[SRU][J][PATCH 0/6] linux: Staging modules should be unsigned (LP: #1642368)
Juerg Haefliger
juerg.haefliger at canonical.com
Thu Dec 15 07:27:02 UTC 2022
Modules under the drivers/staging hierarchy get little attention when it comes to vulnerabilities. It is possible that memory mapping tricks that expose kernel internals would go unnoticed. Therefore, do not sign staging modules so that they cannot be loaded in a secure boot environment.
[juergh: This functionality has been disabled accidentally in impish and
subsequently fixed (and enhanced) in kinetic. Bring that back to jammy.]

Juerg Haefliger (6):
  UBUNTU: [Packaging] Move and update signature inclusion list
  UBUNTU: SAUCE: Add selective signing of staging modules
  UBUNTU: [Packaging] Add module-signature-check
  UBUNTU: [Packaging] module-signature-check: Check
    debian.<foo>/signature-inclusion
  UBUNTU: [Packaging] Introduce debian/scripts/sign-module
  UBUNTU: SAUCE: Switch to using debian/scripts/sign-module

 debian/rules.d/4-checks.mk | 9 ++-
 debian/scripts/module-signature-check | 76 +++++++++++++++++++
 debian/scripts/sign-module | 40 ++++++++++
 .../staging => debian}/signature-inclusion | 7 --
 scripts/Makefile.modinst | 8 +-
 5 files changed, 129 insertions(+), 11 deletions(-)
 create mode 100755 debian/scripts/module-signature-check
 create mode 100755 debian/scripts/sign-module
 rename {drivers/staging => debian}/signature-inclusion (73%)
--
2.34.1
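
The policy described in this cover letter can be audited on a built module tree. The following is an added example, not code from this patch series and not Ubuntu's module-signature-check script: it flags staging modules that carry a signature without being on an inclusion list, and any other module that lacks one. It assumes uncompressed .ko files and an inclusion list of module paths relative to the tree root; the function names and the sample tree are hypothetical and constructed for the example.

```python
import os
import tempfile

# Marker the kernel's signing tool appends as the last bytes of a signed module.
SIG_MAGIC = b"~Module signature appended~\n"

def is_signed(path):
    """True if the file ends with the kernel's module-signature marker."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        if size < len(SIG_MAGIC):
            return False
        f.seek(size - len(SIG_MAGIC))
        return f.read() == SIG_MAGIC

def audit(mod_root, inclusion):
    """Return sorted (relative path, problem) pairs for policy violations."""
    problems = []
    for dirpath, _, files in os.walk(mod_root):
        for name in files:
            if not name.endswith(".ko"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mod_root).replace(os.sep, "/")
            staging = rel.startswith("drivers/staging/")
            signed = is_signed(full)
            if staging and signed and rel not in inclusion:
                problems.append((rel, "staging module is signed"))
            elif not signed and (not staging or rel in inclusion):
                problems.append((rel, "module is unsigned"))
    return sorted(problems)

def demo():
    """Build a constructed module tree in a temp dir and audit it."""
    samples = {  # constructed file contents, not real kernel modules
        "drivers/net/good.ko": b"ELF" + SIG_MAGIC,
        "drivers/net/bad.ko": b"ELF",
        "drivers/staging/a/listed.ko": b"ELF" + SIG_MAGIC,
        "drivers/staging/b/leaked.ko": b"ELF" + SIG_MAGIC,
        "drivers/staging/c/plain.ko": b"ELF",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Assumed inclusion list: staging modules that are meant to be signed.
        return audit(root, {"drivers/staging/a/listed.ko"})
```

The marker check only shows that a signature was appended; whether the kernel accepts it still depends on the key and on the secure boot configuration.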