UBUNTU: [Packaging] Add module-signature-check

BugLink: https://bugs.launchpad.net/bugs/1642368

Check the signature of staging modules during package build.

Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>

debian/rules.d/4-checks.mk

@@ -10,13 +10,21 @@ module-check-%: $(stampdir)/stamp-install-%
 	$(DROOT)/scripts/module-check "$*" \
 		"$(prev_abidir)" "$(abidir)" $(skipmodule)
 
+# Check the signature of staging modules
+module-signature-check-%: $(stampdir)/stamp-install-%
+	@echo Debug: $@
+	$(DROOT)/scripts/module-signature-check "$*" \
+		"$(DROOT)/$(mods_pkg_name)-$*" \
+		"$(DROOT)/$(mods_extra_pkg_name)-$*" \
+		"$(DROOT)/signature-inclusion"
+
 # Check the reptoline jmp/call functions against the last release.
 retpoline-check-%: $(stampdir)/stamp-install-%
 	@echo Debug: $@
 	$(SHELL) $(DROOT)/scripts/retpoline-check "$*" \
 		"$(prev_abidir)" "$(abidir)" "$(skipretpoline)" "$(builddir)/build-$*"
 
-checks-%: module-check-% abi-check-% retpoline-check-%
+checks-%: module-check-% module-signature-check-% abi-check-% retpoline-check-%
 	@echo Debug: $@
 
 # Check the config against the known options list.

debian/scripts/module-signature-check

@@ -0,0 +1,67 @@
+#!/bin/bash -eu
+
+flavor="${1}"
+mods_dir="${2}"
+mods_extra_dir="${3}"
+sig_inc="${4}"
+
+echo "II: Checking signature of staging modules for ${flavor}..."
+
+if [ -f "${sig_inc}" ] ; then
+	echo "II: Use signature inclusion file:"
+	echo "    ${sig_inc}"
+	sig_all=0
+else
+	echo "WW: Signature inclusion file missing:"
+	echo "    ${sig_inc}"
+	echo "II: All modules must be signed"
+	sig_all=1
+fi
+
+if ! [ -d "${mods_dir}" ] ; then
+	echo "EE: Modules directory missing:"
+	echo "    ${mods_dir}"
+	exit 1
+fi
+
+echo "II: Checking modules directory:"
+echo "    ${mods_dir}"
+mods_dirs=("${mods_dir}")
+
+if [ -d "${mods_extra_dir}" ] ; then
+	echo "    ${mods_extra_dir}"
+	mods_dirs+=("${mods_extra_dir}")
+fi
+
+pass=0
+fail=0
+while IFS= read -r mod ; do
+	is=0
+	if /sbin/modinfo "${mod}" | grep -q "^signature:" ; then
+		# Module is signed
+		is=1
+	fi
+
+	must=0
+	if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_inc}" ; then
+		# Module must be signed
+		must=1
+	fi
+
+	case "${is}${must}" in
+		00) echo "    PASS (unsigned) : ${mod##*/}" ; pass=$((pass + 1)) ;;
+		01) echo "    FAIL (unsigned) : ${mod##*/}" ; fail=$((fail + 1)) ;;
+		10) echo "    FAIL (signed)   : ${mod##*/}" ; fail=$((fail + 1)) ;;
+		11) echo "    PASS (signed)   : ${mod##*/}" ; pass=$((pass + 1)) ;;
+	esac
+done < <(find "${mods_dirs[@]}" -path '*/drivers/staging/*.ko' | sort)
+
+echo "II: Checked $((pass + fail)) modules : ${pass} PASS, ${fail} FAIL"
+
+if [ ${fail} -eq 0 ] ; then
+	echo "II: Done"
+	exit 0
+else
+	echo "EE: Modules signature failures"
+	exit 1
+fi