From patchwork Thu Feb 18 15:08:53 2021
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 1441691
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [groovy:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y
Date: Thu, 18 Feb 2021 15:08:53 +0000
Message-Id: <20210218150856.1807354-6-apw@canonical.com>
In-Reply-To: <20210218150856.1807354-1-apw@canonical.com>
References: <20210218150856.1807354-1-apw@canonical.com>

In order to support the livepatch key we need to ensure we do not allow
that key to load modules which are not for the specific kernel.

From the documentation on kernel module signing:

    If you use the same private key to sign modules for multiple kernel
    configurations, you must ensure that the module version information
    is sufficient to prevent loading a module into a different kernel.
    Either set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration
    has a different kernel release string by changing ``EXTRAVERSION`` or
    ``CONFIG_LOCALVERSION``.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft
--- debian.master/config/annotations | 4 +++- debian.master/config/config.common.ubuntu | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index e12c9a0f7a15..f025f78dfb11 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations 
@@ -9898,11 +9898,13 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_UNUSED_SYMBOLS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +# +CONFIG_MODVERSIONS mark note # Menu: Enable loadable module support >> Compression algorithm diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 74c4764fd6b4..80ed0bdb1f15 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -6006,7 +6006,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y -# CONFIG_MODVERSIONS is not set +CONFIG_MODVERSIONS=y CONFIG_MONREADER=m CONFIG_MONWRITER=m CONFIG_MOST_CDEV=m
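Review bot: In the debian.master/config/annotations hunk, the added `CONFIG_MODVERSIONS mark note` line, as it appears here, carries no mark value and no note text, so the annotation does not record why the policy moved from 'n' to 'y' on all five architectures. Suggest putting the reason in the note itself, referencing the BugLink from the commit message (bugs/1898716) and the module-signing requirement it quotes, so that a later config review does not flip the option back. It is also worth stating there that the protection relies on `CONFIG_MODULE_FORCE_LOAD` staying 'n', as the context line in this hunk shows, since forced loading skips the module version check.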
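Review bot: In the debian.master/config/config.common.ubuntu hunk, `+CONFIG_MODVERSIONS=y` replaces `# CONFIG_MODVERSIONS is not set` in the common config, so it reaches every architecture and flavour that inherits this file, yet the commit message does not say what happens to modules already built against the earlier groovy kernels (DKMS and other out-of-tree modules). Enabling modversions adds per-symbol CRC checks at load time and changes the vermagic string, so please state whether an ABI bump or rebuild accompanies this change, or point to the patch in the series that handles it.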