public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-user] Kernel module signature now shown on modinfo
@ 2018-04-11 20:39 Ben Mezger
  2018-04-12 21:47 ` Dave Trombley
  2018-04-13 15:13 ` Mick
  0 siblings, 2 replies; 5+ messages in thread
From: Ben Mezger @ 2018-04-11 20:39 UTC (permalink / raw
  To: gentoo-user

Greetings,

I have enabled module signature verification on my kernel, and it does
seem to be enabled upon boot:

$  dmesg | grep -i 'x.*509'
[    1.259988] Asymmetric key parser 'x509' registered
[    1.811026] Loading compiled-in X.509 certificates
[    1.813833] Loaded X.509 cert 'Build time autogenerated kernel key:
77e716fc52a6293567d953cd24a5977e55b41a5e'

and doing a cat /proc/keys seems to show the key enabled:

$ cat /proc/keys
...
37c67374 I------     1 perm 1f030000     0     0 asymmetri Build time
autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e:
X509.rsa 55b41a5e []
...

However, if I do a modinfo to see the key on a module, it seems empty:

$modinfo ntfs
filename:       /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
license:        GPL
version:        2.1.32
description:    NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton
Altaparmakov and Tuxera Inc.
author:         Anton Altaparmakov <anton@tuxera.com>
alias:          fs-ntfs
srcversion:     0D7ACE93F603E9350827FB8
depends:
intree:         Y
vermagic:       4.9.76-gentoo-r1 SMP mod_unload
signat:         PKCS#7
signer:
sig_key:
sig_hashalgo:   md4

And hex dump does show me the digital signature appended at the end:

$ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail
0004e8c0  e3 dd 54 9d 5e f1 1a 12  56 47 4e 54 91 b9 fa ce  |..T.^...VGNT....|
0004e8d0  e6 01 db 37 eb 83 f3 77  10 f0 b5 f8 11 fd 4e 86  |...7...w......N.|
0004e8e0  6c 81 8a 61 c2 15 6d 5a  35 93 8b 33 c0 32 2f e4  |l..a..mZ5..3.2/.|
0004e8f0  8c 15 71 de c8 c5 39 58  cc e8 65 e1 be 36 e6 02  |..q...9X..e..6..|
0004e900  b0 75 b5 a2 73 d8 4d 22  e7 2f 53 1f 42 fb ee 58  |.u..s.M"./S.B..X|
0004e910  f2 65 44 13 26 30 7b 31  1c 58 12 5a f2 5d b1 45  |.eD.&0{1.X.Z.].E|
0004e920  3a f0 a5 79 74 f4 00 00  02 00 00 00 00 00 00 00  |:..yt...........|
0004e930  02 9e 7e 4d 6f 64 75 6c  65 20 73 69 67 6e 61 74  |..~Module signat|
0004e940  75 72 65 20 61 70 70 65  6e 64 65 64 7e 0a        |ure appended~.|
0004e94e

My question is: why doesn't modinfo show me the key fingerprint?

-- 
Kind regards,
Met een vriendelijke groet,

Ben Mezger
https://seds.nl
PGP: C473 DDC9 D1B1 40AF 2051  1CF6 18C4 6052 1688 92F7


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-user] Kernel module signature now shown on modinfo
  2018-04-11 20:39 [gentoo-user] Kernel module signature now shown on modinfo Ben Mezger
@ 2018-04-12 21:47 ` Dave Trombley
  2018-04-13 18:32   ` Mick
  2018-04-13 15:13 ` Mick
  1 sibling, 1 reply; 5+ messages in thread
From: Dave Trombley @ 2018-04-12 21:47 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 2801 bytes --]

This has been broken for almost two years; the signature format switched to
PKCS#7 and modinfo doesn't support it.   It's not as simple as just
patching kmod because evidently the kernel change regressed or disrespected
the relevent structure in the modules in a way that makes it impossible for
kmod to even make sense of.   Details here:
https://github.com/coreos/bugs/issues/1054

-David

On Wed, Apr 11, 2018 at 4:39 PM, Ben Mezger <su@seds.nl> wrote:

