This has been broken for almost two years; the signature format switched to
PKCS#7 and modinfo doesn't support it.   It's not as simple as just
patching kmod because evidently the kernel change regressed or disrespected
the relevent structure in the modules in a way that makes it impossible for
kmod to even make sense of.   Details here:
https://github.com/coreos/bugs/issues/1054

-David

On Wed, Apr 11, 2018 at 4:39 PM, Ben Mezger <su@seds.nl> wrote:

> Greetings,
>
> I have enabled module signature verification on my kernel, and it does
> seem to be enabled upon boot:
>
> $  dmesg | grep -i 'x.*509'
> [    1.259988] Asymmetric key parser 'x509' registered
> [    1.811026] Loading compiled-in X.509 certificates
> [    1.813833] Loaded X.509 cert 'Build time autogenerated kernel key:
> 77e716fc52a6293567d953cd24a5977e55b41a5e'
>
> and doing a cat /proc/keys seems to show the key enabled:
>
> $ cat /proc/keys
> ...
> 37c67374 I------     1 perm 1f030000     0     0 asymmetri Build time
> autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e:
> X509.rsa 55b41a5e []
> ...
>
> However, if I do a modinfo to see the key on a module, it seems empty:
>
> $modinfo ntfs
> filename:       /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko
> license:        GPL
> version:        2.1.32
> description:    NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton
> Altaparmakov and Tuxera Inc.
> author:         Anton Altaparmakov <anton@tuxera.com>
> alias:          fs-ntfs
> srcversion:     0D7ACE93F603E9350827FB8
> depends:
> intree:         Y
> vermagic:       4.9.76-gentoo-r1 SMP mod_unload
> signat:         PKCS#7
> signer:
> sig_key:
> sig_hashalgo:   md4
>
> And hex dump does show me the digital signature appended at the end:
>
> $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail
> 0004e8c0  e3 dd 54 9d 5e f1 1a 12  56 47 4e 54 91 b9 fa ce
> |..T.^...VGNT....|
> 0004e8d0  e6 01 db 37 eb 83 f3 77  10 f0 b5 f8 11 fd 4e 86
> |...7...w......N.|
> 0004e8e0  6c 81 8a 61 c2 15 6d 5a  35 93 8b 33 c0 32 2f e4
> |l..a..mZ5..3.2/.|
> 0004e8f0  8c 15 71 de c8 c5 39 58  cc e8 65 e1 be 36 e6 02
> |..q...9X..e..6..|
> 0004e900  b0 75 b5 a2 73 d8 4d 22  e7 2f 53 1f 42 fb ee 58
> |.u..s.M"./S.B..X|
> 0004e910  f2 65 44 13 26 30 7b 31  1c 58 12 5a f2 5d b1 45
> |.eD.&0{1.X.Z.].E|
> 0004e920  3a f0 a5 79 74 f4 00 00  02 00 00 00 00 00 00 00
> |:..yt...........|
> 0004e930  02 9e 7e 4d 6f 64 75 6c  65 20 73 69 67 6e 61 74  |..~Module
> signat|
> 0004e940  75 72 65 20 61 70 70 65  6e 64 65 64 7e 0a        |ure
> appended~.|
> 0004e94e
>
> My question is: why doesn't modinfo show me the key fingerprint?
>
> --
> Kind regards,
> Met een vriendelijke groet,
>
> Ben Mezger
> https://seds.nl
> PGP: C473 DDC9 D1B1 40AF 2051  1CF6 18C4 6052 1688 92F7
>
>