| Message ID | 20220509142504.493925-1-juergh@canonical.com |
|---|---|
| Headers | show |
| Series | linux: Staging modules should be unsigned (LP: #1642368) | expand |
Acked-by: Tim Gardner <tim.gardner@canonical.com> On 5/9/22 08:25, Juerg Haefliger wrote: > Modules under the drivers/staging hierarchy get little attention when it comes > to vulnerabilities. It is possible that memory mapping tricks that expose > kernel internals would go unnoticed. Therefore, do not sign staging modules so > that they cannot be loaded in a secure boot environment. > > [juergh: The above is the original bug that introduced this feature in Xenial. > We seem to have lost it in Impish probably because of breaking changes in > Makefile.modinst. So bring it back and while at it: > - Remove modules that are no longer in the staging area from the list. > - Add a check that verifies that only listed staging modules are signed.] > > v2: > - Move signature-inclusion file to the debian/ directory to keep the source > tree clean. > - Strip signatures from unlisted staging drivers in a build rule rather than > modifying the upstream Makefile to not sign them. > > Juerg Haefliger (3): > UBUNTU: [Packaging] Move and update signature inclusion list > UBUNTU: [Packaging] Strip signatures from untrusted staging modules > UBUNTU: [Packaging] Add module-signature-check > > debian/rules.d/2-binary-arch.mk | 11 +++ > debian/rules.d/4-checks.mk | 10 ++- > debian/scripts/module-signature-check | 67 +++++++++++++++++++ > .../staging => debian}/signature-inclusion | 7 -- > 4 files changed, 87 insertions(+), 8 deletions(-) > create mode 100755 debian/scripts/module-signature-check > rename {drivers/staging => debian}/signature-inclusion (73%) >
On Mon, May 09, 2022 at 04:25:01PM +0200, Juerg Haefliger wrote: > Modules under the drivers/staging hierarchy get little attention when it comes > to vulnerabilities. It is possible that memory mapping tricks that expose > kernel internals would go unnoticed. Therefore, do not sign staging modules so > that they cannot be loaded in a secure boot environment. > > [juergh: The above is the original bug that introduced this feature in Xenial. > We seem to have lost it in Impish probably because of breaking changes in > Makefile.modinst. So bring it back and while at it: > - Remove modules that are no longer in the staging area from the list. > - Add a check that verifies that only listed staging modules are signed.] > > v2: > - Move signature-inclusion file to the debian/ directory to keep the source > tree clean. > - Strip signatures from unlisted staging drivers in a build rule rather than > modifying the upstream Makefile to not sign them. Makes sense to me, I haven't checked if all the scripts and packaging is 100% correct, but I think we can apply it to unstable / kinetic and see how things are looking during the next rebuild. Therefore: Acked-by: Andrea Righi <andrea.righi@canonical.com>
