ACK/Cmnt: [Unstable][PATCH 0/3] linux: Staging modules should be unsigned (LP: #1642368)

Tim Gardner tim.gardner at canonical.com
Fri May 6 11:31:23 UTC 2022



On 5/6/22 02:37, Juerg Haefliger wrote:
> On Fri, 6 May 2022 08:13:08 +0200
> Juerg Haefliger <juerg.haefliger at canonical.com> wrote:
> 
>> On Thu, 5 May 2022 08:04:39 -0600
>> Tim Gardner <tim.gardner at canonical.com> wrote:
>>
>>> Acked-by: Tim Gardner <tim.gardner at canonical.com>
>>>
>>> The subject should be "UBUNTU: [Packaging]". When I was doing the
>>> development kernel I used to use "UBUNTU: SAUCE:" to filter on code
>>> patches that I wanted to possibly drop.
>>
>> Two of the patches modify the upstream source so IMO that warrants/mandates a
>> SAUCE subject. But that's debatable.
>>
>> Maybe 'UBUNTU: SAUCE: [Packaging]'...
> 
> And maybe a cleaner implementation would be to drop the SAUCE patches
> altogether, let the kernel makefile sign everything and then strip the
> signatures from 'untrusted' staging drivers during package build.
> 
> ...Juerg
> 
> 

That is not a bad idea. It is less intrusive on upstream code.

rtg

>> ...Juerg
>>
>>
>>> rtg
>>>
>>> On 5/5/22 06:21, Juerg Haefliger wrote:
>>>> Modules under the drivers/staging hierarchy get little attention when it comes
>>>> to vulnerabilities. It is possible that memory mapping tricks that expose
>>>> kernel internals would go unnoticed. Therefore, do not sign staging modules so
>>>> that they cannot be loaded in a secure boot environment.
>>>>
>>>> [juergh: The above is the original bug that introduced this feature in Xenial.
>>>>    We seem to have lost it in Impish probably because of breaking changes in
>>>>    Makefile.modinst. So bring it back and while at it:
>>>>     - Remove modules that are no longer in the staging area from the list.
>>>>     - Add a check that verifies that only listed staging modules are signed.]
>>>>
>>>> Juerg Haefliger (3):
>>>>     UBUNTU: SAUCE: Add selective signing of staging modules
>>>>     UBUNTU: SAUCE: Update signature inclusion list
>>>>     UBUNTU: [Packaging] Add module-signature-check
>>>>
>>>>    debian/rules.d/4-checks.mk            | 10 +++-
>>>>    debian/scripts/module-signature-check | 67 +++++++++++++++++++++++++++
>>>>    drivers/staging/signature-inclusion   |  7 ---
>>>>    scripts/Makefile.modinst              |  9 +++-
>>>>    4 files changed, 83 insertions(+), 10 deletions(-)
>>>>    create mode 100755 debian/scripts/module-signature-check
>>>>      
>>>    
>>
> 

-- 
-----------
Tim Gardner
Canonical, Inc
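
The alternative raised in this thread (sign every module, strip the signature from unlisted staging modules at package build, then verify the result) depends on recognising the kernel's appended-signature trailer. The Python below is an added example, not the code of debian/scripts/module-signature-check or any of the patches; it assumes the inclusion list holds one module file name per entry, and the module paths and byte contents are constructed placeholders.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # marker the kernel looks for at EOF
SIG_INFO = struct.Struct(">BBBBB3xI")     # struct module_signature (12 bytes)

def trailer_len(blob: bytes) -> int:
    """Size of the appended signature trailer in bytes, 0 if unsigned."""
    if not blob.endswith(MAGIC):
        return 0
    end = len(blob) - len(MAGIC)
    if end < SIG_INFO.size:
        raise ValueError("truncated module_signature struct")
    *_, signer_len, key_id_len, sig_len = SIG_INFO.unpack_from(blob, end - SIG_INFO.size)
    total = sig_len + signer_len + key_id_len + SIG_INFO.size + len(MAGIC)
    if total > len(blob):
        raise ValueError("signature length exceeds module size")
    return total

def strip_signature(blob: bytes) -> bytes:
    """Return the module image without its signature trailer."""
    return blob[:len(blob) - trailer_len(blob)]

def is_unlisted_staging(path: str, inclusion: set) -> bool:
    return "/drivers/staging/" in path and path.rsplit("/", 1)[-1] not in inclusion

def enforce(modules: dict, inclusion: set) -> dict:
    """Strip signatures from staging modules that are not on the list."""
    return {p: strip_signature(b) if is_unlisted_staging(p, inclusion) else b
            for p, b in modules.items()}

def violations(modules: dict, inclusion: set) -> list:
    """Staging modules that are still signed although not on the list."""
    return sorted(p for p, b in modules.items()
                  if is_unlisted_staging(p, inclusion) and trailer_len(b))

def fake_signed(body: bytes, sig: bytes) -> bytes:
    """Constructed input: body + placeholder signature + trailer (id_type 2 = PKCS#7)."""
    return body + sig + SIG_INFO.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC

# Constructed module tree; names and contents are placeholders.
SAMPLE = {
    "kernel/drivers/staging/listed/listed.ko": fake_signed(b"\x7fELF-a", b"S" * 64),
    "kernel/drivers/staging/other/other.ko": fake_signed(b"\x7fELF-b", b"S" * 64),
    "kernel/drivers/net/nic.ko": fake_signed(b"\x7fELF-c", b"S" * 64),
}
INCLUSION = {"listed.ko"}
if __name__ == "__main__":
    print("before:", violations(SAMPLE, INCLUSION))
    print("after: ", violations(enforce(SAMPLE, INCLUSION), INCLUSION))
```
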


