Public bug reported:

The exclusion to module signing is broken in xenial, zesty, and artful.
In xenial the mechanism will never sign any staging modules, not even
those in the signature-inclusion whitelist. In zesty and artful all
staging drivers are signed.

There are two problems, both related to the signature-inclusion
whitelist handling. First, the path to the file is relative to where
make was invoked, which only works when the source and build directories
are the same (which is not the case for package builds). In xenial this
means that the condition to signing always evaluates such that staging
modules are not signed. However, zesty and artful contain an additional
check for the existence of that file which results in signing staging
modules when it is not found.

The second problem is that signature-inclusion contains only the module
name for staging drivers which should be signed. However, the grep
statement which matches against that file uses the full path to the
install location of the module, which will never match.

** Affects: linux (Ubuntu)
     Importance: High
     Assignee: Seth Forshee (sforshee)
         Status: Fix Committed

** Affects: linux (Ubuntu Xenial)
     Importance: High
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

** Affects: linux (Ubuntu Zesty)
     Importance: High
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Zesty)
       Status: New => In Progress

** Changed in: linux (Ubuntu Zesty)
     Assignee: (unassigned) => Seth Forshee (sforshee)

https://bugs.launchpad.net/bugs/1690908

Title:
  Module signing exclusion for staging drivers does not work properly

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Zesty:
  In Progress
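
The two whitelist problems described in the report, modelled as a small shell check next to a corrected form; this is an added example, not the Ubuntu kernel's build code. The function names, the module names and paths, and the assumption that whitelist entries are `.ko` file names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: models the two whitelist problems from the report.
# Function names, paths and module names are constructed, not Ubuntu's code.

# Flawed check (zesty/artful behaviour as reported): $1 is the whitelist path
# as given (possibly relative), $2 the module's install path. Exit 0 = sign.
should_sign_flawed() {
    case $2 in */drivers/staging/*) ;; *) return 0 ;; esac
    [ -f "$1" ] || return 0          # list not found: signs everything
    grep -qF -- "$2" "$1"            # full path vs. bare names: never matches
}

# Corrected check: absolute whitelist path, match on the file name only
# (whole line, literal), and refuse to sign if the list cannot be read.
should_sign_fixed() {
    case $2 in */drivers/staging/*) ;; *) return 0 ;; esac
    case $1 in /*) ;; *) return 1 ;; esac
    [ -r "$1" ] || return 1
    grep -qxF -- "${2##*/}" "$1"
}

verdict() { if "$@"; then printf sign; else printf skip; fi; }

# Builds a constructed source tree and a separate build directory, then
# evaluates both checks from the build directory, as a package build would.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src" "$tmp/build"
    printf '%s\n' listed.ko > "$tmp/src/signature-inclusion"
    dir=/lib/modules/X/kernel/drivers/staging/demo   # constructed path
    (
        cd "$tmp/build" || exit 1
        rel=signature-inclusion; abs=$tmp/src/signature-inclusion
        printf 'flawed-rel:%s,' "$(verdict should_sign_flawed "$rel" "$dir/unlisted.ko")"
        printf 'flawed-abs:%s,' "$(verdict should_sign_flawed "$abs" "$dir/listed.ko")"
        printf 'fixed:%s/%s/%s\n' \
            "$(verdict should_sign_fixed "$abs" "$dir/listed.ko")" \
            "$(verdict should_sign_fixed "$abs" "$dir/unlisted.ko")" \
            "$(verdict should_sign_fixed "$rel" "$dir/listed.ko")"
    )
    rm -rf "$tmp"
}

demo
```

The output fields show, in order: an unlisted staging module signed because the relative path did not resolve, a listed module skipped because its full path was compared against bare names, and the corrected check signing only the listed module while refusing a relative whitelist path.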
