pk->expiredate - pk->timestamp) / 86400L);
++ a16 = (uint16_t)
++ ((pk->expiredate - pk->timestamp) / 86400L);
+ else
+ a16 = 0;
+ SHA1_putc(sha1, a16 >> 8);
@@ -580,10 +453,8 @@
+ SHA1_write(sha1, pp[i], nn[i]);
+ kfree(pp[i]);
+ }
++}
+
-+} /* end ksign_calc_pk_keyid() */
-+
-+/*****************************************************************************/
+/*
+ * parse a user ID embedded in a signature
+ */
@@ -614,9 +485,8 @@
+
+ ksign_free_user_id(uid);
+ return rc;
-+} /* end ksign_parse_user_id() */
++}
+
-+/*****************************************************************************/
+/*
+ * extract a public key embedded in a signature
+ */
@@ -625,9 +495,9 @@
+ ksign_public_key_actor_t pkfnx, void *fnxdata)
+{
+ struct ksign_public_key *pk;
-+ struct crypto_tfm *sha1_tfm;
++ struct hash_desc sha1;
+ unsigned long timestamp, expiredate;
-+ uint8_t sha1[SHA1_DIGEST_SIZE];
++ uint8_t hash[SHA1_DIGEST_SIZE];
+ int i, version;
+ int is_v4 = 0;
+ int rc = 0;
@@ -651,9 +521,9 @@
+ }
+
+ timestamp = read_32(&datap);
-+ if (is_v4)
++ if (is_v4) {
+ expiredate = 0; /* have to get it from the selfsignature */
-+ else {
++ } else {
+ unsigned short ndays;
+ ndays = read_16(&datap);
+ if (ndays)
@@ -669,11 +539,10 @@
+ }
+
+ /* extract the stuff from the DSA public key */
-+ pk = kmalloc(sizeof(struct ksign_public_key), GFP_KERNEL);
++ pk = kzalloc(sizeof(struct ksign_public_key), GFP_KERNEL);
+ if (!pk)
+ return -ENOMEM;
+
-+ memset(pk, 0, sizeof(struct ksign_public_key));
+ atomic_set(&pk->count, 1);
+ pk->timestamp = timestamp;
+ pk->expiredate = expiredate;
@@ -688,29 +557,29 @@
+
+ rc = -ENOMEM;
+
-+ sha1_tfm = crypto_alloc_tfm2("sha1", 0, 1);
-+ if (!sha1_tfm)
++ sha1.tfm = crypto_hash_cast(crypto_alloc_tfm2("sha1", 0, 1));
++ if (!sha1.tfm)
+ goto cleanup;
++ sha1.flags = 0;
+
-+ ksign_calc_pk_keyid(sha1_tfm, pk);
-+ crypto_digest_final(sha1_tfm, sha1);
-+ crypto_free_tfm(sha1_tfm);
++ ksign_calc_pk_keyid(&sha1, pk);
++ crypto_hash_final(&sha1, hash);
++ crypto_free_hash(sha1.tfm);
+
-+ pk->keyid[0] = sha1[12] << 24 | sha1[13] << 16 | sha1[14] << 8 | sha1[15];
-+ pk->keyid[1] = sha1[16] << 24 | sha1[17] << 16 | sha1[18] << 8 | sha1[19];
++ pk->keyid[0] = hash[12] << 24 | hash[13] << 16 | hash[14] << 8 | hash[15];
++ pk->keyid[1] = hash[16] << 24 | hash[17] << 16 | hash[18] << 8 | hash[19];
+
+ rc = 0;
+ if (pkfnx)
+ rc = pkfnx(pk, fnxdata);
+
-+ cleanup:
++cleanup:
+ ksign_put_public_key(pk);
+ return rc;
-+} /* end ksign_parse_key() */
++}
+
-+/*****************************************************************************/
+/*
-+ *
++ * find an element representing the issuer
+ */
+static const uint8_t *ksign_find_sig_issuer(const uint8_t *buffer)
+{
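Review bot: The return value of `crypto_hash_final(&sha1, hash)` is ignored, so if the digest fails `hash` is an uninitialised stack buffer and `pk->keyid[]` is built from whatever it holds. The same applies to the unchecked `crypto_hash_init(sha1)` in ksign_calc_pk_keyid in the earlier hunk. Capture the result and bail out: `rc = crypto_hash_final(&sha1, hash);` `crypto_free_hash(sha1.tfm);` `if (rc < 0) goto cleanup;`. The `if (!sha1.tfm)` test also assumes crypto_alloc_tfm2() signals failure with NULL rather than an error pointer, which this hunk does not show. ksign_parse_key starts outside the hunk.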
@@ -730,8 +599,7 @@
+ goto too_short;
+ n = read_32(&buffer);
+ buflen -= 4;
-+ }
-+ else if (n >= 192) {
++ } else if (n >= 192) {
+ if(buflen < 2)
+ goto too_short;
+ n = ((n - 192) << 8) + *buffer + 192;
@@ -743,9 +611,10 @@
+ goto too_short;
+
+ type = *buffer & 0x7f;
-+ if (!(++seq > 0))
++ if (!(++seq > 0)) {
+ ;
-+ else if (type == SIGSUBPKT_ISSUER) { /* found */
++ } else if (type == SIGSUBPKT_ISSUER) {
++ /* found */
+ buffer++;
+ n--;
+ if (n > buflen || n < 8)
@@ -757,11 +626,10 @@
+ buflen -= n;
+ }
+
-+ too_short:
++too_short:
+ return NULL; /* end of subpackets; not found */
-+} /* end ksign_find_sig_issuer() */
++}
+
-+/*****************************************************************************/
+/*
+ * extract signature data embedded in a signature
+ */
@@ -787,16 +655,16 @@
+ case 2:
+ break;
+ default:
-+ printk("ksign: signature packet with unknown version %d\n", version);
++ printk("ksign: signature packet with unknown version %d\n",
++ version);
+ return 0;
+ }
+
+ /* store information */
-+ sig = kmalloc(sizeof(*sig), GFP_KERNEL);
++ sig = kzalloc(sizeof(*sig), GFP_KERNEL);
+ if (!sig)
+ return -ENOMEM;
+
-+ memset(sig, 0, sizeof(*sig));
+ sig->version = version;
+
+ if (!is_v4)
@@ -820,15 +688,18 @@
+ }
+
+ rc = -EBADMSG;
-+ if (is_v4) { /* read subpackets */
++ if (is_v4) {
++ /* read subpackets */
+ n = read_16(&datap); /* length of hashed data */
+ if (n > 10000) {
-+ printk("ksign: signature packet: hashed data too long\n");
++ printk("ksign: signature packet:"
++ " hashed data too long\n");
+ goto leave;
+ }
+ if (n) {
+ if ((size_t)(endp - datap) < n) {
-+ printk("ksign: signature packet: available data too short\n");
++ printk("ksign: signature packet:"
++ " available data too short\n");
+ goto leave;
+ }
+ sig->hashed_data = kmalloc(n + 2, GFP_KERNEL);
@@ -844,12 +715,14 @@
+
+ n = read_16(&datap); /* length of unhashed data */
+ if (n > 10000) {
-+ printk("ksign: signature packet: unhashed data too long\n");
++ printk("ksign: signature packet:"
++ " unhashed data too long\n");
+ goto leave;
+ }
+ if (n) {
+ if ((size_t) (endp - datap) < n) {
-+ printk("ksign: signature packet: available data too short\n");
++ printk("ksign: signature packet:"
++ " available data too short\n");
+ goto leave;
+ }
+ sig->unhashed_data = kmalloc(n + 2, GFP_KERNEL);
@@ -878,9 +751,9 @@
+ p = ksign_find_sig_issuer(sig->hashed_data);
+ if (!p)
+ p = ksign_find_sig_issuer(sig->unhashed_data);
-+ if (!p)
++ if (!p) {
+ printk("ksign: signature packet without issuer\n");
-+ else {
++ } else {
+ sig->keyid[0] = buffer_to_u32(p);
+ sig->keyid[1] = buffer_to_u32(p + 4);
+ }
@@ -901,12 +774,11 @@
+ rc = 0;
+ }
+
-+ leave:
++leave:
+ ksign_free_signature(sig);
+ return rc;
-+} /* end ksign_parse_signature() */
++}
+
-+/*****************************************************************************/
+/*
+ * parse the next packet and call appropriate handler function for known types
+ * - returns:
@@ -954,8 +826,7 @@
+
+ if (c < 192) {
+ pktlen = c;
-+ }
-+ else if (c < 224) {
++ } else if (c < 224) {
+ pktlen = (c - 192) * 256;
+ if (*datap >= endp) {
+ printk("ksign: 2nd length uint8_t missing\n");
@@ -964,28 +835,24 @@
+ c = *(*datap)++;
+ hdr[hdrlen++] = c;
+ pktlen += c + 192;
-+ }
-+ else if (c == 255) {
++ } else if (c == 255) {
+ if (*datap + 3 >= endp) {
+ printk("ksign: 4 uint8_t length invalid\n");
+ goto leave;
+ }
-+ pktlen = (hdr[hdrlen++] = *(*datap)++ << 24 );
-+ pktlen |= (hdr[hdrlen++] = *(*datap)++ << 16 );
-+ pktlen |= (hdr[hdrlen++] = *(*datap)++ << 8 );
-+ pktlen |= (hdr[hdrlen++] = *(*datap)++ << 0 );
-+ }
-+ else {
++ pktlen = (hdr[hdrlen++] = *(*datap)++ << 24);
++ pktlen |= (hdr[hdrlen++] = *(*datap)++ << 16);
++ pktlen |= (hdr[hdrlen++] = *(*datap)++ << 8);
++ pktlen |= (hdr[hdrlen++] = *(*datap)++ << 0);
++ } else {
+ pktlen = 0;/* to indicate partial length */
+ }
-+ }
-+ else {
++ } else {
+ pkttype = (ctb >> 2) & 0xf;
+ lenuint8_ts = ((ctb & 3) == 3) ? 0 : (1 << (ctb & 3));
+ if( !lenuint8_ts ) {
+ pktlen = 0; /* don't know the value */
-+ }
-+ else {
++ } else {
+ if (*datap + lenuint8_ts > endp) {
+ printk("ksign: length uint8_ts missing\n");
+ goto leave;
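Review bot: In the `c == 255` branch the shift sits inside the assignment, `pktlen = (hdr[hdrlen++] = *(*datap)++ << 24);`, so the shifted value is what gets stored into `hdr[]`. If `hdr` is a byte array (its declaration is outside this hunk, as are the start and end of ksign_parse_one_packet()), the first three stores truncate to zero and `pktlen` keeps only the low length byte. The parser then disagrees with the real packet boundary in signature data that has not yet been authenticated. This commit only removes the space before `)`; the shift belongs outside the parentheses with an unsigned cast, e.g. `pktlen = (u32)(hdr[hdrlen++] = *(*datap)++) << 24;`, and likewise for the 16, 8 and 0 shifts.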
@@ -1005,13 +872,16 @@
+ /* deal with the next packet appropriately */
+ switch (pkttype) {
+ case PKT_PUBLIC_KEY:
-+ rc = ksign_parse_key(*datap, *datap + pktlen, hdr, hdrlen, pkfnx, data);
++ rc = ksign_parse_key(*datap, *datap + pktlen, hdr, hdrlen,
++ pkfnx, data);
+ break;
+ case PKT_SIGNATURE:
-+ rc = ksign_parse_signature(*datap, *datap + pktlen, sigfnx, data);
++ rc = ksign_parse_signature(*datap, *datap + pktlen,
++ sigfnx, data);
+ break;
+ case PKT_USER_ID:
-+ rc = ksign_parse_user_id(*datap, *datap + pktlen, uidfnx, data);
++ rc = ksign_parse_user_id(*datap, *datap + pktlen,
++ uidfnx, data);
+ break;
+ default:
+ rc = 0; /* unknown packet */
@@ -1019,11 +889,10 @@
+ }
+
+ *datap += pktlen;
-+ leave:
++leave:
+ return rc;
-+} /* end ksign_parse_one_packet() */
++}
+
-+/*****************************************************************************/
+/*
+ * parse the contents of a packet buffer, passing the signature, public key and
+ * user ID to the caller's callback functions
@@ -1046,13 +915,14 @@
+ } while (rc == 0 && datap < endp);
+
+ return rc;
-+} /* end ksign_parse_packets() */
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/ksign-publickey.c linux-902/crypto/signature/ksign-publickey.c
---- linux-901/crypto/signature/ksign-publickey.c
-+++ linux-902/crypto/signature/ksign-publickey.c
-@@ -0,0 +1,19 @@
++}
+diff --git a/crypto/signature/ksign-publickey.c b/crypto/signature/ksign-publickey.c
+new file mode 100644
+index 0000000..832a419
+--- /dev/null
++++ b/crypto/signature/ksign-publickey.c
+@@ -0,0 +1,18 @@
+#include "local.h"
-+
+#include "key.h"
+
+static int __init ksign_init(void)
@@ -1070,10 +940,198 @@
+}
+
+module_init(ksign_init)
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/local.h linux-902/crypto/signature/local.h
---- linux-901/crypto/signature/local.h
-+++ linux-902/crypto/signature/local.h
-@@ -0,0 +1,163 @@
+diff --git a/crypto/signature/ksign.c b/crypto/signature/ksign.c
+new file mode 100644
+index 0000000..b62eb38
+--- /dev/null
++++ b/crypto/signature/ksign.c
+@@ -0,0 +1,180 @@
++/* ksign.c: signature checker
++ *
++ * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells at redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version
++ * 2 of the License, or (at your option) any later version.
++ */
++
++#include <linux/kernel.h>
++#include <asm/errno.h>
++#include "local.h"
++
++#if 0
++#define _debug(FMT, ...) printk(KERN_DEBUG FMT, ##__VA_ARGS__)
++#else
++#define _debug(FMT, ...) do { ; } while (0)
++#endif
++
++/*
++ * check the signature which is contained in SIG.
++ */
++static int ksign_signature_check(const struct ksign_signature *sig,
++ struct crypto_hash *sha1_tfm)
++{
++ struct ksign_public_key *pk;
++ struct hash_desc sha1_d;
++ uint8_t sha1[SHA1_DIGEST_SIZE];
++ MPI result = NULL;
++ int rc = 0;
++
++ pk = ksign_get_public_key(sig->keyid);
++ if (!pk) {
++ printk("ksign: module signed with unknown public key\n");
++ printk("- signature keyid: %08x%08x ver=%u\n",
++ sig->keyid[0], sig->keyid[1], sig->version);
++ return -ENOKEY;
++ }
++
++ if (pk->timestamp > sig->timestamp)
++ printk("ksign:"
++ " public key is %lu seconds newer than the signature\n",
++ pk->timestamp - sig->timestamp);
++
++ sha1_d.tfm = sha1_tfm;
++ sha1_d.flags = 0;
++
++ /* complete the digest */
++ if (sig->version >= 4)
++ SHA1_putc(&sha1_d, sig->version);
++ SHA1_putc(&sha1_d, sig->sig_class);
++
++ if (sig->version < 4) {
++ u32 a = sig->timestamp;
++ SHA1_putc(&sha1_d, (a >> 24) & 0xff);
++ SHA1_putc(&sha1_d, (a >> 16) & 0xff);
++ SHA1_putc(&sha1_d, (a >> 8) & 0xff);
++ SHA1_putc(&sha1_d, (a >> 0) & 0xff);
++ }
++ else {
++ uint8_t buf[6];
++ size_t n;
++ SHA1_putc(&sha1_d, PUBKEY_ALGO_DSA);
++ SHA1_putc(&sha1_d, DIGEST_ALGO_SHA1);
++ if (sig->hashed_data) {
++ n = (sig->hashed_data[0] << 8) | sig->hashed_data[1];
++ SHA1_write(&sha1_d, sig->hashed_data, n + 2);
++ n += 6;
++ }
++ else {
++ n = 6;
++ }
++
++ /* add some magic */
++ buf[0] = sig->version;
++ buf[1] = 0xff;
++ buf[2] = n >> 24;
++ buf[3] = n >> 16;
++ buf[4] = n >> 8;
++ buf[5] = n;
++ SHA1_write(&sha1_d, buf, 6);
++ }
++
++ crypto_hash_final(&sha1_d, sha1);
++ crypto_free_hash(sha1_tfm);
++
++ rc = -ENOMEM;
++ result = mpi_alloc((SHA1_DIGEST_SIZE + BYTES_PER_MPI_LIMB - 1) /
++ BYTES_PER_MPI_LIMB);
++ if (!result)
++ goto cleanup;
++
++ rc = mpi_set_buffer(result, sha1, SHA1_DIGEST_SIZE, 0);
++ if (rc < 0)
++ goto cleanup;
++
++ rc = DSA_verify(result, sig->data, pk->pkey);
++
++ cleanup:
++ mpi_free(result);
++ ksign_put_public_key(pk);
++
++ return rc;
++}
++
++/*
++ * examine the signatures that are parsed out of the signature data - we keep
++ * the first one that's appropriate and ignore the rest
++ * - return 0 if signature of interest (sig not freed by caller)
++ * - return 1 if no interest (caller frees)
++ */
++static int ksign_grab_signature(struct ksign_signature *sig, void *fnxdata)
++{
++ struct ksign_signature **_sig = fnxdata;
++
++ if (sig->sig_class != 0x00) {
++ _debug("ksign: standalone signature of class 0x%02x\n",
++ sig->sig_class);
++ return 1;
++ }
++
++ if (*_sig)
++ return 1;
++
++ *_sig = sig;
++ return 0;
++}
++
++/*
++ * verify the signature of some data with one of the kernel's known public keys
++ * - the SHA1 context should be currently open with the signed data digested
++ * into it so that more data can be appended
++ * - the SHA1 context is finalised and freed before returning
++ */
++int ksign_verify_signature(const char *sigdata, unsigned sig_size,
++ struct crypto_hash *sha1)
++{
++ struct ksign_signature *sig = NULL;
++ int retval;
++
++ /* parse the signature data to get the actual signature */
++ retval = ksign_parse_packets(sigdata, sig_size,
++ &ksign_grab_signature, NULL, NULL,
++ &sig);
++ if (retval < 0)
++ goto cleanup;
++
++ if (!sig) {
++ printk(KERN_NOTICE
++ "Couldn't find valid DSA signature in module\n");
++ return -ENOENT;
++ }
++
++ _debug("signature keyid: %08x%08x ver=%u\n",
++ sig->keyid[0], sig->keyid[1], sig->version);
++
++ /* check the data SHA1 transformation against the public key */
++ retval = ksign_signature_check(sig, sha1);
++ switch (retval) {
++ case 0:
++ _debug("ksign: Signature check succeeded\n");
++ break;
++ case -ENOMEM:
++ _debug("ksign: Signature check ENOMEM\n");
++ break;
++ default:
++ _debug("ksign: Signature check failed\n");
++ if (retval != -ENOKEY)
++ retval = -EKEYREJECTED;
++ break;
++ }
++
++ cleanup:
++ if (sig)
++ ksign_free_signature(sig);
++
++ return retval;
++}
+diff --git a/crypto/signature/local.h b/crypto/signature/local.h
+new file mode 100644
+index 0000000..aa18cc4
+--- /dev/null
++++ b/crypto/signature/local.h
+@@ -0,0 +1,160 @@
+/* local.h: kernel signature checker internal defs
+ *
+ * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
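Review bot: The new ksign.c frees the SHA1 transform only on the path that reaches `crypto_free_hash(sha1_tfm)` in ksign_signature_check(), although the comment above ksign_verify_signature() promises the context is finalised and freed before returning. The unknown-key exit (`return -ENOKEY;`), the ksign_parse_packets() failure path and the `return -ENOENT;` exit all leave it allocated, so each rejected module either leaks a transform or relies on the caller to free it, which is not visible in this hunk. Adding `crypto_free_hash(sha1_tfm);` before `return -ENOKEY;` and `crypto_free_hash(sha1);` on the two early exits in ksign_verify_signature() would make the documented contract hold. The return value of `crypto_hash_final()` is also ignored before the digest is handed to DSA_verify().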
@@ -1152,8 +1210,7 @@
+/*
+ * signature record
+ */
-+struct ksign_signature
-+{
++struct ksign_signature {
+ uint32_t keyid[2]; /* 64 bit keyid */
+ time_t timestamp; /* signature made */
+ uint8_t version;
@@ -1169,8 +1226,7 @@
+/*
+ * public key record
+ */
-+struct ksign_public_key
-+{
++struct ksign_public_key {
+ struct list_head link;
+ atomic_t count; /* ref count */
+ time_t timestamp; /* key made */
@@ -1199,8 +1255,7 @@
+/*
+ * user ID record
+ */
-+struct ksign_user_id
-+{
++struct ksign_user_id {
+ int len; /* length of the name */
+ char name[0];
+};
@@ -1228,32 +1283,20 @@
+ * - we _know_ the data is locked into kernel memory, so we don't want to have
+ * to kmap() it
+ */
-+static inline void SHA1_putc(struct crypto_tfm *sha1, uint8_t ch)
++static inline void SHA1_putc(struct hash_desc *sha1, uint8_t ch)
+{
-+ crypto_digest_update_kernel(sha1, &ch, 1);
++ crypto_hash_update_kernel(sha1, &ch, 1);
+}
+
-+static inline void SHA1_write(struct crypto_tfm *sha1, const void *s, size_t n)
++static inline void SHA1_write(struct hash_desc *sha1, const void *s, size_t n)
+{
-+ crypto_digest_update_kernel(sha1, s, n);
++ crypto_hash_update_kernel(sha1, s, n);
+}
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/crypto/signature/Makefile linux-902/crypto/signature/Makefile
---- linux-901/crypto/signature/Makefile
-+++ linux-902/crypto/signature/Makefile
-@@ -0,0 +1,10 @@
-+#
-+# Makefile for the signature checker
-+#
-+
-+obj-y := \
-+ ksign.o \
-+ ksign-parse.o \
-+ ksign-keyring.o \
-+ ksign-publickey.o \
-+ dsa.o
-diff -urNp --exclude-from=/home/davej/.exclude linux-901/include/linux/crypto/ksign.h linux-902/include/linux/crypto/ksign.h
---- linux-901/include/linux/crypto/ksign.h
-+++ linux-902/include/linux/crypto/ksign.h
+diff --git a/include/linux/crypto/ksign.h b/include/linux/crypto/ksign.h
+new file mode 100644
+index 0000000..27c9e4a
+--- /dev/null
++++ b/include/linux/crypto/ksign.h
@@ -0,0 +1,22 @@
+/* ksign.h: in-kernel signature checker
+ *
@@ -1273,43 +1316,7 @@
+
+#ifdef CONFIG_CRYPTO_SIGNATURE
+extern int ksign_verify_signature(const char *sig, unsigned sig_size,
-+ struct crypto_tfm *sha1);
++ struct crypto_hash *sha1);
+#endif
+
+#endif /* _LINUX_CRYPTO_KSIGN_H */
---- linux-2.6.18.noarch/include/linux/crypto.h~ 2006-10-14 18:55:16.000000000 -0400
-+++ linux-2.6.18.noarch/include/linux/crypto.h 2006-10-14 18:56:59.000000000 -0400
-@@ -305,6 +305,8 @@ struct hash_tfm {
- int (*init)(struct hash_desc *desc);
- int (*update)(struct hash_desc *desc,
- struct scatterlist *sg, unsigned int nsg);
-+ void (*dit_update_kernel)(struct crypto_tfm *tfm,
-+ const void *data, size_t count);
- int (*final)(struct hash_desc *desc, u8 *out);
- int (*digest)(struct hash_desc *desc, struct scatterlist *sg,
- unsigned int nsg, u8 *out);
-@@ -713,6 +715,13 @@ void crypto_digest_init(struct crypto_tf
- void crypto_digest_update(struct crypto_tfm *tfm,
- struct scatterlist *sg, unsigned int nsg)
- __deprecated_for_modules;
-+static inline void crypto_digest_update_kernel(struct crypto_tfm *tfm,
-+ const void *data,
-+ size_t count)
-+{
-+ BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_DIGEST);
-+ tfm->crt_digest.dit_update_kernel(tfm, data, count);
-+}
- void crypto_digest_final(struct crypto_tfm *tfm, u8 *out)
- __deprecated_for_modules;
- void crypto_digest_digest(struct crypto_tfm *tfm,
---- linux-2.6.14/crypto/signature/ksign-keyring.c~ 2005-11-22 14:11:25.000000000 -0500
-+++ linux-2.6.14/crypto/signature/ksign-keyring.c 2005-11-22 14:11:38.000000000 -0500
-@@ -85,6 +85,8 @@ struct ksign_public_key *ksign_get_publi
- }
- }
-
-+ pk = NULL;
-+
- found:
- up_read(&keyring_sem);
-
linux-2.6-modsign-mpilib.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.2 -r 1.2.12.1 linux-2.6-modsign-mpilib.patch
Index: linux-2.6-modsign-mpilib.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel-xen-2.6/devel/linux-2.6-modsign-mpilib.patch,v
retrieving revision 1.2
retrieving revision 1.2.12.1
diff -u -r1.2 -r1.2.12.1
--- linux-2.6-modsign-mpilib.patch 22 Mar 2007 15:40:59 -0000 1.2
+++ linux-2.6-modsign-mpilib.patch 23 Jul 2007 21:23:44 -0000 1.2.12.1
@@ -1,6 +1,119 @@
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/crypto/mpi/generic_mpi-asm-defs.h linux-903/crypto/mpi/generic_mpi-asm-defs.h
---- linux-902/crypto/mpi/generic_mpi-asm-defs.h
-+++ linux-903/crypto/mpi/generic_mpi-asm-defs.h
+MODSIGN: Multiprecision maths library
+
+From: David Howells <dhowells at redhat.com>
+
+Add a multiprecision maths library (MPILIB) required for doing cryptographic
+operations based on very large prime numbers.
+
+This is derived from GPG, reduced to the minimum necessary bits for doing DSA
+signature verification with error handling added. This is used to do kernel
+module signing.
+
+Signed-Off-By: David Howells <dhowells at redhat.com>
+---
+
+ crypto/Kconfig | 6
+ crypto/Makefile | 2
+ crypto/mpi/Makefile | 30 +
+ crypto/mpi/generic_mpi-asm-defs.h | 10
+ crypto/mpi/generic_mpih-add1.c | 62 ++
+ crypto/mpi/generic_mpih-lshift.c | 66 ++
+ crypto/mpi/generic_mpih-mul1.c | 58 +
+ crypto/mpi/generic_mpih-mul2.c | 63 ++
+ crypto/mpi/generic_mpih-mul3.c | 64 ++
+ crypto/mpi/generic_mpih-rshift.c | 65 ++
+ crypto/mpi/generic_mpih-sub1.c | 62 ++
+ crypto/mpi/generic_udiv-w-sdiv.c | 130 +++
+ crypto/mpi/longlong.h | 1502 +++++++++++++++++++++++++++++++++++++
+ crypto/mpi/mpi-add.c | 258 ++++++
+ crypto/mpi/mpi-bit.c | 245 ++++++
+ crypto/mpi/mpi-cmp.c | 71 ++
+ crypto/mpi/mpi-div.c | 345 ++++++++
+ crypto/mpi/mpi-gcd.c | 60 +
+ crypto/mpi/mpi-inline.c | 33 +
+ crypto/mpi/mpi-inline.h | 128 +++
+ crypto/mpi/mpi-internal.h | 265 +++++++
+ crypto/mpi/mpi-inv.c | 148 ++++
+ crypto/mpi/mpi-mpow.c | 113 +++
+ crypto/mpi/mpi-mul.c | 202 +++++
+ crypto/mpi/mpi-pow.c | 312 ++++++++
+ crypto/mpi/mpi-scan.c | 129 +++
+ crypto/mpi/mpicoder.c | 359 +++++++++
+ crypto/mpi/mpih-cmp.c | 58 +
+ crypto/mpi/mpih-div.c | 534 +++++++++++++
+ crypto/mpi/mpih-mul.c | 546 +++++++++++++
+ crypto/mpi/mpiutil.c | 213 +++++
+ include/linux/crypto/mpi.h | 147 ++++
+ 32 files changed, 6286 insertions(+), 0 deletions(-)
+
+diff --git a/crypto/Kconfig b/crypto/Kconfig
+index 92ba249..d768c46 100644
+--- a/crypto/Kconfig
++++ b/crypto/Kconfig
+@@ -465,6 +465,12 @@ config CRYPTO_TEST
+ help
+ Quick & dirty crypto test module.
+
++config CRYPTO_MPILIB
++ bool "Multiprecision maths library (EXPERIMENTAL)"
++ depends on CRYPTO
++ help
++ Multiprecision maths library from GnuPG
++
+ source "drivers/crypto/Kconfig"
+
+ endif # if CRYPTO
+diff --git a/crypto/Makefile b/crypto/Makefile
+index 60e3d24..36a6211 100644
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -45,3 +45,5 @@ obj-$(CONFIG_CRYPTO_MICHAEL_MIC) += mich
+ obj-$(CONFIG_CRYPTO_CRC32C) += crc32c.o
+
+ obj-$(CONFIG_CRYPTO_TEST) += tcrypt.o
++
++obj-$(CONFIG_CRYPTO_MPILIB) += mpi/
+diff --git a/crypto/mpi/Makefile b/crypto/mpi/Makefile
+new file mode 100644
+index 0000000..e96597d
+--- /dev/null
++++ b/crypto/mpi/Makefile
+@@ -0,0 +1,30 @@
++#
++# MPI multiprecision maths library (from gpg)
++#
++
++obj-$(CONFIG_CRYPTO_MPILIB) = \
++ generic_mpih-lshift.o \
++ generic_mpih-mul1.o \
++ generic_mpih-mul2.o \
++ generic_mpih-mul3.o \
++ generic_mpih-rshift.o \
++ generic_mpih-sub1.o \
++ generic_mpih-add1.o \
++ generic_udiv-w-sdiv.o \
++ mpicoder.o \
++ mpi-add.o \
++ mpi-bit.o \
++ mpi-div.o \
++ mpi-cmp.o \
++ mpi-gcd.o \
++ mpih-cmp.o \
++ mpih-div.o \
++ mpih-mul.o \
++ mpi-inline.o \
++ mpi-inv.o \
++ mpi-mpow.o \
++ mpi-mul.o \
++ mpi-pow.o \
++ mpi-scan.o \
++ mpiutil.o
++
+diff --git a/crypto/mpi/generic_mpi-asm-defs.h b/crypto/mpi/generic_mpi-asm-defs.h
+new file mode 100644
+index 0000000..13424e2
+--- /dev/null
++++ b/crypto/mpi/generic_mpi-asm-defs.h
@@ -0,0 +1,10 @@
+/* This file defines some basic constants for the MPI machinery. We
+ * need to define the types on a per-CPU basis, so it is done with
@@ -12,9 +125,11 @@
+
+
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/crypto/mpi/generic_mpih-add1.c linux-903/crypto/mpi/generic_mpih-add1.c
---- linux-902/crypto/mpi/generic_mpih-add1.c
-+++ linux-903/crypto/mpi/generic_mpih-add1.c
+diff --git a/crypto/mpi/generic_mpih-add1.c b/crypto/mpi/generic_mpih-add1.c
+new file mode 100644
+index 0000000..891fef0
+--- /dev/null
++++ b/crypto/mpi/generic_mpih-add1.c
@@ -0,0 +1,62 @@
+/* mpihelp-add_1.c - MPI helper functions
+ * Copyright (C) 1994, 1996, 1997, 1998,
@@ -78,9 +193,11 @@
+ return cy;
+}
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/crypto/mpi/generic_mpih-lshift.c linux-903/crypto/mpi/generic_mpih-lshift.c
---- linux-902/crypto/mpi/generic_mpih-lshift.c
-+++ linux-903/crypto/mpi/generic_mpih-lshift.c
+diff --git a/crypto/mpi/generic_mpih-lshift.c b/crypto/mpi/generic_mpih-lshift.c
+new file mode 100644
+index 0000000..9e159b5
+--- /dev/null
++++ b/crypto/mpi/generic_mpih-lshift.c
@@ -0,0 +1,66 @@
+/* mpihelp-lshift.c - MPI helper functions
+ * Copyright (C) 1994, 1996, 1998, 2001 Free Software Foundation, Inc.
@@ -148,9 +265,11 @@
+}
+
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/crypto/mpi/generic_mpih-mul1.c linux-903/crypto/mpi/generic_mpih-mul1.c
---- linux-902/crypto/mpi/generic_mpih-mul1.c
-+++ linux-903/crypto/mpi/generic_mpih-mul1.c
+diff --git a/crypto/mpi/generic_mpih-mul1.c b/crypto/mpi/generic_mpih-mul1.c
+new file mode 100644
+index 0000000..4e34d46
+--- /dev/null
++++ b/crypto/mpi/generic_mpih-mul1.c
@@ -0,0 +1,58 @@
+/* mpihelp-mul_1.c - MPI helper functions
+ * Copyright (C) 1994, 1996, 1997, 1998, 2001 Free Software Foundation, Inc.
@@ -210,9 +329,11 @@
+ return cy_limb;
+}
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/crypto/mpi/generic_mpih-mul2.c linux-903/crypto/mpi/generic_mpih-mul2.c
---- linux-902/crypto/mpi/generic_mpih-mul2.c
-+++ linux-903/crypto/mpi/generic_mpih-mul2.c
+diff --git a/crypto/mpi/generic_mpih-mul2.c b/crypto/mpi/generic_mpih-mul2.c
+new file mode 100644
+index 0000000..c1f41f3
+--- /dev/null
++++ b/crypto/mpi/generic_mpih-mul2.c
@@ -0,0 +1,63 @@
+/* mpihelp-mul_2.c - MPI helper functions
+ * Copyright (C) 1994, 1996, 1997, 1998, 2001 Free Software Foundation, Inc.
@@ -277,9 +398,11 @@
+}
+
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/crypto/mpi/generic_mpih-mul3.c linux-903/crypto/mpi/generic_mpih-mul3.c
---- linux-902/crypto/mpi/generic_mpih-mul3.c
-+++ linux-903/crypto/mpi/generic_mpih-mul3.c
+diff --git a/crypto/mpi/generic_mpih-mul3.c b/crypto/mpi/generic_mpih-mul3.c
+new file mode 100644
[...5398 lines suppressed...]
+ */
+
-+#include "mpi-internal.h"
-+#include "longlong.h"
-+
-+/****************
-+ * Scan through an mpi and return byte for byte. a -1 is returned to indicate
-+ * the end of the mpi. Scanning is done from the lsb to the msb, returned
-+ * values are in the range of 0 .. 255.
-+ *
-+ * FIXME: This code is VERY ugly!
-+ */
+int
-+mpi_getbyte( const MPI a, unsigned idx )
++mpihelp_mul( mpi_ptr_t prodp, mpi_ptr_t up, mpi_size_t usize,
++ mpi_ptr_t vp, mpi_size_t vsize,
++ mpi_limb_t *_result)
+{
-+ int i, j;
-+ unsigned n;
-+ mpi_ptr_t ap;
-+ mpi_limb_t limb;
-+
-+ ap = a->d;
-+ for(n=0,i=0; i < a->nlimbs; i++ ) {
-+ limb = ap[i];
-+ for( j=0; j < BYTES_PER_MPI_LIMB; j++, n++ )
-+ if( n == idx )
-+ return (limb >> j*8) & 0xff;
-+ }
-+ return -1;
-+}
-+
++ mpi_ptr_t prod_endp = prodp + usize + vsize - 1;
++ mpi_limb_t cy;
++ struct karatsuba_ctx ctx;
+
-+/****************
-+ * Put a value at position IDX into A. idx counts from lsb to msb
-+ */
-+void
-+mpi_putbyte( MPI a, unsigned idx, int xc )
-+{
-+ int i, j;
-+ unsigned n;
-+ mpi_ptr_t ap;
-+ mpi_limb_t limb, c;
++ if( vsize < KARATSUBA_THRESHOLD ) {
++ mpi_size_t i;
++ mpi_limb_t v_limb;
+
-+ c = xc & 0xff;
-+ ap = a->d;
-+ for(n=0,i=0; i < a->alloced; i++ ) {
-+ limb = ap[i];
-+ for( j=0; j < BYTES_PER_MPI_LIMB; j++, n++ )
-+ if( n == idx ) {
-+ #if BYTES_PER_MPI_LIMB == 4
-+ if( j == 0 )
-+ limb = (limb & 0xffffff00) | c;
-+ else if( j == 1 )
-+ limb = (limb & 0xffff00ff) | (c<<8);
-+ else if( j == 2 )
-+ limb = (limb & 0xff00ffff) | (c<<16);
-+ else
-+ limb = (limb & 0x00ffffff) | (c<<24);
-+ #elif BYTES_PER_MPI_LIMB == 8
-+ if( j == 0 )
-+ limb = (limb & 0xffffffffffffff00) | c;
-+ else if( j == 1 )
-+ limb = (limb & 0xffffffffffff00ff) | (c<<8);
-+ else if( j == 2 )
-+ limb = (limb & 0xffffffffff00ffff) | (c<<16);
-+ else if( j == 3 )
-+ limb = (limb & 0xffffffff00ffffff) | (c<<24);
-+ else if( j == 4 )
-+ limb = (limb & 0xffffff00ffffffff) | (c<<32);
-+ else if( j == 5 )
-+ limb = (limb & 0xffff00ffffffffff) | (c<<40);
-+ else if( j == 6 )
-+ limb = (limb & 0xff00ffffffffffff) | (c<<48);
-+ else
-+ limb = (limb & 0x00ffffffffffffff) | (c<<56);
-+ #else
-+ #error please enhance this function, its ugly - i know.
-+ #endif
-+ if( a->nlimbs <= i )
-+ a->nlimbs = i+1;
-+ ap[i] = limb;
-+ return;
-+ }
-+ }
-+ log_bug("index out of range\n");
-+}
++ if( !vsize ) {
++ *_result = 0;
++ return 0;
++ }
+
++ /* Multiply by the first limb in V separately, as the result can be
++ * stored (not added) to PROD. We also avoid a loop for zeroing. */
++ v_limb = vp[0];
++ if( v_limb <= 1 ) {
++ if( v_limb == 1 )
++ MPN_COPY( prodp, up, usize );
++ else
++ MPN_ZERO( prodp, usize );
++ cy = 0;
++ }
++ else
++ cy = mpihelp_mul_1( prodp, up, usize, v_limb );
+
-+/****************
-+ * Count the number of zerobits at the low end of A
-+ */
-+unsigned
-+mpi_trailing_zeros( const MPI a )
-+{
-+ unsigned n, count = 0;
++ prodp[usize] = cy;
++ prodp++;
+
-+ for(n=0; n < a->nlimbs; n++ ) {
-+ if( a->d[n] ) {
-+ unsigned nn;
-+ mpi_limb_t alimb = a->d[n];
++ /* For each iteration in the outer loop, multiply one limb from
++ * U with one limb from V, and add it to PROD. */
++ for( i = 1; i < vsize; i++ ) {
++ v_limb = vp[i];
++ if( v_limb <= 1 ) {
++ cy = 0;
++ if( v_limb == 1 )
++ cy = mpihelp_add_n(prodp, prodp, up, usize);
++ }
++ else
++ cy = mpihelp_addmul_1(prodp, up, usize, v_limb);
+
-+ count_trailing_zeros( nn, alimb );
-+ count += nn;
-+ break;
++ prodp[usize] = cy;
++ prodp++;
+ }
-+ count += BITS_PER_MPI_LIMB;
++
++ *_result = cy;
++ return 0;
+ }
-+ return count;
+
++ memset( &ctx, 0, sizeof ctx );
++ if (mpihelp_mul_karatsuba_case( prodp, up, usize, vp, vsize, &ctx ) < 0)
++ return -ENOMEM;
++ mpihelp_release_karatsuba_ctx( &ctx );
++ *_result = *prod_endp;
++ return 0;
+}
+
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/crypto/mpi/mpiutil.c linux-903/crypto/mpi/mpiutil.c
---- linux-902/crypto/mpi/mpiutil.c
-+++ linux-903/crypto/mpi/mpiutil.c
-@@ -0,0 +1,214 @@
+diff --git a/crypto/mpi/mpiutil.c b/crypto/mpi/mpiutil.c
+new file mode 100644
+index 0000000..26157e9
+--- /dev/null
++++ b/crypto/mpi/mpiutil.c
+@@ -0,0 +1,213 @@
+/* mpiutil.ac - Utility functions for MPI
+ * Copyright (C) 1998, 1999 Free Software Foundation, Inc.
+ *
@@ -6132,10 +6264,9 @@
+ kfree(a->d);
+ a->d = p;
+ } else {
-+ a->d = kmalloc( nlimbs * sizeof(mpi_limb_t), GFP_KERNEL);
++ a->d = kzalloc( nlimbs * sizeof(mpi_limb_t), GFP_KERNEL);
+ if (!a->d)
+ return -ENOMEM;
-+ memset(a->d, 0, nlimbs * sizeof(mpi_limb_t) );
+ }
+ a->alloced = nlimbs;
+ return 0;
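Review bot: The allocation size `nlimbs * sizeof(mpi_limb_t)` is still computed without an overflow check after the switch to kzalloc(). `kcalloc()` zero-fills as well and fails cleanly if the product would wrap, which matters if `nlimbs` can be derived from parsed key or signature data (not visible here). Proposed line: `a->d = kcalloc(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);`. The enclosing function starts before this hunk, so the other allocation branch could not be checked.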
@@ -6247,9 +6378,11 @@
+ tmp = *a; *a = *b; *b = tmp;
+}
+
-diff -urNp --exclude-from=/home/davej/.exclude linux-902/include/linux/crypto/mpi.h linux-903/include/linux/crypto/mpi.h
---- linux-902/include/linux/crypto/mpi.h
-+++ linux-903/include/linux/crypto/mpi.h
+diff --git a/include/linux/crypto/mpi.h b/include/linux/crypto/mpi.h
+new file mode 100644
+index 0000000..4de3ba0
+--- /dev/null
++++ b/include/linux/crypto/mpi.h
@@ -0,0 +1,147 @@
+/* mpi.h - Multi Precision Integers
+ * Copyright (C) 1994, 1996, 1998, 1999,
linux-2.6-modsign-script.patch:
Index: linux-2.6-modsign-script.patch
===================================================================
RCS file: /cvs/pkgs/rpms/kernel-xen-2.6/devel/linux-2.6-modsign-script.patch,v
retrieving revision 1.2
retrieving revision 1.2.12.1
diff -u -r1.2 -r1.2.12.1
--- linux-2.6-modsign-script.patch 22 Mar 2007 15:40:59 -0000 1.2
+++ linux-2.6-modsign-script.patch 23 Jul 2007 21:23:44 -0000 1.2.12.1
@@ -1,6 +1,36 @@
-diff -urNp --exclude-from=/home/davej/.exclude linux-903/scripts/modsign/Makefile linux-904/scripts/modsign/Makefile
---- linux-903/scripts/modsign/Makefile
-+++ linux-904/scripts/modsign/Makefile
+MODSIGN: Stuff for signing modules
+
+From: David Howells <dhowells at redhat.com>
+
+Add scripts and programs for signing module files (.ko files).
+
+With the kernel key files (kernel.sec and kernel.pub) in the parent directory
+of the kernel source file, any particular module can be signed by doing:
+
+ sh scripts/modsign/modsign.sh <module>
+
+For example, the RxRPC module can be signed:
+
+ sh scripts/modsign/modsign.sh net/rxrpc/rxrpc.ko
+
+This will leave a file called <module>.signed (eg: net/rxrpc/rxrpc.ko.signed)
+that is the signed module binary. This file can then be stripped if desired to
+remove debugging information without invalidating the signature. It would be
+loaded with insmod as normal.
+
+Signed-Off-By: David Howells <dhowells at redhat.com>
+---
+
+ scripts/modsign/Makefile | 27 +
+ scripts/modsign/mod-extract.c | 890 +++++++++++++++++++++++++++++++++++++++++
+ scripts/modsign/modsign.sh | 58 +++
+ 3 files changed, 975 insertions(+), 0 deletions(-)
+
+diff --git a/scripts/modsign/Makefile b/scripts/modsign/Makefile
+new file mode 100644
+index 0000000..9cf4fd9
+--- /dev/null
++++ b/scripts/modsign/Makefile
@@ -0,0 +1,27 @@
+# Set the following to `true' to make a debuggable build.
+# Leave this set to `false' for production use.
@@ -14,7 +44,7 @@
+
+CC = gcc
+
-+INCLUDES =
++INCLUDES =
+CFLAGS = -g -O -Wall
+
+OBJS = mod-extract.o
@@ -29,10 +59,12 @@
+
+clean:
+ -rm $(OBJS) $(ROOT)
-diff -urNp --exclude-from=/home/davej/.exclude linux-903/scripts/modsign/mod-extract.c linux-904/scripts/modsign/mod-extract.c
---- linux-903/scripts/modsign/mod-extract.c
-+++ linux-904/scripts/modsign/mod-extract.c
-@@ -0,0 +1,900 @@
+diff --git a/scripts/modsign/mod-extract.c b/scripts/modsign/mod-extract.c
+new file mode 100644
+index 0000000..b7b5dd1
+--- /dev/null
++++ b/scripts/modsign/mod-extract.c
+@@ -0,0 +1,890 @@
+/* mod-extract.c: module extractor for signing
+ *
+ * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
@@ -141,7 +173,6 @@
+ exit(2);
+}
+
-+/*****************************************************************************/
+/*
+ *
+ */
@@ -230,10 +261,8 @@
+ }
+
+ return 0;
++}
+
-+} /* end main() */
-+
-+/*****************************************************************************/
+/*
+ * extract a RELA table
+ * - need to canonicalise the entries in case section addition/removal has
@@ -301,10 +330,8 @@
+ }
+
+ verbose("%02x %4d %s [canon]\n", csum, secix, sh_name);
++}
+
-+} /* end extract_elf64_rela() */
-+
-+/*****************************************************************************/
+/*
+ * extract a REL table
+ * - need to canonicalise the entries in case section addition/removal has
@@ -370,10 +397,8 @@
+ }
+
+ verbose("%02x %4d %s [canon]\n", csum, secix, sh_name);
++}
+
-+} /* end extract_elf64_rel() */
-+
-+/*****************************************************************************/
+/*
+ * extract the data from a 64-bit module
+ */
@@ -403,6 +428,8 @@
+
+ symbols = NULL;
+ strings = NULL;
++ nstrings = 0;
++ nsyms = 0;
+
+ for (loop = 1; loop < shnum; loop++) {
+ const char *sh_name = secstrings + get32(§ions[loop].sh_name);
@@ -578,10 +605,8 @@
+
+ verbose("%08lx (%lu bytes csum 0x%02x)\n",
+ ftell(outfd), ftell(outfd), xcsum);
++}
+
-+} /* end extract_elf64() */
-+
-+/*****************************************************************************/
+/*
+ * extract a RELA table
+ * - need to canonicalise the entries in case section addition/removal has
@@ -649,10 +674,8 @@
+ }
+
+ verbose("%02x %4d %s [canon]\n", csum, secix, sh_name);
++}
+
-+} /* end extract_elf32_rela() */
-+
-+/*****************************************************************************/
+/*
+ * extract a REL table
+ * - need to canonicalise the entries in case section addition/removal has
@@ -707,7 +730,7 @@
+ /* canonicalise the section used by the symbol */
+ if (st_shndx > SHN_UNDEF && st_shndx < nsects)
+ set16(&relocation.st_shndx, canonmap[st_shndx]);
-+
++
+ write_out_val(relocation);
+
+ /* undefined symbols must be named if referenced */
@@ -718,10 +741,8 @@
+ }
+
+ verbose("%02x %4d %s [canon]\n", csum, secix, sh_name);
++}
+
-+} /* end extract_elf32_rel() */
-+
-+/*****************************************************************************/
+/*
+ * extract the data from a 32-bit module
+ */
@@ -751,6 +772,8 @@
+
+ symbols = NULL;
+ strings = NULL;
++ nstrings = 0;
++ nsyms = 0;
+
+ for (loop = 1; loop < shnum; loop++) {
+ const char *sh_name = secstrings + get32(§ions[loop].sh_name);
@@ -931,12 +954,13 @@
+
+ verbose("%08lx (%lu bytes csum 0x%02x)\n",
+ ftell(outfd), ftell(outfd), xcsum);
-+
-+} /* end extract_elf32() */
-diff -urNp --exclude-from=/home/davej/.exclude linux-903/scripts/modsign/modsign.sh linux-904/scripts/modsign/modsign.sh
---- linux-903/scripts/modsign/modsign.sh
-+++ linux-904/scripts/modsign/modsign.sh
-@@ -0,0 +1,57 @@
++}
+diff --git a/scripts/modsign/modsign.sh b/scripts/modsign/modsign.sh
+new file mode 100644
+index 0000000..5615f92
+--- /dev/null
++++ b/scripts/modsign/modsign.sh
+@@ -0,0 +1,58 @@
+#!/bin/bash
+###############################################################################
+#
@@ -980,6 +1004,7 @@
+
+# strip out only the sections that we care about
+scripts/modsign/mod-extract $verbose $module $module.out || exit $?
++# dd if=/dev/zero of=$module.out bs=1 count=1 # inject fault
+
+# sign the sections
+gpg --no-greeting $KEYFLAGS -b $module.out || exit $?
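Review bot: The added `# dd if=/dev/zero of=$module.out bs=1 count=1 # inject fault` is a commented-out test hook left in the signing script between extraction and `gpg -b`. If it is ever uncommented by accident, the script signs a one-byte file instead of the extracted sections; I would drop the line or move the fault injection into a separate test script. `$module` is also expanded unquoted on the mod-extract and gpg lines, so a path containing spaces splits into several arguments; `"$module" "$module.out"` avoids that.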