On Mon, May 09, 2022 at 04:25:01PM +0200, Juerg Haefliger wrote: > Modules under the drivers/staging hierarchy get little attention when it comes > to vulnerabilities. It is possible that memory mapping tricks that expose > kernel internals would go unnoticed. Therefore, do not sign staging modules so > that they cannot be loaded in a secure boot environment. > > [juergh: The above is the original bug that introduced this feature in Xenial. > We seem to have lost it in Impish probably because of breaking changes in > Makefile.modinst. So bring it back and while at it: > - Remove modules that are no longer in the staging area from the list. > - Add a check that verifies that only listed staging modules are signed.] > > v2: > - Move signature-inclusion file to the debian/ directory to keep the source > tree clean. > - Strip signatures from unlisted staging drivers in a build rule rather than > modifying the upstream Makefile to not sign them. Applied to kinetic/linux. Thanks, -Andrea
with these patches applied, the ddebs (debug package) staging modules are still signed From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb I don't think there is currently a tool that has ability to find & strip digital signature only, whilst keeping the rest of the module intact. I wonder if we need to extend sign-file or kmodsign to support stripping the signature alone. Or do some hackish script in awk to achieve that. $ modinfo ./pi433/pi433.ko filename: /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko alias: spi:pi433 license: GPL description: Driver for Pi433 author: Marcus Wolf, <linux@wolf-entwicklungen.de> srcversion: E6314D95D9F61FF16D934B4 alias: of:N*T*CSmarthome-Wolf,pi433C* alias: of:N*T*CSmarthome-Wolf,pi433 depends: staging: Y retpoline: Y intree: Y name: pi433 vermagic: 5.18.0-6-generic SMP preempt mod_unload modversions sig_id: PKCS#7 signer: Build time autogenerated kernel key sig_key: 66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40 sig_hashalgo: sha512 signature: 30:C0:65:A9:FE:45:5C:B1:5A:A0:18:DF:A2:C5:A5:89:29:B2:C4:A2: 96:43:4B:F0:4D:1E:36:83:1D:C4:65:14:C1:14:A6:11:15:10:A5:9C: A1:6B:D3:AC:49:93:BD:65:81:E9:98:12:DF:AE:EC:76:97:32:26:58: F6:0C:3A:5C:39:C9:01:58:0F:57:E3:05:D4:FC:35:BB:64:B1:1F:E4: AF:66:8D:29:7A:85:48:AF:15:A4:C4:E4:B5:3D:FE:83:2A:C5:31:B3: 71:50:C4:37:FF:52:F1:4A:59:B8:F5:6B:80:DA:48:4C:42:25:A2:3F: 31:F1:BC:E0:99:E2:7A:86:03:2A:55:0F:49:04:D6:52:BC:2A:8F:48: 41:CB:55:07:DC:F4:93:B6:26:47:3E:10:25:50:8C:7A:85:C5:5B:BC: F8:D1:8D:73:A3:A3:B4:12:90:36:2F:02:48:0D:FA:E7:6E:88:57:37: 8E:6E:E0:45:CA:73:C0:EA:27:59:11:D2:AE:A8:EC:38:FF:65:2D:42: 54:3E:0B:BE:00:06:DA:77:D0:E9:B1:B0:BD:01:BA:1B:49:95:E0:85: 9F:F5:53:4E:D9:54:7C:9C:C0:A5:A1:E2:B5:EA:29:11:7D:7B:37:1C: 92:F6:7D:4B:81:CA:83:FA:B4:8C:F9:CC:68:8B:B7:B7:D0:A2:5B:8D: 3A:D5:88:66:B6:DB:D9:FE:16:4E:E7:B9:00:7D:8F:72:61:8B:E7:1F: 00:D3:1C:25:D8:F7:E0:0A:C8:A2:F5:18:03:2B:8E:76:33:3E:7E:4B: 28:A0:4C:36:2B:E2:8F:66:48:FE:3D:0F:59:46:21:AC:DA:EF:7A:FD: C7:C6:4C:89:EC:28:F2:BB:4B:8A:96:CA:FF:73:C7:48:8A:3E:20:D4: C8:A2:5D:94:A1:14:D7:93:02:3A:6F:45:88:9B:DF:FD:33:1A:AB:CF: DB:9D:3A:B7:08:89:A5:29:5A:BC:63:1A:5B:1D:1D:7A:0E:C0:38:78: 02:F1:D0:0B:8D:21:19:31:6F:72:E2:71:49:D3:41:5B:8A:10:C1:90: 09:48:41:3B:3F:F5:08:DB:87:CD:5C:48:80:DE:39:B6:FB:26:17:AE: 57:6F:22:EE:3F:27:28:AE:BB:9B:7B:CC:C7:B5:EB:68:13:3B:51:DD: 3A:9F:7F:A0:8D:4E:DF:A4:5F:AE:B6:84:B9:E6:D1:DF:D8:75:94:01: EA:AE:37:20:6B:F6:C6:51:AD:C4:32:68:2E:D1:99:F8:6C:0D:FB:7D: A8:A0:06:5C:84:F9:DA:91:DF:2F:AF:88:CA:5A:C1:32:D7:A3:20:6B: 72:D7:CC:E5:17:F9:52:EF:42:50:38:F7
