** Description changed:

+ SRU Justification
+ 
+ Impact: The exclusion of staging drivers from module signing and
+ associated whitelisting are broken in xenial and zesty. In xenial even
+ whitelisted modules aren't signed; in zesty all staging modules are
+ signed.
+ 
+ Fix: Fix two implementation bugs, the first of which looks for the
+ signature-inclusion file in the wrong location, and the second of which
+ uses the full path to match against modules in signature-inclusion
+ rather than just the module name.
+ 
+ Regression Potential: The fix is simple and trivially tested, so no
+ regressions are expected.
+ 
+ ---
+ 
  The exclusion to module signing is broken in xenial, zesty, and artful.
  In xenial the mechanism will never sign any staging modules, not even
  those in the signature-inclusion whitelist. In zesty and artful all
  staging drivers are signed.
  
  There are two problems, both related to the signature-inclusion
  whitelist handling. First, the path to the file is relative to where
  make was invoked, which only works when the source and build directories
  are the same (which is not the case for package builds). In xenial this
  means that the condition to signing always evaluates such that staging
  modules are not signed. However zesty and artful contain an additional
  check for the existence of that file which results in signing staging
  modules when it is not found.
  
  The second problem is that signature-inclusion contains only the module
  name for staging drivers which should be signed. However the grep
  statement which matches against that file uses the full path to the
  install location of the module, which will never match.
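
Review bot: The Impact paragraph of the added SRU Justification lists only two releases ("broken in xenial and zesty"), while the unchanged description below the `---` says the exclusion is broken in xenial, zesty, and artful, with artful behaving like zesty. Either name artful in Impact or say that it is handled outside this SRU, so the list of affected releases is consistent. The Fix paragraph says the signature-inclusion file is looked up "in the wrong location" without stating the corrected one; since the description attributes the failure to a path relative to where make was invoked, stating what the path is now resolved against would make the fix easier to verify. Regression Potential could also name the check to run, for example confirming that staging modules listed in signature-inclusion are signed and the remaining staging modules are not.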

** Description changed:

  SRU Justification
  
  Impact: The exclusion of staging drivers from module signing and
  associated whitelisting are broken in xenial and zesty. In xenial even
  whitelisted modules aren't signed; in zesty all staging modules are
  signed.
  
  Fix: Fix two implementation bugs, the first of which looks for the
  signature-inclusion file in the wrong location, and the second of which
  uses the full path to match against modules in signature-inclusion
  rather than just the module name.
  
- Regression Potential: The fix is simple and trivially tested, so no
+ Regression Potential: The fix is simple and trivial to test, so no
  regressions are expected.
  
  ---
  
  The exclusion to module signing is broken in xenial, zesty, and artful.
  In xenial the mechanism will never sign any staging modules, not even
  those in the signature-inclusion whitelist. In zesty and artful all
  staging drivers are signed.
  
  There are two problems, both related to the signature-inclusion
  whitelist handling. First, the path to the file is relative to where
  make was invoked, which only works when the source and build directories
  are the same (which is not the case for package builds). In xenial this
  means that the condition to signing always evaluates such that staging
  modules are not signed. However zesty and artful contain an additional
  check for the existence of that file which results in signing staging
  modules when it is not found.
  
  The second problem is that signature-inclusion contains only the module
  name for staging drivers which should be signed. However the grep
  statement which matches against that file uses the full path to the
  install location of the module, which will never match.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1690908

Title:
  Module signing exclusion for staging drivers does not work properly
