ACK/Cmnt: [SRU][J][PATCH 0/6] linux: Staging modules should be unsigned (LP: #1642368)
Stefan Bader
stefan.bader at canonical.com
Thu Feb 2 09:03:18 UTC 2023
On 15.12.22 08:27, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes to vulnerabilities. It is possible that memory mapping tricks that expose kernel internals would go unnoticed. Therefore, do not sign staging modules so that they cannot be loaded in a secure boot environment.
>
> [juergh: This functionality has been disable accidentially in impish and
> subsequently fixed (and enhanced) in kintetic. Bring that back to jammy.]
>
> Juerg Haefliger (6):
> UBUNTU: [Packaging] Move and update signature inclusion list
> UBUNTU: SAUCE: Add selective signing of staging modules
> UBUNTU: [Packaging] Add module-signature-check
> UBUNTU: [Packaging] module-signature-check: Check
> debian.<foo>/signature-inclusion
> UBUNTU: [Packaging] Introduce debian/scripts/sign-module
> UBUNTU: SAUCE: Switch to using debian/scripts/sign-module
>
> debian/rules.d/4-checks.mk | 9 ++-
> debian/scripts/module-signature-check | 76 +++++++++++++++++++
> debian/scripts/sign-module | 40 ++++++++++
> .../staging => debian}/signature-inclusion | 7 --
> scripts/Makefile.modinst | 8 +-
> 5 files changed, 129 insertions(+), 11 deletions(-)
> create mode 100755 debian/scripts/module-signature-check
> create mode 100755 debian/scripts/sign-module
> rename {drivers/staging => debian}/signature-inclusion (73%)
>
Sorry, too much other noise. So with confirmation that what gets dropped was
reviewed and that we should be past 22.04.2 when this would be applied first
time (to give some time to shake out the issues).
Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230202/3df1b006/attachment.sig>
More information about the kernel-team
mailing list