[PATCH 1/2] UBUNTU: [Debian] Suppress module signing for staging drivers

Tim Gardner tim.gardner at canonical.com
Tue Dec 13 18:09:51 UTC 2016


On 12/02/2016 07:34 AM, Seth Forshee wrote:
> On Wed, Nov 30, 2016 at 01:33:10PM -0700, Tim Gardner wrote:
>> BugLink: http://bugs.launchpad.net/bugs/1642368
>>
>> Prevent staging drivers from being loadable in a secure boot environment.
>>
>> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
>> ---
>>  drivers/staging/signature-inclusion | 5 +++++
>>  scripts/Makefile.modinst            | 7 +++++--
>>  2 files changed, 10 insertions(+), 2 deletions(-)
>>  create mode 100644 drivers/staging/signature-inclusion
>>
>> diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
>> new file mode 100644
>> index 0000000..c34f191
>> --- /dev/null
>> +++ b/drivers/staging/signature-inclusion
>> @@ -0,0 +1,5 @@
>> +#
>> +# This file lists the staging drivers that are safe for signing
>> +# and loading in a secure boot environment with signed module enforcement.
>> +#
>> +
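Review bot: The header comment in drivers/staging/signature-inclusion does not say what form an entry takes, and the file is created with no entries. The Makefile.modinst hunk matches each line of this file, as a whole line (egrep -x), against "$(2)/$(notdir $@)", so the comment should state whether an entry is a module file name, a path relative to the source tree, or the full destination path, and give one example line.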
>> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
>> index 07650ee..0f7b7cb 100644
>> --- a/scripts/Makefile.modinst
>> +++ b/scripts/Makefile.modinst
>> @@ -22,8 +22,11 @@ quiet_cmd_modules_install = INSTALL $@
>>      mkdir -p $(2) ; \
>>      cp $@ $(2) ; \
>>      $(mod_strip_cmd) $(2)/$(notdir $@) ; \
>> -    $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
>> -    $(mod_compress_cmd) $(2)/$(notdir $@)
>> +    if (echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/") && \
>> +	(! egrep -x "$(2)/$(notdir $@)" $(CURDIR)/drivers/staging/signature-inclusion) ; \
>> +	then echo Not signing "$(2)/$(notdir $@)"; \
>> +	else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
>> +		$(mod_compress_cmd) $(2)/$(notdir $@); fi
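Review bot: In the second egrep the destination path "$(2)/$(notdir $@)" is passed as the pattern and signature-inclusion as the input, so a staging driver is treated as listed only if a line in the file equals the full destination path, which begins with the install directory $(2). The path is also interpreted as an extended regular expression, so every "." in it matches any character. Consider a fixed-string whole-line match (grep -F -x) against something stable, such as the module's path below drivers/staging/, and add -q as on the first egrep so that matched lines are not printed into the install output. Separately, the else branch keeps $(mod_compress_cmd) chained to $(mod_sign_cmd), so a module that is not signed is also not compressed; running $(mod_compress_cmd) in the then branch as well would keep compression independent of the signing decision.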
> 
> The change here skips both module signing and compression. Shouldn't it
> skip only signing?
> 
> Although none of our configs has module compression enabled ...
> 

Is it a show stopper?

-- 
Tim Gardner tim.gardner at canonical.com
