[PATCH 1/2] UBUNTU: [Debian] Suppress module signing for staging drivers
Tim Gardner
tim.gardner at canonical.com
Wed Nov 30 20:33:10 UTC 2016
BugLink: http://bugs.launchpad.net/bugs/1642368
Prevent staging drivers from being loadable in a secure boot environment.
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
drivers/staging/signature-inclusion | 5 +++++
scripts/Makefile.modinst | 7 +++++--
2 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 drivers/staging/signature-inclusion
diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
new file mode 100644
index 0000000..c34f191
--- /dev/null
+++ b/drivers/staging/signature-inclusion
@@ -0,0 +1,5 @@
+#
+# This file lists the staging drivers that are safe for signing
+# and loading in a secure boot environment with signed module enforcement.
+#
+
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 07650ee..0f7b7cb 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -22,8 +22,11 @@ quiet_cmd_modules_install = INSTALL $@
mkdir -p $(2) ; \
cp $@ $(2) ; \
$(mod_strip_cmd) $(2)/$(notdir $@) ; \
- $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
- $(mod_compress_cmd) $(2)/$(notdir $@)
+ if (echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/") && \
+ (! egrep -x "$(2)/$(notdir $@)" $(CURDIR)/drivers/staging/signature-inclusion) ; \
+ then echo Not signing "$(2)/$(notdir $@)"; \
+ else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
+ $(mod_compress_cmd) $(2)/$(notdir $@); fi
# Modules built outside the kernel source tree go into extra by default
INSTALL_MOD_DIR ?= extra
--
2.7.4
More information about the kernel-team
mailing list