UBUNTU: SAUCE: Add selective signing of staging modules

BugLink: https://bugs.launchpad.net/bugs/1642368

'Untrusted' staging modules shouldn't be loadable in a secure boot
environment so only sign modules listed in debian/signature-inclusion.

Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Juerg Haefliger
2022-06-21 15:18:22 +02:00
committed by Paolo Pisati
parent a6ecb4e674
commit 47f076fe3a
+7 -2
@@ -101,8 +101,13 @@ else
sig-key := $(CONFIG_MODULE_SIG_KEY)
endif
quiet_cmd_sign = SIGN $@
cmd_sign = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@ \
$(if $(KBUILD_EXTMOD),|| true)
cmd_sign = if echo "$@" | grep -qF "/drivers/staging/" && \
test -f $(srctree)/debian/signature-inclusion && \
! grep -qFx "$(notdir $@)" $(srctree)/debian/signature-inclusion ; \
then echo "UBUNTU: Not signing $@" ; \
else scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(sig-key) certs/signing_key.x509 $@ \
$(if $(KBUILD_EXTMOD),|| true) ; \
fi
ifeq ($(sign-only),)