diff mbox series

[groovy:linux,1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y

Message ID 20210218161754.1840146-6-apw@canonical.com
State New
Headers show
Series [groovy:linux,1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y | expand

Commit Message

Andy Whitcroft Feb. 18, 2021, 4:17 p.m. UTC 
In order to support the livepatch key we need to ensure we do not allow
that key to load modules which are not for the specific kernel.  From
the documentation on kernel module signing:

  If you use the same private key to sign modules for multiple kernel
  configurations, you must ensure that the module version information is
  sufficient to prevent loading a module into a different kernel.  Either
  set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
  different kernel release string by changing ``EXTRAVERSION`` or
  ``CONFIG_LOCALVERSION``.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian.master/config/annotations          | 4 +++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

Comments

Stefan Bader Feb. 19, 2021, 9:26 a.m. UTC | #1 
Applied series (1-4) to groovy:linux/master-next. Thanks.

-Stefan
diff mbox series

Patch

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index e12c9a0f7a15..f025f78dfb11 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -9898,11 +9898,13 @@  CONFIG_MODULES                                  policy<{'amd64': 'y', 'arm64': '
 CONFIG_MODULE_FORCE_LOAD                        policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_MODULE_UNLOAD                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_FORCE_UNLOAD                      policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_MODVERSIONS                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_MODVERSIONS                              policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_SRCVERSION_ALL                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_COMPRESS                          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS   policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_UNUSED_SYMBOLS                           policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+#
+CONFIG_MODVERSIONS                              mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
 
 # Menu: Enable loadable module support >> Compression algorithm
 
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 74c4764fd6b4..80ed0bdb1f15 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -6006,7 +6006,7 @@  CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_UNLOAD=y
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
 CONFIG_MONREADER=m
 CONFIG_MONWRITER=m
 CONFIG_MOST_CDEV=m