
[Unstable/K,2/2] UBUNTU: SAUCE: Add selective signing of staging modules

Message ID 20220621131822.1583383-3-juerg.haefliger@canonical.com

Commit Message

Juerg Haefliger June 21, 2022, 1:18 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1642368

'Untrusted' staging modules shouldn't be loadable in a secure boot
environment, so only sign the staging modules listed in debian/signature-inclusion.

Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
---
 scripts/Makefile.modinst | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)


diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index c2c43a0ecfe0..3cf4c9210fbf 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -68,8 +68,13 @@  endif
 ifeq ($(CONFIG_MODULE_SIG_ALL),y)
 sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
 quiet_cmd_sign = SIGN    $@
-      cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \
-                 $(if $(KBUILD_EXTMOD),|| true)
+      cmd_sign = if echo "$@" | grep -qF "/drivers/staging/" && \
+                    test -f $(srctree)/debian/signature-inclusion && \
+                    ! grep -qFx "$(notdir $@)" $(srctree)/debian/signature-inclusion ; \
+                 then echo "UBUNTU: Not signing $@" ; \
+                 else scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \
+                      $(if $(KBUILD_EXTMOD),|| true) ; \
+                 fi
 else
 quiet_cmd_sign :=
       cmd_sign := :
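Review bot: The staging test on the first added cmd_sign line is an unanchored substring match over the whole install path, and the allowlist lookup two lines later compares only `$(notdir $@)`, so any path component containing "/drivers/staging/" (including one in the install prefix) suppresses signing, and two staging modules with the same basename cannot be told apart in debian/signature-inclusion. If the rule that invokes cmd_sign has the in-tree relative module path available, anchoring the match on that (e.g. `case "$<" in drivers/staging/*)`) and listing module paths rather than basenames would make the policy exact; I am inferring the shape of `$@` from the surrounding modinst rules, which are outside the hunk. Separately, the `test -f` clause makes the policy fail open: when the inclusion file is missing the else branch signs every staging module, so a packaging mistake silently restores the old behaviour with no message. The three-way decision deserves a comment above the definition, e.g. `# UBUNTU: staging modules are signed only if listed in debian/signature-inclusion; non-staging modules (and all modules when the list file is absent) are signed unconditionally`.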