NACK: [Unstable][PATCH 0/3] linux: Staging modules should be unsigned (LP: #1642368)

Juerg Haefliger juerg.haefliger at canonical.com
Mon May 9 07:16:39 UTC 2022


Will send a v2 without SAUCE patches.

...Juerg


> Modules under the drivers/staging hierarchy get little attention when it comes
> to vulnerabilities. It is possible that memory mapping tricks that expose
> kernel internals would go unnoticed. Therefore, do not sign staging modules so
> that they cannot be loaded in a secure boot environment.
> 
> [juergh: The above is the original bug that introduced this feature in Xenial.
>  We seem to have lost it in Impish probably because of breaking changes in
>  Makefile.modinst. So bring it back and while at it:
>   - Remove modules that are no longer in the staging area from the list.
>   - Add a check that verifies that only listed staging modules are signed.]
> 
> Juerg Haefliger (3):
>   UBUNTU: SAUCE: Add selective signing of staging modules
>   UBUNTU: SAUCE: Update signature inclusion list
>   UBUNTU: [Packaging] Add module-signature-check
> 
>  debian/rules.d/4-checks.mk            | 10 +++-
>  debian/scripts/module-signature-check | 67 +++++++++++++++++++++++++++
>  drivers/staging/signature-inclusion   |  7 ---
>  scripts/Makefile.modinst              |  9 +++-
>  4 files changed, 83 insertions(+), 10 deletions(-)
>  create mode 100755 debian/scripts/module-signature-check
> 
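
The check the quoted cover letter describes (only staging modules on the inclusion list may be signed) can be sketched as follows. This is an added example, not the `debian/scripts/module-signature-check` script from the patch series. The list format (one module file name per line), the `kernel/drivers/staging` layout of the installed tree, and all function and sample file names are assumptions.

```python
import tempfile
from pathlib import Path

# Trailer the kernel's sign-file tool appends to a signed module (MODULE_SIG_STRING).
MODULE_SIG_MAGIC = b"~Module signature appended~\n"

def is_signed(path):
    """True if the uncompressed .ko carries the trailer (presence only, not validity)."""
    return Path(path).read_bytes().endswith(MODULE_SIG_MAGIC)

def load_inclusion_list(path):
    """Assumed format: one module file name per line, '#' starts a comment."""
    names = (line.split("#", 1)[0].strip() for line in Path(path).read_text().splitlines())
    return {n for n in names if n}

def check_staging(modules_root, inclusion_file):
    """Return (signed_but_unlisted, listed_but_unsigned) for staging modules."""
    allowed = load_inclusion_list(inclusion_file)
    staging = Path(modules_root) / "kernel" / "drivers" / "staging"  # assumed layout
    unexpected, missing = [], []
    for ko in staging.rglob("*.ko"):  # compressed modules need decompressing first
        signed = is_signed(ko)
        if signed and ko.name not in allowed:
            unexpected.append(ko.name)
        elif not signed and ko.name in allowed:
            missing.append(ko.name)
    return sorted(unexpected), sorted(missing)

def demo():
    """Run the check over a constructed tree of fake .ko payloads."""
    with tempfile.TemporaryDirectory() as root:
        staging = Path(root) / "kernel" / "drivers" / "staging" / "demo"
        staging.mkdir(parents=True)
        samples = {"in_signed.ko": True, "in_plain.ko": False,
                   "out_signed.ko": True, "out_plain.ko": False}
        for name, signed in samples.items():
            body = b"\x7fELF constructed payload"
            (staging / name).write_bytes(body + (MODULE_SIG_MAGIC if signed else b""))
        inclusion = Path(root) / "signature-inclusion"
        inclusion.write_text("# constructed list\nin_signed.ko\nin_plain.ko\n")
        return check_staging(root, inclusion)

if __name__ == "__main__":
    unexpected, missing = demo()
    print("signed but not listed:", unexpected)
    print("listed but not signed:", missing)
```

A packaging check built this way would fail the build when the first list is non-empty, since that is the case where a staging module outside the list could be loaded under secure boot.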
