ANDROID: add MODULE_SIG_PROTECT and MODULE_SIG_PROTECT_LIST options

MODULE_SIG_PROTECT_LIST - list of modules whose exports to protect MODULE_SIG_PROTECT - readonly, set automatically based on the value of MODULE_SIG_PROTECT_LIST; used for determining whether symbol exportion is enabled in scripts, Makefiles and preprocessor directives Bug: 393366754 Change-Id: I70bb82c24dcd18de5bb3db4924acca5799539fc9 Signed-off-by: Sid Nayyar <sidnayyar@google.com>
2025-01-30 11:22:26 -08:00
parent 255e2003ee
commit 54bfd8db38
1 changed files with 18 additions and 0 deletions
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -297,6 +297,24 @@ config MODULE_SIG_ALL
 comment "Do not forget to sign required modules with scripts/sign-file"
 	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL

+config MODULE_SIG_PROTECT_LIST
+	string "File with signed module names whose exports are to be protected"
+	default ""
+	depends on MODULE_SIG && !MODULE_SIG_FORCE
+	help
+	  Enables symbol export protection support for the listed signed
+	  modules. This option prevents unsigned modules from exporting symbols
+	  which are exported by the listed modules. Any unsigned module which
+	  tries to export such a symbol will fail to load.
+
+	  The value to set here is the path to a text file in the source
+	  directory containing the list of module names, one per line. The path
+	  can be absolute, or relative to the kernel source or obj tree.
+
+config MODULE_SIG_PROTECT
+	def_bool y
+	depends on MODULE_SIG_PROTECT_LIST != ""
+
 choice
 	prompt "Hash algorithm to sign modules"
 	depends on MODULE_SIG || IMA_APPRAISE_MODSIG