Message ID | 20221215072708.466941-2-juerg.haefliger@canonical.com |
---|---|
State | New |
Series | linux: Staging modules should be unsigned (LP: #1642368) |
On 15.12.22 08:27, Juerg Haefliger wrote:

> BugLink: https://bugs.launchpad.net/bugs/1642368
>
> Move the signature inclusion list from the source tree to the debian/
> directory to keep the upstream source clean. While at it, remove modules
> that are no longer in the staging area.
>
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> Acked-by: Tim Gardner <tim.gardner@canonical.com>
> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
>
> (cherry picked from commit 4ec3305301067590bd5502ae09512883924d3d3f kinetic:linux)
> Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
> ---

I am a bit ambivalent with this set. On one side I understand that allowing all staging drivers can be a security problem. On the other hand Jammy was released that way and retracting signing means a regression for people under secure boot. So this needs to be considered very carefully. I stumbled over this change which modifies the list of modules to sign. It comes directly from Kinetic (v5.19) and drops drivers, claiming those are out of staging. But is this really true for Jammy (v5.15)?

-Stefan

> {drivers/staging => debian}/signature-inclusion | 7 ------- > 1 file changed, 7 deletions(-) > rename {drivers/staging => debian}/signature-inclusion (73%) > > diff --git a/drivers/staging/signature-inclusion b/debian/signature-inclusion > similarity index 73% > rename from drivers/staging/signature-inclusion > rename to debian/signature-inclusion > index 7e937c7fc0e3..f919d4dfddfa 100644 > --- a/drivers/staging/signature-inclusion > +++ b/debian/signature-inclusion > @@ -2,13 +2,6 @@ > # This file lists the staging drivers that are safe for signing > # and loading in a secure boot environment with signed module enforcement. > # > -exfat.ko > -rtl8192c-common.ko > -rtl8192ce.ko > -rtl8192cu.ko > -rtl8192de.ko > -rtl8192ee.ko > -rtl8192se.ko > r8188eu.ko > r8192e_pci.ko > r8192u_usb.ko
Sorry for the late reply. Just stumbled over your reply :-(

> On 15.12.22 08:27, Juerg Haefliger wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1642368
> >
> > Move the signature inclusion list from the source tree to the debian/
> > directory to keep the upstream source clean. While at it, remove modules
> > that are no longer in the staging area.
> >
> > Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> > Acked-by: Tim Gardner <tim.gardner@canonical.com>
> > Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
> >
> > (cherry picked from commit 4ec3305301067590bd5502ae09512883924d3d3f kinetic:linux)
> > Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
> > ---
>
> I am a bit ambivalent with this set. On one side I understand that allowing all
> staging drivers can be a security problem. On the other hand Jammy was released
> that way and retracting signing means a regression for people under secure boot.

The current state can also be considered a security regression. So it's a security vs a functional regression. I think the security regression is more severe given that more people are affected by it.

> So this needs to be considered very carefully.

Well, if we keep jammy as-is people who are affected will just notice when they upgrade from jammy since all later releases only sign the selected staging drivers again.

> I stumbled over this change which
> modifies the list of modules to sign. It comes directly from Kinetic (v5.19) and
> drops drivers, claiming those are out of staging. But is this really true for
> Jammy (v5.15)?

Yes, I do try to do my job properly ;-)

Jammy 5.15:
./fs/exfat
./drivers/net/wireless/realtek/rtlwifi/rtl8192c
./drivers/net/wireless/realtek/rtlwifi/rtl8192ce
./drivers/net/wireless/realtek/rtlwifi/rtl8192cu
./drivers/net/wireless/realtek/rtlwifi/rtl8192de
./drivers/net/wireless/realtek/rtlwifi/rtl8192ee
./drivers/net/wireless/realtek/rtlwifi/rtl8192se

...Juerg

> -Stefan
>
> > {drivers/staging => debian}/signature-inclusion | 7 ------- > > 1 file changed, 7 deletions(-) > > rename {drivers/staging => debian}/signature-inclusion (73%) > > > > diff --git a/drivers/staging/signature-inclusion b/debian/signature-inclusion > > similarity index 73% > > rename from drivers/staging/signature-inclusion > > rename to debian/signature-inclusion > > index 7e937c7fc0e3..f919d4dfddfa 100644 > > --- a/drivers/staging/signature-inclusion > > +++ b/debian/signature-inclusion
> > @@ -2,13 +2,6 @@ > > # This file lists the staging drivers that are safe for signing > > # and loading in a secure boot environment with signed module enforcement. > > # > > -exfat.ko > > -rtl8192c-common.ko > > -rtl8192ce.ko > > -rtl8192cu.ko > > -rtl8192de.ko > > -rtl8192ee.ko > > -rtl8192se.ko > > r8188eu.ko > > r8192e_pci.ko > > r8192u_usb.ko >
diff --git a/drivers/staging/signature-inclusion b/debian/signature-inclusion similarity index 73% rename from drivers/staging/signature-inclusion rename to debian/signature-inclusion index 7e937c7fc0e3..f919d4dfddfa 100644 --- a/drivers/staging/signature-inclusion +++ b/debian/signature-inclusion @@ -2,13 +2,6 @@ # This file lists the staging drivers that are safe for signing # and loading in a secure boot environment with signed module enforcement. # -exfat.ko -rtl8192c-common.ko -rtl8192ce.ko -rtl8192cu.ko -rtl8192de.ko -rtl8192ee.ko -rtl8192se.ko r8188eu.ko r8192e_pci.ko r8192u_usb.ko
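Review bot: The seven removals in the @@ -2,13 +2,6 @@ hunk (exfat.ko and the six rtl8192* entries) ride along with a file rename, and the commit message does not record that these modules are outside drivers/staging in the tree being patched, as opposed to the kinetic tree the commit was cherry-picked from. Because this list decides which staging drivers are signed under signed module enforcement, a wrongly dropped entry would leave a module unloadable for secure boot users, so consider either splitting the list change into its own commit or adding a line to the message stating where the modules live in this tree (the thread gives fs/exfat and drivers/net/wireless/realtek/rtlwifi/ for Jammy 5.15). The header comment still reads only "This file lists the staging drivers that are safe for signing"; now that the file sits in debian/ rather than next to the drivers, a line saying that it applies to modules under drivers/staging would keep its purpose clear.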