ACK: [PATCH v2][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink
Khaled Elmously
khalid.elmously at canonical.com
Tue Oct 29 20:25:43 UTC 2019
On 2019-10-29 14:25:13 , Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1850234
>
> When adding .gnu_debuglink sections to modules we sign modules
> without regard to whether or not they were signed previously. As
> a result modules from staging which should not have been signed
> are ending up with signature. Change this to check for a module
> signature before modifying the binary, then sign the result only
> if the original module was signed.
>
> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
> ---
> debian/rules.d/2-binary-arch.mk | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 82e4d80e469f..050f867060cb 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -413,10 +413,12 @@ ifneq ($(skipdbg),true)
> -name '*.ko' | while read path_module ; do \
> module="/lib/modules/$${path_module#*/lib/modules/}"; \
> if [[ -f "$(dbgpkgdir)/usr/lib/debug/$$module" ]] ; then \
> + signer=$$(/sbin/modinfo -F signer "$$path_module"); \
> $(CROSS_COMPILE)objcopy \
> --add-gnu-debuglink=$(dbgpkgdir)/usr/lib/debug/$$module \
> $$path_module; \
> - if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config; then \
> + if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config && \
> + [ -n "$$signer" ]; then \
> $(builddir)/build-$*/scripts/sign-file $(MODHASHALGO) \
> $(MODSECKEY) \
> $(MODPUBKEY) \
Acked-by: Khalid Elmously <khalid.elmously at canonical.com>
More information about the kernel-team
mailing list