dkms: skip module signing when hash is unknown #312
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The variable is a simple int/bool, so make sure it's initialized and properly check it. Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
No functional change for now. Later commit will rework the behaviour, so this keeps code motion and behaviour changes into separate commits. Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Currently we'll attempt to sign the modules, even when we don't have the kernel config and/or when CONFIG_MODULE_SIG_HASH is not set. This serves little purpose, since in either of those cases the kernel won't check the signature. Surprise! Turns out Debian 9 does not enable signing, even though it ships the sign-file tool. Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Currently we strip out all the signing, even when non is happening. This can trivially mask bugs, so let's stop that. Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
|
As anticipated, there were some holes in the behaviour and tooling. Aka we were trying to sign things on Debian 9, which does not support it. While there, I've also tweaked the tests to strip/generalise only as needed. |
|
Just had another look through this and it seems reasonable - merging. @xuzhen do let me know if you spot anything wrong. Happy to do any follow-up fixes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently we'll attempt to sign the modules, even when we don't have the
kernel config and/or when CONFIG_MODULE_SIG_HASH is not set.
This serves little purpose, since in either of those cases the kernel
won't check the signature.
As mentioned previously
@xuzhen please give this a once-over. I suspect that some tests may fail, because we duck-tap (read workarounds) which need updateing