Re: [PATCH 1/4] modsign: Abort modules_install when signing fails

From: Mimi Zohar
Date: Tue May 19 2015 - 07:45:22 EST

Next message: David Laight: "RE: [PATCH v2 0/6] powerpc32: replace memcpy and memset by cacheable alternatives"
Previous message: Borislav Petkov: "Re: [PATCH v5 6/6] mtrr, mm, x86: Enhance MTRR checks for KVA huge page mapping"
In reply to: Woodhouse, David: "Re: [PATCH 1/4] modsign: Abort modules_install when signing fails"
Next in thread: Woodhouse, David: "Re: [PATCH 1/4] modsign: Abort modules_install when signing fails"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2015-05-19 at 06:40 +0000, Woodhouse, David wrote:
> On Mon, 2015-05-18 at 21:29 -0400, Mimi Zohar wrote:
> > On Fri, 2015-05-15 at 17:52 +0100, David Woodhouse wrote:
> > > Signed-off-by: David Woodhouse <David.Woodhouse@xxxxxxxxx>

> > With this patch, as expected the modules_install aborted on failure. Is
> > there any way to capture the reason for the failure? In my case,
> > dropping the '-j <num>' option resolved the problem.

My mistake the failure was there.

> Hm, was there no output from sign-file when this happened? Remember that
> with a parallel make the error which stops the build might not be the
> last thing it printed. Can you show the full output?

/bin/sh: line 1: 22771 Segmentation fault (core dumped) scripts/sign-file "sha256" "pkcs11:manufacturer=piv_II;id=%01" ./signing_key.x509 /lib/modules/4.1.0-rc1-test+/kernel/net/ipv6/netfilter/ip6table_filter.ko
/home/zohar/src/kernel/linux-integrity/scripts/Makefile.modinst:35: recipe for target 'net/ipv6/netfilter/ip6table_filter.ko' failed
make[2]: *** [net/ipv6/netfilter/ip6table_filter.ko] Error 139
make[2]: *** Waiting for unfinished jobs....
/bin/sh: line 1: 22842 Segmentation fault (core dumped) scripts/sign-file "sha256" "pkcs11:manufacturer=piv_II;id=%01" ./signing_key.x509 /lib/modules/4.1.0-rc1-test+/kernel/net/netfilter/nf_nat.ko
/home/zohar/src/kernel/linux-integrity/scripts/Makefile.modinst:35: recipe for target 'net/netfilter/nf_nat.ko' failed
make[2]: *** [net/netfilter/nf_nat.ko] Error 139
/home/zohar/src/kernel/linux-integrity/Makefile:1123: recipe for target '_modinst_' failed
make[1]: *** [_modinst_] Error 2
make[1]: Leaving directory '/home/zohar/src/kernel/build/linux-test'
Makefile:146: recipe for target 'sub-make' failed
make: *** [sub-make] Error 2

> It's possible that there's a limit on the number of sessions you can
> have open to the hardware token, and we are exceeding it with a parallel
> build. I thought that pcscd was going to serialize the access and it
> should work properly though. I can certainly do 'make -j
> modules_install' with a Yubikey NEO here (although my test build only
> has about 20 modules).
>
> Any better ideas on how to specify the key passphrase/PIN? Just put it
> in a file in the top-level directory?

Define a kbuild command parameter?

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Laight: "RE: [PATCH v2 0/6] powerpc32: replace memcpy and memset by cacheable alternatives"
Previous message: Borislav Petkov: "Re: [PATCH v5 6/6] mtrr, mm, x86: Enhance MTRR checks for KVA huge page mapping"
In reply to: Woodhouse, David: "Re: [PATCH 1/4] modsign: Abort modules_install when signing fails"
Next in thread: Woodhouse, David: "Re: [PATCH 1/4] modsign: Abort modules_install when signing fails"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]