ACK/Cmnt: [Unstable][PATCH 0/3] linux: Staging modules should be unsigned (LP: #1642368)
Juerg Haefliger
juerg.haefliger at canonical.com
Fri May 6 06:13:08 UTC 2022
On Thu, 5 May 2022 08:04:39 -0600
Tim Gardner <tim.gardner at canonical.com> wrote:
> Acked-by: Tim Gardner <tim.gardner at canonical.com>
>
> The subject should be "UBUNTU: [Packaging]'. When I was doing the
> development kernel I used to use "UBUNTU: SAUCE:" to filter on code
> patches that I wanted to possibly drop.
Two of the patches modify the upstream source so IMO that warrants/mandates a
SAUCE subject. But that's debatable.
Maybe 'UBUNTU: SAUCE: [Packaging]'...
...Juerg
> rtg
>
> On 5/5/22 06:21, Juerg Haefliger wrote:
> > Modules under the drivers/staging hierarchy get little attention when it comes
> > to vulnerabilities. It is possible that memory mapping tricks that expose
> > kernel internals would go unnoticed. Therefore, do not sign staging modules so
> > that they cannot be loaded in a secure boot environment.
> >
> > [juergh: The above is the original bug that introduced this feature in Xenial.
> > We seem to have lost it in Impish probably because of breaking changes in
> > Makefile.modinst. So bring it back and while at it:
> > - Remove modules that are no longer in the staging area from the list.
> > - Add a check that verifies that only listed staging modules are signed.]
> >
> > Juerg Haefliger (3):
> > UBUNTU: SAUCE: Add selective signing of staging modules
> > UBUNTU: SAUCE: Update signature inclusion list
> > UBUNTU: [Packaging] Add module-signature-check
> >
> > debian/rules.d/4-checks.mk | 10 +++-
> > debian/scripts/module-signature-check | 67 +++++++++++++++++++++++++++
> > drivers/staging/signature-inclusion | 7 ---
> > scripts/Makefile.modinst | 9 +++-
> > 4 files changed, 83 insertions(+), 10 deletions(-)
> > create mode 100755 debian/scripts/module-signature-check
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20220506/7c917e55/attachment.sig>
More information about the kernel-team
mailing list