Fix signing of staging modules in eoan
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | High | Seth Forshee | |
| Eoan | Fix Released | Undecided | Unassigned | |
Bug Description
SRU Justification
Impact: Staging drivers should not be signed, apart from a small list of selected modules in drivers/
Fix: Check for a signature on the module before adding the .gnu_debuglink section, and only sign the result if the original was signed.
Test Case: Attached script which compares the built modules to the signature inclusion file and prints out any modules which are signed but not expected to be signed, and vice versa.
Regression Potential: Unsigned modules cannot be loaded under lockdown, which is automatically enabled under secure boot. Some may have been using erroneously signed modules under secure boot and will no longer be able to do so.
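A sketch of the kind of check the Test Case describes, as an added example (it is not the script attached to this bug): a module is treated as signed when the file ends with the kernel's `~Module signature appended~` marker, and the result is compared against an inclusion list. The module names, the set-of-file-names list format and the sample files are constructed assumptions; the marker only shows that a signature was appended, not that it verifies.

```python
import os
import tempfile

# Marker the kernel's signing tool appends after a module signature.
SIG_MAGIC = b"~Module signature appended~\n"

def is_signed(path):
    """True if the file ends with the module-signature marker."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        if f.tell() < len(SIG_MAGIC):
            return False  # too short to carry the marker
        f.seek(-len(SIG_MAGIC), os.SEEK_END)
        return f.read() == SIG_MAGIC

def audit(staging_dir, inclusion):
    """Return (signed_but_unexpected, unsigned_but_expected), both sorted."""
    unexpected, missing = [], []
    for root, _dirs, files in os.walk(staging_dir):
        for name in files:
            if not name.endswith(".ko"):
                continue
            signed = is_signed(os.path.join(root, name))
            if signed and name not in inclusion:
                unexpected.append(name)
            elif not signed and name in inclusion:
                missing.append(name)
    return sorted(unexpected), sorted(missing)

def demo():
    """Build a constructed module tree and audit it."""
    inclusion = {"allowed_a.ko", "allowed_b.ko"}  # constructed names
    samples = {
        "allowed_a.ko": True,   # listed and signed: consistent
        "allowed_b.ko": False,  # listed but unsigned: reported
        "other_c.ko": True,     # signed but not listed: reported
        "other_d.ko": False,    # unlisted and unsigned: consistent
    }
    with tempfile.TemporaryDirectory() as d:
        for name, signed in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x7fELF-constructed-body")
                if signed:
                    f.write(b"constructed-signature" + SIG_MAGIC)
        return audit(d, inclusion)

if __name__ == "__main__":
    print(demo())
```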
information type: Private Security → Public
tags: added: patch
Changed in linux (Ubuntu Eoan):
status: New → Fix Committed
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Updated patch.