Build and ship a signed wireguard.ko

Bug #1861284 reported by Andy Whitcroft on 2020-01-29
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Andy Whitcroft
Xenial
Medium
Andy Whitcroft
Bionic
Undecided
Andy Whitcroft
Eoan
Undecided
Andy Whitcroft

Bug Description

..

Andy Whitcroft (apw) on 2020-01-29
Changed in linux (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
status: New → In Progress
Launchpad Janitor (janitor) wrote :
Download full text (81.5 KiB)

This bug was fixed in the package linux - 5.4.0-18.22

---------------
linux (5.4.0-18.22) focal; urgency=medium

  * focal/linux: 5.4.0-18.22 -proposed tracker (LP: #1866488)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts

  * Add sysfs attribute to show remapped NVMe (LP: #1863621)
    - SAUCE: ata: ahci: Add sysfs attribute to show remapped NVMe device count

  * [20.04 FEAT] Compression improvements in Linux kernel (LP: #1830208)
    - lib/zlib: add s390 hardware support for kernel zlib_deflate
    - s390/boot: rename HEAP_SIZE due to name collision
    - lib/zlib: add s390 hardware support for kernel zlib_inflate
    - s390/boot: add dfltcc= kernel command line parameter
    - lib/zlib: add zlib_deflate_dfltcc_enabled() function
    - btrfs: use larger zlib buffer for s390 hardware compression
    - [Config] Introducing s390x specific kernel config option CONFIG_ZLIB_DFLTCC

  * [UBUNTU 20.04] s390x/pci: increase CONFIG_PCI_NR_FUNCTIONS to 512 in kernel
    config (LP: #1866056)
    - [Config] Increase CONFIG_PCI_NR_FUNCTIONS from 64 to 512 starting with focal
      on s390x

  * CONFIG_IP_MROUTE_MULTIPLE_TABLES is not set (LP: #1865332)
    - [Config] CONFIG_IP_MROUTE_MULTIPLE_TABLES=y

  * Dell XPS 13 9300 Intel 1650S wifi [34f0:1651] fails to load firmware
    (LP: #1865962)
    - iwlwifi: remove IWL_DEVICE_22560/IWL_DEVICE_FAMILY_22560
    - iwlwifi: 22000: fix some indentation
    - iwlwifi: pcie: rx: use rxq queue_size instead of constant
    - iwlwifi: allocate more receive buffers for HE devices
    - iwlwifi: remove some outdated iwl22000 configurations
    - iwlwifi: assume the driver_data is a trans_cfg, but allow full cfg

  * [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
    (LP: #1861521)
    - Revert "USUNTU: SAUCE: drm/i915: Force DPCD backlight mode on Dell Precision
      4K sku"
    - Revert "UBUNTU: SAUCE: drm/i915: Force DPCD backlight mode on X1 Extreme 2nd
      Gen 4K AMOLED panel"
    - SAUCE: drm/dp: Introduce EDID-based quirks
    - SAUCE: drm/i915: Force DPCD backlight mode on X1 Extreme 2nd Gen 4K AMOLED
      panel
    - SAUCE: drm/i915: Force DPCD backlight mode for some Dell CML 2020 panels

  * [20.04 FEAT] Enable proper kprobes on ftrace support (LP: #1865858)
    - s390/ftrace: save traced function caller
    - s390: support KPROBES_ON_FTRACE

  * alsa/sof: load different firmware on different platforms (LP: #1857409)
    - ASoC: SOF: Intel: hda: use fallback for firmware name
    - ASoC: Intel: acpi-match: split CNL tables in three
    - ASoC: SOF: Intel: Fix CFL and CML FW nocodec binary names.

  * [UBUNTU 20.04] Enable CONFIG_NET_SWITCHDEV in kernel config for s390x
    starting with focal (LP: #1865452)
    - [Config] Enable CONFIG_NET_SWITCHDEV in kernel config for s390x starting
      with focal

  * Focal update: v5.4.24 upstream stable release (LP: #1866333)
    - io_uring: grab ->fs as part of async offload
    - EDAC: skx_common: downgrade message importance on missing PCI device
    - net: dsa: b53: Ensure the default VID is untagged
    - net: fib_rules: Correctly set table field when table number exceeds 8 bit...

