Comments (15)
I've upgraded the kernel.
Still the same problem: dkms builds the modules with a signature, but at reboot they are rejected by the dkms service under Secure Boot.
Is there a way to solve the problem?
from dkms.
Before the machine keyring was introduced with kernel 5.18, all MOK keys were loaded into the platform keyring. You can see them with sudo keyctl list %:.platform. The only problem is, the platform keyring is not used for module signature verification.
Fedora and many other distributions used an out-of-tree patch to allow the keys contained within the platform keyring to be used for module verification.
Here is the relevant part of the file patch-5.15-redhat.patch in https://kojipkgs.fedoraproject.org//packages/kernel/5.15.18/200.fc35/src/kernel-5.15.18-200.fc35.src.rpm
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 8723ae70ea1f..fb2d773498c2 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
modlen -= sig_len + sizeof(ms);
info->len = modlen;
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
VERIFY_USE_SECONDARY_KEYRING,
VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ }
+ return ret;
}
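Review bot: `ret` is assigned and returned in this hunk but declared nowhere in the visible lines (the excerpt starts at line 38 of mod_verify_sig(), after the declarations), so anyone carrying this patch forward also needs the companion hunk that adds `int ret;` to the function prologue, or the build fails. The fallback is gated on `ret == -ENOKEY`, which is the right condition: only "no matching key in the secondary keyring" gets a second lookup, while a malformed or mismatching signature (-EBADMSG, -EKEYREJECTED) is still rejected outright. Since the platform keyring carries the MOK entries, this is what lets a dkms-enrolled MOK validate modules; a one-line comment above the `if` stating that intent would save the next reader the trip to the lore threads, and the `IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)` guard should stay, because `VERIFY_USE_PLATFORM_KEYRING` is meaningless without that keyring compiled in.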
You need to ask the maintainer of https://copr.fedorainfracloud.org/coprs/kwizart/kernel-longterm-5.15/packages/ to add this patch.
from dkms.
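The `modlen -= sig_len + sizeof(ms)` context line in the hunk above refers to the appended-signature trailer that every signed .ko carries: payload, then the PKCS#7 blob, then a 12-byte struct module_signature, then the marker string. As an added example that is not code from dkms or from the kernel, the Python below splits a signed module into payload and PKCS#7 blob using the same sanity checks as the kernel's mod_check_sig()/mod_verify_sig(), and includes the inverse layout routine so a sample can be constructed inline. The sample "signature" bytes are constructed for the demo and are not a real PKCS#7 structure (a real one is the DER output of scripts/sign-file). It gives a defender a way to confirm that a module is signed, and with which id_type, independently of modinfo; whether the signer is trusted is a separate question answered by the keyrings discussed above.

```python
import struct

# Trailer marker the kernel looks for at the very end of a signed .ko
# (MODULE_SIG_STRING in include/linux/module_signature.h).
MODULE_SIG_STRING = b"~Module signature appended~\n"

# struct module_signature, 12 bytes, sig_len stored big-endian:
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 __pad[3], __be32 sig_len
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for appended module signatures


def append_signature(payload: bytes, pkcs7: bytes) -> bytes:
    """Lay out a signed module the way scripts/sign-file does:
    payload || PKCS#7 blob || struct module_signature || marker."""
    ms = MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return payload + pkcs7 + ms + MODULE_SIG_STRING


def split_signed_module(data: bytes):
    """Undo the layout with the same checks the kernel applies.
    Returns (payload, pkcs7); raises ValueError where the kernel would
    return -EBADMSG or -ENOPKG and refuse the module."""
    if not data.endswith(MODULE_SIG_STRING):
        raise ValueError("no signature marker: module is unsigned")
    # module_sig_check(): info->len -= markerlen
    modlen = len(data) - len(MODULE_SIG_STRING)
    # mod_verify_sig(): if (modlen <= sizeof(ms)) return -EBADMSG
    if modlen <= MODULE_SIGNATURE.size:
        raise ValueError("module too short to carry a signature (-EBADMSG)")
    ms = data[modlen - MODULE_SIGNATURE.size:modlen]
    algo, hash_, id_type, signer_len, key_id_len, sig_len = MODULE_SIGNATURE.unpack(ms)
    modlen -= MODULE_SIGNATURE.size
    # mod_check_sig(): sig_len must fit inside what is left of the file
    if sig_len >= modlen:
        raise ValueError("sig_len overruns module body (-EBADMSG)")
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported id_type %d (-ENOPKG)" % id_type)
    # For PKCS#7 the legacy fields must be zero; algorithm and hash live inside the blob
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("non-zero legacy fields with PKCS#7 signature (-EBADMSG)")
    modlen -= sig_len  # mod_verify_sig(): modlen -= sig_len + sizeof(ms)
    return data[:modlen], data[modlen:modlen + sig_len]


def is_signed(data: bytes) -> bool:
    """True only if the trailer is present and well-formed."""
    try:
        split_signed_module(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a fake ELF header as "module" and an opaque fake "signature".
    sample_payload = b"\x7fELF" + b"\x00" * 60
    sample_sig = bytes(range(40))          # constructed, not a real PKCS#7 DER blob
    ko = append_signature(sample_payload, sample_sig)
    payload, sig = split_signed_module(ko)
    print("signed:", is_signed(ko), "payload bytes:", len(payload), "sig bytes:", len(sig))
    print("unsigned blob signed?", is_signed(sample_payload))
```

To inspect a real module, read the .ko into `data` and call `split_signed_module(data)`; the returned blob is the DER that the kernel hands to verify_pkcs7_signature(), which is where the secondary-keyring versus platform-keyring distinction in the patch above comes into play.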
Thanks for the answer.
I had left a post at https://copr.fedorainfracloud.org/coprs/kwizart/kernel-longterm-5.15/ at the bottom of the page since Feb the 10th, no response. Is he reading there?
Kernel 5.15 is under 5.18; it is working fine on the Red Hat 8 (kernel 4.18), Debian 11 (kernel 5.10) and Mint 20.3 (kernel 5.4) partitions on the same computer. The MOK from dkms is registered in NVRAM and is identical for signing on all 4 partitions; only Fedora's signatures are not valid. Why?
Is something missing in the Copr kernel, and if yes, how to debug it?
Other kernel Coprs' modules are signed by "Red Hat Test Certificate".
New reading, at the bottom: https://bugzilla.redhat.com/show_bug.cgi?id=2139560
from dkms.
Kernel 5.15 is under 5.18; it is working fine on the Red Hat 8 (kernel 4.18), Debian 11 (kernel 5.10) and Mint 20.3 (kernel 5.4) partitions on the same computer. The MOK from dkms is registered in NVRAM and is identical for signing on all 4 partitions; only Fedora's signatures are not valid. Why?
As I said before, they all applied that patch except the copr kernels. You can find that patch in their source codes.
RHEL 8/CentOS 8: kernel/module_signing.c is already patched in https://vault.centos.org/8.5.2111/BaseOS/Source/SPackages/kernel-4.18.0-348.7.1.el8_5.src.rpm
Debian 11: debian/patches/features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch in https://ftp.debian.org/debian/pool/main/l/linux/linux_5.10.162-1.debian.tar.xz
Mint 20.3/Ubuntu 20.04.5: line 990191-990218 of http://archive.ubuntu.com/ubuntu/pool/main/l/linux/linux_5.4.0-144.161.diff.gz
And the kernels provided by https://copr.fedorainfracloud.org/coprs/kwizart/kernel-longterm-5.15/packages/ do not have that patch in their source code repo: https://copr-dist-git.fedorainfracloud.org/cgit/kwizart/kernel-longterm-5.15/kernel-longterm.git/tree/?h=f37
from dkms.
OK, I've posted a comment on https://copr.fedorainfracloud.org/coprs/kwizart/kernel-longterm-5.15/
and https://bugzilla.redhat.com/show_bug.cgi?id=2139560
Wait and see.
from dkms.
In light of some signature related digging yesterday, I'm wondering if we shouldn't disable signing if the kernel_config is missing/CONFIG_MODULE_SIG_HASH isn't found. @xuzhen what do you think?
from dkms.
I've posted there too: https://bugzilla.redhat.com/show_bug.cgi?id=2070866
from dkms.
Thanks for raising the issue to me for the 5.15 LT kernel.
Any idea why this patch isn't merged upstream?
from dkms.
I don't know. What we know is that all main distributions have this patch, including Ubuntu, Debian, Red Hat...
Did your sources come from kernel.org or Fedora?
from dkms.
My sources only come from kernel.org upstream. There this specific issue is unfixed (I've checked up to the 6.1 LT kernel).
from dkms.
On kernel.org I agree. I don't know if someone can push the patch there. I've seen a new build in progress; did it include the patch?
from dkms.
Any idea why this patch isn't merged upstream?
That patch was rejected by upstream several times.
https://lore.kernel.org/lkml/[email protected]/
https://lore.kernel.org/lkml/[email protected]/
from dkms.
I'm wondering if we shouldn't disable signing if the kernel_config is missing/CONFIG_MODULE_SIG_HASH isn't found.
Currently we don't disable signing in those cases. DKMS will use sha512 instead.
Lines 984 to 990 in 2bb211d
from dkms.
Hi, the latest version from yesterday is working, thanks to you.
from dkms.
Kwizart knows about it and will add the dkms patch in the next "kernel-longterm" update:
https://bugzilla.redhat.com/show_bug.cgi?id=2070866#c5
He posted that message on March 3rd 2023.
from dkms.