Source: linux Version: 4.9.2-2 Severity: normal Tags: patch Dear maintainer, If building with CONFIG_MODULE_SIG_ALL and CONFIG_DEBUG_INFO the objcopy call that adds the debuglink has the side-effect of removing the signature added to the kernel module, which breaks booting if the option to enforce module signatures is also enabled. The fix is to explicitly sign the installed modules again in that case. A small patch from my colleague Jan Blunck is attached. Thank you! Kind regards, Luca Boccassi From 9e6f694354d25f47b4bcb6656d3eb05fc3351a13 Mon Sep 17 00:00:00 2001 From: Jan Blunck <jblunck@infradead.org> Date: Thu, 26 Jan 2017 17:04:11 +0100 Subject: [PATCH] Fix stripped module signatures if CONFIG_DEBUG_INFO If building with CONFIG_MODULE_SIG_ALL and CONFIG_DEBUG_INFO the objcopy call that adds the debuglink has the side-effect of removing the signature added to the kernel module. Let's explicitly sign the installed modules again in that case. --- debian/rules.real | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/rules.real b/debian/rules.real index 868efa3..b818c35 100644 --- a/debian/rules.real +++ b/debian/rules.real @@ -417,6 +417,9 @@ ifeq ($(DEBUG),True) find $(PACKAGE_DIR) -name '*.ko' | sed 's|$(PACKAGE_DIR)/lib/modules/$(REAL_VERSION)/kernel/||' | while read module ; do \ $(CROSS_COMPILE)objcopy --add-gnu-debuglink=$(DIR)/$$module $(PACKAGE_DIR)/lib/modules/$(REAL_VERSION)/kernel/$$module || exit; \ done + +if grep -qs '^CONFIG_MODULE_SIG_ALL=y' $(DIR)/.config; then \ + $(MAKE_CLEAN) -C $(DIR) modules_sign INSTALL_MOD_PATH='$(CURDIR)'/$(PACKAGE_DIR); \ + fi endif cp $(DIR)/.config $(PACKAGE_DIR)/boot/config-$(REAL_VERSION) cp $(DIR)/System.map $(PACKAGE_DIR)/boot/System.map-$(REAL_VERSION) -- 2.1.4
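Review bot: the added `if grep -qs '^CONFIG_MODULE_SIG_ALL=y' ... modules_sign` block at the end of the `ifeq ($(DEBUG),True)` branch has no comment explaining that it must run after the `objcopy --add-gnu-debuglink` loop, so a later reordering of the recipe would silently reintroduce unsigned modules. Please add a one-line comment above it stating that objcopy drops the appended signature and that the modules are re-signed for that reason. It would also help to fail the build if any `*.ko` under `$(PACKAGE_DIR)` still lacks a signature after this step: the condition only looks at `CONFIG_MODULE_SIG_ALL` in `$(DIR)/.config`, and nothing confirms that `modules_sign` actually left signed files behind.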
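The failure described in this report can be caught at package-build time by checking every installed `.ko` for the signature trailer that module signing appends. The following is an added example, not part of the original report or of the Debian packaging; it assumes the trailer layout of the kernel's `struct module_signature`, the sample module bytes are constructed, and the stripped case is simulated by dropping everything after the ELF data rather than by running objcopy.

```python
import struct
import tempfile
from pathlib import Path

# Marker the kernel looks for at the very end of a signed module.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit value (12 bytes total).
TRAILER = struct.Struct(">5B3xI")


def signature_info(blob):
    """Return trailer fields as a dict, or None if no usable signature."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        return None
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload = signer_len + key_id_len + sig_len
    if sig_len == 0 or payload > end - TRAILER.size:
        return None  # marker present, but the lengths do not fit the file
    return {"id_type": id_type, "sig_len": sig_len,
            "elf_len": end - TRAILER.size - payload}


def unsigned_modules(root):
    """List *.ko files under root that lack a well-formed trailer."""
    return sorted(str(p) for p in Path(root).rglob("*.ko")
                  if signature_info(p.read_bytes()) is None)


def sample_signed_module(elf=b"\x7fELF" + b"\0" * 60, sig=b"\xaa" * 256):
    """Constructed test data: fake ELF bytes, fake signature, real layout."""
    # id_type 2 is PKEY_ID_PKCS7, the value written for PKCS#7 signatures.
    return elf + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        signed = sample_signed_module()
        Path(tmp, "good.ko").write_bytes(signed)
        # Simulated effect of rewriting the ELF: the appended data is gone.
        Path(tmp, "stripped.ko").write_bytes(signed[:64])
        missing = unsigned_modules(tmp)
        print("unsigned:", missing)
        raise SystemExit(1 if missing else 0)
```

This only checks that a trailer is present and internally consistent; it does not verify the signature against a key.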