On Tue, 31 May 2022 16:49:51 +0100 Dimitri John Ledkov <dimitri.ledkov@canonical.com> wrote: > with these patches applied, the ddebs (debug package) staging modules > are still signed Rats. > From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb > > I don't think there is currently a tool that has ability to find & > strip digital signature only, whilst keeping the rest of the module > intact. I wonder if we need to extend sign-file or kmodsign to support > stripping the signature alone. Or do some hackish script in awk to > achieve that. Probably best to go back to the original approach of modifying the upstream Makefile snippet and only sign explicitly listed modules. But I don't like the inclusion file in the source tree. How about keeping that in the debian/ directory? ...Juerg > $ modinfo ./pi433/pi433.ko > filename: > /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko > alias: spi:pi433 > license: GPL > description: Driver for Pi433 > author: Marcus Wolf, <linux@wolf-entwicklungen.de> > srcversion: E6314D95D9F61FF16D934B4 > alias: of:N*T*CSmarthome-Wolf,pi433C* > alias: of:N*T*CSmarthome-Wolf,pi433 > depends: > staging: Y > retpoline: Y > intree: Y > name: pi433 > vermagic: 5.18.0-6-generic SMP preempt mod_unload modversions > sig_id: PKCS#7 > signer: Build time autogenerated kernel key > sig_key: 66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40 > sig_hashalgo: sha512 > signature: 30:C0:65:A9:FE:45:5C:B1:5A:A0:18:DF:A2:C5:A5:89:29:B2:C4:A2: > 96:43:4B:F0:4D:1E:36:83:1D:C4:65:14:C1:14:A6:11:15:10:A5:9C: > A1:6B:D3:AC:49:93:BD:65:81:E9:98:12:DF:AE:EC:76:97:32:26:58: > F6:0C:3A:5C:39:C9:01:58:0F:57:E3:05:D4:FC:35:BB:64:B1:1F:E4: > AF:66:8D:29:7A:85:48:AF:15:A4:C4:E4:B5:3D:FE:83:2A:C5:31:B3: > 71:50:C4:37:FF:52:F1:4A:59:B8:F5:6B:80:DA:48:4C:42:25:A2:3F: > 31:F1:BC:E0:99:E2:7A:86:03:2A:55:0F:49:04:D6:52:BC:2A:8F:48: > 41:CB:55:07:DC:F4:93:B6:26:47:3E:10:25:50:8C:7A:85:C5:5B:BC: > F8:D1:8D:73:A3:A3:B4:12:90:36:2F:02:48:0D:FA:E7:6E:88:57:37: > 8E:6E:E0:45:CA:73:C0:EA:27:59:11:D2:AE:A8:EC:38:FF:65:2D:42: > 54:3E:0B:BE:00:06:DA:77:D0:E9:B1:B0:BD:01:BA:1B:49:95:E0:85: > 9F:F5:53:4E:D9:54:7C:9C:C0:A5:A1:E2:B5:EA:29:11:7D:7B:37:1C: > 92:F6:7D:4B:81:CA:83:FA:B4:8C:F9:CC:68:8B:B7:B7:D0:A2:5B:8D: > 3A:D5:88:66:B6:DB:D9:FE:16:4E:E7:B9:00:7D:8F:72:61:8B:E7:1F: > 00:D3:1C:25:D8:F7:E0:0A:C8:A2:F5:18:03:2B:8E:76:33:3E:7E:4B: > 28:A0:4C:36:2B:E2:8F:66:48:FE:3D:0F:59:46:21:AC:DA:EF:7A:FD: > C7:C6:4C:89:EC:28:F2:BB:4B:8A:96:CA:FF:73:C7:48:8A:3E:20:D4: > C8:A2:5D:94:A1:14:D7:93:02:3A:6F:45:88:9B:DF:FD:33:1A:AB:CF: > DB:9D:3A:B7:08:89:A5:29:5A:BC:63:1A:5B:1D:1D:7A:0E:C0:38:78: > 02:F1:D0:0B:8D:21:19:31:6F:72:E2:71:49:D3:41:5B:8A:10:C1:90: > 09:48:41:3B:3F:F5:08:DB:87:CD:5C:48:80:DE:39:B6:FB:26:17:AE: > 57:6F:22:EE:3F:27:28:AE:BB:9B:7B:CC:C7:B5:EB:68:13:3B:51:DD: > 3A:9F:7F:A0:8D:4E:DF:A4:5F:AE:B6:84:B9:E6:D1:DF:D8:75:94:01: > EA:AE:37:20:6B:F6:C6:51:AD:C4:32:68:2E:D1:99:F8:6C:0D:FB:7D: > A8:A0:06:5C:84:F9:DA:91:DF:2F:AF:88:CA:5A:C1:32:D7:A3:20:6B: > 72:D7:CC:E5:17:F9:52:EF:42:50:38:F7 >
