Date:	Tue, 10 Feb 2015 08:24:32 +0100
From:	Sedat Dilek <sedat.dilek@...il.com>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	LKML <linux-kernel@...r.kernel.org>,
	Jeff Kirsher <jeffrey.t.kirsher@...el.com>,
	David Howells <dhowells@...hat.com>
Subject: Re: [PATCH 3.18 00/39] 3.18.7-stable review

On Mon, Feb 9, 2015 at 5:02 PM, Sedat Dilek <sedat.dilek@...il.com> wrote:
> On Mon, Feb 9, 2015 at 4:58 PM, Sedat Dilek <sedat.dilek@...il.com> wrote:
>> On Mon, Feb 9, 2015 at 4:44 PM, Greg Kroah-Hartman
>> <gregkh@...uxfoundation.org> wrote:
>>> On Mon, Feb 09, 2015 at 04:35:53PM +0100, Sedat Dilek wrote:
>>>> Hi Greg,
>>>>
>>>> nice to see the kbuild and trace patches I was involved in are in this series.
>>>>
>>>> Unfortunately, I see the following in my logs...
>>>>
>>>> [    2.117022] Request for unknown module key 'Magrathea: Glacier
>>>> signing key: 009aa341bb673735a51dc34b238a0ca481d68098' err -11
>>>> [    2.117114] mii: module verification failed: signature and/or
>>>> required key missing - tainting kernel
>>>>
>>>> Not sure whom to CC.
>>>> I CCed Jeff as he worked on MII.
>>>> Signing key ---> Dave Howells?
>>>>
>>>> Attached are my kernel-config and dmesg output.
>>>>
>>>> Hope this helps.
>>>>
>>>> BTW, with v3.18.6 I haven't seen such output.
>>>
>>> Any way you could take the patches at
>>> https://git.kernel.org/cgit/linux/kernel/git/stable/stable-queue.git/
>>> in the queue-3.18 directory and bisect them to see which patch causes
>>> the problem?  I don't see any obvious patch in this series that would be
>>> the issue.
>>>
>>
>> [ CC Dave Howells ]
>>
>> Unfortunately, I make-distclean-ed my build-dir.
>>
>> Is simply the sign-key missing?
>>
>>> mii: module verification failed: signature and/or  required key missing <
>>
>
> To name it: it's called "x509.genkey".
>
> From [1]:
>
> [ QUOTE ]
>
> Most notably, in the x509.genkey file, the req_distinguished_name section
> should be altered from the default:
>
> [ req_distinguished_name ]
> O = Magrathea
> CN = Glacier signing key
> emailAddress = slartibartfast@...rathea.h2g2
>
> [ /QUOTE ]
>
> - Sedat -
>
> [1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/module-signing.txt#n118
>
>
>> Documentation/module-signing.txt lists Magrathea, so I CCed Dave.
>> Let's see what he says before doing a git-bisect session.
>>
>> I wanted to throw out the complete module-signing kernel-options for
>> a long time.
>> For test kernels it is simply not needed here.
>>
>> Sorry for resending my files - build-log is attached as a new file.
>>
>> Hope this helps.
>>
>> BTW, why is there no MII maintainer listed in MAINTAINERS?
>>
>> ( No clue what MII has to do with module-signing, can someone explain? )
>>
>> - Sedat -
>>
>> P.S.: Check the logs for mii and x509 patterns.
>>
>> $ egrep 'mii|x509' build-log_3.18.7-rc1-1-iniza-small.txt
>>   ASN.1   crypto/asymmetric_keys/x509-asn1.c
>>   ASN.1   crypto/asymmetric_keys/x509_rsakey-asn1.c
>>   CC      crypto/asymmetric_keys/x509_public_key.o
>>   CC      crypto/asymmetric_keys/x509-asn1.o
>>   CC      crypto/asymmetric_keys/x509_rsakey-asn1.o
>>   CC      crypto/asymmetric_keys/x509_cert_parser.o
>>   LD      crypto/asymmetric_keys/x509_key_parser.o
>>                 -batch -x509 -config x509.genkey \
>>                 -outform DER -out signing_key.x509 \
>>   CERTS   kernel/x509_certificate_list
>>   - Including cert ./signing_key.x509
>>   CC [M]  drivers/net/mii.o
>>   CC      drivers/net/mii.mod.o
>>   LD [M]  drivers/net/mii.ko
>>   INSTALL drivers/net/mii.ko
>>
>> - EOT -

I have rebuilt a -2 kernel and took care that the x509 files are shipped...

$ LC_ALL=C ll x509-files_3.18.7-rc1-2-iniza-small/*x509*
-rw-r--r-- 1 wearefam wearefam 1446 Feb 10 08:02 x509-files_3.18.7-rc1-2-iniza-small/signing_key.x509
-rw-r--r-- 1 wearefam wearefam  372 Feb 10 08:01 x509-files_3.18.7-rc1-2-iniza-small/x509.genkey

...and the warnings are gone.
So, indeed, these files (or one of them) were missing.

- Sedat -

View attachment "dmesg_3.18.7-rc1-2-iniza-small.txt" of type "text/plain" (55304 bytes)
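
An added example, not part of the original message or of any kernel tooling: a small Python check that scans dmesg text for the two messages quoted in this thread and ties each "module verification failed" line to the unknown-key request logged just before it. The function name and the sample text are assumptions made for illustration; the two kernel lines are the ones quoted above, re-joined onto single lines.

```python
import re

# Constructed sample: the two kernel messages quoted in the thread, unwrapped,
# plus one unrelated line (constructed) for contrast.
SAMPLE_DMESG = """\
[    2.100000] usbcore: registered new interface driver usbfs
[    2.117022] Request for unknown module key 'Magrathea: Glacier signing key: 009aa341bb673735a51dc34b238a0ca481d68098' err -11
[    2.117114] mii: module verification failed: signature and/or required key missing - tainting kernel
"""

TS = r"^\[\s*(?P<ts>\d+\.\d+)\]\s+"
# Key description may itself contain ": ", so match greedily up to the hex id.
KEY_RE = re.compile(
    TS + r"Request for unknown module key '(?P<desc>.+): (?P<keyid>[0-9a-f]+)' err (?P<err>-?\d+)$")
FAIL_RE = re.compile(TS + r"(?P<module>[\w-]+): module verification failed: ")


def find_unverified_modules(dmesg_text):
    """Return one record per module that failed signature verification.

    Hypothetical helper. If an unknown-key request was logged immediately
    before the failure, its description and key id are attached; otherwise
    those fields are None (e.g. a module carrying no signature at all).
    """
    findings = []
    pending = None  # last unknown-key request not yet tied to a module
    for line in dmesg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = FAIL_RE.match(line)
        if m:
            findings.append({
                "module": m["module"],
                "time": float(m["ts"]),
                "key_desc": pending["desc"] if pending else None,
                "key_id": pending["keyid"] if pending else None,
                "err": int(pending["err"]) if pending else None,
            })
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_unverified_modules(SAMPLE_DMESG):
        print(f"{f['module']}: signed with key not known to the kernel: "
              f"{f['key_desc']} ({f['key_id']}), err {f['err']}")
```

A key description that still reads "Magrathea: Glacier signing key" is the default from Documentation/module-signing.txt, which points at the build's own x509.genkey / signing_key.x509 rather than at the module named in the log.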