| Message ID | 20210218161754.1840146-2-apw@canonical.com |
|---|---|
| State | New |
| Series | [bionic:linux,1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y |
On 18.02.21 17:17, Andy Whitcroft wrote:
> In order to support the livepatch key we need to ensure we do not allow
> that key to load modules which are not for the specific kernel. From
> the documentation on kernel module signing:
>
> If you use the same private key to sign modules for multiple kernel
> configurations, you must ensure that the module version information is
> sufficient to prevent loading a module into a different kernel. Either
> set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
> different kernel release string by changing ``EXTRAVERSION`` or
> ``CONFIG_LOCALVERSION``.
>
> BugLink: https://bugs.launchpad.net/bugs/1898716
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---

Now (Tim, please don't change task status without double checking) applied to
bionic:linux/master-next. While doing so, I fixed up the annotation for
CONFIG_SYSTEM_TRUSTED_KEYS for i386. Thanks.

-Stefan

> debian.master/config/annotations | 4 +++-
> debian.master/config/config.common.ubuntu | 2 +-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
> index 52fa132d2063..4f2972daee7e 100644
> --- a/debian.master/config/annotations
> +++ b/debian.master/config/annotations
> @@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' > CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > +# > +CONFIG_MODVERSIONS mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key> > > # Menu: Enable loadable module support >> Compression algorithm > > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index 3ef3d8d6a2d8..f2a8b2e49b53 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" > CONFIG_MODULE_SIG_SHA512=y > CONFIG_MODULE_SRCVERSION_ALL=y > CONFIG_MODULE_UNLOAD=y > -# CONFIG_MODVERSIONS is not set > +CONFIG_MODVERSIONS=y > CONFIG_MONREADER=m > CONFIG_MONWRITER=m > CONFIG_MOST=m >
On 2/26/21 1:23 AM, Stefan Bader wrote:
> On 18.02.21 17:17, Andy Whitcroft wrote:
>> In order to support the livepatch key we need to ensure we do not allow
>> that key to load modules which are not for the specific kernel. From
>> the documentation on kernel module signing:
>>
>> If you use the same private key to sign modules for multiple kernel
>> configurations, you must ensure that the module version information is
>> sufficient to prevent loading a module into a different kernel. Either
>> set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
>> different kernel release string by changing ``EXTRAVERSION`` or
>> ``CONFIG_LOCALVERSION``.
>>
>> BugLink: https://bugs.launchpad.net/bugs/1898716
>> Signed-off-by: Andy Whitcroft <apw@canonical.com>
>> ---
>
> Now (Tim, please don't change task status without double checking) applied to
> bionic:linux/master-next. While doing so, I fixed up the annotation for
> CONFIG_SYSTEM_TRUSTED_KEYS for i386. Thanks.
>

verify-release-ready complained that the bug had no entry for the package.
Admittedly, my LP foo is a little stale and I managed to bork the original
'Affects' package. I guess I didn't get it restored to its previous state.

Did I do the right thing when adding linux-gcp and linux-kvm as also being
affected? I see no other kernels there when pretty much all of the derivative
kernels have this same patch.

rtg

> -Stefan
>
>> debian.master/config/annotations | 4 +++-
>> debian.master/config/config.common.ubuntu | 2 +-
>> 2 files changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
>> index 52fa132d2063..4f2972daee7e 100644
>> --- a/debian.master/config/annotations
>> +++ b/debian.master/config/annotations
>> @@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' >> CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> >> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> >> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> >> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >> +# >> +CONFIG_MODVERSIONS mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key> >> >> # Menu: Enable loadable module support >> Compression algorithm >> >> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu >> index 3ef3d8d6a2d8..f2a8b2e49b53 100644 >> --- a/debian.master/config/config.common.ubuntu >> +++ b/debian.master/config/config.common.ubuntu >> @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" >> CONFIG_MODULE_SIG_SHA512=y >> CONFIG_MODULE_SRCVERSION_ALL=y >> CONFIG_MODULE_UNLOAD=y >> -# CONFIG_MODVERSIONS is not set >> +CONFIG_MODVERSIONS=y >> CONFIG_MONREADER=m >> CONFIG_MONWRITER=m >> CONFIG_MOST=m >> >
On 26.02.21 16:57, Tim Gardner wrote:
>
>
> On 2/26/21 1:23 AM, Stefan Bader wrote:
>> On 18.02.21 17:17, Andy Whitcroft wrote:
>>> In order to support the livepatch key we need to ensure we do not allow
>>> that key to load modules which are not for the specific kernel. From
>>> the documentation on kernel module signing:
>>>
>>> If you use the same private key to sign modules for multiple kernel
>>> configurations, you must ensure that the module version information is
>>> sufficient to prevent loading a module into a different kernel. Either
>>> set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
>>> different kernel release string by changing ``EXTRAVERSION`` or
>>> ``CONFIG_LOCALVERSION``.
>>>
>>> BugLink: https://bugs.launchpad.net/bugs/1898716
>>> Signed-off-by: Andy Whitcroft <apw@canonical.com>
>>> ---
>>
>> Now (Tim, please don't change task status without double checking) applied to
>> bionic:linux/master-next. While doing so, I fixed up the annotation for
>> CONFIG_SYSTEM_TRUSTED_KEYS for i386. Thanks.
>>
>
> verify-release-ready complained that the bug had no entry for the package.
> Admittedly, my LP foo is a little stale and I managed to bork the original
> 'Affects' package. I guess I didn't get it restored to its previous state.
>
> Did I do the right thing when adding linux-gcp and linux-kvm as also being
> affected? I see no other kernels there when pretty much all of the derivative
> kernels have this same patch.

Not quite but also nothing that really hurts. In general I would only mark a
derivative kernel as affected in those cases where the fix _only_ goes there.
Anything else where the change goes into the primary kernel, we do not mark up
all of its derivatives individually.

Now I wonder why verify-release-ready complained. I thought it was changed to
take this into effect. But it's hard to remember what has been done or just
being talked about doing.

-Stefan

>
> rtg
>
>> -Stefan
>>
>>> debian.master/config/annotations | 4 +++-
>>> debian.master/config/config.common.ubuntu | 2 +-
>>> 2 files changed, 4 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
>>> index 52fa132d2063..4f2972daee7e 100644
>>> --- a/debian.master/config/annotations
>>> +++ b/debian.master/config/annotations
>>> @@ -8612,9 +8612,11 @@ CONFIG_MODULES >>> policy<{'amd64': 'y', 'arm64': ' >>> CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', >>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >>> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', >>> 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> >>> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', >>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >>> -CONFIG_MODVERSIONS policy<{'amd64': 'n', >>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >>> +CONFIG_MODVERSIONS policy<{'amd64': 'y', >>> 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> >>> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', >>> 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> >>> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', >>> 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> >>> +# >>> +CONFIG_MODVERSIONS mark<ENFORCED> >>> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key> >>> # Menu: Enable loadable module support >> Compression algorithm >>> diff --git a/debian.master/config/config.common.ubuntu >>> b/debian.master/config/config.common.ubuntu >>> index 3ef3d8d6a2d8..f2a8b2e49b53 100644 >>> --- a/debian.master/config/config.common.ubuntu >>> +++ b/debian.master/config/config.common.ubuntu >>> @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" >>> CONFIG_MODULE_SIG_SHA512=y >>> CONFIG_MODULE_SRCVERSION_ALL=y >>> CONFIG_MODULE_UNLOAD=y >>> -# CONFIG_MODVERSIONS is not set >>> +CONFIG_MODVERSIONS=y >>> CONFIG_MONREADER=m >>> CONFIG_MONWRITER=m >>> CONFIG_MOST=m >>> >> >
diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 52fa132d2063..4f2972daee7e 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': ' CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> -CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +# +CONFIG_MODVERSIONS mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key> # Menu: Enable loadable module support >> Compression algorithm diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 3ef3d8d6a2d8..f2a8b2e49b53 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y -# CONFIG_MODVERSIONS is not set +CONFIG_MODVERSIONS=y CONFIG_MONREADER=m CONFIG_MONWRITER=m CONFIG_MOST=m
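Review bot: the annotations hunk records why CONFIG_MODVERSIONS is enforced (the note<> on LP:1898716) but not what it costs: once CRCs are checked, a module built against a kernel that had MODVERSIONS off carries no __versions section and is refused outright, and because CONFIG_MODULE_FORCE_LOAD stays 'n' for all six architectures in the same hunk there is no override path. Suggest extending the note, or the commit message, with one sentence on that ABI break so a later "module refuses to load" report on bionic can be traced to this change.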
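Review bot: the config.common.ubuntu hunk is the only config file touched, while the new mark<ENFORCED> in annotations covers every architecture; if any per-architecture config still carries `# CONFIG_MODVERSIONS is not set`, the enforcement check fails for that arch. Suggest confirming the regenerated configs show `CONFIG_MODVERSIONS=y` for all six architectures before this is applied.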
In order to support the livepatch key we need to ensure we do not allow
that key to load modules which are not for the specific kernel. From
the documentation on kernel module signing:

If you use the same private key to sign modules for multiple kernel
configurations, you must ensure that the module version information is
sufficient to prevent loading a module into a different kernel. Either
set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
different kernel release string by changing ``EXTRAVERSION`` or
``CONFIG_LOCALVERSION``.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian.master/config/annotations          | 4 +++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
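Added example, not part of this patch and not kernel code: a small Python model of the loader decision the commit message relies on, run over constructed kernels and modules that share one release string and one signing key. It shows that without CONFIG_MODVERSIONS the shared key lets a module cross between configurations, while with it the symbol CRCs refuse the load. Kernel, Module, load_decision and the foo_register symbol are invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import zlib

@dataclass
class Kernel:
    release: str                      # what uname -r would print
    modversions: bool                 # CONFIG_MODVERSIONS
    force_load: bool = False          # CONFIG_MODULE_FORCE_LOAD
    crcs: Dict[str, int] = field(default_factory=dict)  # exported symbol -> CRC

@dataclass
class Module:
    vermagic: str                     # release string baked in at build time
    trusted_signature: bool           # verified against the shared signing key
    imports: Tuple[str, ...]
    versions: Optional[Dict[str, int]]  # __versions table; None if built without it

def crc_of(prototype: str) -> int:
    """Stand-in for genksyms: CRC over the symbol's type signature."""
    return zlib.crc32(prototype.encode())

def load_decision(k: Kernel, m: Module) -> str:
    """Return 'loaded' or the reason the loader would refuse (simplified model)."""
    if not m.trusted_signature:
        return "refused: signature"
    if not k.modversions:
        # No CRCs: the release string is the only thing tying module to kernel.
        return "loaded" if m.vermagic == k.release else "refused: vermagic"
    # With CRCs the real loader skips the release part of vermagic (SMP/preempt
    # flags are still compared there; not modelled here) and checks each symbol.
    if m.versions is None:
        return "loaded (tainted)" if k.force_load else "refused: no version info"
    for sym in m.imports:
        if m.versions.get(sym) != k.crcs.get(sym):
            return f"refused: CRC mismatch on {sym}"
    return "loaded"

# Constructed scenario: two builds share one release string and one signing
# key, but build B changed the struct that foo_register() takes.
RELEASE = "4.15.0-example-generic"
CRC_A = crc_of("int foo_register(struct foo{int a;} *)")
CRC_B = crc_of("int foo_register(struct foo{int a; int b;} *)")
KERNEL_B_PLAIN = Kernel(RELEASE, modversions=False)
KERNEL_B_VERS = Kernel(RELEASE, modversions=True, crcs={"foo_register": CRC_B})
KERNEL_A_VERS = Kernel(RELEASE, modversions=True, crcs={"foo_register": CRC_A})
MOD_FROM_A = Module(RELEASE, True, ("foo_register",), {"foo_register": CRC_A})
MOD_FROM_A_NOVERS = Module(RELEASE, True, ("foo_register",), None)
```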