[Unstable,v2,2/3] UBUNTU: [Packaging] Strip signatures from untrusted staging modules

Message ID 20220509142504.493925-3-juergh@canonical.com
State New
Series linux: Staging modules should be unsigned (LP: #1642368)

Commit Message

Juerg Haefliger May 9, 2022, 2:25 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1642368

'Untrusted' staging modules shouldn't be loadable in a secure boot
environment so strip the signatures from staging modules that are not
listed in debian/signature-inclusion.

Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---
 debian/rules.d/2-binary-arch.mk | 11 +++++++++++
 1 file changed, 11 insertions(+)

Patch

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index c4906036ceb8..6e3456cfce81 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -189,6 +189,17 @@  endif
 		INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=$(pkgdir)/ \
 		INSTALL_FW_PATH=$(pkgdir)/lib/firmware/$(abi_release)-$*
 
+	# Strip signatures from 'untrusted' staging modules.
+	# Use --strip-debug per comments in scripts/Makefile.modinst.
+	if [ -f "$(DROOT)"/signature-inclusion ] ; then \
+		find "$(pkgdir)" -path '*/drivers/staging/*.ko' | while IFS= read -r mod ; do \
+			if ! grep -qFx "$${mod##*/}" "$(DROOT)"/signature-inclusion ; then \
+				echo "UBUNTU: Strip $${mod}" ; \
+				$(CROSS_COMPILE)strip --strip-debug "$${mod}" ; \
+			fi ; \
+		done ; \
+	fi
+
 	#
 	# Build module blacklists:
 	#  - blacklist all watchdog drivers (LP:1432837)
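
Review bot: a failing strip inside the `while` loop does not stop the build, so a staging module can ship with its signature intact. The loop continues after `$(CROSS_COMPILE)strip --strip-debug "$${mod}" ;` returns non-zero, and the status reaches make only when the failure happens on the last module that `find` lists. Since the whole point of the change is that these modules must not load under secure boot, the step should fail closed: append `|| exit 1` to the strip command so that the recipe aborts on the first error. The same applies to the outer `if [ -f "$(DROOT)"/signature-inclusion ]` test: when the file is absent, every staging module silently keeps its signature, so a comment stating that this is intended, or an explicit message in an `else` branch, would help. One smaller point: `grep -qFx "$${mod##*/}"` matches on the basename alone, so the comment above the block should say that debian/signature-inclusion is expected to hold one bare module file name per line.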