ACK/Cmnt: [Unstable][PATCH 0/3] linux: Staging modules should be unsigned (LP: #1642368)

Juerg Haefliger juerg.haefliger at canonical.com
Fri May 6 08:37:39 UTC 2022


On Fri, 6 May 2022 08:13:08 +0200
Juerg Haefliger <juerg.haefliger at canonical.com> wrote:

> On Thu, 5 May 2022 08:04:39 -0600
> Tim Gardner <tim.gardner at canonical.com> wrote:
> 
> > Acked-by: Tim Gardner <tim.gardner at canonical.com>
> > 
> > The subject should be "UBUNTU: [Packaging]". When I was doing the 
> > development kernel I used to use "UBUNTU: SAUCE:" to filter on code 
> > patches that I wanted to possibly drop.  
> 
> Two of the patches modify the upstream source so IMO that warrants/mandates a
> SAUCE subject. But that's debatable.
> 
> Maybe 'UBUNTU: SAUCE: [Packaging]'...

And maybe a cleaner implementation would be to drop the SAUCE patches
altogether, let the kernel makefile sign everything and then strip the
signatures from 'untrusted' staging drivers during package build.

...Juerg


> ...Juerg
> 
> 
> > rtg
> > 
> > On 5/5/22 06:21, Juerg Haefliger wrote:  
> > > Modules under the drivers/staging hierarchy get little attention when it comes
> > > to vulnerabilities. It is possible that memory mapping tricks that expose
> > > kernel internals would go unnoticed. Therefore, do not sign staging modules so
> > > that they cannot be loaded in a secure boot environment.
> > > 
> > > [juergh: The above is the original bug that introduced this feature in Xenial.
> > >   We seem to have lost it in Impish probably because of breaking changes in
> > >   Makefile.modinst. So bring it back and while at it:
> > >    - Remove modules that are no longer in the staging area from the list.
> > >    - Add a check that verifies that only listed staging modules are signed.]
> > > 
> > > Juerg Haefliger (3):
> > >    UBUNTU: SAUCE: Add selective signing of staging modules
> > >    UBUNTU: SAUCE: Update signature inclusion list
> > >    UBUNTU: [Packaging] Add module-signature-check
> > > 
> > >   debian/rules.d/4-checks.mk            | 10 +++-
> > >   debian/scripts/module-signature-check | 67 +++++++++++++++++++++++++++
> > >   drivers/staging/signature-inclusion   |  7 ---
> > >   scripts/Makefile.modinst              |  9 +++-
> > >   4 files changed, 83 insertions(+), 10 deletions(-)
> > >   create mode 100755 debian/scripts/module-signature-check
> > >     
> >   
> 
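
The two ideas in this thread (stripping signatures from staging modules at package build, and checking that only listed staging modules stay signed), as an added example that is not part of the original message or of the Ubuntu packaging scripts. It relies on the kernel's appended-signature layout (signature bytes, a 12-byte `struct module_signature` with big-endian `sig_len`, then the magic string); the function names, the sample paths and the inclusion-list format (a set of module paths) are assumptions.

```python
import struct

# Trailer the kernel looks for at the very end of a signed .ko file.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes in total).
SIG_INFO = struct.Struct(">BBBBB3xI")

def signature_span(blob):
    """Return the size in bytes of the appended signature, or 0 if unsigned."""
    if not blob.endswith(MAGIC):
        return 0
    info_off = len(blob) - len(MAGIC) - SIG_INFO.size
    if info_off < 0:
        raise ValueError("truncated signature trailer")
    *_, sig_len = SIG_INFO.unpack_from(blob, info_off)
    if sig_len > info_off:
        raise ValueError("sig_len exceeds module size")
    return sig_len + SIG_INFO.size + len(MAGIC)

def strip_signature(blob):
    """Return the module bytes without the appended signature."""
    span = signature_span(blob)
    return blob[:len(blob) - span] if span else blob

def unlisted_signed_staging(modules, inclusion):
    """modules maps path -> bytes; return signed staging modules not on the list."""
    return sorted(path for path, blob in modules.items()
                  if path.startswith("drivers/staging/")
                  and path not in inclusion
                  and signature_span(blob))

def fake_signed(body, sig=b"\x00" * 8):
    """Constructed sample: body + dummy signature + info block + magic."""
    return body + sig + SIG_INFO.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC

if __name__ == "__main__":
    body = b"\x7fELF-constructed-module-body"
    modules = {  # constructed paths, not real Ubuntu module names
        "drivers/staging/listed/listed.ko": fake_signed(body),
        "drivers/staging/unlisted/unlisted.ko": fake_signed(body),
        "drivers/net/other/other.ko": fake_signed(body),
    }
    inclusion = {"drivers/staging/listed/listed.ko"}
    for path in unlisted_signed_staging(modules, inclusion):
        modules[path] = strip_signature(modules[path])
        print("stripped:", path)
    assert not unlisted_signed_staging(modules, inclusion)
```

A stripped module fails signature verification, so a kernel that enforces module signatures refuses to load it, which is the outcome the cover letter asks for under secure boot.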