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Changed in linux (Ubuntu Eoan):
status: New → In Progress
Changed in linux (Ubuntu Eoan):
assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan
Khaled El Mously (kmously) wrote :

Confirmed that wireguard.ko is built:

┌[kmously@kbuntu] [11:50:24] [1]
└[~/download/firefox]> dpkg -c linux-modules-5.3.0-56-generic_5.3.0-56.50_amd64.deb|grep -i wire
drwxr-xr-x root/root 0 2020-05-25 23:45 ./lib/modules/5.3.0-56-generic/kernel/wireguard/
-rw-r--r-- root/root 273625 2020-05-25 23:45 ./lib/modules/5.3.0-56-generic/kernel/wireguard/wireguard.ko

And signed:

┌[kmously@kbuntu] [11:52:53]
└[~/download/firefox]> modinfo /tmp/wireguard.ko
filename: /tmp/wireguard.ko
intree: Y
alias: net-pf-16-proto-16-family-wireguard
alias: rtnl-link-wireguard
version: 1.0.20200506
author: Jason A. Donenfeld <email address hidden>
description: WireGuard secure network tunnel
license: GPL v2
srcversion: 9A3DC535BF0B1CFF7B9F87A
depends: udp_tunnel,ip6_udp_tunnel
retpoline: Y
name: wireguard
vermagic: 5.3.0-56-generic SMP mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4

tags: added: verification-done-eoan
removed: verification-needed-eoan
Launchpad Janitor (janitor) wrote :
Download full text (22.0 KiB)

This bug was fixed in the package linux - 5.3.0-59.53

---------------
linux (5.3.0-59.53) eoan; urgency=medium

  * CVE-2020-0543
    - SAUCE: x86/speculation/spectre_v2: Exclude Zhaoxin CPUs from SPECTRE_V2
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

linux (5.3.0-56.50) eoan; urgency=medium

  * eoan/linux: 5.3.0-56.50 -proposed tracker (LP: #1880111)

  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Packaging] wireguard -- add support for building signed .ko
    - [Config] wireguard -- enable on all architectures

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * debian/scripts/file-downloader does not handle positive failures correctly
    (LP: #1878897)
    - [Packaging] file-downloader not handling positive failures correctly

  * Killer(R) Wi-Fi 6 AX1650i 160MHz Wireless Network Adapter (201NGW),
    REV=0x354 [8086:a0f0] subsystem id [1a56:1651] wireless adapter not found
    due to firmware crash (LP: #1874685)
    - iwlwifi: pcie: handle QuZ configs with killer NICs as well

  * CVE-2020-12114
    - propagate_one(): mnt_set_mountpoint() needs mount_lock

  * Eoan update: upstream stable patchset 2020-05-11 (LP: #1878073)
    - ext4: fix extent_status fragmentation for plain files
    - bpftool: Fix printing incorrect pointer in btf_dump_ptr
    - [Config] updateconfigs for ARM64_ERRATUM_1542419
    - arm64: errata: Hide CTR_EL0.DIC on systems affected by Neoverse-N1 #1542419
    - arm64: Fake the IminLine size on systems affected by Neoverse-N1 #1542419
    - arm64: compat: Workaround Neoverse-N1 #1542419 for compat user-space
    - arm64: Silence clang warning on mismatched value/register sizes
    - watchdog: reset last_hw_keepalive time at start
    - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login
    - scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG
    - ceph: return ceph_mdsc_do_request() errors from __get_parent()
    - ceph: don't skip updating wanted caps when cap is stale
    - pwm: rcar: Fix late Runtime PM enablement
    - scsi: iscsi: Report unbind session event when the target has been removed
    - ASoC: Intel: atom: Take the drv->lock mutex before calling
      sst_send_slot_map()
    - nvme: fix deadlock caused by ANA update wrong locking
    - kernel/gcov/fs.c: gcov_seq_next() should increase position index
    - selftests: kmod: fix handling test numbers above 9
    - ipc/util.c: sysvipc_find_ipc() should increase position index
    - kconfig: qconf: Fix a few alignment issues
    - s390/cio: avoid duplicated 'ADD' uevents
    - loop: Better discard support for block devices
    - Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs
      enabled"
    - pwm: renesas-tpu: Fix late Runtime PM enablement
    - pwm: bcm2835: Dynamically allocate base
    - perf/core: Disable page faults when get...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) on 2020-06-19
Changed in linux (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
tags: added: verification-needed-xenial
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (17.7 KiB)

This bug was fixed in the package linux - 4.15.0-109.110

---------------
linux (4.15.0-109.110) bionic; urgency=medium

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - update dkms package versions

  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Packaging] wireguard -- add support for building signed .ko

  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

  * CVE-2019-12380
    - efi/x86/Add missing error handling to old_memmap 1:1 mapping code

  * CVE-2019-19039 // CVE-2019-19377
    - btrfs: sink flush_fn to extent_write_cache_pages
    - btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up
    - btrfs: Don't submit any btree write bio if the fs has errors