> Greetings,
>
> I have enabled module signature verification on my kernel, and it does
> seem to be enabled upon boot:
>
> $  dmesg | grep -i 'x.*509'
> [    1.259988] Asymmetric key parser 'x509' registered
> [    1.811026] Loading compiled-in X.509 certificates
> [    1.813833] Loaded X.509 cert 'Build time autogenerated kernel key:
> 77e716fc52a6293567d953cd24a5977e55b41a5e'
>
> and doing a cat /proc/keys seems to show the key enabled:
>
> $ cat /proc/keys
> ...
> 37c67374 I------     1 perm 1f030000     0     0 asymmetri Build time
> autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e:
> X509.rsa 55b41a5e []
> ...
>
> However, if I do a modinfo to see the key on a module, it seems empty:
>
> $modinfo ntfs
> filename:       /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
> license:        GPL
> version:        2.1.32
> description:    NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton
> Altaparmakov and Tuxera Inc.
> author:         Anton Altaparmakov <anton@tuxera.com>
> alias:          fs-ntfs
> srcversion:     0D7ACE93F603E9350827FB8
> depends:
> intree:         Y
> vermagic:       4.9.76-gentoo-r1 SMP mod_unload
> signat:         PKCS#7
> signer:
> sig_key:
> sig_hashalgo:   md4
>
> And hex dump does show me the digital signature appended at the end:
>
> $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail
> 0004e8c0  e3 dd 54 9d 5e f1 1a 12  56 47 4e 54 91 b9 fa ce
> |..T.^...VGNT....|
> 0004e8d0  e6 01 db 37 eb 83 f3 77  10 f0 b5 f8 11 fd 4e 86
> |...7...w......N.|
> 0004e8e0  6c 81 8a 61 c2 15 6d 5a  35 93 8b 33 c0 32 2f e4
> |l..a..mZ5..3.2/.|
> 0004e8f0  8c 15 71 de c8 c5 39 58  cc e8 65 e1 be 36 e6 02
> |..q...9X..e..6..|
> 0004e900  b0 75 b5 a2 73 d8 4d 22  e7 2f 53 1f 42 fb ee 58
> |.u..s.M"./S.B..X|
> 0004e910  f2 65 44 13 26 30 7b 31  1c 58 12 5a f2 5d b1 45
> |.eD.&0{1.X.Z.].E|
> 0004e920  3a f0 a5 79 74 f4 00 00  02 00 00 00 00 00 00 00
> |:..yt...........|
> 0004e930  02 9e 7e 4d 6f 64 75 6c  65 20 73 69 67 6e 61 74  |..~Module
> signat|
> 0004e940  75 72 65 20 61 70 70 65  6e 64 65 64 7e 0a        |ure
> appended~.|
> 0004e94e
>
> My question is: why doesn't modinfo show me the key fingerprint?
>
> --
> Kind regards,
> Met een vriendelijke groet,
>
> Ben Mezger
> https://seds.nl
> PGP: C473 DDC9 D1B1 40AF 2051  1CF6 18C4 6052 1688 92F7
>
>

[-- Attachment #2: Type: text/html, Size: 3663 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-user] Kernel module signature now shown on modinfo
  2018-04-11 20:39 [gentoo-user] Kernel module signature now shown on modinfo Ben Mezger
  2018-04-12 21:47 ` Dave Trombley
@ 2018-04-13 15:13 ` Mick
  1 sibling, 0 replies; 5+ messages in thread
From: Mick @ 2018-04-13 15:13 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 3263 bytes --]

On Wednesday, 11 April 2018 21:39:30 BST Ben Mezger wrote:
> Greetings,
> 
> I have enabled module signature verification on my kernel, and it does
> seem to be enabled upon boot:
> 
> $  dmesg | grep -i 'x.*509'
> [    1.259988] Asymmetric key parser 'x509' registered
> [    1.811026] Loading compiled-in X.509 certificates
> [    1.813833] Loaded X.509 cert 'Build time autogenerated kernel key:
> 77e716fc52a6293567d953cd24a5977e55b41a5e'
> 
> and doing a cat /proc/keys seems to show the key enabled:
> 
> $ cat /proc/keys
> ...
> 37c67374 I------     1 perm 1f030000     0     0 asymmetri Build time
> autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e:
> X509.rsa 55b41a5e []
> ...
> 
> However, if I do a modinfo to see the key on a module, it seems empty:
> 
> $modinfo ntfs
> filename:       /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
> license:        GPL
> version:        2.1.32
> description:    NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton
> Altaparmakov and Tuxera Inc.
> author:         Anton Altaparmakov <anton@tuxera.com>
> alias:          fs-ntfs
> srcversion:     0D7ACE93F603E9350827FB8
> depends:
> intree:         Y
> vermagic:       4.9.76-gentoo-r1 SMP mod_unload
> signat:         PKCS#7
> signer:
> sig_key:
> sig_hashalgo:   md4

I am getting a similar output with later source kernel than yours:

# modinfo ntfs
filename:       /lib/modules/4.15.17-gentoo/kernel/fs/ntfs/ntfs.ko.gz
license:        GPL
version:        2.1.32
description:    NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton 
Altaparmakov and Tuxera Inc.
author:         Anton Altaparmakov <anton@tuxera.com>
alias:          fs-ntfs
srcversion:     B6DF5EBF4EF8B063988F5CB
depends:        
retpoline:      Y
intree:         Y
name:           ntfs
vermagic:       4.15.17-gentoo SMP preempt mod_unload 
signat:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4

Which I find quite confusing.  Not only the keys are not shown, but the 
sig_hashalgo is md4 (cracked since 1995) instead of the SHA512 I had specified 
in my kernel .config.


