[SRU][J][PATCH 2/6] UBUNTU: SAUCE: Add selective signing of staging modules
Juerg Haefliger
juerg.haefliger at canonical.com
Thu Dec 15 07:27:04 UTC 2022
BugLink: https://bugs.launchpad.net/bugs/1642368
'Untrusted' staging modules shouldn't be loadable in a secure boot
environment, so only sign the modules listed in debian/signature-inclusion.
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
Signed-off-by: Andrea Righi <andrea.righi at canonical.com>
(backported from commit 8a710945c14997b8298882972fb47827441a3231 kinetic:linux)
[juergh: Adjust for missing $(sig-key) variable.]
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
---
scripts/Makefile.modinst | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index ff9b09e4cfca..be46537e4cc8 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -68,8 +68,13 @@ endif
ifeq ($(CONFIG_MODULE_SIG_ALL),y)
quiet_cmd_sign = SIGN $@
$(eval $(call config_filename,MODULE_SIG_KEY))
- cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509 $@ \
- $(if $(KBUILD_EXTMOD),|| true)
+ cmd_sign = if echo "$@" | grep -qF "/drivers/staging/" && \
+ test -f $(srctree)/debian/signature-inclusion && \
+ ! grep -qFx "$(notdir $@)" $(srctree)/debian/signature-inclusion ; \
+ then echo "UBUNTU: Not signing $@" ; \
+ else scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY) certs/signing_key.x509 $@ \
+ $(if $(KBUILD_EXTMOD),|| true) ; \
+ fi
else
quiet_cmd_sign :=
cmd_sign := :
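Review bot: The new cmd_sign is fail-open when the allowlist is absent: if `test -f $(srctree)/debian/signature-inclusion` fails, the condition is false and every staging module falls through to the sign branch, so a missing or misnamed file silently signs all of them with no message, whereas the intent stated in the description is that unlisted staging modules stay unsigned. If that default is deliberate, document it above the rule with something like `# Staging modules are signed only when listed (one <name>.ko per line, exact match) in $(srctree)/debian/signature-inclusion; if that file is absent, all staging modules are signed.` so that the trust boundary is visible to the next reader. The staging test is a substring match on the whole `$@` path, so an external-module build whose KBUILD_EXTMOD path happens to contain `/drivers/staging/` would presumably also be filtered — worth a note if that is not intended. Quoting the file path, `"$(srctree)/debian/signature-inclusion"`, on the `test -f` and `grep` lines would keep the recipe robust if srctree ever contains shell metacharacters.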
--
2.34.1