Signed module enforcement patches for

Tim Gardner tim.gardner at canonical.com
Fri Jun 17 05:37:33 UTC 2016


On 06/16/2016 05:34 PM, Mathieu Trudel-Lapierre wrote:
> On Thu, Jun 16, 2016 at 4:49 PM, Tim Gardner <tim.gardner at canonical.com> wrote:
> 
>     These patches in support of
>     (https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot)
>     have languished on this list since late April. All of the kernels have
>     been built and tested by myself and Mathieu Trudel-Lapierre. Andy
>     Whitcroft has asserted to me in private that they are difficult to
>     review and can only really be tested for functionality. Furthermore,
>     this patch set has been released in Xenial in a substantially
>     similar form.
> 
>     Therefore I propose to apply them for this SRU cycle with the
>     enforcement config option disabled. This at least exercises some of the
>     more complex code that accesses the UEFI firmware.
> 
>     git://kernel.ubuntu.com/rtg/ubuntu-trusty.git lts-backport-utopic-enforce-signed-modules
>     git://kernel.ubuntu.com/rtg/ubuntu-wily.git enforce-signed-modules
>     git://kernel.ubuntu.com/rtg/ubuntu-vivid.git enforce-signed-modules
> 
>     All opposed say Aye.
> 
> 
> Aye, provisionally.
> 
> I've tested xenial and trusty to some level of confidence; both seem to
> work correctly at least with the latest lts-* kernels where appropriate.
> I have yet to test wily and precise -- trusty and xenial did take time
> to carefully make sure you could upgrade packages within the release
> (either installing dkms packages after the SRU applied, or installing
> DKMS and then the SRU) and then upgrading to a newer release
> (trusty->xenial and xenial->yakkety). All of these are upgrade paths
> that need to continue to work.
> 
> I'm not opposed to doing the SRU for these two releases, but it does
> need to land *along* with the userland packages that allow using the
> functionality.
> 

I did mention that I was going to merge these patches with signed module
enforcement _disabled_ to begin with, didn't I?

rtg
-- 
Tim Gardner tim.gardner at canonical.com



