[Xenial,SRU] UBUNTU: [Debian] Suppress module signing for staging drivers

Message ID 1479326685-18582-1-git-send-email-tim.gardner@canonical.com
State New

Commit Message

Tim Gardner Nov. 16, 2016, 8:04 p.m. UTC
BugLink: http://bugs.launchpad.net/bugs/1642368

Prevent staging drivers from being loadable in a secure boot environment.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 scripts/Makefile.modinst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Stefan Bader Nov. 21, 2016, 10:23 a.m. UTC | #1
On 16.11.2016 21:04, Tim Gardner wrote:
> BugLink: http://bugs.launchpad.net/bugs/1642368
> 
> Prevent staging drivers from being loadable in a secure boot environment.

Hm, while I can see the reasoning from a security point of view, there are
several network/wireless drivers under staging which might be required for
laptops which in turn are most likely to have secure boot turned on. Isn't the
risk of regression just too high for SRU?

-Stefan

> 
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
>  scripts/Makefile.modinst | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
> index 07650ee..c03a32b 100644
> --- a/scripts/Makefile.modinst
> +++ b/scripts/Makefile.modinst
> @@ -22,8 +22,10 @@ quiet_cmd_modules_install = INSTALL $@
>      mkdir -p $(2) ; \
>      cp $@ $(2) ; \
>      $(mod_strip_cmd) $(2)/$(notdir $@) ; \
> -    $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
> -    $(mod_compress_cmd) $(2)/$(notdir $@)
> +    if echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/" ; \
> +	then echo Not signing "$(2)/$(notdir $@)"; \
> +	else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
> +		$(mod_compress_cmd) $(2)/$(notdir $@); fi
>  
>  # Modules built outside the kernel source tree go into extra by default
>  INSTALL_MOD_DIR ?= extra
>
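
Review bot: the test on the first added line greps the install destination, `$(2)/$(notdir $@)`, for `/drivers/staging/`, so the signing decision depends on where `$(2)` points rather than on the module being installed; a destination prefix that happens to contain that directory sequence would leave every module unsigned without any error. Matching against `$@`, the file being copied, would tie the check to the module itself. The escaped slashes are not needed in an extended regular expression, and a shell `case` pattern would avoid an `echo | egrep` pipeline per module.
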
Robert Hooker Nov. 22, 2016, 8:43 a.m. UTC | #2
On Mon, Nov 21, 2016 at 5:23 AM, Stefan Bader
<stefan.bader@canonical.com> wrote:
> On 16.11.2016 21:04, Tim Gardner wrote:
>> BugLink: http://bugs.launchpad.net/bugs/1642368
>>
>> Prevent staging drivers from being loadable in a secure boot environment.
>
> Hm, while I can see the reasoning from a security point of view, there are
> several network/wireless drivers under staging which might be required for
> laptops which in turn are most likely to have secure boot turned on. Isn't the
> risk of regression just too high for SRU?
>
> -Stefan
>
>>
>> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
>> ---
>>  scripts/Makefile.modinst | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
>> index 07650ee..c03a32b 100644
>> --- a/scripts/Makefile.modinst
>> +++ b/scripts/Makefile.modinst
>> @@ -22,8 +22,10 @@ quiet_cmd_modules_install = INSTALL $@
>>      mkdir -p $(2) ; \
>>      cp $@ $(2) ; \
>>      $(mod_strip_cmd) $(2)/$(notdir $@) ; \
>> -    $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
>> -    $(mod_compress_cmd) $(2)/$(notdir $@)
>> +    if echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/" ; \
>> +     then echo Not signing "$(2)/$(notdir $@)"; \
>> +     else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
>> +             $(mod_compress_cmd) $(2)/$(notdir $@); fi
>>
>>  # Modules built outside the kernel source tree go into extra by default
>>  INSTALL_MOD_DIR ?= extra
>>
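
Review bot: the `then` branch skips signing for everything under `drivers/staging/` with no way to exempt an individual module, and nothing in the added lines records why. A per-module list consulted at this point would let reviewed drivers keep their signature, and a comment above the rule stating that unsigned staging modules are meant to be refused under secure boot would explain the `Not signing` message to whoever next edits this recipe. That message is also printed by a bare `echo` inside a `quiet_cmd_` rule, so it appears regardless of build verbosity.
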
>
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

This seems crazy to me, especially for a SRU. It will disable using
the majority of the usb wifi dongles out there and confuse people when
they stop working on their laptops. Just my opinion, take it as you
will.
Tim Gardner Nov. 30, 2016, 8:33 p.m. UTC | #3
v2 - Added a signature inclusion list to selectively sign staging modules that have been
examined and deemed trustworthy.

[PATCH 1/2] UBUNTU: [Debian] Suppress module signing for staging drivers
[PATCH 2/2] UBUNTU: SAUCE: Add rtl drivers to signature inclusion list

rtg
Brad Figg Dec. 12, 2016, 7:25 p.m. UTC | #4

Luis Henriques Dec. 14, 2016, 2:02 p.m. UTC | #5
Applied to xenial master-next branch.

Cheers,
--
Luís

Patch

diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 07650ee..c03a32b 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -22,8 +22,10 @@  quiet_cmd_modules_install = INSTALL $@
     mkdir -p $(2) ; \
     cp $@ $(2) ; \
     $(mod_strip_cmd) $(2)/$(notdir $@) ; \
-    $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
-    $(mod_compress_cmd) $(2)/$(notdir $@)
+    if echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/" ; \
+	then echo Not signing "$(2)/$(notdir $@)"; \
+	else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
+		$(mod_compress_cmd) $(2)/$(notdir $@); fi
 
 # Modules built outside the kernel source tree go into extra by default
 INSTALL_MOD_DIR ?= extra
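
Review bot: `$(mod_compress_cmd)` now sits inside the `else` branch, so a module matching `/drivers/staging/` is neither signed nor compressed, whereas before the change compression ran for every module whose signing step succeeded. If only signing is meant to be suppressed, close the conditional before the compress step, for example `...; fi && $(mod_compress_cmd) $(2)/$(notdir $@)`, so staging modules are installed in the same form as all the others.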