[Unstable][PATCH v2 2/3] UBUNTU: [Packaging] Strip signatures from untrusted staging modules
Juerg Haefliger
juerg.haefliger at canonical.com
Mon May 9 14:25:03 UTC 2022
BugLink: https://bugs.launchpad.net/bugs/1642368
'Untrusted' staging modules shouldn't be loadable in a secure boot
environment so strip the signatures from staging modules that are not
listed in debian/signature-inclusion.
Signed-off-by: Juerg Haefliger <juergh at canonical.com>
---
debian/rules.d/2-binary-arch.mk | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index c4906036ceb8..6e3456cfce81 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -189,6 +189,17 @@ endif
INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=$(pkgdir)/ \
INSTALL_FW_PATH=$(pkgdir)/lib/firmware/$(abi_release)-$*
+ # Strip signatures from 'untrusted' staging modules.
+ # Use --strip-debug per comments in scripts/Makefile.modinst.
+ if [ -f "$(DROOT)"/signature-inclusion ] ; then \
+ find "$(pkgdir)" -path '*/drivers/staging/*.ko' | while IFS= read -r mod ; do \
+ if ! grep -qFx "$${mod##*/}" "$(DROOT)"/signature-inclusion ; then \
+ echo "UBUNTU: Strip $${mod}" ; \
+ $(CROSS_COMPILE)strip --strip-debug "$${mod}" ; \
+ fi ; \
+ done ; \
+ fi
+
#
# Build module blacklists:
# - blacklist all watchdog drivers (LP:1432837)
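Review bot: A failure of `$(CROSS_COMPILE)strip --strip-debug "$${mod}"` inside the `while` loop does not stop the build, so a staging module that is not listed in debian/signature-inclusion can end up in the package with its signature still attached. The loop's exit status reflects only the last iteration, so any earlier failure is lost; appending `|| exit 1` to the strip line would exit the loop's subshell and make the recipe fail closed. Two things are also worth stating in the comment block: the `grep -qFx "$${mod##*/}"` test matches on the bare file name, so entries in signature-inclusion have to be exact module file names with no directory component, and when the file is absent the `[ -f ... ]` guard skips the whole step, so no signatures are stripped at all.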
--
2.32.0