On Thu, 2 Jun 2022 08:51:50 +0200 Juerg Haefliger <juerg.haefliger@canonical.com> wrote: > On Tue, 31 May 2022 16:49:51 +0100 > Dimitri John Ledkov <dimitri.ledkov@canonical.com> wrote: > > > with these patches applied, the ddebs (debug package) staging modules > > are still signed > > Rats. > > > From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb > > > > I don't think there is currently a tool that has ability to find & > > strip digital signature only, whilst keeping the rest of the module > > intact. I wonder if we need to extend sign-file or kmodsign to support > > stripping the signature alone. Or do some hackish script in awk to > > achieve that. > > Probably best to go back to the original approach of modifying the upstream > Makefile snippet and only sign explicitly listed modules. But I don't like the > inclusion file in the source tree. How about keeping that in the debian/ > directory? Oh maybe not possible since the source (without debian/) gets rsynced someplace else for the build? > ...Juerg > > > > $ modinfo ./pi433/pi433.ko > > filename: > > /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko > > alias: spi:pi433 > > license: GPL > > description: Driver for Pi433 > > author: Marcus Wolf, <linux@wolf-entwicklungen.de> > > srcversion: E6314D95D9F61FF16D934B4 > > alias: of:N*T*CSmarthome-Wolf,pi433C* > > alias: of:N*T*CSmarthome-Wolf,pi433 > > depends: > > staging: Y > > retpoline: Y > > intree: Y > > name: pi433 > > vermagic: 5.18.0-6-generic SMP preempt mod_unload modversions > > sig_id: PKCS#7 > > signer: Build time autogenerated kernel key > > sig_key: 66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40 > > sig_hashalgo: sha512 > > signature: 30:C0:65:A9:FE:45:5C:B1:5A:A0:18:DF:A2:C5:A5:89:29:B2:C4:A2: > > 96:43:4B:F0:4D:1E:36:83:1D:C4:65:14:C1:14:A6:11:15:10:A5:9C: > > A1:6B:D3:AC:49:93:BD:65:81:E9:98:12:DF:AE:EC:76:97:32:26:58: > > F6:0C:3A:5C:39:C9:01:58:0F:57:E3:05:D4:FC:35:BB:64:B1:1F:E4: > > AF:66:8D:29:7A:85:48:AF:15:A4:C4:E4:B5:3D:FE:83:2A:C5:31:B3: > > 71:50:C4:37:FF:52:F1:4A:59:B8:F5:6B:80:DA:48:4C:42:25:A2:3F: > > 31:F1:BC:E0:99:E2:7A:86:03:2A:55:0F:49:04:D6:52:BC:2A:8F:48: > > 41:CB:55:07:DC:F4:93:B6:26:47:3E:10:25:50:8C:7A:85:C5:5B:BC: > > F8:D1:8D:73:A3:A3:B4:12:90:36:2F:02:48:0D:FA:E7:6E:88:57:37: > > 8E:6E:E0:45:CA:73:C0:EA:27:59:11:D2:AE:A8:EC:38:FF:65:2D:42: > > 54:3E:0B:BE:00:06:DA:77:D0:E9:B1:B0:BD:01:BA:1B:49:95:E0:85: > > 9F:F5:53:4E:D9:54:7C:9C:C0:A5:A1:E2:B5:EA:29:11:7D:7B:37:1C: > > 92:F6:7D:4B:81:CA:83:FA:B4:8C:F9:CC:68:8B:B7:B7:D0:A2:5B:8D: > > 3A:D5:88:66:B6:DB:D9:FE:16:4E:E7:B9:00:7D:8F:72:61:8B:E7:1F: > > 00:D3:1C:25:D8:F7:E0:0A:C8:A2:F5:18:03:2B:8E:76:33:3E:7E:4B: > > 28:A0:4C:36:2B:E2:8F:66:48:FE:3D:0F:59:46:21:AC:DA:EF:7A:FD: > > C7:C6:4C:89:EC:28:F2:BB:4B:8A:96:CA:FF:73:C7:48:8A:3E:20:D4: > > C8:A2:5D:94:A1:14:D7:93:02:3A:6F:45:88:9B:DF:FD:33:1A:AB:CF: > > DB:9D:3A:B7:08:89:A5:29:5A:BC:63:1A:5B:1D:1D:7A:0E:C0:38:78: > > 02:F1:D0:0B:8D:21:19:31:6F:72:E2:71:49:D3:41:5B:8A:10:C1:90: > > 09:48:41:3B:3F:F5:08:DB:87:CD:5C:48:80:DE:39:B6:FB:26:17:AE: > > 57:6F:22:EE:3F:27:28:AE:BB:9B:7B:CC:C7:B5:EB:68:13:3B:51:DD: > > 3A:9F:7F:A0:8D:4E:DF:A4:5F:AE:B6:84:B9:E6:D1:DF:D8:75:94:01: > > EA:AE:37:20:6B:F6:C6:51:AD:C4:32:68:2E:D1:99:F8:6C:0D:FB:7D: > > A8:A0:06:5C:84:F9:DA:91:DF:2F:AF:88:CA:5A:C1:32:D7:A3:20:6B: > > 72:D7:CC:E5:17:F9:52:EF:42:50:38:F7 > > >
Everything should still know where the root of the source tree is, even during out of tree builds. And although it is a layering violation, it does seem appropriate to keep the list in Debian/ dir. Separately I will try to work on a sign-file / kmodsign tool to strip signatures from kernel modules. On Thu, 2 Jun 2022, 07:55 Juerg Haefliger, <juerg.haefliger@canonical.com> wrote: > On Thu, 2 Jun 2022 08:51:50 +0200 > Juerg Haefliger <juerg.haefliger@canonical.com> wrote: > > > On Tue, 31 May 2022 16:49:51 +0100 > > Dimitri John Ledkov <dimitri.ledkov@canonical.com> wrote: > > > > > with these patches applied, the ddebs (debug package) staging modules > > > are still signed > > > > Rats. > > > > > From linux-image-unsigned-5.18.0-6-generic-dbgsym_5.18.0-6.6_amd64.ddeb > > > > > > I don't think there is currently a tool that has ability to find & > > > strip digital signature only, whilst keeping the rest of the module > > > intact. I wonder if we need to extend sign-file or kmodsign to support > > > stripping the signature alone. Or do some hackish script in awk to > > > achieve that. > > > > Probably best to go back to the original approach of modifying the > upstream > > Makefile snippet and only sign explicitly listed modules. But I don't > like the > > inclusion file in the source tree. How about keeping that in the debian/ > > directory? > > Oh maybe not possible since the source (without debian/) gets rsynced > someplace else for the build? > > > ...Juerg > > > > > > > $ modinfo ./pi433/pi433.ko > > > filename: > > > > /home/xnox/canonical/kernel/ubuntu/kinetic/linux/debug/usr/lib/debug/lib/modules/5.18.0-6-generic/kernel/drivers/staging/./pi433/pi433.ko > > > alias: spi:pi433 > > > license: GPL > > > description: Driver for Pi433 > > > author: Marcus Wolf, <linux@wolf-entwicklungen.de> > > > srcversion: E6314D95D9F61FF16D934B4 > > > alias: of:N*T*CSmarthome-Wolf,pi433C* > > > alias: of:N*T*CSmarthome-Wolf,pi433 > > > depends: > > > staging: Y > > > retpoline: Y > > > intree: Y > > > name: pi433 > > > vermagic: 5.18.0-6-generic SMP preempt mod_unload modversions > > > sig_id: PKCS#7 > > > signer: Build time autogenerated kernel key > > > sig_key: > 66:F4:E2:73:8C:11:CC:12:55:18:45:E1:94:92:BC:C0:DF:37:E5:40 > > > sig_hashalgo: sha512 > > > signature: > 30:C0:65:A9:FE:45:5C:B1:5A:A0:18:DF:A2:C5:A5:89:29:B2:C4:A2: > > > 96:43:4B:F0:4D:1E:36:83:1D:C4:65:14:C1:14:A6:11:15:10:A5:9C: > > > A1:6B:D3:AC:49:93:BD:65:81:E9:98:12:DF:AE:EC:76:97:32:26:58: > > > F6:0C:3A:5C:39:C9:01:58:0F:57:E3:05:D4:FC:35:BB:64:B1:1F:E4: > > > AF:66:8D:29:7A:85:48:AF:15:A4:C4:E4:B5:3D:FE:83:2A:C5:31:B3: > > > 71:50:C4:37:FF:52:F1:4A:59:B8:F5:6B:80:DA:48:4C:42:25:A2:3F: > > > 31:F1:BC:E0:99:E2:7A:86:03:2A:55:0F:49:04:D6:52:BC:2A:8F:48: > > > 41:CB:55:07:DC:F4:93:B6:26:47:3E:10:25:50:8C:7A:85:C5:5B:BC: > > > F8:D1:8D:73:A3:A3:B4:12:90:36:2F:02:48:0D:FA:E7:6E:88:57:37: > > > 8E:6E:E0:45:CA:73:C0:EA:27:59:11:D2:AE:A8:EC:38:FF:65:2D:42: > > > 54:3E:0B:BE:00:06:DA:77:D0:E9:B1:B0:BD:01:BA:1B:49:95:E0:85: > > > 9F:F5:53:4E:D9:54:7C:9C:C0:A5:A1:E2:B5:EA:29:11:7D:7B:37:1C: > > > 92:F6:7D:4B:81:CA:83:FA:B4:8C:F9:CC:68:8B:B7:B7:D0:A2:5B:8D: > > > 3A:D5:88:66:B6:DB:D9:FE:16:4E:E7:B9:00:7D:8F:72:61:8B:E7:1F: > > > 00:D3:1C:25:D8:F7:E0:0A:C8:A2:F5:18:03:2B:8E:76:33:3E:7E:4B: > > > 28:A0:4C:36:2B:E2:8F:66:48:FE:3D:0F:59:46:21:AC:DA:EF:7A:FD: > > > C7:C6:4C:89:EC:28:F2:BB:4B:8A:96:CA:FF:73:C7:48:8A:3E:20:D4: > > > C8:A2:5D:94:A1:14:D7:93:02:3A:6F:45:88:9B:DF:FD:33:1A:AB:CF: > > > DB:9D:3A:B7:08:89:A5:29:5A:BC:63:1A:5B:1D:1D:7A:0E:C0:38:78: > > > 02:F1:D0:0B:8D:21:19:31:6F:72:E2:71:49:D3:41:5B:8A:10:C1:90: > > > 09:48:41:3B:3F:F5:08:DB:87:CD:5C:48:80:DE:39:B6:FB:26:17:AE: > > > 57:6F:22:EE:3F:27:28:AE:BB:9B:7B:CC:C7:B5:EB:68:13:3B:51:DD: > > > 3A:9F:7F:A0:8D:4E:DF:A4:5F:AE:B6:84:B9:E6:D1:DF:D8:75:94:01: > > > EA:AE:37:20:6B:F6:C6:51:AD:C4:32:68:2E:D1:99:F8:6C:0D:FB:7D: > > > A8:A0:06:5C:84:F9:DA:91:DF:2F:AF:88:CA:5A:C1:32:D7:A3:20:6B: > > > 72:D7:CC:E5:17:F9:52:EF:42:50:38:F7 > > > > > > >
Modules under the drivers/staging hierarchy get little attention when it comes to vulnerabilities. It is possible that memory mapping tricks that expose kernel internals would go unnoticed. Therefore, do not sign staging modules so that they cannot be loaded in a secure boot environment. [juergh: The above is the original bug that introduced this feature in Xenial. We seem to have lost it in Impish probably because of breaking changes in Makefile.modinst. So bring it back and while at it: - Remove modules that are no longer in the staging area from the list. - Add a check that verifies that only listed staging modules are signed.] v2: - Move signature-inclusion file to the debian/ directory to keep the source tree clean. - Strip signatures from unlisted staging drivers in a build rule rather than modifying the upstream Makefile to not sign them. Juerg Haefliger (3): UBUNTU: [Packaging] Move and update signature inclusion list UBUNTU: [Packaging] Strip signatures from untrusted staging modules UBUNTU: [Packaging] Add module-signature-check debian/rules.d/2-binary-arch.mk | 11 +++ debian/rules.d/4-checks.mk | 10 ++- debian/scripts/module-signature-check | 67 +++++++++++++++++++ .../staging => debian}/signature-inclusion | 7 -- 4 files changed, 87 insertions(+), 8 deletions(-) create mode 100755 debian/scripts/module-signature-check rename {drivers/staging => debian}/signature-inclusion (73%)