[PATCH 13/17] crypto/algapi.c: skip crypto_check_module_sig() for the standalone crypto module
Jay Wang
wanjay at amazon.com
Wed Feb 11 18:42:17 PST 2026
From: Vegard Nossum <vegard.nossum at oracle.com>
The signature check in regular module verification process
`crypto_check_module_sig()` is skipped for this standalone crypto module
because its signature has already been checked during load (as described
in later patch).
Signed-off-by: Vegard Nossum <vegard.nossum at oracle.com>
[Revise commit message]
Signed-off-by: Jay Wang <wanjay at amazon.com>
---
crypto/algapi.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 37de377719ae..663698e0cd65 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -24,7 +24,19 @@ static LIST_HEAD(crypto_template_list);
static inline void crypto_check_module_sig(struct module *mod)
{
- if (fips_enabled && mod && !module_sig_ok(mod))
+#ifdef FIPS_MODULE
+ /*
+ * The FIPS module should ignore its own signature check, as it was
+ * already been verified elsewhere during loading.
+ */
+ if (mod == THIS_MODULE)
+ return;
+#else
+ if (!fips_enabled)
+ return;
+#endif
+
+ if (mod && !module_sig_ok(mod))
panic("Module %s signature verification failed in FIPS mode\n",
module_name(mod));
}
--
2.47.3
More information about the linux-arm-kernel
mailing list