APPLIED: [bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y

Stefan Bader stefan.bader at canonical.com
Mon Mar 1 08:15:39 UTC 2021


On 26.02.21 16:57, Tim Gardner wrote:
> 
> 
> On 2/26/21 1:23 AM, Stefan Bader wrote:
>> On 18.02.21 17:17, Andy Whitcroft wrote:
>>> In order to support the livepatch key we need to ensure we do not allow
>>> that key to load modules which are not for the specific kernel.  From
>>> the documentation on kernel module signing:
>>>
>>>    If you use the same private key to sign modules for multiple kernel
>>>    configurations, you must ensure that the module version information is
>>>    sufficient to prevent loading a module into a different kernel.  Either
>>>    set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
>>>    different kernel release string by changing ``EXTRAVERSION`` or
>>>    ``CONFIG_LOCALVERSION``.
>>>
>>> BugLink: https://bugs.launchpad.net/bugs/1898716
>>> Signed-off-by: Andy Whitcroft <apw at canonical.com>
>>> ---
>>
>> Now (Tim, please don't change task status without double checking) applied to
>> bionic:linux/master-next. While doing so, I fixed up the annotation for
>> CONFIG_SYSTEM_TRUSTED_KEYS for i386. Thanks.
>>
> 
> verify-release-ready complained that the bug had no entry for the package.
> Admittedly, my LP foo is a little stale and I managed to bork the original
> 'Affects' package. I guess I didn't get it restored to its previous state.
> 
> Did I do the right thing when adding linux-gcp and linux-kvm as also being
> affected? I see no other kernels there when pretty much all of the derivative
> kernels have this same patch.

Not quite but also nothing that really hurts. In general I would only mark a
derivative kernel as affected in those cases where the fix _only_ goes there.
Anything else where the change goes into the primary kernel, we do not mark up
all of its derivatives individually.

Now I wonder why verify-release-ready complained. I thought it was changed to
take this into effect. But it's hard to remember what has been done or just being
talked about doing.

-Stefan
> 
> rtg
> 
>> -Stefan
>>
>>>   debian.master/config/annotations          | 4 +++-
>>>   debian.master/config/config.common.ubuntu | 2 +-
>>>   2 files changed, 4 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
>>> index 52fa132d2063..4f2972daee7e 100644
>>> --- a/debian.master/config/annotations
>>> +++ b/debian.master/config/annotations
>>> @@ -8612,9 +8612,11 @@ CONFIG_MODULES                                 
>>> policy<{'amd64': 'y', 'arm64': '
>>>   CONFIG_MODULE_FORCE_LOAD                        policy<{'amd64': 'n',
>>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>>>   CONFIG_MODULE_UNLOAD                            policy<{'amd64': 'y',
>>> 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>>>   CONFIG_MODULE_FORCE_UNLOAD                      policy<{'amd64': 'n',
>>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>>> -CONFIG_MODVERSIONS                              policy<{'amd64': 'n',
>>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>>> +CONFIG_MODVERSIONS                              policy<{'amd64': 'y',
>>> 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>>>   CONFIG_MODULE_SRCVERSION_ALL                    policy<{'amd64': 'y',
>>> 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>>>   CONFIG_MODULE_COMPRESS                          policy<{'amd64': 'n',
>>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>>> +#
>>> +CONFIG_MODVERSIONS                              mark<ENFORCED>
>>> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
>>>     # Menu: Enable loadable module support >> Compression algorithm
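Review bot: The `mark<ENFORCED>` added at the end of this hunk pins only CONFIG_MODVERSIONS, while CONFIG_MODULE_FORCE_LOAD in the context lines above it remains a plain 'n' policy with no mark. The symbol version check that this change depends on is bypassed by a forced load when CONFIG_MODULE_FORCE_LOAD is enabled, so the protection described in the note holds only while both settings keep their current values. Consider adding a matching `mark<ENFORCED>` and a note referencing LP:1898716 for CONFIG_MODULE_FORCE_LOAD so the two are held together.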
>>>   diff --git a/debian.master/config/config.common.ubuntu
>>> b/debian.master/config/config.common.ubuntu
>>> index 3ef3d8d6a2d8..f2a8b2e49b53 100644
>>> --- a/debian.master/config/config.common.ubuntu
>>> +++ b/debian.master/config/config.common.ubuntu
>>> @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>>>   CONFIG_MODULE_SIG_SHA512=y
>>>   CONFIG_MODULE_SRCVERSION_ALL=y
>>>   CONFIG_MODULE_UNLOAD=y
>>> -# CONFIG_MODVERSIONS is not set
>>> +CONFIG_MODVERSIONS=y
>>>   CONFIG_MONREADER=m
>>>   CONFIG_MONWRITER=m
>>>   CONFIG_MOST=m
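Review bot: The commit message does not say why `CONFIG_MODVERSIONS=y` was chosen here over the other option in the documentation it quotes, a distinct kernel release string per configuration via EXTRAVERSION or CONFIG_LOCALVERSION. A sentence in the commit message recording that choice would help anyone carrying this into a derivative decide whether the config change alone is sufficient for their tree.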
>>>
>>
> 



