From 771001178762a3d336bfa44522289a7431b2a4d9 Mon Sep 17 00:00:00 2001
From: Tim Gardner
Date: Wed, 16 Nov 2016 10:28:21 -0700
Subject: [PATCH] UBUNTU: [Debian] Suppress module signing for staging drivers
BugLink: http://bugs.launchpad.net/bugs/1642368
Prevent staging drivers from being loadable in a secure boot environment.
Signed-off-by: Tim Gardner
---
 drivers/staging/signature-inclusion | 5 +++++
 scripts/Makefile.modinst | 7 +++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 drivers/staging/signature-inclusion
diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
new file mode 100644
index 000000000000..c34f1912ffe0
--- /dev/null
+++ b/drivers/staging/signature-inclusion
@@ -0,0 +1,5 @@
+#
+# This file lists the staging drivers that are safe for signing
+# and loading in a secure boot environment with signed module enforcement.
+#
+
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 07650eeaaf06..0f7b7cb18122 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -22,8 +22,11 @@ quiet_cmd_modules_install = INSTALL $@
 mkdir -p $(2) ; \
 cp $@ $(2) ; \
 $(mod_strip_cmd) $(2)/$(notdir $@) ; \
- $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
- $(mod_compress_cmd) $(2)/$(notdir $@)
+ if (echo "$(2)/$(notdir $@)" | egrep -q "\/drivers\/staging\/") && \
+ (! egrep -x "$(2)/$(notdir $@)" $(CURDIR)/drivers/staging/signature-inclusion) ; \
+ then echo Not signing "$(2)/$(notdir $@)"; \
+ else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)) && \
+ $(mod_compress_cmd) $(2)/$(notdir $@); fi
 # Modules built outside the kernel source tree go into extra by default
 INSTALL_MOD_DIR ?= extra
-- 
2.39.5
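Review bot: The allow-list lookup in the second `egrep` of the `scripts/Makefile.modinst` hunk uses the full install path `$(2)/$(notdir $@)` as an unescaped regular expression with `-x`, so a line in `signature-inclusion` only counts if it matches the whole destination path. That path presumably varies with the install prefix and kernel release, and the lookup has no `-q`, so any matching line is echoed into the build output. A fixed-string match on the tree-relative name would make entries exact and portable, e.g. `(! grep -qFx "$@" $(srctree)/drivers/staging/signature-inclusion) ; \`, assuming `$@` is the module's path within the tree; `$(srctree)` rather than `$(CURDIR)` also keeps the list reachable when the build uses a separate output directory. Separately, `$(mod_compress_cmd)` now sits inside the `else` branch, so a staging module that is not signed is also never compressed; closing the conditional first, as in `else $(mod_sign_cmd) $(2)/$(notdir $@) $(patsubst %,|| true,$(KBUILD_EXTMOD)); fi && \`, and leaving the compress line after it keeps compression unconditional. The recipe begins above the hunk, so this is judged only from the visible lines.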