APPLIED: [bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y

Stefan Bader stefan.bader at canonical.com
Fri Feb 26 08:23:50 UTC 2021


On 18.02.21 17:17, Andy Whitcroft wrote:
> In order to support the livepatch key we need to ensure we do not allow
> that key to load modules which are not for the specific kernel.  From
> the documentation on kernel module signing:
> 
>   If you use the same private key to sign modules for multiple kernel
>   configurations, you must ensure that the module version information is
>   sufficient to prevent loading a module into a different kernel.  Either
>   set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
>   different kernel release string by changing ``EXTRAVERSION`` or
>   ``CONFIG_LOCALVERSION``.
> 
> BugLink: https://bugs.launchpad.net/bugs/1898716
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---

Now (Tim, please don't change task status without double checking) applied to
bionic:linux/master-next. While doing so, I fixed up the annotation for
CONFIG_SYSTEM_TRUSTED_KEYS for i386. Thanks.

-Stefan

>  debian.master/config/annotations          | 4 +++-
>  debian.master/config/config.common.ubuntu | 2 +-
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
> index 52fa132d2063..4f2972daee7e 100644
> --- a/debian.master/config/annotations
> +++ b/debian.master/config/annotations
> @@ -8612,9 +8612,11 @@ CONFIG_MODULES                                  policy<{'amd64': 'y', 'arm64': '
>  CONFIG_MODULE_FORCE_LOAD                        policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>  CONFIG_MODULE_UNLOAD                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  CONFIG_MODULE_FORCE_UNLOAD                      policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> -CONFIG_MODVERSIONS                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> +CONFIG_MODVERSIONS                              policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  CONFIG_MODULE_SRCVERSION_ALL                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  CONFIG_MODULE_COMPRESS                          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> +#
> +CONFIG_MODVERSIONS                              mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
>  
>  # Menu: Enable loadable module support >> Compression algorithm
>  
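Review bot: the added mark<ENFORCED> line covers only CONFIG_MODVERSIONS, but the check it protects also relies on the CONFIG_MODULE_FORCE_LOAD policy of 'n' shown as context at the top of this hunk, because force loading is the path that accepts a module without matching version information. Suggest giving CONFIG_MODULE_FORCE_LOAD its own mark<ENFORCED> with a note referencing LP:1898716, so that a later config review cannot relax it without seeing why it is tied to the shared signing key.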
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index 3ef3d8d6a2d8..f2a8b2e49b53 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>  CONFIG_MODULE_SIG_SHA512=y
>  CONFIG_MODULE_SRCVERSION_ALL=y
>  CONFIG_MODULE_UNLOAD=y
> -# CONFIG_MODVERSIONS is not set
> +CONFIG_MODVERSIONS=y
>  CONFIG_MONREADER=m
>  CONFIG_MONWRITER=m
>  CONFIG_MOST=m
> 
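Review bot: the compatibility effect of `+CONFIG_MODVERSIONS=y` is not documented. The switch is made in the common config file, so it applies to everything built from it, and it changes what a loadable module must carry: per-symbol CRCs and a vermagic string that includes modversions. The commit message gives the signing-key reason only; suggest adding a line stating that modules built against the previous configuration have to be rebuilt for this kernel.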



