lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1016.1348824193@warthog.procyon.org.uk>
Date:	Fri, 28 Sep 2012 10:23:13 +0100
From:	David Howells <dhowells@...hat.com>
To:	Rusty Russell <rusty@...tcorp.com.au>
Cc:	dhowells@...hat.com, herbert@...dor.hengli.com.au,
	pjones@...hat.com, jwboyer@...hat.com,
	linux-crypto@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, keyrings@...ux-nfs.org
Subject: Re: [GIT PULL] Asymmetric keys and module signing


Rusty Russell <rusty@...tcorp.com.au> wrote:

> [    3.361036] Request for unknown module key 'Magrathea: Glacier signing key: 6
> e03943da0f3b015ba6ed7f5e0cac4fe48680994' err -11

Okay, it turns out that my attempts to remove SHA1 by editing it out of the
.config file were doomed to failure because a couple of IPv6 options I had
turned on selected it back on.

Having turned those off and then turned off SHA1, I see in the kernel log:

MODSIGN: Problem loading in-kernel X.509 certificate (-65)
MODSIGN: Loaded cert 'Red Hat Test Certificate: 3580cf35d76b3b667a40df66691cbcf87353b23c'

My kernel has an extra certificate (in the extra_certificates file) given to
me by Peter Jones in addition to the one it generates itself.

The first line is it failing to load the transient SHA1-hashed cert that was
generated by the kernel build (the Magrathean glacier signing key).

The second line is it managing to load the certificate that Peter gave me for
which it doesn't have the parent CA certificate available.  I've made the
assumption (which isn't necessarily warranted) that the signature in the cert,
if the cert is not self-signed, is generated using the CA private key, not by
the private key corresponding to this cert.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