[Unstable][PATCH 0/3] linux: Staging modules should be unsigned (LP: #1642368)
Juerg Haefliger
juerg.haefliger at canonical.com
Thu May 5 12:21:06 UTC 2022

Modules under the drivers/staging hierarchy get little attention when it comes
to vulnerabilities. It is possible that memory mapping tricks that expose
kernel internals would go unnoticed. Therefore, do not sign staging modules so
that they cannot be loaded in a secure boot environment.

[juergh: The above is the original bug that introduced this feature in Xenial.
We seem to have lost it in Impish probably because of breaking changes in
Makefile.modinst. So bring it back and while at it:
- Remove modules that are no longer in the staging area from the list.
- Add a check that verifies that only listed staging modules are signed.]

Juerg Haefliger (3):
  UBUNTU: SAUCE: Add selective signing of staging modules
  UBUNTU: SAUCE: Update signature inclusion list
  UBUNTU: [Packaging] Add module-signature-check

 debian/rules.d/4-checks.mk            | 10 +++-
 debian/scripts/module-signature-check | 67 +++++++++++++++++++++++++++
 drivers/staging/signature-inclusion   |  7 ---
 scripts/Makefile.modinst              |  9 +++-
 4 files changed, 83 insertions(+), 10 deletions(-)
 create mode 100755 debian/scripts/module-signature-check
--
2.32.0
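
The policy in the cover letter (only listed staging modules are signed) can be audited on an installed module tree as in this added example, which is not the debian/scripts/module-signature-check script from the series. Assumptions: the inclusion list holds one module file name per line with '#' comments, modules live under kernel/drivers/staging as uncompressed .ko files, and all function names are hypothetical.

```python
import os
import tempfile

# Trailer that the kernel's sign-file tool appends to a signed module.
MAGIC = b"~Module signature appended~\n"


def is_signed(path):
    """True if the file ends with the module signature trailer."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        if f.tell() < len(MAGIC):
            return False
        f.seek(-len(MAGIC), os.SEEK_END)
        return f.read() == MAGIC


def load_inclusion(path):
    """Assumed list format: one module file name per line, '#' comments."""
    with open(path) as f:
        lines = (line.split("#", 1)[0].strip() for line in f)
        return {name for name in lines if name}


def audit_staging(modules_root, allowed):
    """Return staging modules that are signed but not on the list."""
    staging = os.path.join(modules_root, "kernel", "drivers", "staging")
    violations = []
    for dirpath, _dirs, files in os.walk(staging):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".ko") and name not in allowed and is_signed(full):
                violations.append(os.path.relpath(full, modules_root))
    return sorted(violations)


def demo():
    """Constructed sample tree: listed, unlisted-signed and unsigned modules."""
    with tempfile.TemporaryDirectory() as root:
        staging = os.path.join(root, "kernel", "drivers", "staging", "demo")
        os.makedirs(staging)
        for name, trailer in (("listed.ko", MAGIC), ("rogue.ko", MAGIC), ("plain.ko", b"")):
            with open(os.path.join(staging, name), "wb") as f:
                f.write(b"\x7fELF constructed sample" + trailer)
        listfile = os.path.join(root, "signature-inclusion")
        with open(listfile, "w") as f:
            f.write("# constructed inclusion list\nlisted.ko\n")
        return audit_staging(root, load_inclusion(listfile))
```

A non-empty result from audit_staging() means a staging module outside the list carries a signature and would be loadable under secure boot.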