| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Jan 2013 17:28:08 +1100 From: Chris Samuel <chris@...muel.org> To: Josh Boyer <jwboyer@...il.com> CC: linux-kernel@...r.kernel.org, Rusty Russell <rusty@...tcorp.com.au>, dhowells@...hat.com Subject: Re: MODSIGN: Modules fail signature verification with -ENOKEY /* Please CC, not on LKML */ Hi Josh, On 12/01/13 00:44, Josh Boyer wrote: > Check the installed modules. A simple: > > hexdump -C <path to module> | tail -n 20 > > should be enough to tell you if the installed modules at least look like > they're signed. You should see the expected "~Module signature appended~" > string. You could also check the modules in the kernel build tree for > the same thing. [...] Good call - neither the modules in the build tree, nor the installed ones are signed. I did a "make mrproper", changed scripts/sign-file to be verbose by default and rebuilt. That confirmed that the modules are getting signed, which left the possibility of make-kpkg stripping the modules after compiling as an option. Google pointed me at the likely culprit, a patch from a certain Mr Ted Ts'o in 2009 to make-kpkg so that it would strip kernel modules by default. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517290 I'll file a bug against it asking for the it to not strip if CONFIG_MODULE_SIG is set. Thanks for the pointer! Chris -- Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists