Re: MODSIGN: Modules fail signature verification with -ENOKEY

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Chris Samuel <chris@csamuel.org>
To: Josh Boyer <jwboyer@gmail.com>
Cc: linux-kernel@vger.kernel.org,
	Rusty Russell <rusty@rustcorp.com.au>,
	dhowells@redhat.com
Subject: Re: MODSIGN: Modules fail signature verification with -ENOKEY
Date: Sat, 12 Jan 2013 17:28:08 +1100	[thread overview]
Message-ID: <50F10278.3050309@csamuel.org> (raw)
In-Reply-To: <CA+5PVA5hCuTar1F=g5vgT2Cj1ZbF7w+HcWzhATUx7wFs_kuSWw@mail.gmail.com>

/* Please CC, not on LKML */

Hi Josh,

On 12/01/13 00:44, Josh Boyer wrote:

> Check the installed modules.  A simple:
>
>      hexdump -C <path to module> | tail -n 20
>
> should be enough to tell you if the installed modules at least look like
> they're signed.  You should see the expected "~Module signature appended~"
> string.  You could also check the modules in the kernel build tree for
> the same thing. [...]

Good call - neither the modules in the build tree, nor the installed 
ones are signed.   I did a "make mrproper", changed scripts/sign-file to 
be verbose by default and rebuilt.  That confirmed that the modules are 
getting signed, which left the possibility of make-kpkg stripping the 
modules after compiling as an option.

Google pointed me at the likely culprit, a patch from a certain Mr Ted 
Ts'o in 2009 to make-kpkg so that it would strip kernel modules by default.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517290

I'll file a bug against it asking for the it to not strip if 
CONFIG_MODULE_SIG is set.

Thanks for the pointer!
Chris
-- 
  Chris Samuel  :  http://www.csamuel.org/  :  Melbourne, VIC

next prev parent reply	other threads:[~2013-01-12  6:28 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <50EEA4C4.4080103@csamuel.org>
2013-01-11  9:41 ` Fwd: MODSIGN: Modules fail signature verification with -ENOKEY Chris Samuel
2013-01-11 13:44   ` Josh Boyer
2013-01-12  6:28     ` Chris Samuel [this message]
2013-01-12 13:08       ` Josh Boyer
2013-01-12 22:33         ` Chris Samuel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=50F10278.3050309@csamuel.org \
    --to=chris@csamuel.org \
    --cc=dhowells@redhat.com \
    --cc=jwboyer@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rusty@rustcorp.com.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.