From 54bfd8db38e94b660e2cb2d9da7cdeba0ded554c Mon Sep 17 00:00:00 2001 From: Sid Nayyar Date: Thu, 30 Jan 2025 11:22:26 -0800 Subject: [PATCH] ANDROID: add MODULE_SIG_PROTECT and MODULE_SIG_PROTECT_LIST options MODULE_SIG_PROTECT_LIST - list of modules whose exports to protect MODULE_SIG_PROTECT - readonly, set automatically based on the value of MODULE_SIG_PROTECT_LIST; used for determining whether symbol exportion is enabled in scripts, Makefiles and preprocessor directives Bug: 393366754 Change-Id: I70bb82c24dcd18de5bb3db4924acca5799539fc9 Signed-off-by: Sid Nayyar
---
kernel/module/Kconfig | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index fbdfb6f5a6ae..616cfea358bc 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -297,6 +297,24 @@ config MODULE_SIG_ALL
 comment "Do not forget to sign required modules with scripts/sign-file"
 depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
 
+config MODULE_SIG_PROTECT_LIST
+ string "File with signed module names whose exports are to be protected"
+ default ""
+ depends on MODULE_SIG && !MODULE_SIG_FORCE
+ help
+ Enables symbol export protection support for the listed signed
+ modules. This option prevents unsigned modules from exporting symbols
+ which are exported by the listed modules. Any unsigned module which
+ tries to export such a symbol will fail to load.
+
+ The value to set here is the path to a text file in the source
+ directory containing the list of module names, one per line. The path
+ can be absolute, or relative to the kernel source or obj tree.
+
+config MODULE_SIG_PROTECT
+ def_bool y
+ depends on MODULE_SIG_PROTECT_LIST != ""
+
 choice
 prompt "Hash algorithm to sign modules"
 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
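Review bot: MODULE_SIG_PROTECT is derived only from MODULE_SIG_PROTECT_LIST being a non-empty string, so a mistyped path, or a list file that is missing or empty, would still switch the option on while protecting nothing. The code that reads the file is not part of this patch, so please confirm that the build stops with an error in that case rather than continuing silently, and say so in the help text. The help text is also ambiguous about location: it describes the file as being "in the source directory" and then allows absolute paths and the obj tree, without giving the order in which the two trees are searched. Finally, the `!MODULE_SIG_FORCE` dependency is unexplained; if the reason is that unsigned modules cannot load at all under MODULE_SIG_FORCE, a help line such as `Not offered with MODULE_SIG_FORCE, where unsigned modules are rejected outright.` would record that.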