Re: MODSIGN: Modules fail signature verification with -ENOKEY
From: Chris Samuel
Date: Sat Jan 12 2013 - 01:36:04 EST
/* Please CC, not on LKML */
Hi Josh,
On 12/01/13 00:44, Josh Boyer wrote:
Check the installed modules. A simple:
hexdump -C <path to module> | tail -n 20
should be enough to tell you if the installed modules at least look like
they're signed. You should see the expected "~Module signature appended~"
string. You could also check the modules in the kernel build tree for
the same thing. [...]
Good call - neither the modules in the build tree, nor the installed
ones are signed. I did a "make mrproper", changed scripts/sign-file to
be verbose by default and rebuilt. That confirmed that the modules are
getting signed, which left the possibility of make-kpkg stripping the
modules after compiling as an option.
Google pointed me at the likely culprit, a patch from a certain Mr Ted
Ts'o in 2009 to make-kpkg so that it would strip kernel modules by default.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517290
I'll file a bug against it asking for the it to not strip if
CONFIG_MODULE_SIG is set.
Thanks for the pointer!
Chris
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/