[Unstable][PATCH v2 0/3] linux: Staging modules should be unsigned (LP: #1642368)

Dimitri John Ledkov dimitri.ledkov at canonical.com
Tue May 31 15:49:51 UTC 2022 

with these patches applied, the ddebs (debug package) staging modules
are still signed

>From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb

I don't think there is currently a tool that has ability to find &
strip digital signature only, whilst keeping the rest of the module
intact. I wonder if we need to extend sign-file or kmodsign to support
stripping the signature alone. Or do some hackish script in awk to
achieve that.

$ modinfo ./pi433/pi433.ko
filename:
/home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko
alias:          spi:pi433
license:        GPL
description:    Driver for Pi433
author:         Marcus Wolf, <linux at wolf-entwicklungen.de>
srcversion:     E6314D95D9F61FF16D934B4
alias:          of:N*T*CSmarthome-Wolf,pi433C*
alias:          of:N*T*CSmarthome-Wolf,pi433
depends:
staging:        Y
retpoline:      Y
intree:         Y
name:           pi433
vermagic:       5.18.0-6-generic SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40
sig_hashalgo:   sha512
signature:      30:C0:65:A9:FE:45:5C:B1:5A:A0:18:DF:A2:C5:A5:89:29:B2:C4:A2:
96:43:4B:F0:4D:1E:36:83:1D:C4:65:14:C1:14:A6:11:15:10:A5:9C:
A1:6B:D3:AC:49:93:BD:65:81:E9:98:12:DF:AE:EC:76:97:32:26:58:
F6:0C:3A:5C:39:C9:01:58:0F:57:E3:05:D4:FC:35:BB:64:B1:1F:E4:
AF:66:8D:29:7A:85:48:AF:15:A4:C4:E4:B5:3D:FE:83:2A:C5:31:B3:
71:50:C4:37:FF:52:F1:4A:59:B8:F5:6B:80:DA:48:4C:42:25:A2:3F:
31:F1:BC:E0:99:E2:7A:86:03:2A:55:0F:49:04:D6:52:BC:2A:8F:48:
41:CB:55:07:DC:F4:93:B6:26:47:3E:10:25:50:8C:7A:85:C5:5B:BC:
F8:D1:8D:73:A3:A3:B4:12:90:36:2F:02:48:0D:FA:E7:6E:88:57:37:
8E:6E:E0:45:CA:73:C0:EA:27:59:11:D2:AE:A8:EC:38:FF:65:2D:42:
54:3E:0B:BE:00:06:DA:77:D0:E9:B1:B0:BD:01:BA:1B:49:95:E0:85:
9F:F5:53:4E:D9:54:7C:9C:C0:A5:A1:E2:B5:EA:29:11:7D:7B:37:1C:
92:F6:7D:4B:81:CA:83:FA:B4:8C:F9:CC:68:8B:B7:B7:D0:A2:5B:8D:
3A:D5:88:66:B6:DB:D9:FE:16:4E:E7:B9:00:7D:8F:72:61:8B:E7:1F:
00:D3:1C:25:D8:F7:E0:0A:C8:A2:F5:18:03:2B:8E:76:33:3E:7E:4B:
28:A0:4C:36:2B:E2:8F:66:48:FE:3D:0F:59:46:21:AC:DA:EF:7A:FD:
C7:C6:4C:89:EC:28:F2:BB:4B:8A:96:CA:FF:73:C7:48:8A:3E:20:D4:
C8:A2:5D:94:A1:14:D7:93:02:3A:6F:45:88:9B:DF:FD:33:1A:AB:CF:
DB:9D:3A:B7:08:89:A5:29:5A:BC:63:1A:5B:1D:1D:7A:0E:C0:38:78:
02:F1:D0:0B:8D:21:19:31:6F:72:E2:71:49:D3:41:5B:8A:10:C1:90:
09:48:41:3B:3F:F5:08:DB:87:CD:5C:48:80:DE:39:B6:FB:26:17:AE:
57:6F:22:EE:3F:27:28:AE:BB:9B:7B:CC:C7:B5:EB:68:13:3B:51:DD:
3A:9F:7F:A0:8D:4E:DF:A4:5F:AE:B6:84:B9:E6:D1:DF:D8:75:94:01:
EA:AE:37:20:6B:F6:C6:51:AD:C4:32:68:2E:D1:99:F8:6C:0D:FB:7D:
A8:A0:06:5C:84:F9:DA:91:DF:2F:AF:88:CA:5A:C1:32:D7:A3:20:6B:
72:D7:CC:E5:17:F9:52:EF:42:50:38:F7

-- 
okurrr,

Dimitri

On Mon, 9 May 2022 at 15:25, Juerg Haefliger
<juerg.haefliger at canonical.com> wrote:
>
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
>
> [juergh: The above is the original bug that introduced this feature in Xenial.
>  We seem to have lost it in Impish probably because of breaking changes in
>  Makefile.modinst. So bring it back and while at it:
>   - Remove modules that are no longer in the staging area from the list.
>   - Add a check that verifies that only listed staging modules are signed.]
>
> v2:
>   - Move signature-inclusion file to the debian/ directory to keep the source
>     tree clean.
>   - Strip signatures from unlisted staging drivers in a build rule rather than
>     modifying the upstream Makefile to not sign them.
>
> Juerg Haefliger (3):
>   UBUNTU: [Packaging] Move and update signature inclusion list
>   UBUNTU: [Packaging] Strip signatures from untrusted staging modules
>   UBUNTU: [Packaging] Add module-signature-check
>
>  debian/rules.d/2-binary-arch.mk               | 11 +++
>  debian/rules.d/4-checks.mk                    | 10 ++-
>  debian/scripts/module-signature-check         | 67 +++++++++++++++++++
>  .../staging => debian}/signature-inclusion    |  7 --
>  4 files changed, 87 insertions(+), 8 deletions(-)
>  create mode 100755 debian/scripts/module-signature-check
>  rename {drivers/staging => debian}/signature-inclusion (73%)
>
> --
> 2.32.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

More information about the kernel-team mailing list