lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68c375f6-e07e-fec-434d-6a45a4f1390@praktifix.dwd.de>
Date: Fri, 9 Jan 2026 15:04:33 +0100 (CET)
From: Holger Kiehl <Holger.Kiehl@....de>
To: linux-kernel <linux-kernel@...r.kernel.org>
cc: Nathan Chancellor <nathan@...nel.org>, 
    Nicolas Schier <nicolas.schier@...ux.dev>, linux-kbuild@...r.kernel.org
Subject: Since 6.18.x make binrpm-pkg does not sign modules

Hello,

when building kernel with 'make binrpm-pkg' the modules in the
/lib/modules directory of the rpm package are no longer signed
although one sees the following during the build process:

   .
   .
   INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   .
   .
   SIGN    /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   .
   .

But when installing this RPM and check this it says:

   # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   filename:       /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   alias:          net-pf-42
   license:        GPL v2
   description:    Qualcomm IPC-router driver
   license:        Dual BSD/GPL
   description:    Qualcomm IPC Router Nameservice
   author:         Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>
   srcversion:     473C5AB47E04ECEA0106681
   depends:        
   intree:         Y
   name:           qrtr
   retpoline:      Y
   vermagic:       6.18.4 SMP preempt mod_unload modversions

This happens (no signature) with all modules, qrtr.ko was just taken
as an example.

Building the kernel via 'make && make modules_install && make install'
the modules then do have a signature. Also with kernel 6.12.x the
modules are signed when building with 'make binrpm-pkg'.

Config looks as follows:

   # grep CONFIG_MODULE_ .config
   CONFIG_MODULE_SIG_FORMAT=y
   CONFIG_MODULE_DEBUGFS=y
   # CONFIG_MODULE_DEBUG is not set
   # CONFIG_MODULE_FORCE_LOAD is not set
   CONFIG_MODULE_UNLOAD=y
   # CONFIG_MODULE_FORCE_UNLOAD is not set
   CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
   CONFIG_MODULE_SRCVERSION_ALL=y
   CONFIG_MODULE_SIG=y
   # CONFIG_MODULE_SIG_FORCE is not set
   CONFIG_MODULE_SIG_ALL=y
   # CONFIG_MODULE_SIG_SHA1 is not set
   # CONFIG_MODULE_SIG_SHA256 is not set
   # CONFIG_MODULE_SIG_SHA384 is not set
   CONFIG_MODULE_SIG_SHA512=y
   # CONFIG_MODULE_SIG_SHA3_256 is not set
   # CONFIG_MODULE_SIG_SHA3_384 is not set
   # CONFIG_MODULE_SIG_SHA3_512 is not set
   CONFIG_MODULE_SIG_HASH="sha512"
   # CONFIG_MODULE_COMPRESS is not set
   # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
   CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
   CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
   # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set

What am I missing?

Regards,
Holger

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