[PATCH 1/2] UBUNTU: [Debian] Suppress module signing for staging drivers

Seth Forshee seth.forshee at canonical.com
Wed Dec 14 13:49:13 UTC 2016


On Tue, Dec 13, 2016 at 12:51:11PM -0700, Tim Gardner wrote:
> On 12/13/2016 11:20 AM, Seth Forshee wrote:
> > On Tue, Dec 13, 2016 at 11:09:51AM -0700, Tim Gardner wrote:
> >> On 12/02/2016 07:34 AM, Seth Forshee wrote:
> >>> On Wed, Nov 30, 2016 at 01:33:10PM -0700, Tim Gardner wrote:
> >>>> BugLink: http://bugs.launchpad.net/bugs/1642368
> >>>>
> >>>> Prevent staging drivers from being loadable in a secure boot environment.
> >>>>
> >>>> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> >>>> ---
> >>>>  drivers/staging/signature-inclusion | 5 +++++
> >>>>  scripts/Makefile.modinst            | 7 +++++--
> >>>>  2 files changed, 10 insertions(+), 2 deletions(-)
> >>>>  create mode 100644 drivers/staging/signature-inclusion
> >>>>
> >>>> diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
> >>>> new file mode 100644
> >>>> index 0000000..c34f191
> >>>> --- /dev/null
> >>>> +++ b/drivers/staging/signature-inclusion
> >>>> @@ -0,0 +1,5 @@
> >>>> +#
> >>>> +# This file lists the staging drivers that are safe for signing
> >>>> +# and loading in a secure boot environment with signed module enforcement.
> >>>> +#
> >>>> +
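Review bot: The header comment in signature-inclusion does not say what form an entry must take. The Makefile.modinst hunk in this patch compares each line of this file, as a whole line (egrep -x), with "$(2)/$(notdir $@)". That is the destination the module was just copied to by `cp $@ $(2)`, not a path in the source tree. The comment should state the expected form and give one example line, or the check should compare against a path relative to drivers/staging so that entries do not depend on where the modules are installed.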
> >>>> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
> >>>> index 07650ee..0f7b7cb 100644
> >>>> --- a/scripts/Makefile.modinst
> >>>> +++ b/scripts/Makefile.modinst
> >>>> @@ -22,8 +22,11 @@ quiet_cmd_modules_install = INSTALL $@
> >>>>      mkdir -p $(2) ; \
> >>>>      cp $@ $(2) ; \
> >>>>      $(mod_strip_cmd) $(2)/$(notdir $@) ; \
> >>>> -    $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
> >>>> -    $(mod_compress_cmd) $(2)/$(notdir $@)
> >>>> +    if (echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/") && \
> >>>> +	(! egrep -x "$(2)/$(notdir $@)" $(CURDIR)/drivers/staging/signature-inclusion) ; \
> >>>> +	then echo Not signing "$(2)/$(notdir $@)"; \
> >>>> +	else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
> >>>> +		$(mod_compress_cmd) $(2)/$(notdir $@); fi
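Review bot: The second egrep, in the added `(! egrep -x ...)` line, lacks -q and takes the module path as a regular expression. A module that is listed will therefore print its matching line into the install output, and characters such as "." in the path match any character instead of themselves. `grep -Fxq` gives a silent, fixed-string, whole-line comparison. Separately, $(mod_compress_cmd) now sits inside the else branch, so a module that is not signed is not compressed either. Moving the compress command after `fi` would keep signing and compression independent.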
> >>>
> >>> The change here skips both module signing and compression. Shouldn't it
> >>> skip only signing?
> >>>
> >>> Although none of our configs has module compression enabled ...
> >>>
> >>
> >> Is it a show stopper ?
> > 
> > Not for us, like I said we aren't compressing modules anyway.
> > 
> 
> So that is an ACK ?

I guess so.

Acked-by: Seth Forshee <seth.forshee at canonical.com>



