ACK: [SRU][J][PATCH 0/6] linux: Staging modules should be unsigned (LP: #1642368)

Luke Nowakowski-Krijger luke.nowakowskikrijger at canonical.com
Thu Mar 9 20:10:12 UTC 2023


A little bit of a late review but..

Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger at canonical.com>

On Wed, Dec 14, 2022 at 11:28 PM Juerg Haefliger <
juerg.haefliger at canonical.com> wrote:

> Modules under the drivers/staging hierarchy get little attention when it
> comes to vulnerabilities. It is possible that memory mapping tricks that
> expose kernel internals would go unnoticed. Therefore, do not sign staging
> modules so that they cannot be loaded in a secure boot environment.
>
> [juergh: This functionality has been disabled accidentally in impish and
>  subsequently fixed (and enhanced) in kinetic. Bring that back to jammy.]
>
> Juerg Haefliger (6):
>   UBUNTU: [Packaging] Move and update signature inclusion list
>   UBUNTU: SAUCE: Add selective signing of staging modules
>   UBUNTU: [Packaging] Add module-signature-check
>   UBUNTU: [Packaging] module-signature-check: Check
>     debian.<foo>/signature-inclusion
>   UBUNTU: [Packaging] Introduce debian/scripts/sign-module
>   UBUNTU: SAUCE: Switch to using debian/scripts/sign-module
>
>  debian/rules.d/4-checks.mk                    |  9 ++-
>  debian/scripts/module-signature-check         | 76 +++++++++++++++++++
>  debian/scripts/sign-module                    | 40 ++++++++++
>  .../staging => debian}/signature-inclusion    |  7 --
>  scripts/Makefile.modinst                      |  8 +-
>  5 files changed, 129 insertions(+), 11 deletions(-)
>  create mode 100755 debian/scripts/module-signature-check
>  create mode 100755 debian/scripts/sign-module
>  rename {drivers/staging => debian}/signature-inclusion (73%)
>
> --
> 2.34.1
>
>
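
The policy described in the cover letter can be audited on a built module tree by looking for the trailer that a signed module carries. The sketch below is an added example, not the series' debian/scripts/module-signature-check and not code from the patches. Assumptions: modules are uncompressed `.ko` files, the inclusion list holds one module file name per line with `#` comments, and the three policy messages and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

MAGIC = b"~Module signature appended~\n"  # trailer written by scripts/sign-file

def is_signed(path):
    """True if the file ends with the module-signature trailer."""
    return Path(path).read_bytes().endswith(MAGIC)

def load_inclusion(path):
    """Assumed list format: one module file name per line, '#' comments."""
    text = Path(path).read_text()
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return {ln for ln in lines if ln}

def check_tree(root, inclusion):
    """Return (relative path, problem) pairs that break the assumed policy."""
    problems = []
    for ko in sorted(Path(root).rglob("*.ko")):
        rel = ko.relative_to(root).as_posix()
        staging = "/drivers/staging/" in "/" + rel
        signed = is_signed(ko)
        if staging and signed and ko.name not in inclusion:
            problems.append((rel, "staging module is signed but not listed"))
        elif staging and not signed and ko.name in inclusion:
            problems.append((rel, "listed staging module is unsigned"))
        elif not staging and not signed:
            problems.append((rel, "non-staging module is unsigned"))
    return problems

def demo():
    tree = {  # constructed names and contents, not real modules: path -> signed?
        "drivers/net/bare.ko": False,
        "drivers/staging/a/listed.ko": True,
        "drivers/staging/a/plain.ko": False,
        "drivers/staging/b/leak.ko": True,
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "kernel")
        for rel, signed in tree.items():
            ko = root / rel
            ko.parent.mkdir(parents=True, exist_ok=True)
            ko.write_bytes(b"\x7fELF" + (MAGIC if signed else b""))
        incl = Path(tmp, "signature-inclusion")
        incl.write_text("# constructed list\nlisted.ko\n")
        return check_tree(root, load_inclusion(incl))

if __name__ == "__main__":
    print(*("%s: %s" % p for p in demo()), sep="\n")
```

The trailer check only shows that a signature was appended; whether the kernel accepts it still depends on the signing key being trusted at load time.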