[PATCH 1/2] UBUNTU: [Debian] Suppress module signing for staging drivers
Tim Gardner
tim.gardner at canonical.com
Tue Dec 13 19:51:11 UTC 2016
On 12/13/2016 11:20 AM, Seth Forshee wrote:
> On Tue, Dec 13, 2016 at 11:09:51AM -0700, Tim Gardner wrote:
>> On 12/02/2016 07:34 AM, Seth Forshee wrote:
>>> On Wed, Nov 30, 2016 at 01:33:10PM -0700, Tim Gardner wrote:
>>>> BugLink: http://bugs.launchpad.net/bugs/1642368
>>>>
>>>> Prevent staging drivers from being loadable in a secure boot environment.
>>>>
>>>> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
>>>> ---
>>>> drivers/staging/signature-inclusion | 5 +++++
>>>> scripts/Makefile.modinst | 7 +++++--
>>>> 2 files changed, 10 insertions(+), 2 deletions(-)
>>>> create mode 100644 drivers/staging/signature-inclusion
>>>>
>>>> diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
>>>> new file mode 100644
>>>> index 0000000..c34f191
>>>> --- /dev/null
>>>> +++ b/drivers/staging/signature-inclusion
>>>> @@ -0,0 +1,5 @@
>>>> +#
>>>> +# This file lists the staging drivers that are safe for signing
>>>> +# and loading in a secure boot environment with signed module enforcement.
>>>> +#
>>>> +
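Review bot: the header comment in the new drivers/staging/signature-inclusion file says what the list is for but not what an entry looks like. The check added to scripts/Makefile.modinst compares whole lines against "$(2)/$(notdir $@)", so the comment should state the expected form of an entry (which path, relative to what) and give one example line. Otherwise the first person adding a driver has to read the Makefile to find out.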
>>>> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
>>>> index 07650ee..0f7b7cb 100644
>>>> --- a/scripts/Makefile.modinst
>>>> +++ b/scripts/Makefile.modinst
>>>> @@ -22,8 +22,11 @@ quiet_cmd_modules_install = INSTALL $@
>>>> mkdir -p $(2) ; \
>>>> cp $@ $(2) ; \
>>>> $(mod_strip_cmd) $(2)/$(notdir $@) ; \
>>>> - $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
>>>> - $(mod_compress_cmd) $(2)/$(notdir $@)
>>>> + if (echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/") && \
>>>> + (! egrep -x "$(2)/$(notdir $@)" $(CURDIR)/drivers/staging/signature-inclusion) ; \
>>>> + then echo Not signing "$(2)/$(notdir $@)"; \
>>>> + else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
>>>> + $(mod_compress_cmd) $(2)/$(notdir $@); fi
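Review bot: in the added if condition, the second egrep takes the module path "$(2)/$(notdir $@)" as an extended regular expression and has no -q. Any dot in that path matches an arbitrary character, and a successful match prints the matching line into the install output. A fixed-string whole-line match, grep -qxF, would compare literally and quietly. The list is also looked up under $(CURDIR), which is not the source tree when building into a separate output directory; $(srctree)/drivers/staging/signature-inclusion would be found in both cases. When the file cannot be read the negated test succeeds and every staging module goes unsigned, which fails closed but shows up only as a grep error in the log.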
>>>
>>> The change here skips both module signing and compression. Shouldn't it
>>> skip only signing?
>>>
>>> Although none of our configs has module compression enabled ...
>>>
>>
>> Is it a show stopper?
>
> Not for us, like I said we aren't compressing modules anyway.
>
So that is an ACK?
--
Tim Gardner tim.gardner at canonical.com