[PATCH v2][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH v2][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

Seth Forshee
BugLink: https://bugs.launchpad.net/bugs/1850234

When adding .gnu_debuglink sections to modules we sign modules
without regard to whether or not they were signed previously. As
a result modules from staging which should not have been signed
are ending up with signature. Change this to check for a module
signature before modifying the binary, then sign the result only
if the original module was signed.

Signed-off-by: Seth Forshee <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 82e4d80e469f..050f867060cb 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -413,10 +413,12 @@ ifneq ($(skipdbg),true)
   -name '*.ko' | while read path_module ; do \
  module="/lib/modules/$${path_module#*/lib/modules/}"; \
  if [[ -f "$(dbgpkgdir)/usr/lib/debug/$$module" ]] ; then \
+ signer=$$(/sbin/modinfo -F signer "$$path_module"); \
  $(CROSS_COMPILE)objcopy \
  --add-gnu-debuglink=$(dbgpkgdir)/usr/lib/debug/$$module \
  $$path_module; \
- if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config; then \
+ if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config && \
+   [ -n "$$signer" ]; then \
  $(builddir)/build-$*/scripts/sign-file $(MODHASHALGO) \
  $(MODSECKEY) \
  $(MODPUBKEY) \
--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH v2][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

Khaled Elmously
On 2019-10-29 14:25:13 , Seth Forshee wrote:

> BugLink: https://bugs.launchpad.net/bugs/1850234
>
> When adding .gnu_debuglink sections to modules we sign modules
> without regard to whether or not they were signed previously. As
> a result modules from staging which should not have been signed
> are ending up with signature. Change this to check for a module
> signature before modifying the binary, then sign the result only
> if the original module was signed.
>
> Signed-off-by: Seth Forshee <[hidden email]>
> ---
>  debian/rules.d/2-binary-arch.mk | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 82e4d80e469f..050f867060cb 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -413,10 +413,12 @@ ifneq ($(skipdbg),true)
>    -name '*.ko' | while read path_module ; do \
>   module="/lib/modules/$${path_module#*/lib/modules/}"; \
>   if [[ -f "$(dbgpkgdir)/usr/lib/debug/$$module" ]] ; then \
> + signer=$$(/sbin/modinfo -F signer "$$path_module"); \
>   $(CROSS_COMPILE)objcopy \
>   --add-gnu-debuglink=$(dbgpkgdir)/usr/lib/debug/$$module \
>   $$path_module; \
> - if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config; then \
> + if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config && \
> +   [ -n "$$signer" ]; then \
>   $(builddir)/build-$*/scripts/sign-file $(MODHASHALGO) \
>   $(MODSECKEY) \
>   $(MODPUBKEY) \

Acked-by: Khalid Elmously <[hidden email]>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Ack: [PATCH v2][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

Sultan Alsawaf
In reply to this post by Seth Forshee
Acked-by: Sultan Alsawaf <[hidden email]>

On Tue, Oct 29, 2019, 12:25 PM Seth Forshee <[hidden email]> wrote:
BugLink: https://bugs.launchpad.net/bugs/1850234

When adding .gnu_debuglink sections to modules we sign modules
without regard to whether or not they were signed previously. As
a result modules from staging which should not have been signed
are ending up with signature. Change this to check for a module
signature before modifying the binary, then sign the result only
if the original module was signed.

Signed-off-by: Seth Forshee <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 82e4d80e469f..050f867060cb 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -413,10 +413,12 @@ ifneq ($(skipdbg),true)
          -name '*.ko' | while read path_module ; do \
                module="/lib/modules/$${path_module#*/lib/modules/}"; \
                if [[ -f "$(dbgpkgdir)/usr/lib/debug/$$module" ]] ; then \
+                       signer=$$(/sbin/modinfo -F signer "$$path_module"); \
                        $(CROSS_COMPILE)objcopy \
                                --add-gnu-debuglink=$(dbgpkgdir)/usr/lib/debug/$$module \
                                $$path_module; \
-                       if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config; then \
+                       if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config && \
+                          [ -n "$$signer" ]; then \
                                $(builddir)/build-$*/scripts/sign-file $(MODHASHALGO) \
                                        $(MODSECKEY) \
                                        $(MODPUBKEY) \
--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED[Unstable]: [PATCH v2][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

Seth Forshee
In reply to this post by Seth Forshee
On Tue, Oct 29, 2019 at 02:25:13PM -0500, Seth Forshee wrote:

> BugLink: https://bugs.launchpad.net/bugs/1850234
>
> When adding .gnu_debuglink sections to modules we sign modules
> without regard to whether or not they were signed previously. As
> a result modules from staging which should not have been signed
> are ending up with signature. Change this to check for a module
> signature before modifying the binary, then sign the result only
> if the original module was signed.
>
> Signed-off-by: Seth Forshee <[hidden email]>

Applied to unstable/master.

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [PATCH v2][SRU][E/Unstable] UBUNTU: [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

Stefan Bader-2
In reply to this post by Seth Forshee
On 29.10.19 20:25, Seth Forshee wrote:

> BugLink: https://bugs.launchpad.net/bugs/1850234
>
> When adding .gnu_debuglink sections to modules we sign modules
> without regard to whether or not they were signed previously. As
> a result modules from staging which should not have been signed
> are ending up with signature. Change this to check for a module
> signature before modifying the binary, then sign the result only
> if the original module was signed.
>
> Signed-off-by: Seth Forshee <[hidden email]>
> ---
This was already applied to Eoan in a re-spin. Sending message for the records.

-Stefan

>  debian/rules.d/2-binary-arch.mk | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 82e4d80e469f..050f867060cb 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -413,10 +413,12 @@ ifneq ($(skipdbg),true)
>    -name '*.ko' | while read path_module ; do \
>   module="/lib/modules/$${path_module#*/lib/modules/}"; \
>   if [[ -f "$(dbgpkgdir)/usr/lib/debug/$$module" ]] ; then \
> + signer=$$(/sbin/modinfo -F signer "$$path_module"); \
>   $(CROSS_COMPILE)objcopy \
>   --add-gnu-debuglink=$(dbgpkgdir)/usr/lib/debug/$$module \
>   $$path_module; \
> - if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config; then \
> + if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config && \
> +   [ -n "$$signer" ]; then \
>   $(builddir)/build-$*/scripts/sign-file $(MODHASHALGO) \
>   $(MODSECKEY) \
>   $(MODPUBKEY) \
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (849 bytes) Download Attachment