Message-ID: <71bc53a4-9b54-c15a-96e-23fb338ac71@praktifix.dwd.de>
Date: Sat, 10 Jan 2026 12:43:26 +0100 (CET)
From: Holger Kiehl <Holger.Kiehl@....de>
To: Nicolas Schier <nsc@...nel.org>
cc: linux-kernel <linux-kernel@...r.kernel.org>,
Nathan Chancellor <nathan@...nel.org>, linux-kbuild@...r.kernel.org,
Uday Shankar <ushankar@...estorage.com>
Subject: Re: Since 6.18.x make binrpm-pkg does not sign modules
On Fri, 9 Jan 2026, Nicolas Schier wrote:
> On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> > Hello,
> >
> > when building the kernel with 'make binrpm-pkg' the modules in the
> > /lib/modules directory of the rpm package are no longer signed
> > although one sees the following during the build process:
> >
> > .
> > .
> > INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> > .
> > .
> > SIGN /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>
> thanks for your report; well, that's interesting. The module signed
> during the package build preparations ("SIGN .../rpmbuild/BUILD/...")
> is significantly larger than the one in the build tree (as expected, as
> the latter is unsigned); but the one that lands in the rpm package is
> _smaller_ than the module in the build tree.
>
Reading the comment in scripts/package/kernel.spec

# later, we make all modules executable so that find-debuginfo.sh strips
# them up. but they don't actually need to be executable, so remove the
# executable bit, taking care to do it _after_ find-debuginfo.sh has run

I would think that find-debuginfo.sh also strips the signature of the
modules. As a quick test I replaced scripts/package/kernel.spec and
scripts/package/mkspec in the 6.18.4 tree with those from 6.12.64 and
then did a 'make binrpm-pkg'. Then the signatures of the modules in
the rpm package are not removed.

Looking back, it looks like this change was introduced with 6.15-rc1:

https://github.com/torvalds/linux/commit/a7c699d090a1f3795c3271c2b399230e182db06e

or

https://lkml.org/lkml/2025/3/31/1313

The module signatures are needed if you run the kernel in lockdown mode.
The kernel refuses to load unsigned modules.

Regards,
Holger

> My experience with rpmbuild is limited, I need more time for
> investigation.
>
> Nathan, do you have more insights on the rpm build process?
>
> Kind regards,
> Nicolas
>
>
>
> > .
> > .
> >
> > But when installing this RPM and checking this it says:
> >
> > # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> > filename: /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> > alias: net-pf-42
> > license: GPL v2
> > description: Qualcomm IPC-router driver
> > license: Dual BSD/GPL
> > description: Qualcomm IPC Router Nameservice
> > author: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>
> > srcversion: 473C5AB47E04ECEA0106681
> > depends:
> > intree: Y
> > name: qrtr
> > retpoline: Y
> > vermagic: 6.18.4 SMP preempt mod_unload modversions
> >
> > This happens (no signature) with all modules, qrtr.ko was just taken
> > as an example.
> >
> > Building the kernel via 'make && make modules_install && make install'
> > the modules then do have a signature. Also with kernel 6.12.x the
> > modules are signed when building with 'make binrpm-pkg'.
> >
> > Config looks as follows:
> >
> > # grep CONFIG_MODULE_ .config
> > CONFIG_MODULE_SIG_FORMAT=y
> > CONFIG_MODULE_DEBUGFS=y
> > # CONFIG_MODULE_DEBUG is not set
> > # CONFIG_MODULE_FORCE_LOAD is not set
> > CONFIG_MODULE_UNLOAD=y
> > # CONFIG_MODULE_FORCE_UNLOAD is not set
> > CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
> > CONFIG_MODULE_SRCVERSION_ALL=y
> > CONFIG_MODULE_SIG=y
> > # CONFIG_MODULE_SIG_FORCE is not set
> > CONFIG_MODULE_SIG_ALL=y
> > # CONFIG_MODULE_SIG_SHA1 is not set
> > # CONFIG_MODULE_SIG_SHA256 is not set
> > # CONFIG_MODULE_SIG_SHA384 is not set
> > CONFIG_MODULE_SIG_SHA512=y
> > # CONFIG_MODULE_SIG_SHA3_256 is not set
> > # CONFIG_MODULE_SIG_SHA3_384 is not set
> > # CONFIG_MODULE_SIG_SHA3_512 is not set
> > CONFIG_MODULE_SIG_HASH="sha512"
> > # CONFIG_MODULE_COMPRESS is not set
> > # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
> > CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
> > CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
> > # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
> >
> > What am I missing?
> >
> > Regards,
> > Holger
>
> --
> Nicolas
>
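
A check for the symptom reported in this thread, as an added example that is not part of the original message or of the kernel tree: it looks for the trailer that scripts/sign-file appends to a module and lists the .ko files under a directory that lack it. The function names and the sample bytes are constructed for illustration; the check covers presence and framing of the signature only, not its cryptographic validity.

```python
import os
import struct

MAGIC = b"~Module signature appended~\n"  # marker written after the signature by sign-file
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7 module signatures
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature: 12 bytes, sig_len big-endian


def signature_length(data: bytes):
    """Return the appended signature length in bytes, or None if unsigned or malformed."""
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return None
    _algo, _hash, id_type, _signer, _keyid, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    if id_type != PKEY_ID_PKCS7 or sig_len == 0 or sig_len > len(body) - TRAILER.size:
        return None
    return sig_len


def unsigned_modules(root):
    """Walk a modules tree (e.g. an unpacked package) and list .ko files without a signature."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".ko"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if signature_length(fh.read()) is None:
                        missing.append(path)
    return sorted(missing)


def make_sample(signed: bool) -> bytes:
    """Constructed stand-in for a .ko: fake ELF bytes, optionally with a fake signature."""
    elf = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return elf  # what a module looks like once the appended data is stripped
    sig = b"\x30" * 256  # constructed placeholder, not a real PKCS#7 blob
    return elf + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    import sys
    for path in unsigned_modules(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("UNSIGNED", path)
```

Run against the unpacked contents of the package rather than the build tree, since the thread shows the two can differ.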