From: "Michael Weiß" <michael.weiss@aisec.fraunhofer.de>
To: Alejandro Colomar <alx@kernel.org>
Cc: <linux-man@vger.kernel.org>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Stephen Boyd <swboyd@chromium.org>
Subject: Re: [PATCH] init_module.2: Document MODULE_INIT_COMPRESS_FILE flag
Date: Tue, 2 Apr 2024 13:07:12 +0200 [thread overview]
Message-ID: <be8b4949-a304-49a4-9b88-6f02b4f556ef@aisec.fraunhofer.de> (raw)
In-Reply-To: <ZgiaxG6RKwWslu7J@debian>
Hi Alex,
On 3/31/24 00:05, Alejandro Colomar wrote:
> Hi Michael,
>
> On Fri, Mar 29, 2024 at 01:41:37PM +0100, Michael Weiß wrote:
>> finit_module() supports the MODULE_INIT_COMPRESS_FILE flag since
>> Linux 5.17. See commit b1ae6dc41eaaa ("module: add in-kernel support
>> for decompressing")
>>
>> During implementation of a secure module loader in GyroidOS, we
>> wanted to filter unsafe module parameters. To verify that only the
>> two documented flags which are disabling sanity checks are unsafe,
>> we had a look in the current kernel implementation.
>>
>> We discovered that this new flag MODULE_INIT_COMPRESS_FILE was added.
>> Having a deeper look at the code, we also discovered that a new error
>> code EOPNOTSUPP is possible within newer kernels.
>>
>> The inital commit only supported gzip and xz compression algorithms.
>> Support for zstd was added in Linux 6.2 by commit 169a58ad824d8
>> ("module/decompress: Support zstd in-kernel decompression")
>>
>> Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
>> ---
>> man2/init_module.2 | 48 +++++++++++++++++++++++++++++++++++++++++++++-
>> 1 file changed, 47 insertions(+), 1 deletion(-)
>>
>> diff --git a/man2/init_module.2 b/man2/init_module.2
>> index 95917a079..8197b0df6 100644
>> --- a/man2/init_module.2
>> +++ b/man2/init_module.2
>> @@ -107,6 +107,10 @@ Ignore symbol version hashes.
>> .TP
>> .B MODULE_INIT_IGNORE_VERMAGIC
>> Ignore kernel version magic.
>> +.TP
>> +.BR MODULE_INIT_COMPRESSED_FILE " (since Linux 5.17)"
>> +.\" commit b1ae6dc41eaaa98bb75671e0f3665bfda248c3e7
>> +Use in-kernel module decompression.
>> .P
>> There are some safety checks built into a module to ensure that
>> it matches the kernel against which it is loaded.
>> @@ -136,6 +140,41 @@ If the kernel is built to permit forced loading (i.e., configured with
>> then loading continues, otherwise it fails with the error
>> .B ENOEXEC
>> as expected for malformed modules.
>> +.P
>> +If the kernel was build with
>> +.BR CONFIG_MODULE_DECOMPRESS ,
>> +the in-kernel decompression feature can be used.
>> +Userspace code can check if the kernel supports decompression by
>> +reading the
>> +.I /sys/module/compression
>> +attribute.
>> +If the kernel supports decompression, the compressed file can directly
>
> Please use semantic newlines. See man-pages(7):
>
> $ MANWIDTH=72 man man-pages | sed -n '/Use semantic newlines/,/^$/p';
> Use semantic newlines
> In the source of a manual page, new sentences should be started
> on new lines, long sentences should be split into lines at clause
> breaks (commas, semicolons, colons, and so on), and long clauses
> should be split at phrase boundaries. This convention, sometimes
> known as "semantic newlines", makes it easier to see the effect
> of patches, which often operate at the level of individual sen‐
> tences, clauses, or phrases.
>
Thanks for the hint. I'll fix that.
>> +be passed to
>> +.BR finit_module ()
>> +using the
>> +.B MODULE_INIT_COMPRESSED_FILE
>> +flag.
>> +The in-kernel module decompressor supports the following compression
>> +algorithms:
>> +.P
>> +.RS 4
>> +.PD 0
>> +.IP \[bu] 3
>> +.I gzip
>> +(since Linux 5.17)
>> +.IP \[bu]
>> +.I xz
>> +(since Linux 5.17)
>> +.IP \[bu]
>> +.I zstd
>> +.\" commit 169a58ad824d896b9e291a27193342616e651b82
>> +(since Linux 6.2)
>> +.PD
>> +.RE
>> +.P
>> +The kernel only implements a single decompression method which is
>> +selected during module generation accordingly to the compression
>> +method selected in the kernel configuration.
>> .SH RETURN VALUE
>> On success, these system calls return 0.
>> On error, \-1 is returned and
>> @@ -221,12 +260,19 @@ is too large.
>> .TP
>> .B EINVAL
>> .I flags
>> -is invalid.
>> +is invalid or the decompressor sanity checks failed while loading
>> +a compressed module with flag
>> +.BR CONFIG_MODULE_DECOMPRESS
>
> This should use B, not BR. (It uses Bold, not Bold/Roman alternating.)
>
I spotted another error here, too. Should be:
.B MODULE_INIT_COMPRESSED_FILE
I'll fix that in v2.
>> +set.
>> .TP
>> .B ENOEXEC
>> .I fd
>> does not refer to an open file.
>> .TP
>> +.BR EOPNOTSUPP " (since Linux 5.17)"
>> +This error is return if the kernel was configured without
>
> The first words seems redundant. I'd use:
>
> The kernel was configured without CONFIG_MODULE_DECOMPRESS.
>
> Which seems incomplete. I guess if the module is not compressed, then
> it won't report this error.
>
> The module is compressed, and the kernel was built without ...
True. But I would write:
The flag
.B MODULE_INIT_COMPRESSED_FILE
is set to load a compressed module,
and the kernel was built without
.BR CONFIG_MODULE_DECOMPRESS .
Since the error directly dependents on a check of the flag.
>
>> +.BR CONFIG_MODULE_DECOMPRESS
>
> This was missing a terminating '.'.
>
>> +.TP
>> .BR ETXTBSY " (since Linux 4.7)"
>> .\" commit 39d637af5aa7577f655c58b9e55587566c63a0af
>> The file referred to by
>> --
>> 2.39.2
>>
>
> Have a lovely night!
> Alex
>
Regards,
Michael
next prev parent reply other threads:[~2024-04-02 11:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 12:41 [PATCH] init_module.2: Document MODULE_INIT_COMPRESS_FILE flag Michael Weiß
2024-03-30 23:05 ` Alejandro Colomar
2024-04-02 11:07 ` Michael Weiß [this message]
2024-04-03 9:07 ` Alejandro Colomar
-- strict thread matches above, loose matches on Subject: below --
2024-04-03 11:42 Michael Weiß
2024-04-04 9:01 ` Alejandro Colomar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=be8b4949-a304-49a4-9b88-6f02b4f556ef@aisec.fraunhofer.de \
--to=michael.weiss@aisec.fraunhofer.de \
--cc=alx@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-man@vger.kernel.org \
--cc=swboyd@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).