UBUNTU: [Config] enable CONFIG_MODVERSIONS=y

In order to support the livepatch key we need to ensure we do not allow that key to load modules which are not for the specific kernel. From the documentation on kernel module signing: If you use the same private key to sign modules for multiple kernel configurations, you must ensure that the module version information is sufficient to prevent loading a module into a different kernel. Either set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a different kernel release string by changing ``EXTRAVERSION`` or ``CONFIG_LOCALVERSION``. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
mariux64 · Feb 26, 2021 · 69c62aa · 69c62aa
1 parent 8592e5e
commit 69c62aa
Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/debian.oem/config/annotations b/debian.oem/config/annotations
@@ -10152,11 +10152,13 @@ CONFIG_MODULES                                  policy<{'amd64': 'y', 'arm64': '
 CONFIG_MODULE_FORCE_LOAD                        policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_MODULE_UNLOAD                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_FORCE_UNLOAD                      policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_MODVERSIONS                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_MODVERSIONS                              policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_SRCVERSION_ALL                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_COMPRESS                          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS   policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_UNUSED_SYMBOLS                           policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+#
+CONFIG_MODVERSIONS                              mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
 
 # Menu: Enable loadable module support >> Compression algorithm
 

diff --git a/debian.oem/config/config.common.ubuntu b/debian.oem/config/config.common.ubuntu
@@ -379,6 +379,7 @@ CONFIG_ARCNET_RIM_I=m
 CONFIG_AS3935=m
 CONFIG_AS73211=m
 CONFIG_ASHMEM=m
+CONFIG_ASM_MODVERSIONS=y
 CONFIG_ASN1=y
 CONFIG_ASSOCIATIVE_ARRAY=y
 CONFIG_ASUS_LAPTOP=m
@@ -4573,7 +4574,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_UNLOAD=y
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
 CONFIG_MOST=m
 CONFIG_MOST_CDEV=m
 CONFIG_MOST_COMPONENTS=m