UBUNTU: [Debian] Suppress module signing for staging drivers

BugLink: http://bugs.launchpad.net/bugs/1642368
Prevent staging drivers from being loadable in a secure boot environment.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
new file mode 100644 (file)
index 0000000..c34f191
--- /dev/null
+++ b/drivers/staging/signature-inclusion
@@ -0,0 +1,5 @@
+#
+# This file lists the staging drivers that are safe for signing
+# and loading in a secure boot environment with signed module enforcement.
+#
+

diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 07650eeaaf06dd85bb5f3439959ed05c36d8a5ff..0f7b7cb181222850ba93465d6a130424cdd6457b 100644 (file)
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -22,8 +22,11 @@ quiet_cmd_modules_install = INSTALL $@
     mkdir -p $(2) ; \
     cp $@ $(2) ; \
     $(mod_strip_cmd) $(2)/$(notdir $@) ; \
-    $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
-    $(mod_compress_cmd) $(2)/$(notdir $@)
+    if (echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/") && \
+       (! egrep -x "$(2)/$(notdir $@)" $(CURDIR)/drivers/staging/signature-inclusion) ; \
+       then echo Not signing "$(2)/$(notdir $@)"; \
+       else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
+               $(mod_compress_cmd) $(2)/$(notdir $@); fi
 
 # Modules built outside the kernel source tree go into extra by default
 INSTALL_MOD_DIR ?= extra