UBUNTU: [Debian] Suppress module signing for staging drivers

BugLink: http://bugs.launchpad.net/bugs/1642368 Prevent staging drivers from being loadable in a secure boot environment. Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Robert Hooker <robert.hooker@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

UBUNTU: [Debian] Suppress module signing for staging drivers
BugLink: http://bugs.launchpad.net/bugs/1642368 Prevent staging drivers from being loadable in a secure boot environment. Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Robert Hooker <robert.hooker@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
597461fb · Tim Gardner · Luis Henriques · a74d7290 · 597461fb · 597461fb
Commit 597461fb authored Nov 30, 2016 by Tim Gardner Committed by Luis Henriques Dec 14, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

drivers/staging/signature-inclusion drivers/staging/signature-inclusion +5 -0

scripts/Makefile.modinst scripts/Makefile.modinst +5 -2

No files found.
--- a/drivers/staging/signature-inclusion
+++ b/drivers/staging/signature-inclusion
+#
+# This file lists the staging drivers that are safe for signing
+# and loading in a secure boot environment with signed module enforcement.
+#
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -22,8 +22,11 @@ quiet_cmd_modules_install = INSTALL $@
    mkdir -p $(2) ; \
    cp $@ $(2) ; \
    $(mod_strip_cmd) $(2)/$(notdir $@) ; \
-    $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
+    if (echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/") && \
-    $(mod_compress_cmd) $(2)/$(notdir $@)
+	(! egrep -x "$(2)/$(notdir $@)" $(CURDIR)/drivers/staging/signature-inclusion) ; \
+	then echo Not signing "$(2)/$(notdir $@)"; \
+	else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
+		$(mod_compress_cmd) $(2)/$(notdir $@); fi
 # Modules built outside the kernel source tree go into extra by default
 INSTALL_MOD_DIR ?= extra