ACK/Cmnt: [Unstable][PATCH 0/3] linux: Staging modules should be unsigned (LP: #1642368)
Tim Gardner
tim.gardner at canonical.com
Thu May 5 14:04:39 UTC 2022
Acked-by: Tim Gardner <tim.gardner at canonical.com>
The subject should be "UBUNTU: [Packaging]". When I was doing the
development kernel I used to use "UBUNTU: SAUCE:" to filter on code
patches that I wanted to possibly drop.
rtg
On 5/5/22 06:21, Juerg Haefliger wrote:
> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
>
> [juergh: The above is the original bug that introduced this feature in Xenial.
> We seem to have lost it in Impish probably because of breaking changes in
> Makefile.modinst. So bring it back and while at it:
> - Remove modules that are no longer in the staging area from the list.
> - Add a check that verifies that only listed staging modules are signed.]
>
> Juerg Haefliger (3):
> UBUNTU: SAUCE: Add selective signing of staging modules
> UBUNTU: SAUCE: Update signature inclusion list
> UBUNTU: [Packaging] Add module-signature-check
>
> debian/rules.d/4-checks.mk | 10 +++-
> debian/scripts/module-signature-check | 67 +++++++++++++++++++++++++++
> drivers/staging/signature-inclusion | 7 ---
> scripts/Makefile.modinst | 9 +++-
> 4 files changed, 83 insertions(+), 10 deletions(-)
> create mode 100755 debian/scripts/module-signature-check
>
--
-----------
Tim Gardner
Canonical, Inc
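
The check described in the quoted cover letter (only listed staging modules may be signed), as an added sketch that is not the debian/scripts/module-signature-check from the series. It assumes uncompressed .ko files and an inclusion list with one module file name per line and '#' comments; it detects the appended-signature trailer only and does not verify the signature itself.

```python
import os
import tempfile
from pathlib import Path

# Trailer appended to a signed module (MODULE_SIG_STRING in the kernel source).
SIG_MAGIC = b"~Module signature appended~\n"

def is_signed(path):
    """True if an uncompressed .ko file ends with the signature trailer."""
    with open(path, "rb") as f:
        if f.seek(0, os.SEEK_END) < len(SIG_MAGIC):
            return False
        f.seek(-len(SIG_MAGIC), os.SEEK_END)
        return f.read() == SIG_MAGIC

def load_inclusion_list(path):
    """Assumed format: one module file name per line, '#' starts a comment."""
    lines = (l.split("#", 1)[0].strip() for l in Path(path).read_text().splitlines())
    return {l for l in lines if l}

def check_staging(staging_dir, allowed):
    """Return (signed but not listed, listed but unsigned) module names."""
    unexpected, missing = [], []
    for ko in sorted(Path(staging_dir).rglob("*.ko")):
        signed = is_signed(ko)
        if signed and ko.name not in allowed:
            unexpected.append(ko.name)
        elif not signed and ko.name in allowed:
            missing.append(ko.name)
    return unexpected, missing

def demo():
    """Run the check over a constructed tree (sample files, not real modules)."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp, "kernel/drivers/staging/foo")
        staging.mkdir(parents=True)
        signed, unsigned = b"\x7fELF-body" + SIG_MAGIC, b"\x7fELF-body"
        (staging / "listed_ok.ko").write_bytes(signed)
        (staging / "listed_bad.ko").write_bytes(unsigned)
        (staging / "stray.ko").write_bytes(signed)
        (staging / "plain.ko").write_bytes(unsigned)
        incl = Path(tmp, "signature-inclusion")
        incl.write_text("# constructed list\nlisted_ok.ko\nlisted_bad.ko\n")
        return check_staging(staging.parent, load_inclusion_list(incl))

if __name__ == "__main__":
    print(demo())
```

A non-empty first list is the policy violation the cover letter is concerned with: a staging module that carries a signature without being on the inclusion list.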