APPLIED[K]: [Unstable][PATCH v2 0/3] linux: Staging modules should be unsigned (LP: #1642368)

Andrea Righi andrea.righi at canonical.com
Tue May 31 14:00:17 UTC 2022


On Mon, May 09, 2022 at 04:25:01PM +0200, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
> 
> [juergh: The above is the original bug that introduced this feature in Xenial.
>  We seem to have lost it in Impish probably because of breaking changes in
>  Makefile.modinst. So bring it back and while at it:
>   - Remove modules that are no longer in the staging area from the list.
>   - Add a check that verifies that only listed staging modules are signed.]
> 
> v2:
>   - Move signature-inclusion file to the debian/ directory to keep the source
>     tree clean.
>   - Strip signatures from unlisted staging drivers in a build rule rather than
>     modifying the upstream Makefile to not sign them.

Applied to kinetic/linux.

Thanks,
-Andrea
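
The check described in the quoted cover letter (only listed staging modules may carry a signature) can be sketched as follows. This is an added example, not part of the thread and not Ubuntu's build rule. The function names, the list format (one tree-relative `.ko` path per line) and the `signature-inclusion` file name are assumptions, and it detects only the kernel's appended signature trailer.

```shell
#!/bin/sh
# Added example: the list format and file names are assumptions.
SIG_MAGIC='~Module signature appended~'   # kernel trailer, followed by "\n"

# True if the file ends with the 28-byte module signature trailer.
# Detects the trailer only; it does not validate the signature itself.
is_signed() {
    [ "$(tail -c 28 "$1" | od -An -tx1)" = \
      "$(printf '%s\n' "$SIG_MAGIC" | od -An -tx1)" ]
}

# Print signed staging modules under tree $1 that are missing from list $2
# (one tree-relative path per line; lines starting with '#' never match).
unlisted_signed_staging() {
    [ -d "$1/drivers/staging" ] || return 0
    ( cd "$1" && find drivers/staging -type f -name '*.ko' | sort ) |
    while IFS= read -r mod; do
        is_signed "$1/$mod" || continue
        grep -qxF -- "$mod" "$2" || printf '%s\n' "$mod"
    done
}

# Constructed sample tree: fake .ko payloads, three of them with the trailer.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/drivers/staging/alpha" "$t/drivers/staging/beta" "$t/drivers/net"
    printf 'ELF\0payload\0sig%s\n' "$SIG_MAGIC" > "$t/drivers/staging/alpha/alpha.ko"
    printf 'ELF\0payload\0sig%s\n' "$SIG_MAGIC" > "$t/drivers/staging/beta/beta.ko"
    printf 'ELF\0payload\0' > "$t/drivers/staging/beta/beta_unsigned.ko"
    printf 'ELF\0payload\0sig%s\n' "$SIG_MAGIC" > "$t/drivers/net/gamma.ko"
    printf '# staging modules allowed to stay signed\n%s\n' \
        'drivers/staging/alpha/alpha.ko' > "$t/signature-inclusion"
    unlisted_signed_staging "$t" "$t/signature-inclusion"
    rm -rf "$t"
}

demo   # prints drivers/staging/beta/beta.ko
```

A build step using such a check would fail when the output is non-empty, or pass each reported path to a signature-stripping step.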


