[PATCH][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

Juerg Haefliger juerg.haefliger at canonical.com
Tue Oct 29 16:10:25 UTC 2019 

On Tue, 29 Oct 2019 08:15:25 -0500
Seth Forshee <seth.forshee at canonical.com> wrote:

> BugLink: https://bugs.launchpad.net/bugs/1850234
> 
> When adding .gnu_debuglink sections to modules we sign modules
> without regard to whether or not they were signed previously. As
> a result modules from staging which should not have been signed
> are ending up with signature. Change this to check for a module
> signature before modifying the binary, then sign the result only
> if the original module was signed.
> 
> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
> ---
>  debian/rules.d/2-binary-arch.mk | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 82e4d80e469f..2aea5e857f79 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -413,10 +413,14 @@ ifneq ($(skipdbg),true)
>  	  -name '*.ko' | while read path_module ; do \
>  		module="/lib/modules/$${path_module#*/lib/modules/}"; \
>  		if [[ -f "$(dbgpkgdir)/usr/lib/debug/$$module" ]] ; then \
> +			while IFS= read -r -d '' signature < <(tail -c 28 "$$path_module"); do \
> +				break; \
> +			done; \

I'm not a big fan of this since I don't understand why the while..do is
necessary. Also, can't we simply do 'signature=$(tail -c 28 "$$path_module")?
Yes, that drops the trailing newline but imho if we get the '~Module signature
appended~' string back then we can be fairly certain that the module is signed.

Or just let modinfo do the parsing then we don't have to read a magic number of
bytes from the end of the module:
signer=$(modinfo -F signer '$$path_module'). If the string is non-empty, the
module is signed.

>  			$(CROSS_COMPILE)objcopy \
>  				--add-gnu-debuglink=$(dbgpkgdir)/usr/lib/debug/$$module \
>  				$$path_module; \
> -			if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config; then \
> +			if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config && \
> +			   [ "$$signature" = $$'~Module signature appended~\n' ]; then \

and then
[ -n "$$signer" ]; then \

>  				$(builddir)/build-$*/scripts/sign-file $(MODHASHALGO) \
>  					$(MODSECKEY) \
>  					$(MODPUBKEY) \

...Juerg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20191029/68166ccb/attachment.sig>

More information about the kernel-team mailing list