ACK: [Unstable][PATCH v2 0/3] linux: Staging modules should be unsigned (LP: #1642368)

Tim Gardner tim.gardner at canonical.com
Mon May 9 17:32:33 UTC 2022


Acked-by: Tim Gardner <tim.gardner at canonical.com>

On 5/9/22 08:25, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
> 
> [juergh: The above is the original bug that introduced this feature in Xenial.
>   We seem to have lost it in Impish probably because of breaking changes in
>   Makefile.modinst. So bring it back and while at it:
>    - Remove modules that are no longer in the staging area from the list.
>    - Add a check that verifies that only listed staging modules are signed.]
> 
> v2:
>    - Move signature-inclusion file to the debian/ directory to keep the source
>      tree clean.
>    - Strip signatures from unlisted staging drivers in a build rule rather than
>      modifying the upstream Makefile to not sign them.
> 
> Juerg Haefliger (3):
>    UBUNTU: [Packaging] Move and update signature inclusion list
>    UBUNTU: [Packaging] Strip signatures from untrusted staging modules
>    UBUNTU: [Packaging] Add module-signature-check
> 
>   debian/rules.d/2-binary-arch.mk               | 11 +++
>   debian/rules.d/4-checks.mk                    | 10 ++-
>   debian/scripts/module-signature-check         | 67 +++++++++++++++++++
>   .../staging => debian}/signature-inclusion    |  7 --
>   4 files changed, 87 insertions(+), 8 deletions(-)
>   create mode 100755 debian/scripts/module-signature-check
>   rename {drivers/staging => debian}/signature-inclusion (73%)
> 

-- 
-----------
Tim Gardner
Canonical, Inc
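
The check described in the quoted cover letter (only listed staging modules may carry a signature), as an added example that is not part of this thread and is not the `debian/scripts/module-signature-check` script from the series. It assumes uncompressed `.ko` files under `kernel/drivers/staging/` and an inclusion list with one module file name per line and `#` comments, and it additionally reports listed modules that are unsigned; the function names and sample file names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Trailer that the kernel's module signing appends after the signature data.
MAGIC = b"~Module signature appended~\n"

def is_signed(path):
    """True if the file ends with the module-signature magic trailer."""
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(max(0, size - len(MAGIC)))
        return f.read() == MAGIC

def load_inclusion(path):
    """Assumed list format: one module file name per line, '#' starts a comment."""
    with open(path) as f:
        names = (line.split("#", 1)[0].strip() for line in f)
        return {n for n in names if n}

def check_tree(mod_root, inclusion):
    """Return (signed-but-unlisted, listed-but-unsigned) staging modules."""
    unexpected, missing = [], []
    staging = os.path.join(mod_root, "kernel", "drivers", "staging")
    for dirpath, _, files in os.walk(staging):
        for name in sorted(files):
            if not name.endswith(".ko"):
                continue
            signed = is_signed(os.path.join(dirpath, name))
            if signed and name not in inclusion:
                unexpected.append(name)   # violates the policy in the cover letter
            elif not signed and name in inclusion:
                missing.append(name)      # extra report, beyond the stated check
    return sorted(unexpected), sorted(missing)

def demo():
    """Build a constructed module tree (fake .ko payloads) and check it."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root, "kernel", "drivers", "staging", "demo")
        d.mkdir(parents=True)
        samples = {"listed_ok.ko": True, "listed_bad.ko": False,
                   "unlisted_ok.ko": False, "unlisted_bad.ko": True}
        for name, signed in samples.items():
            (d / name).write_bytes(b"\x7fELF" + (b"sig" + MAGIC if signed else b""))
        lst = Path(root, "signature-inclusion")
        lst.write_text("# constructed list\nlisted_ok.ko\nlisted_bad.ko  # comment\n")
        return check_tree(root, load_inclusion(lst))

if __name__ == "__main__":
    print(demo())
```

The trailer test only shows that a signature is attached, not that it verifies against a trusted key.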