  * CVE-2019-19036
    - btrfs: volumes: Use more straightforward way to calculate map length
    - btrfs: tree-checker: Try to detect missing INODE_ITEM
    - Btrfs: tree-checker: detect file extent items with overlapping ranges
    - Btrfs: make tree checker detect checksum items with overlapping ranges
    - btrfs: harden agaist duplicate fsid on scanned devices
    - Btrfs: fix missing data checksums after replaying a log tree
    - btrfs: reloc: fix reloc root leak and NULL pointer dereference
    - btrfs: Validate child tree block's level and first key
    - btrfs: Detect unbalanced tree with empty leaf before crashing btree
      operations

  * CVE-2019-19318
    - btrfs: tree-checker: Replace root parameter with fs_info
    - btrfs: tree-checker: Check level for leaves and nodes
    - btrfs: tree-checker: get fs_info from eb in generic_err
    - btrfs: tree-checker: get fs_info from eb in file_extent_err
    - btrfs: tree-checker: get fs_info from eb in check_csum_item
    - btrfs: tree-checker: get fs_info from eb in dir_item_err
    - btrfs: tree-checker: get fs_info from eb in check_dir_item
    - btrfs: tree-checker: get fs_info from eb in block_group_err
    - btrfs: tree-checker: get fs_info from eb in check_block_group_item
    - btrfs: tree-checker: get fs_info from eb in check_extent_data_item
    - btrfs: tree-checker: get fs_info from eb in check_leaf_item
    - btrfs: tree-checker: get fs_info from eb in check_leaf
    - btrfs: tree-checker: get fs_info from eb in chunk_err
    - btrfs: tree-checker: get fs_info from eb in dev_item_err
    - btrfs: tree-checker: get fs_info from eb in check_dev_item
    - btrfs: tree-checker: get fs_info from eb in check_inode_item
    - btrfs: tree-checker: Add ROOT_ITEM check
    - btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check
    - btrfs: tree-checker: Add simple keyed refs check
    - btrfs: tree-checker: Add EXTENT_DATA_REF check
    - btrfs: tree-checker: Fix wrong check on max devid
    - Btrfs: fix selftests failure due to uninitialized i_mode in test inodes

  * CVE-2019-19813 // CVE-2019-19816
    - btrfs: Refactor parameter of BTRFS_MAX_DEVS() from root to fs_info
    - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it
    - btrfs: tree-checker: Make chunk item checker messages more readable
    - btrfs...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Khaled El Mously (kmously) wrote :

The -modules package of the -112 kernel contains the following wireguard module:

└[~]> modinfo /tmp/wireguard.ko
filename: /tmp/wireguard.ko
intree: Y
alias: net-pf-16-proto-16-family-wireguard
alias: rtnl-link-wireguard
version: 1.0.20200611
author: Jason A. Donenfeld <email address hidden>
description: WireGuard secure network tunnel
license: GPL v2
srcversion: DB5EB522A99DFA7CDEC1B3A
depends: udp_tunnel,ip6_udp_tunnel
retpoline: Y
name: wireguard
vermagic: 4.15.0-112-generic SMP mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4

Andy Whitcroft (apw) on 2020-07-28
Changed in linux (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
Stefan Bader (smb) on 2020-08-06
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
Stefan Bader (smb) on 2020-08-11
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (17.7 KiB)

This bug was fixed in the package linux - 4.4.0-189.219

---------------
linux (4.4.0-189.219) xenial; urgency=medium

  * xenial/linux: 4.4.0-189.219 -proposed tracker (LP: #1891057)

  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [Packaging] dkms -- dkms package build packaging support
    - [Packaging] wireguard -- add support for building signed .ko
    - [Packaging] ignore wireguard modules when wireguard is disabled
    - [Config] update dkms package versions
    - [Config] wireguard -- enable for all architectures

  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (4.4.0-188.218) xenial; urgency=medium

  * xenial/linux: 4.4.0-188.218 -proposed tracker (LP: #1890670)

  * Xenial update: v4.4.232 upstream stable release (LP: #1889928)
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
      compeletion")
    - perf/core: Fix locking for children siblings group read
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
      GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - x86/fpu: Disable bottom halves while loading FPU registers
    - btrfs: fix mount failure caused by race with umount
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
      path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
      configuration
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - scripts/decode_stacktrace: strip basepath from all paths
    - regmap: dev_get_regmap_match(): fix string comparison
    - usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
    - arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
    - x86: math-emu: Fix up 'cmp' insn for clang ias
    - Revert "cifs: Fix the target file was deleted when rename failed."
    - staging: wlan-ng: properly check endpoint types
    - staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
    - staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
    - serial: 8250: fix null-ptr-deref in serial8250_start_tx()
    - serial: 8250_mtk: Fix high-speed baud rates clamping
    - mm/memcg: fix refcount error while moving and swapping
 ...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers