From patchwork Thu Feb 18 16:17:47 2021
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 1441747
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y
Date: Thu, 18 Feb 2021 16:17:47 +0000
Message-Id: <20210218161754.1840146-2-apw@canonical.com>
In-Reply-To: <20210218161754.1840146-1-apw@canonical.com>
References: <20210218161754.1840146-1-apw@canonical.com>

In order to support the livepatch key we need to ensure we do not allow
that key to load modules which are not for the specific kernel.

From the documentation on kernel module signing:

    If you use the same private key to sign modules for multiple kernel
    configurations, you must ensure that the module version information is
    sufficient to prevent loading a module into a different kernel. Either
    set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
    different kernel release string by changing ``EXTRAVERSION`` or
    ``CONFIG_LOCALVERSION``.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft
---
 debian.master/config/annotations          | 4 +++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 52fa132d2063..4f2972daee7e 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations 
@@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +# +CONFIG_MODVERSIONS mark note # Menu: Enable loadable module support >> Compression algorithm diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 3ef3d8d6a2d8..f2a8b2e49b53 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y -# CONFIG_MODVERSIONS is not set +CONFIG_MODVERSIONS=y CONFIG_MONREADER=m CONFIG_MONWRITER=m CONFIG_MOST=m
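Review bot: In the debian.master/config/annotations hunk, the added `CONFIG_MODVERSIONS mark note` line reads here with no mark value and no note text, so the annotations file does not record why the policy moved from 'n' to 'y' on all six architectures. The note should carry the reason from the commit message (the livepatch key must not load modules built for another kernel) and the bug reference, LP #1898716, so a later config review does not revert it. The unchanged context also shows CONFIG_MODULE_FORCE_LOAD at 'n'; the note could state that the new policy depends on it staying so, since forced loading skips the version check this change introduces.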
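Review bot: In the debian.master/config/config.common.ubuntu hunk, `CONFIG_MODVERSIONS=y` is set in the common config, so every flavour and architecture built from it changes, while the commit message argues only the signing-key case and says nothing about the effect on module loading. Suggest adding a sentence that modules are now checked against per-symbol CRCs at load time, and why this option was chosen over the other route the quoted documentation gives (a distinct release string via EXTRAVERSION or CONFIG_LOCALVERSION).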