[SRU] [B/C/D/Unstable] [PATCH 0/1] Make r8822be usable under kernel lockdown

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU] [B/C/D/Unstable] [PATCH 0/1] Make r8822be usable under kernel lockdown

Kai-Heng Feng
BugLink: http://bugs.launchpad.net/bugs/1806472

[Impact]
Realtek 8822be doesn't work under kernel lockdown.

[Fix]
Add r8822be.ko to signature-inclusion, so it can be signed and be loaded
when lockdown is enabled.

[Test]
Since I can't signed the kernel so it's not tested.

[Regression Potential]
Low. The driver is maintained by a Realtek guy, so bugs are actually
getting fixed.

Kai-Heng Feng (1):
  UBUNTU: SAUCE: Add r8822be to signature inclusion list

 drivers/staging/signature-inclusion | 1 +
 1 file changed, 1 insertion(+)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[PATCH 1/1] UBUNTU: SAUCE: Add r8822be to signature inclusion list

Kai-Heng Feng
BugLink: http://bugs.launchpad.net/bugs/1806472

r8822be is sent and maintained by [hidden email], so it's in a good
shape. Let's add it to signature inclusion list.

Signed-off-by: Kai-Heng Feng <[hidden email]>
---
 drivers/staging/signature-inclusion | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
index e9f5bb53c5c7..f7f19616a9fc 100644
--- a/drivers/staging/signature-inclusion
+++ b/drivers/staging/signature-inclusion
@@ -12,6 +12,7 @@ r8188eu.ko
 r8192e_pci.ko
 r8192u_usb.ko
 r8712u.ko
+r8822be.ko
 rtllib_crypt_ccmp.ko
 rtllib_crypt_tkip.ko
 rtllib_crypt_wep.ko
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [SRU] [B/C/D/Unstable] [PATCH 0/1] Make r8822be usable under kernel lockdown

Seth Forshee
In reply to this post by Kai-Heng Feng
On Thu, Dec 06, 2018 at 03:00:40PM +0800, Kai-Heng Feng wrote:

> BugLink: http://bugs.launchpad.net/bugs/1806472
>
> [Impact]
> Realtek 8822be doesn't work under kernel lockdown.
>
> [Fix]
> Add r8822be.ko to signature-inclusion, so it can be signed and be loaded
> when lockdown is enabled.
>
> [Test]
> Since I can't signed the kernel so it's not tested.
>
> [Regression Potential]
> Low. The driver is maintained by a Realtek guy, so bugs are actually
> getting fixed.

I don't see any indication whether you've inspected the driver to see if
any interfaces are exported to userspace which are unsafe under kernel
lockdown. We're going to need to know that this has been done before
allowing the driver to be signed.

Thanks,
Seth

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [SRU] [B/C/D/Unstable] [PATCH 0/1] Make r8822be usable under kernel lockdown

Kai-Heng Feng


> On Dec 11, 2018, at 04:51, Seth Forshee <[hidden email]> wrote:
>
> On Thu, Dec 06, 2018 at 03:00:40PM +0800, Kai-Heng Feng wrote:
>> BugLink: http://bugs.launchpad.net/bugs/1806472
>>
>> [Impact]
>> Realtek 8822be doesn't work under kernel lockdown.
>>
>> [Fix]
>> Add r8822be.ko to signature-inclusion, so it can be signed and be loaded
>> when lockdown is enabled.
>>
>> [Test]
>> Since I can't signed the kernel so it's not tested.
>>
>> [Regression Potential]
>> Low. The driver is maintained by a Realtek guy, so bugs are actually
>> getting fixed.
>
> I don't see any indication whether you've inspected the driver to see if
> any interfaces are exported to userspace which are unsafe under kernel
> lockdown. We're going to need to know that this has been done before
> allowing the driver to be signed.

I’ve checked the source, the driver uses mac80211 API to talk to userspace (nl80211), which should be safe

Other than that it exposes a debugfs with write permission. All of them have input validations, so overall it’s in good shape.

Kai-Heng

>
> Thanks,
> Seth


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team