ACK: [Unstable][PATCH v2 0/3] linux: Staging modules should be unsigned (LP: #1642368)

[Tim Gardner]

Acked-by: Tim Gardner <tim.gardner at canonical.com>

On 5/9/22 08:25, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
> 
> [juergh: The above is the original bug that introduced this feature in Xenial.
>   We seem to have lost it in Impish probably because of breaking changes in
>   Makefile.modinst. So bring it back and while at it:
>    - Remove modules that are no longer in the staging area from the list.
>    - Add a check that verifies that only listed staging modules are signed.]
> 
> v2:
>    - Move signature-inclusion file to the debian/ directory to keep the source
>      tree clean.
>    - Strip signatures from unlisted staging drivers in a build rule rather than
>      modifying the upstream Makefile to not sign them.
> 
> Juerg Haefliger (3):
>    UBUNTU: [Packaging] Move and update signature inclusion list
>    UBUNTU: [Packaging] Strip signatures from untrusted staging modules
>    UBUNTU: [Packaging] Add module-signature-check
> 
>   debian/rules.d/2-binary-arch.mk               | 11 +++
>   debian/rules.d/4-checks.mk                    | 10 ++-
>   debian/scripts/module-signature-check         | 67 +++++++++++++++++++
>   .../staging => debian}/signature-inclusion    |  7 --
>   4 files changed, 87 insertions(+), 8 deletions(-)
>   create mode 100755 debian/scripts/module-signature-check
>   rename {drivers/staging => debian}/signature-inclusion (73%)
> 

-- 
-----------
Tim Gardner
Canonical, Inc