APPLIED: [bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y
Tim Gardner
tim.gardner at canonical.com
Fri Feb 26 15:57:05 UTC 2021
On 2/26/21 1:23 AM, Stefan Bader wrote:
> On 18.02.21 17:17, Andy Whitcroft wrote:
>> In order to support the livepatch key we need to ensure we do not allow
>> that key to load modules which are not for the specific kernel. From
>> the documentation on kernel module signing:
>>
>> If you use the same private key to sign modules for multiple kernel
>> configurations, you must ensure that the module version information is
>> sufficient to prevent loading a module into a different kernel. Either
>> set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
>> different kernel release string by changing ``EXTRAVERSION`` or
>> ``CONFIG_LOCALVERSION``.
>>
>> BugLink: https://bugs.launchpad.net/bugs/1898716
>> Signed-off-by: Andy Whitcroft <apw at canonical.com>
>> ---
>
> Now (Tim, please don't change task status without double checking) applied to
> bionic:linux/master-next. While doing so, I fixed up the annotation for
> CONFIG_SYSTEM_TRUSTED_KEYS for i386. Thanks.
>
verify-release-ready complained that the bug had no entry for the
package. Admittedly, my LP foo is a little stale and I managed to bork
the original 'Affects' package. I guess I didn't get it restored to its
previous state.
Did I do the right thing when adding linux-gcp and linux-kvm as also
being affected? I see no other kernels there when pretty much all of
the derivative kernels have this same patch.
rtg
> -Stefan
>
>> debian.master/config/annotations | 4 +++-
>> debian.master/config/config.common.ubuntu | 2 +-
>> 2 files changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
>> index 52fa132d2063..4f2972daee7e 100644
>> --- a/debian.master/config/annotations
>> +++ b/debian.master/config/annotations
>> @@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': '
>> CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>> +#
>> +CONFIG_MODVERSIONS mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
>>
>> # Menu: Enable loadable module support >> Compression algorithm
>>
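Review bot: only CONFIG_MODVERSIONS receives mark<ENFORCED> in this hunk, yet the protection it documents also depends on CONFIG_MODULE_FORCE_LOAD staying 'n' (the first context line of the hunk), because forced loading is the option that admits a module without its version information being checked. Consider giving CONFIG_MODULE_FORCE_LOAD the same mark<ENFORCED> with a note<LP:1898716 ...> so the dependency is recorded next to the setting it protects. The note text also says "livepatch/drivers modules signing key" while the commit message only mentions the livepatch key; aligning the two would avoid confusion.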
>> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
>> index 3ef3d8d6a2d8..f2a8b2e49b53 100644
>> --- a/debian.master/config/config.common.ubuntu
>> +++ b/debian.master/config/config.common.ubuntu
>> @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>> CONFIG_MODULE_SIG_SHA512=y
>> CONFIG_MODULE_SRCVERSION_ALL=y
>> CONFIG_MODULE_UNLOAD=y
>> -# CONFIG_MODVERSIONS is not set
>> +CONFIG_MODVERSIONS=y
>> CONFIG_MONREADER=m
>> CONFIG_MONWRITER=m
>> CONFIG_MOST=m
>>
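Review bot: the commit message quotes two alternatives from the module-signing documentation (CONFIG_MODVERSIONS=y, or a distinct release string per configuration) but does not say why the first was chosen. Since `+CONFIG_MODVERSIONS=y` lands in config.common.ubuntu and so applies to every configuration built from that file, a sentence of rationale in the changelog would help whoever revisits this setting later.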
>
--
-----------
Tim Gardner
Canonical, Inc
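The consistency this patch depends on, between the per-architecture policy in the annotations file and the value in the config file, can be checked mechanically. The following is an added example, not code from this thread or from Ubuntu's kernel tooling; the function names and the trimmed two-architecture sample input are assumptions constructed for illustration, using the line formats visible in the patch.

```python
import ast
import re
# Constructed sample input in the annotation and config formats quoted in the patch.
ANNOTATIONS = """\
CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'i386': 'n'}>
CONFIG_MODVERSIONS policy<{'amd64': 'y', 'i386': 'y'}>
CONFIG_MODVERSIONS mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
"""
CONFIG_BEFORE = """\
# CONFIG_MODULE_FORCE_LOAD is not set
# CONFIG_MODVERSIONS is not set
"""
CONFIG_AFTER = CONFIG_BEFORE.replace("# CONFIG_MODVERSIONS is not set", "CONFIG_MODVERSIONS=y")

def parse_annotations(text):
    """Return ({option: {arch: value}}, {options carrying mark<ENFORCED>})."""
    policies, enforced = {}, set()
    for line in text.splitlines():
        m = re.match(r"(CONFIG_\w+)\s+(.*)", line)
        pol = m and re.search(r"policy<(\{.*?\})>", m.group(2))
        if pol:
            policies[m.group(1)] = ast.literal_eval(pol.group(1))
        if m and "mark<ENFORCED>" in m.group(2):
            enforced.add(m.group(1))
    return policies, enforced

def parse_config(text):
    """Map option -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"(CONFIG_\w+)=(.*)", line) or re.match(r"# (CONFIG_\w+) is not set", line)
        if m:
            values[m.group(1)] = m.group(2).strip('"') if m.lastindex == 2 else "n"
    return values

def violations(annotations, config, arch):
    """List (option, expected, actual, enforced) where the config breaks policy."""
    policies, enforced = parse_annotations(annotations)
    values = parse_config(config)
    out = []
    for option, per_arch in sorted(policies.items()):
        expected = per_arch.get(arch)
        actual = values.get(option, "n")  # assumption: an absent option counts as 'n'
        if expected is not None and expected != actual:
            out.append((option, expected, actual, option in enforced))
    return out

if __name__ == "__main__":
    print(violations(ANNOTATIONS, CONFIG_BEFORE, "amd64"), violations(ANNOTATIONS, CONFIG_AFTER, "amd64"))
```

Run against the pre-patch config, the check reports CONFIG_MODVERSIONS as an enforced option set to the wrong value; against the post-patch config it reports nothing.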