From d61de07c2189401a003f3fcf8ef45760b4d55f82 Mon Sep 17 00:00:00 2001
From: Rifat Azad
Date: Sat, 19 Jul 2025 23:10:48 +0600
Subject: [PATCH] kernel: implement v2_signature size/hash override from userspace through kernel module parameter - /sys/module/kernelsu/parameters/expected_manager_*
---
 kernel/Makefile | 16 ++++++------
 kernel/apk_sign.c | 62 ++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 67 insertions(+), 11 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index 6da2b6f0..ac6d5b9e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -49,12 +49,12 @@ ifeq ($(shell grep "ssize_t kernel_write" $(srctree)/fs/read_write.c | grep -q "
 ccflags-y += -DKSU_KERNEL_WRITE
 endif
-ifndef KSU_NEXT_EXPECTED_SIZE
-KSU_NEXT_EXPECTED_SIZE := 0x3e6
+ifndef KSU_NEXT_MANAGER_SIZE
+KSU_NEXT_MANAGER_SIZE := 0x3e6
 endif
-ifndef KSU_NEXT_EXPECTED_HASH
-KSU_NEXT_EXPECTED_HASH := 79e590113c4c4c0c222978e413a5faa801666957b1212a328e46c00c69821bf7
+ifndef KSU_NEXT_MANAGER_HASH
+KSU_NEXT_MANAGER_HASH := 79e590113c4c4c0c222978e413a5faa801666957b1212a328e46c00c69821bf7
 endif
 ifdef KSU_MANAGER_PACKAGE
@@ -62,11 +62,11 @@ ccflags-y += -DKSU_MANAGER_PACKAGE=\"$(KSU_MANAGER_PACKAGE)\"
 $(info -- KernelSU-Next Manager package name: $(KSU_MANAGER_PACKAGE))
 endif
-$(info -- KernelSU-Next Manager signature size: $(KSU_NEXT_EXPECTED_SIZE))
-$(info -- KernelSU-Next Manager signature hash: $(KSU_NEXT_EXPECTED_HASH))
+$(info -- KernelSU-Next Manager signature size: $(KSU_NEXT_MANAGER_SIZE))
+$(info -- KernelSU-Next Manager signature hash: $(KSU_NEXT_MANAGER_HASH))
-ccflags-y += -DEXPECTED_NEXT_SIZE=$(KSU_NEXT_EXPECTED_SIZE)
-ccflags-y += -DEXPECTED_NEXT_HASH=\"$(KSU_NEXT_EXPECTED_HASH)\"
+ccflags-y += -DEXPECTED_MANAGER_SIZE=$(KSU_NEXT_MANAGER_SIZE)
+ccflags-y += -DEXPECTED_MANAGER_HASH=\"$(KSU_NEXT_MANAGER_HASH)\"
 ccflags-y += -DKSU_UMOUNT
diff --git a/kernel/apk_sign.c b/kernel/apk_sign.c
index c1e803d7..51cdf097 100644
--- a/kernel/apk_sign.c
+++ b/kernel/apk_sign.c
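Review bot: A build that still passes `KSU_NEXT_EXPECTED_SIZE` or `KSU_NEXT_EXPECTED_HASH` now falls through both `ifndef` blocks in the first Makefile hunk and silently gets the default `0x3e6` size and default hash, so the resulting kernel trusts a different manager signature than the builder asked for. The `$(info …)` lines in the second hunk (`@@ -62,11 +62,11 @@`) print the effective values, but nothing stops the build. Either honour the old names for a transition period, for example `KSU_NEXT_MANAGER_HASH ?= $(KSU_NEXT_EXPECTED_HASH)` inside `ifdef KSU_NEXT_EXPECTED_HASH` (and the same for the size), or abort with `$(error …)` when an old name is set.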
@@ -3,10 +3,9 @@
 #include
 #include
 #include
+#include
 #include
-#ifdef CONFIG_KSU_DEBUG
 #include
-#endif
 #include
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
 #include
@@ -19,6 +18,8 @@
 #include "kernel_compat.h"
 #include "throne_tracker.h"
+static unsigned int expected_manager_size = EXPECTED_MANAGER_SIZE;
+static char expected_manager_hash[SHA256_DIGEST_SIZE * 2 + 1] = EXPECTED_MANAGER_HASH;
 struct sdesc {
 struct shash_desc shash;
@@ -313,6 +314,53 @@ static struct kernel_param_ops expected_size_ops = {
 module_param_cb(ksu_debug_manager_uid, &expected_size_ops, &ksu_debug_manager_uid, S_IRUSR | S_IWUSR);
+#else
+
+static int set_expected_size(const char *val, const struct kernel_param *kp)
+{
+ int rv = param_set_uint(val, kp);
+ pr_info("expected_manager_size set to %u\n", expected_manager_size);
+ return rv;
+}
+
+static int get_expected_size(char *buf, const struct kernel_param *kp)
+{
+ return snprintf(buf, PAGE_SIZE, "%u\n", expected_manager_size);
+}
+
+static int set_expected_hash(const char *val, const struct kernel_param *kp)
+{
+ if (strlen(val) != SHA256_DIGEST_SIZE * 2) {
+ pr_err("Invalid hash length: %s\n", val);
+ return -EINVAL;
+ }
+
+ strncpy(expected_manager_hash, val, SHA256_DIGEST_SIZE * 2);
+ expected_manager_hash[SHA256_DIGEST_SIZE * 2] = '\0';
+
+ pr_info("expected_manager_hash set to %s\n", expected_manager_hash);
+ return 0;
+}
+
+static int get_expected_hash(char *buf, const struct kernel_param *kp)
+{
+ return snprintf(buf, PAGE_SIZE, "%s\n", expected_manager_hash);
+}
+
+static struct kernel_param_ops expected_size_ops = {
+ .set = set_expected_size,
+ .get = get_expected_size,
+};
+
+static struct kernel_param_ops expected_hash_ops = {
+ .set = set_expected_hash,
+ .get = get_expected_hash,
+};
+
+module_param_cb(expected_manager_size, &expected_size_ops, &expected_manager_size, 0644);
+
+module_param_cb(expected_manager_hash, &expected_hash_ops, &expected_manager_hash, 0644);
+
 #endif
 bool is_manager_apk(char *path) 
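Review bot: `static char expected_manager_hash[SHA256_DIGEST_SIZE * 2 + 1] = EXPECTED_MANAGER_HASH;` in the `@@ -19,6 +18,8 @@` hunk has no compile-time length check. C lets a string initializer fill a char array exactly and drop its terminator, so a 65-character `KSU_NEXT_MANAGER_HASH` passed at build time would leave the buffer unterminated, and the `%s` print added to `is_manager_apk()` would read past it. Before this change the macro was handed to `check_v2_signature` as a plain literal, so the hazard is new. Adding `static_assert(sizeof(EXPECTED_MANAGER_HASH) == sizeof(expected_manager_hash), "manager hash must be 64 hex characters");` next to the definition turns a mistyped hash into a build error; on kernels that predate `static_assert`, a `BUILD_BUG_ON` with the same condition in an init function does the same.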
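Review bot: Registering `expected_manager_size` and `expected_manager_hash` with mode `0644` (hunk `@@ -313,6 +314,53 @@`) makes the signature that `is_manager_apk()` trusts rewritable at runtime by anything that can write /sys/module/kernelsu/parameters/ as root, so the manager check becomes only as strong as access to that directory. If the override is meant for load-time configuration, mode `0444` on both `module_param_cb` lines keeps it settable from the command line but read-only afterwards; a runtime knob would be better placed behind a config option that defaults to off. The setters also need tightening, as sketched below: `set_expected_size` logs "set to" even when `param_set_uint` fails, and `set_expected_hash` rejects the newline a plain `echo` appends, accepts non-hex bytes, and echoes the rejected input into the log. No lock shared with the reader is visible in these hunks, and the `#ifdef CONFIG_KSU_DEBUG` that this `#else` belongs to opens outside the hunk.

```c
static int set_expected_size(const char *val, const struct kernel_param *kp)
{
	int rv = param_set_uint(val, kp);

	if (rv)
		return rv;	/* value unchanged, nothing to report */
	pr_info("expected_manager_size set to %u\n", expected_manager_size);
	return 0;
}

static int set_expected_hash(const char *val, const struct kernel_param *kp)
{
	size_t len = strlen(val);
	size_t i;

	/* a plain `echo` into sysfs appends a newline */
	if (len > 0 && val[len - 1] == '\n')
		len--;
	if (len != SHA256_DIGEST_SIZE * 2) {
		pr_err("expected_manager_hash: invalid length %zu\n", len);
		return -EINVAL;
	}
	for (i = 0; i < len; i++) {
		if (!isxdigit(val[i])) {
			pr_err("expected_manager_hash: non-hex character at offset %zu\n", i);
			return -EINVAL;
		}
	}

	memcpy(expected_manager_hash, val, len);
	expected_manager_hash[len] = '\0';
	/* … unchanged: pr_info of the new hash and return 0 … */
}
```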
@@ -333,5 +381,13 @@ bool is_manager_apk(char *path)
 return false;
 }
- return check_v2_signature(path, EXPECTED_NEXT_SIZE, EXPECTED_NEXT_HASH);
+ // set debug info to print size and hash to kernel log
+ pr_info("%s: expected size: %u, expected hash: %s\n",
+ path, expected_manager_size, expected_manager_hash);
+
+#ifdef CONFIG_KSU_DEBUG
+ return check_v2_signature(path, EXPECTED_MANAGER_SIZE, EXPECTED_MANAGER_HASH);
+#else
+ return check_v2_signature(path, expected_manager_size, expected_manager_hash);
+#endif
 }
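Review bot: The added `pr_info` runs on every `is_manager_apk()` call that reaches it, so the candidate path and the expected hash go to the kernel log at info level for each APK checked, although the comment calls it debug output. `pr_debug`, or moving the print under `CONFIG_KSU_DEBUG`, would match the comment and keep the log quiet. The `#ifdef CONFIG_KSU_DEBUG` split around the return is also unnecessary as far as these hunks show: the setters exist only in the non-debug branch, so in debug builds the variables still hold the compile-time values. A single `return check_v2_signature(path, expected_manager_size, expected_manager_hash);` would guarantee that the values printed are the values checked. The function body starts outside the hunk.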