[Unstable/K][PATCH 2/2] UBUNTU: SAUCE: Add selective signing of staging modules
Juerg Haefliger
juerg.haefliger at canonical.com
Tue Jun 21 13:18:22 UTC 2022
BugLink: https://bugs.launchpad.net/bugs/1642368
'Untrusted' staging modules shouldn't be loadable in a secure boot
environment so only sign modules listed in debian/signature-inclusion.
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
---
scripts/Makefile.modinst | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index c2c43a0ecfe0..3cf4c9210fbf 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -68,8 +68,13 @@ endif
ifeq ($(CONFIG_MODULE_SIG_ALL),y)
sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
quiet_cmd_sign = SIGN $@
- cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \
- $(if $(KBUILD_EXTMOD),|| true)
+ cmd_sign = if echo "$@" | grep -qF "/drivers/staging/" && \
+ test -f $(srctree)/debian/signature-inclusion && \
+ ! grep -qFx "$(notdir $@)" $(srctree)/debian/signature-inclusion ; \
+ then echo "UBUNTU: Not signing $@" ; \
+ else scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \
+ $(if $(KBUILD_EXTMOD),|| true) ; \
+ fi
else
quiet_cmd_sign :=
cmd_sign := :
--
2.32.0
More information about the kernel-team
mailing list