public inbox for gentoo-user@lists.gentoo.org
From: Dave Trombley <dave.trombley@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Kernel module signature now shown on modinfo
Date: Thu, 12 Apr 2018 17:47:31 -0400	[thread overview]
Message-ID: <CACggcZQOqVVGTTtFN7uudfVdbXHr9zEvZ05oXx7jUzys1UNiFw@mail.gmail.com> (raw)
In-Reply-To: <CANLyGzZAR4NZmSnyYh3kciB8kZmHYAvPkx6X3vu3iSSt6X3WHA@mail.gmail.com>


This has been broken for almost two years; the signature format switched to
PKCS#7 and modinfo doesn't support it. It's not as simple as just
patching kmod because evidently the kernel change regressed or disrespected
the relevant structure in the modules in a way that makes it impossible for
kmod to even make sense of. Details here:
https://github.com/coreos/bugs/issues/1054

-David

On Wed, Apr 11, 2018 at 4:39 PM, Ben Mezger <su@seds.nl> wrote:

> Greetings,
>
> I have enabled module signature verification on my kernel, and it does
> seem to be enabled upon boot:
>
> $  dmesg | grep -i 'x.*509'
> [    1.259988] Asymmetric key parser 'x509' registered
> [    1.811026] Loading compiled-in X.509 certificates
> [    1.813833] Loaded X.509 cert 'Build time autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e'
>
> and doing a cat /proc/keys seems to show the key enabled:
>
> $ cat /proc/keys
> ...
> 37c67374 I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e: X509.rsa 55b41a5e []
> ...
>
> However, if I do a modinfo to see the key on a module, it seems empty:
>
> $modinfo ntfs
> filename:       /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
> license:        GPL
> version:        2.1.32
> description:    NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton Altaparmakov and Tuxera Inc.
> author:         Anton Altaparmakov <anton@tuxera.com>
> alias:          fs-ntfs
> srcversion:     0D7ACE93F603E9350827FB8
> depends:
> intree:         Y
> vermagic:       4.9.76-gentoo-r1 SMP mod_unload
> signat:         PKCS#7
> signer:
> sig_key:
> sig_hashalgo:   md4
>
> And hex dump does show me the digital signature appended at the end:
>
> $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail
> 0004e8c0  e3 dd 54 9d 5e f1 1a 12  56 47 4e 54 91 b9 fa ce  |..T.^...VGNT....|
> 0004e8d0  e6 01 db 37 eb 83 f3 77  10 f0 b5 f8 11 fd 4e 86  |...7...w......N.|
> 0004e8e0  6c 81 8a 61 c2 15 6d 5a  35 93 8b 33 c0 32 2f e4  |l..a..mZ5..3.2/.|
> 0004e8f0  8c 15 71 de c8 c5 39 58  cc e8 65 e1 be 36 e6 02  |..q...9X..e..6..|
> 0004e900  b0 75 b5 a2 73 d8 4d 22  e7 2f 53 1f 42 fb ee 58  |.u..s.M"./S.B..X|
> 0004e910  f2 65 44 13 26 30 7b 31  1c 58 12 5a f2 5d b1 45  |.eD.&0{1.X.Z.].E|
> 0004e920  3a f0 a5 79 74 f4 00 00  02 00 00 00 00 00 00 00  |:..yt...........|
> 0004e930  02 9e 7e 4d 6f 64 75 6c  65 20 73 69 67 6e 61 74  |..~Module signat|
> 0004e940  75 72 65 20 61 70 70 65  6e 64 65 64 7e 0a        |ure appended~.|
> 0004e94e
>
> My question is: why doesn't modinfo show me the key fingerprint?
>
> --
> Kind regards,
> Met een vriendelijke groet,
>
> Ben Mezger
> https://seds.nl
> PGP: C473 DDC9 D1B1 40AF 2051  1CF6 18C4 6052 1688 92F7
>
>


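Added example (not part of the thread, and not code from the kernel or from kmod): a small Python decoder for the trailer that the kernel's sign-file appends to a module. The on-disk layout is [signer name][key id][signature][struct module_signature]["~Module signature appended~\n"]. In PKCS#7 mode sign-file writes algo=0, hash=0, id_type=2 and zero-length signer and key-id fields, because the signer and key identifier live inside the DER-encoded SignedData rather than in the trailer. That is why the trailer alone gives modinfo nothing to print for signer and sig_key, and why a hash byte of 0 comes out as "md4" when kmod looks it up in its hash-name table. The twelve bytes just before the magic string in the hexdump above (00 00 02 00 00 00 00 00 00 00 02 9e) decode to exactly that: PKCS#7, with a 0x29e = 670-byte signature. The module bytes below are constructed: the PKCS#7 trailer is copied from the thread, the DER blob is filler with a plausible SEQUENCE header, and the old-style X.509 sample (signer name, key id, raw signature) is made up for contrast.

```python
"""Decode the signature trailer that the kernel's sign-file appends to a .ko.

Added example: not code from the thread, the kernel or kmod. The layout is
the kernel's: [signer][key id][signature][struct module_signature][magic].
Sample modules below are constructed; the PKCS#7 trailer bytes are copied
from the hexdump in the thread, the X.509 sample is made up.
"""
import struct
from typing import Optional

MODULE_SIG_STRING = b"~Module signature appended~\n"  # 28-byte magic at EOF

# struct module_signature {
#     u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len;
#     u8 __pad[3]; __be32 sig_len;
# };
SIG_STRUCT = struct.Struct(">BBBBB3xI")

PKEY_ID_PGP, PKEY_ID_X509, PKEY_ID_PKCS7 = 0, 1, 2
ID_TYPE_NAMES = {PKEY_ID_PGP: "PGP", PKEY_ID_X509: "X509", PKEY_ID_PKCS7: "PKCS#7"}

# Hash-algorithm names in the order kmod indexes them by the trailer's hash
# byte. A PKCS#7 trailer carries hash=0, hence the "md4" modinfo printed.
HASH_NAMES = ["md4", "md5", "sha1", "rsa-ripemd160",
              "sha256", "sha384", "sha512", "sha224"]


def parse_module_signature(data: bytes) -> Optional[dict]:
    """Return the decoded trailer fields, or None if the module is unsigned."""
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("file too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = \
        SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    body = body[:-SIG_STRUCT.size]
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        # The kernel's verifier rejects a PKCS#7 trailer with any of these set.
        raise ValueError("malformed PKCS#7 trailer")
    blob_len = signer_len + key_id_len + sig_len
    if blob_len > len(body):
        raise ValueError("signature length exceeds file size")
    blob = body[len(body) - blob_len:]
    return {
        "algo": algo,
        "hash": hash_,
        "id_type": id_type,
        "id_type_name": ID_TYPE_NAMES.get(id_type, f"unknown({id_type})"),
        "signer": blob[:signer_len],
        "key_id": blob[signer_len:signer_len + key_id_len],
        "sig": blob[signer_len + key_id_len:],
        "sig_len": sig_len,
        "payload_len": len(body) - blob_len,  # bytes the signature covers
    }


def kmod_view(data: bytes) -> dict:
    """The four signature lines modinfo prints, derived from the trailer only.

    For id_type X509 the signer and key id are plain bytes in the trailer;
    for PKCS#7 both are zero length (they sit inside the DER blob), so the
    fields come out empty and the hash name is whatever index 0 maps to.
    """
    info = parse_module_signature(data)
    if info is None:
        return {}
    hash_name = HASH_NAMES[info["hash"]] if info["hash"] < len(HASH_NAMES) else "unknown"
    return {
        "signat": info["id_type_name"],
        "signer": info["signer"].decode("ascii", "replace"),
        "sig_key": ":".join(f"{b:02x}" for b in info["key_id"]),
        "sig_hashalgo": hash_name,
    }


# Constructed sample 1: trailer copied from the thread's hexdump
# (algo=0, hash=0, id_type=2 PKCS#7, no signer/key id, sig_len=0x29e=670),
# preceded by a fake ELF payload and a fake 670-byte DER blob.
PKCS7_TRAILER = bytes.fromhex("00 00 02 00 00 00 00 00 00 00 02 9e") + MODULE_SIG_STRING
FAKE_DER = b"\x30\x82\x02\x9a" + b"\xaa" * 666  # SEQUENCE(666 bytes) + filler
SAMPLE_PKCS7_KO = b"\x7fELF" + b"\x00" * 60 + FAKE_DER + PKCS7_TRAILER

# Constructed sample 2: pre-PKCS#7 layout, where sign-file stored the signer
# name and key id in front of the raw RSA signature (algo=1 RSA, hash=4
# sha256, id_type=1 X509). The key id bytes are made up.
X509_SIGNER = b"Build time autogenerated kernel key"
X509_KEY_ID = bytes.fromhex("55b41a5e")
X509_SIG = b"\xbb" * 256
X509_TRAILER = SIG_STRUCT.pack(1, 4, PKEY_ID_X509, len(X509_SIGNER),
                               len(X509_KEY_ID), len(X509_SIG)) + MODULE_SIG_STRING
SAMPLE_X509_KO = b"\x7fELF" + b"\x00" * 60 + X509_SIGNER + X509_KEY_ID + X509_SIG + X509_TRAILER

if __name__ == "__main__":
    for name, ko in (("pkcs7", SAMPLE_PKCS7_KO), ("x509", SAMPLE_X509_KO)):
        print(name, kmod_view(ko))
```

To run it against a real module, pass the file contents to parse_module_signature (for example `open("/lib/modules/$(uname -r)/kernel/fs/ntfs/ntfs.ko", "rb").read()`); a PKCS#7 module will show an empty signer and key id from the trailer, and anything more has to be pulled out of the DER blob returned in "sig".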

Thread overview: 5+ messages
2018-04-11 20:39 [gentoo-user] Kernel module signature now shown on modinfo Ben Mezger
2018-04-12 21:47 ` Dave Trombley [this message]
2018-04-13 18:32   ` Mick
2018-04-15 23:46     ` Ben Mezger
2018-04-13 15:13 ` Mick