> And hex dump does show me the digital signature appended at the end:
> 
> $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail
> 0004e8c0  e3 dd 54 9d 5e f1 1a 12  56 47 4e 54 91 b9 fa ce 
> |..T.^...VGNT....| 0004e8d0  e6 01 db 37 eb 83 f3 77  10 f0 b5 f8 11 fd 4e
> 86  |...7...w......N.| 0004e8e0  6c 81 8a 61 c2 15 6d 5a  35 93 8b 33 c0 32
> 2f e4  |l..a..mZ5..3.2/.| 0004e8f0  8c 15 71 de c8 c5 39 58  cc e8 65 e1 be
> 36 e6 02  |..q...9X..e..6..| 0004e900  b0 75 b5 a2 73 d8 4d 22  e7 2f 53 1f
> 42 fb ee 58  |.u..s.M"./S.B..X| 0004e910  f2 65 44 13 26 30 7b 31  1c 58 12
> 5a f2 5d b1 45  |.eD.&0{1.X.Z.].E| 0004e920  3a f0 a5 79 74 f4 00 00  02 00
> 00 00 00 00 00 00  |:..yt...........| 0004e930  02 9e 7e 4d 6f 64 75 6c  65
> 20 73 69 67 6e 61 74  |..~Module signat| 0004e940  75 72 65 20 61 70 70 65 
> 6e 64 65 64 7e 0a        |ure appended~.| 0004e94e
> 
> My question is: why doesn't modinfo show me the key fingerprint?

I don't know the answer, but would be interested to find out.  I have only 
used kernel autogenerated keys to do this, so I can't attest if the result is 
the same when creating own keys manually.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-user] Kernel module signature now shown on modinfo
  2018-04-12 21:47 ` Dave Trombley
@ 2018-04-13 18:32   ` Mick
  2018-04-15 23:46     ` Ben Mezger
  0 siblings, 1 reply; 5+ messages in thread
From: Mick @ 2018-04-13 18:32 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 583 bytes --]

On Thursday, 12 April 2018 22:47:31 BST Dave Trombley wrote:
> This has been broken for almost two years; the signature format switched to
> PKCS#7 and modinfo doesn't support it.   It's not as simple as just
> patching kmod because evidently the kernel change regressed or disrespected
> the relevent structure in the modules in a way that makes it impossible for
> kmod to even make sense of.   Details here:
> https://github.com/coreos/bugs/issues/1054
> 
> -David

Thanks David, I had come across an older bug somewhere, but there was no 
detailed explanation.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-user] Kernel module signature now shown on modinfo
  2018-04-13 18:32   ` Mick
@ 2018-04-15 23:46     ` Ben Mezger
  0 siblings, 0 replies; 5+ messages in thread
From: Ben Mezger @ 2018-04-15 23:46 UTC (permalink / raw
  To: gentoo-user

Thanks for the link. It seems that the sign-file utility from the
kernel (scripts/sign-file) has been converted to a .c file and somehow
it produces a different output.
I think if you really want to make sure the module is signed is by
doing a hexdump and perhaps strip the signature out and try to load
it.

Regards,

On 13 April 2018 at 15:32, Mick <michaelkintzios@gmail.com> wrote:
> On Thursday, 12 April 2018 22:47:31 BST Dave Trombley wrote:
>> This has been broken for almost two years; the signature format switched to
>> PKCS#7 and modinfo doesn't support it.   It's not as simple as just
>> patching kmod because evidently the kernel change regressed or disrespected
>> the relevent structure in the modules in a way that makes it impossible for
>> kmod to even make sense of.   Details here:
>> https://github.com/coreos/bugs/issues/1054
>>
>> -David
>
> Thanks David, I had come across an older bug somewhere, but there was no
> detailed explanation.
>
> --
> Regards,
> Mick



-- 
Kind regards,
Met een vriendelijke groet,

Ben Mezger
https://seds.nl
PGP: C473 DDC9 D1B1 40AF 2051  1CF6 18C4 6052 1688 92F7


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2018-04-15 23:47 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-04-11 20:39 [gentoo-user] Kernel module signature now shown on modinfo Ben Mezger
2018-04-12 21:47 ` Dave Trombley
2018-04-13 18:32   ` Mick
2018-04-15 23:46     ` Ben Mezger
2018-04-13 15:13 ` Mick

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox