module-signing.rst - OpenGrok cross reference for /linux-6.1.9/Documentation/admin-guide/module-signing.rst

Lines Matching refs:modules
10 .. - Manually signing modules.
11 .. - Signed modules and stripping.
12 .. - Loading signed modules.
13 .. - Non-valid signatures and unsigned modules.
21 The kernel module signing facility cryptographically signs modules during
23 allows increased kernel security by disallowing the loading of unsigned modules
24 or modules signed with an invalid key.  Module signing increases security by
49  (1) :menuselection:`Require modules to be validly signed`
55      If this is off (ie. "permissive"), then modules for which the key is not
56      available and modules that are unsigned are permitted, but the kernel will
57      be marked as being tainted, and the concerned modules will be marked as
60      If this is on (ie. "restrictive"), only modules that have a valid
62      will be loaded.  All other modules will generate an error.
68  (2) :menuselection:`Automatically sign all modules`
71      If this is on then modules will be automatically signed during the
72      modules_install phase of a build.  If this is off, then the modules must
78  (3) :menuselection:`Which hash algorithm should modules be signed with?`
81      sign the modules with:
84 	``CONFIG_MODULE_SIG_SHA1``	:menuselection:`Sign modules with SHA-1`
85 	``CONFIG_MODULE_SIG_SHA224``	:menuselection:`Sign modules with SHA-224`
86 	``CONFIG_MODULE_SIG_SHA256``	:menuselection:`Sign modules with SHA-256`
87 	``CONFIG_MODULE_SIG_SHA384``	:menuselection:`Sign modules with SHA-384`
88 	``CONFIG_MODULE_SIG_SHA512``	:menuselection:`Sign modules with SHA-512`
92      than being a module) so that modules signed with that algorithm can have
101      and allow the kernel modules to be signed with a key of your choosing.
132 kernel so that it can be used to check the signatures as the modules are
212 Manually signing modules
237 Signed modules and stripping
244 Signed modules are BRITTLE as the signature is outside of the defined ELF
251 Loading signed modules
255 ``finit_module()``, exactly as for unsigned modules as no processing is
260 Non-valid signatures and unsigned modules
264 the kernel command line, the kernel will only load validly signed modules
265 for which it has a public key.   Otherwise, it will also load modules that are
276 Since the private key is used to sign modules, viruses and malware could use
277 the private key to sign modules and compromise the operating system.  The
281 If you use the same private key to sign modules for multiple kernel