[Unstable][PATCH 1/3] UBUNTU: SAUCE: Add selective signing of staging modules

[Juerg Haefliger]

BugLink: https://bugs.launchpad.net/bugs/1642368

'Untrusted' staging modules shouldn't be loadable in a secure boot
environment so only sign modules listed in
drivers/staging/signature-inclusion.

Signed-off-by: Juerg Haefliger <juergh at canonical.com>
---
 scripts/Makefile.modinst | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index c2c43a0ecfe0..f206a2d8ac1d 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -68,8 +68,13 @@ endif
 ifeq ($(CONFIG_MODULE_SIG_ALL),y)
 sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
 quiet_cmd_sign = SIGN    $@
-      cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \
-                 $(if $(KBUILD_EXTMOD),|| true)
+      cmd_sign = if echo "$@" | grep -qF "/drivers/staging/" && \
+                    test -f $(srctree)/drivers/staging/signature-inclusion && \
+                    ! grep -qFx "$(notdir $@)" $(srctree)/drivers/staging/signature-inclusion ; \
+                 then echo "UBUNTU: Not signing $@" ; \
+                 else scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \
+                      $(if $(KBUILD_EXTMOD),|| true) ; \
+                 fi
 else
 quiet_cmd_sign :=
       cmd_sign := :
-- 
2.32.0