From patchwork Thu Feb 18 16:17:49 2021
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 1441749
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Subject: [focal:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y
Date: Thu, 18 Feb 2021 16:17:49 +0000
Message-Id: <20210218161754.1840146-4-apw@canonical.com>
In-Reply-To: <20210218161754.1840146-1-apw@canonical.com>
References: <20210218161754.1840146-1-apw@canonical.com>
Cc: Andy Whitcroft

In order to support the livepatch key we need to ensure we do not allow
that key to load modules which are not for the specific kernel. From the
documentation on kernel module signing:

    If you use the same private key to sign modules for multiple kernel
    configurations, you must ensure that the module version information is
    sufficient to prevent loading a module into a different kernel. Either
    set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
    different kernel release string by changing ``EXTRAVERSION`` or
    ``CONFIG_LOCALVERSION``.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft
---
 debian.master/config/annotations | 4 +++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations index bd4777ed7aed..9ab7828ccdd7 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations
@@ -9625,11 +9625,13 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_UNUSED_SYMBOLS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> +# +CONFIG_MODVERSIONS mark note # Menu: Enable loadable module support >> Compression algorithm diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 22664a115f51..0d2f337b2010 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -5821,7 +5821,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y -# CONFIG_MODVERSIONS is not set +CONFIG_MODVERSIONS=y CONFIG_MONREADER=m CONFIG_MONWRITER=m CONFIG_MOST=m
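
Review bot: In the debian.master/config/annotations hunk, the entry added after CONFIG_UNUSED_SYMBOLS reads `CONFIG_MODVERSIONS mark note` with no visible value for either field, so the reason for the new policy is not recorded next to the option. Suggest that the note carry the BugLink from the commit message (bug 1898716) and the shared-signing-key rationale, so a later config review does not set the option back to 'n'. The protection also relies on CONFIG_MODULE_FORCE_LOAD staying 'n', as the context line at the top of the hunk shows, because forced loading lets modules without version information load; worth stating that dependency in the note as well.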
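
Review bot: The `CONFIG_MODVERSIONS=y` line in the debian.master/config/config.common.ubuntu hunk applies to every architecture that shares this common file, while the commit message motivates the change only by the livepatch key. The quoted documentation offers two options (CONFIG_MODVERSIONS=y, or a distinct kernel release string per configuration); suggest the message state why the first was chosen over the second and that the global scope is intended.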