From c54957a3f42b24bc9213f8e12d669dc8997f8cd7 Mon Sep 17 00:00:00 2001 From: Juerg Haefliger Date: Mon, 9 May 2022 16:25:04 +0200 Subject: [PATCH] UBUNTU: [Packaging] Add module-signature-check BugLink: https://bugs.launchpad.net/bugs/1642368 Check the signature of staging modules during package build. Signed-off-by: Juerg Haefliger Acked-by: Tim Gardner Signed-off-by: Andrea Righi --- debian/rules.d/4-checks.mk | 10 +++- debian/scripts/module-signature-check | 67 +++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100755 debian/scripts/module-signature-check diff --git a/debian/rules.d/4-checks.mk b/debian/rules.d/4-checks.mk index d85de43adffc..ecc6b82aeab5 100644 --- a/debian/rules.d/4-checks.mk +++ b/debian/rules.d/4-checks.mk @@ -10,13 +10,21 @@ module-check-%: $(stampdir)/stamp-install-% $(DROOT)/scripts/module-check "$*" \ "$(prev_abidir)" "$(abidir)" $(skipmodule) +# Check the signature of staging modules +module-signature-check-%: $(stampdir)/stamp-install-% + @echo Debug: $@ + $(DROOT)/scripts/module-signature-check "$*" \ + "$(DROOT)/$(mods_pkg_name)-$*" \ + "$(DROOT)/$(mods_extra_pkg_name)-$*" \ + "$(DROOT)/signature-inclusion" + # Check the reptoline jmp/call functions against the last release. retpoline-check-%: $(stampdir)/stamp-install-% @echo Debug: $@ $(SHELL) $(DROOT)/scripts/retpoline-check "$*" \ "$(prev_abidir)" "$(abidir)" "$(skipretpoline)" "$(builddir)/build-$*" -checks-%: module-check-% abi-check-% retpoline-check-% +checks-%: module-check-% module-signature-check-% abi-check-% retpoline-check-% @echo Debug: $@ # Check the config against the known options list. diff --git a/debian/scripts/module-signature-check b/debian/scripts/module-signature-check new file mode 100755 index 000000000000..f28f4a89c913 --- /dev/null +++ b/debian/scripts/module-signature-check 
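Review bot: The new `module-signature-check-%` rule offers no override, while the sibling rules in this hunk hand `$(skipmodule)` and `$(skipretpoline)` to their scripts; since `checks-%` now depends on it, a flavour built without module signing can only pass the check by editing this file. If such builds are meant to work, pass a `$(skipmodulesignature)`-style variable as a fifth argument so the script can downgrade failures to warnings the way the other checks do, and document the knob next to the rule. Invoking the script directly rather than through `$(SHELL)` as `retpoline-check-%` does looks deliberate and deserves a comment, because `$(SHELL)` would bypass the script's `#!/bin/bash -eu` shebang; e.g. `# run directly: the script needs bash and relies on -eu from its shebang`. `mods_pkg_name` and `mods_extra_pkg_name` are defined outside this hunk, so I cannot confirm they expand to the installed module trees the script walks.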
@@ -0,0 +1,67 @@
+#!/bin/bash -eu
+
+flavor="${1}"
+mods_dir="${2}"
+mods_extra_dir="${3}"
+sig_inc="${4}"
+
+echo "II: Checking signature of staging modules for ${flavor}..."
+
+if [ -f "${sig_inc}" ] ; then
+echo "II: Use signature inclusion file:"
+echo " ${sig_inc}"
+sig_all=0
+else
+echo "WW: Signature inclusion file missing:"
+echo " ${sig_inc}"
+echo "II: All modules must be signed"
+sig_all=1
+fi
+
+if ! [ -d "${mods_dir}" ] ; then
+echo "EE: Modules directory missing:"
+echo " ${mods_dir}"
+exit 1
+fi
+
+echo "II: Checking modules directory:"
+echo " ${mods_dir}"
+mods_dirs=("${mods_dir}")
+
+if [ -d "${mods_extra_dir}" ] ; then
+echo " ${mods_extra_dir}"
+mods_dirs+=("${mods_extra_dir}")
+fi
+
+pass=0
+fail=0
+while IFS= read -r mod ; do
+is=0
+if /sbin/modinfo "${mod}" | grep -q "^signature:" ; then
+# Module is signed
+is=1
+fi
+
+must=0
+if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_inc}" ; then
+# Module must be signed
+must=1
+fi
+
+case "${is}${must}" in
+00) echo " PASS (unsigned) : ${mod##*/}" ; pass=$((pass + 1)) ;;
+01) echo " FAIL (unsigned) : ${mod##*/}" ; fail=$((fail + 1)) ;;
+10) echo " FAIL (signed) : ${mod##*/}" ; fail=$((fail + 1)) ;;
+11) echo " PASS (signed) : ${mod##*/}" ; pass=$((pass + 1)) ;;
+esac
+done < <(find "${mods_dirs[@]}" -path '*/drivers/staging/*.ko' | sort)
+
+echo "II: Checked $((pass + fail)) modules : ${pass} PASS, ${fail} FAIL"
+
+if [ ${fail} -eq 0 ] ; then
+echo "II: Done"
+exit 0
+else
+echo "EE: Modules signature failures"
+exit 1
+fi
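Review bot: The signedness test at `if /sbin/modinfo "${mod}" | grep -q "^signature:"` only establishes that modinfo reports a `signature:` field, i.e. that some signature blob is appended; it neither verifies the signature nor pins the signer, so a staging module signed with an unexpected key still counts as `PASS (signed)`. Because the shebang sets `-eu` but not `pipefail` and the pipeline sits in an `if`, a `modinfo` failure on an unreadable or malformed `.ko` is also silently reported as `PASS (unsigned)` whenever that module is not in the inclusion list. Capture modinfo's output and exit status separately and count a failure as FAIL, and if the expected signing certificate is known at build time consider also matching modinfo's `signer:`/`sig_key:` fields against it. The `find` pattern matches only `*.ko`, so if module compression were ever enabled (`.ko.zst`, `.ko.xz`) the run would end with `Checked 0 modules` and exit 0; treating zero matched modules as an error makes such a regression visible.
```shell
	is=0
	# Capture modinfo separately so a parse failure is a FAIL, not "unsigned"
	if ! info="$(/sbin/modinfo "${mod}" 2>&1)" ; then
		echo "  FAIL (modinfo)  : ${mod##*/}" ; fail=$((fail + 1)) ; continue
	fi
	if grep -q "^signature:" <<< "${info}" ; then
		# Module is signed
		is=1
	fi
	# … unchanged: must= and case handling …
done < <(find "${mods_dirs[@]}" -path '*/drivers/staging/*.ko' | sort)

if [ $((pass + fail)) -eq 0 ] ; then
	echo "EE: No staging modules found under ${mods_dirs[*]}"
	exit 1
fi
```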