* [gentoo-user] Kernel module signature now shown on modinfo
From: Ben Mezger @ 2018-04-11 20:39 UTC
To: gentoo-user
Greetings,
I have enabled module signature verification on my kernel, and it does
seem to be enabled upon boot:
$ dmesg | grep -i 'x.*509'
[ 1.259988] Asymmetric key parser 'x509' registered
[ 1.811026] Loading compiled-in X.509 certificates
[ 1.813833] Loaded X.509 cert 'Build time autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e'
and doing a cat /proc/keys seems to show the key enabled:
$ cat /proc/keys
...
37c67374 I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e: X509.rsa 55b41a5e []
...
However, if I do a modinfo to see the key on a module, it seems empty:
$ modinfo ntfs
filename: /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
license: GPL
version: 2.1.32
description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton Altaparmakov and Tuxera Inc.
author: Anton Altaparmakov <anton@tuxera.com>
alias: fs-ntfs
srcversion: 0D7ACE93F603E9350827FB8
depends:
intree: Y
vermagic: 4.9.76-gentoo-r1 SMP mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4
And hex dump does show me the digital signature appended at the end:
$ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko | tail
0004e8c0 e3 dd 54 9d 5e f1 1a 12 56 47 4e 54 91 b9 fa ce |..T.^...VGNT....|
0004e8d0 e6 01 db 37 eb 83 f3 77 10 f0 b5 f8 11 fd 4e 86 |...7...w......N.|
0004e8e0 6c 81 8a 61 c2 15 6d 5a 35 93 8b 33 c0 32 2f e4 |l..a..mZ5..3.2/.|
0004e8f0 8c 15 71 de c8 c5 39 58 cc e8 65 e1 be 36 e6 02 |..q...9X..e..6..|
0004e900 b0 75 b5 a2 73 d8 4d 22 e7 2f 53 1f 42 fb ee 58 |.u..s.M"./S.B..X|
0004e910 f2 65 44 13 26 30 7b 31 1c 58 12 5a f2 5d b1 45 |.eD.&0{1.X.Z.].E|
0004e920 3a f0 a5 79 74 f4 00 00 02 00 00 00 00 00 00 00 |:..yt...........|
0004e930 02 9e 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 |..~Module signat|
0004e940 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ure appended~.|
0004e94e
My question is: why doesn't modinfo show me the key fingerprint?
--
Kind regards,
Met een vriendelijke groet,
Ben Mezger
https://seds.nl
PGP: C473 DDC9 D1B1 40AF 2051 1CF6 18C4 6052 1688 92F7
* Re: [gentoo-user] Kernel module signature now shown on modinfo
From: Dave Trombley @ 2018-04-12 21:47 UTC
To: gentoo-user
This has been broken for almost two years; the signature format switched to
PKCS#7 and modinfo doesn't support it. It's not as simple as just
patching kmod because evidently the kernel change regressed or disrespected
the relevant structure in the modules in a way that makes it impossible for
kmod to even make sense of. Details here:
https://github.com/coreos/bugs/issues/1054
-David
* Re: [gentoo-user] Kernel module signature now shown on modinfo
From: Mick @ 2018-04-13 15:13 UTC
To: gentoo-user
On Wednesday, 11 April 2018 21:39:30 BST Ben Mezger wrote:
> Greetings,
>
> I have enabled module signature verification on my kernel, and it does
> seem to be enabled upon boot:
>
> $ dmesg | grep -i 'x.*509'
> [ 1.259988] Asymmetric key parser 'x509' registered
> [ 1.811026] Loading compiled-in X.509 certificates
> [ 1.813833] Loaded X.509 cert 'Build time autogenerated kernel key:
> 77e716fc52a6293567d953cd24a5977e55b41a5e'
>
> and doing a cat /proc/keys seems to show the key enabled:
>
> $ cat /proc/keys
> ...
> 37c67374 I------ 1 perm 1f030000 0 0 asymmetri Build time
> autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e:
> X509.rsa 55b41a5e []
> ...
>
> However, if I do a modinfo to see the key on a module, it seems empty:
>
> $ modinfo ntfs
> filename: /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
> license: GPL
> version: 2.1.32
> description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton Altaparmakov and Tuxera Inc.
> author: Anton Altaparmakov <anton@tuxera.com>
> alias: fs-ntfs
> srcversion: 0D7ACE93F603E9350827FB8
> depends:
> intree: Y
> vermagic: 4.9.76-gentoo-r1 SMP mod_unload
> signat: PKCS#7
> signer:
> sig_key:
> sig_hashalgo: md4
I am getting a similar output with later source kernel than yours:
# modinfo ntfs
filename: /lib/modules/4.15.17-gentoo/kernel/fs/ntfs/ntfs.ko.gz
license: GPL
version: 2.1.32
description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton Altaparmakov and Tuxera Inc.
author: Anton Altaparmakov <anton@tuxera.com>
alias: fs-ntfs
srcversion: B6DF5EBF4EF8B063988F5CB
depends:
retpoline: Y
intree: Y
name: ntfs
vermagic: 4.15.17-gentoo SMP preempt mod_unload
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4
Which I find quite confusing. Not only are the keys not shown, but the
sig_hashalgo is md4 (cracked since 1995) instead of the SHA512 I had specified
in my kernel .config.
> And hex dump does show me the digital signature appended at the end:
>
> $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko | tail
> 0004e8c0 e3 dd 54 9d 5e f1 1a 12 56 47 4e 54 91 b9 fa ce |..T.^...VGNT....|
> 0004e8d0 e6 01 db 37 eb 83 f3 77 10 f0 b5 f8 11 fd 4e 86 |...7...w......N.|
> 0004e8e0 6c 81 8a 61 c2 15 6d 5a 35 93 8b 33 c0 32 2f e4 |l..a..mZ5..3.2/.|
> 0004e8f0 8c 15 71 de c8 c5 39 58 cc e8 65 e1 be 36 e6 02 |..q...9X..e..6..|
> 0004e900 b0 75 b5 a2 73 d8 4d 22 e7 2f 53 1f 42 fb ee 58 |.u..s.M"./S.B..X|
> 0004e910 f2 65 44 13 26 30 7b 31 1c 58 12 5a f2 5d b1 45 |.eD.&0{1.X.Z.].E|
> 0004e920 3a f0 a5 79 74 f4 00 00 02 00 00 00 00 00 00 00 |:..yt...........|
> 0004e930 02 9e 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 |..~Module signat|
> 0004e940 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ure appended~.|
> 0004e94e
>
> My question is: why doesn't modinfo show me the key fingerprint?
I don't know the answer, but would be interested to find out. I have only
used kernel autogenerated keys to do this, so I can't attest if the result is
the same when creating own keys manually.
--
Regards,
Mick
* Re: [gentoo-user] Kernel module signature now shown on modinfo
From: Mick @ 2018-04-13 18:32 UTC
To: gentoo-user
On Thursday, 12 April 2018 22:47:31 BST Dave Trombley wrote:
> This has been broken for almost two years; the signature format switched to
> PKCS#7 and modinfo doesn't support it. It's not as simple as just
> patching kmod because evidently the kernel change regressed or disrespected
> the relevant structure in the modules in a way that makes it impossible for
> kmod to even make sense of. Details here:
> https://github.com/coreos/bugs/issues/1054
>
> -David
Thanks David, I had come across an older bug somewhere, but there was no
detailed explanation.
--
Regards,
Mick
* Re: [gentoo-user] Kernel module signature now shown on modinfo
From: Ben Mezger @ 2018-04-15 23:46 UTC
To: gentoo-user
Thanks for the link. It seems that the sign-file utility from the
kernel (scripts/sign-file) has been converted to a .c file and somehow
it produces a different output.
I think the only way to really make sure the module is signed is by
doing a hexdump, and perhaps stripping the signature out and trying to load
it.
Regards,
--
Kind regards,
Met een vriendelijke groet,
Ben Mezger
https://seds.nl
PGP: C473 DDC9 D1B1 40AF 2051 1CF6 18C4 6052 1688 92F7
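As an added illustration (not code from the thread, from kmod or from the kernel), here is a small Python parser for the trailer visible at the end of Ben's hexdump, run on a constructed sample module; the struct layout and the PKCS#7 id value are transcribed from the kernel's module_signature header, and the md4 table index is the one modinfo uses. It decodes the twelve bytes before the marker (in the dump: 00 00 02 00 00 00 00 00 00 00 02 9e, i.e. id_type 2 for PKCS#7, a 670-byte signature, and zeroed hash, signer and key-id fields, which is exactly what produces the empty signer/sig_key lines and the md4 label), and it strips the trailer the way Ben proposes for a test load.

```python
import struct

# Trailer layout (kernel include/linux/module_signature.h, transcribed for this
# example): <signature bytes><12-byte struct module_signature><MARKER>
MARKER = b"~Module signature appended~\n"
# u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2
# modinfo names the hash byte via a table whose index 0 is "md4"; in PKCS#7 mode
# sign-file zeroes hash, algo, signer_len and key_id_len, hence the thread's
# "sig_hashalgo: md4" with empty signer/sig_key lines.
HASH_NAMES = ["md4", "md5", "sha1", "rmd160", "sha256", "sha384", "sha512", "sha224"]

def parse_module_signature(data: bytes):
    """Return (info, unsigned_len) for a .ko image, or None without a valid trailer."""
    if not data.endswith(MARKER):
        return None
    hdr_end = len(data) - len(MARKER)
    hdr_start = hdr_end - SIG_HDR.size
    if hdr_start < 0:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(
        data[hdr_start:hdr_end])
    sig_start = hdr_start - sig_len
    if sig_start < 0:
        return None  # sig_len exceeds the file: truncated or corrupt trailer
    sig = data[sig_start:hdr_start]
    info = {
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "id_type": id_type,
        "algo": algo,
        "hash_name": HASH_NAMES[hash_id] if hash_id < len(HASH_NAMES) else f"unknown({hash_id})",
        "signer_len": signer_len,
        "key_id_len": key_id_len,
        "sig_len": sig_len,
        "der_sequence": sig[:1] == b"\x30",  # DER PKCS#7 starts with a SEQUENCE tag
    }
    return info, sig_start

def strip_signature(data: bytes) -> bytes:
    """Module image without its trailer; unsigned input is returned unchanged."""
    parsed = parse_module_signature(data)
    return data if parsed is None else data[:parsed[1]]

# Constructed sample: stand-in ELF body, fake 18-byte DER blob, header bytes laid
# out like the thread's hexdump (00 00 02 00 00 00 00 00 + big-endian length).
SAMPLE_BODY = b"\x7fELF" + b"\x00" * 60
SAMPLE_SIG = b"\x30\x10" + b"\xaa" * 16
SAMPLE_KO = SAMPLE_BODY + SAMPLE_SIG + SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_SIG)) + MARKER
```

To check a real module, pass open(path, "rb").read() to parse_module_signature; compressed modules such as Mick's ntfs.ko.gz must be decompressed first, since the trailer sits inside the gzip payload.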