Re: MODSIGN: Modules fail signature verification with -ENOKEY
From: Josh Boyer
Date: Sat Jan 12 2013 - 08:13:53 EST
On Sat, Jan 12, 2013 at 1:28 AM, Chris Samuel <chris@xxxxxxxxxxx> wrote:
> /* Please CC, not on LKML */
>
> Hi Josh,
>
>
> On 12/01/13 00:44, Josh Boyer wrote:
>
>> Check the installed modules. A simple:
>>
>> hexdump -C <path to module> | tail -n 20
>>
>> should be enough to tell you if the installed modules at least look like
>> they're signed. You should see the expected "~Module signature appended~"
>> string. You could also check the modules in the kernel build tree for
>> the same thing. [...]
>
>
> Good call - neither the modules in the build tree, nor the installed ones
> are signed. I did a "make mrproper", changed scripts/sign-file to be
> verbose by default and rebuilt. That confirmed that the modules are getting
> signed, which left the possibility of make-kpkg stripping the modules after
> compiling as an option.
Having worked through 3 different versions of the module signing code, I
forgot that they aren't signed until you do modules_install now. So the
modules in the build tree won't be signed. I misspoke on that. The
installed modules still should be.
> Google pointed me at the likely culprit, a patch from a certain Mr Ted Ts'o
> in 2009 to make-kpkg so that it would strip kernel modules by default.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517290
>
> I'll file a bug against it asking for the it to not strip if
> CONFIG_MODULE_SIG is set.
>
> Thanks for the pointer!
Great. Glad you figured it out.
josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/