| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aWFt34dkIvlu1EYI@derry.ads.avm.de>
Date: Fri, 9 Jan 2026 22:06:39 +0100
From: Nicolas Schier <nsc@...nel.org>
To: Holger Kiehl <Holger.Kiehl@....de>
Cc: linux-kernel <linux-kernel@...r.kernel.org>,
Nathan Chancellor <nathan@...nel.org>, linux-kbuild@...r.kernel.org
Subject: Re: Since 6.18.x make binrpm-pkg does not sign modules
On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> Hello,
>
> when building kernel with 'make binrpm-pkg' the modules in the
> /lib/modules directory of the rpm package are no longer signed
> although one sees the following during the build process:
>
> .
> .
> INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> .
> .
> SIGN /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
thanks for your report; well, that's interesting. The modules signed
during the package build preparations ("SIGN .../rpmbuild/BUILD/...")
is significantly larger than the one in the build tree (as expected, as
the latter is unsigned); but the one that lands in the rpm package is
_smaller_ than the module in the build tree.
My experience with rpmbuild is limited, I need more time for
investigation.
Nathan, do you have more insights on the rpm build process?
Kind regards,
Nicolas
> .
> .
>
> But when installing this RPM and check this it says:
>
> # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> filename: /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> alias: net-pf-42
> license: GPL v2
> description: Qualcomm IPC-router driver
> license: Dual BSD/GPL
> description: Qualcomm IPC Router Nameservice
> author: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>
> srcversion: 473C5AB47E04ECEA0106681
> depends:
> intree: Y
> name: qrtr
> retpoline: Y
> vermagic: 6.18.4 SMP preempt mod_unload modversions
>
> This happens (no signature) with all modules, qrtr.ko was just taken
> as an example.
>
> Building the kernel via 'make && make modules_install && make install'
> the modules then do have a signature. Also with kernel 6.12.x the
> modules are signed when building with 'make binrpm-pkg'.
>
> Config looks as follows:
>
> # grep CONFIG_MODULE_ .config
> CONFIG_MODULE_SIG_FORMAT=y
> CONFIG_MODULE_DEBUGFS=y
> # CONFIG_MODULE_DEBUG is not set
> # CONFIG_MODULE_FORCE_LOAD is not set
> CONFIG_MODULE_UNLOAD=y
> # CONFIG_MODULE_FORCE_UNLOAD is not set
> CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
> CONFIG_MODULE_SRCVERSION_ALL=y
> CONFIG_MODULE_SIG=y
> # CONFIG_MODULE_SIG_FORCE is not set
> CONFIG_MODULE_SIG_ALL=y
> # CONFIG_MODULE_SIG_SHA1 is not set
> # CONFIG_MODULE_SIG_SHA256 is not set
> # CONFIG_MODULE_SIG_SHA384 is not set
> CONFIG_MODULE_SIG_SHA512=y
> # CONFIG_MODULE_SIG_SHA3_256 is not set
> # CONFIG_MODULE_SIG_SHA3_384 is not set
> # CONFIG_MODULE_SIG_SHA3_512 is not set
> CONFIG_MODULE_SIG_HASH="sha512"
> # CONFIG_MODULE_COMPRESS is not set
> # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
> CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
> CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
> # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
>
> What am I missing?
>
> Regards,
> Holger
--
Nicolas
Powered by blists - more mailing lists