| 1 |
This has been broken for almost two years; the signature format switched to |
| 2 |
PKCS#7 and modinfo doesn't support it. It's not as simple as just |
| 3 |
patching kmod because evidently the kernel change regressed or disrespected |
| 4 |
the relevent structure in the modules in a way that makes it impossible for |
| 5 |
kmod to even make sense of. Details here: |
| 6 |
https://github.com/coreos/bugs/issues/1054 |
| 7 |
|
| 8 |
-David |
| 9 |
|
| 10 |
On Wed, Apr 11, 2018 at 4:39 PM, Ben Mezger <su@××××.nl> wrote: |
| 11 |
|
| 12 |
> Greetings, |
| 13 |
> |
| 14 |
> I have enabled module signature verification on my kernel, and it does |
| 15 |
> seem to be enabled upon boot: |
| 16 |
> |
| 17 |
> $ dmesg | grep -i 'x.*509' |
| 18 |
> [ 1.259988] Asymmetric key parser 'x509' registered |
| 19 |
> [ 1.811026] Loading compiled-in X.509 certificates |
| 20 |
> [ 1.813833] Loaded X.509 cert 'Build time autogenerated kernel key: |
| 21 |
> 77e716fc52a6293567d953cd24a5977e55b41a5e' |
| 22 |
> |
| 23 |
> and doing a cat /proc/keys seems to show the key enabled: |
| 24 |
> |
| 25 |
> $ cat /proc/keys |
| 26 |
> ... |
| 27 |
> 37c67374 I------ 1 perm 1f030000 0 0 asymmetri Build time |
| 28 |
> autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e: |
| 29 |
> X509.rsa 55b41a5e [] |
| 30 |
> ... |
| 31 |
> |
| 32 |
> However, if I do a modinfo to see the key on a module, it seems empty: |
| 33 |
> |
| 34 |
> $modinfo ntfs |
| 35 |
> filename: /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko |
| 36 |
> license: GPL |
| 37 |
> version: 2.1.32 |
| 38 |
> description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton |
| 39 |
> Altaparmakov and Tuxera Inc. |
| 40 |
> author: Anton Altaparmakov <anton@××××××.com> |
| 41 |
> alias: fs-ntfs |
| 42 |
> srcversion: 0D7ACE93F603E9350827FB8 |
| 43 |
> depends: |
| 44 |
> intree: Y |
| 45 |
> vermagic: 4.9.76-gentoo-r1 SMP mod_unload |
| 46 |
> signat: PKCS#7 |
| 47 |
> signer: |
| 48 |
> sig_key: |
| 49 |
> sig_hashalgo: md4 |
| 50 |
> |
| 51 |
> And hex dump does show me the digital signature appended at the end: |
| 52 |
> |
| 53 |
> $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail |
| 54 |
> 0004e8c0 e3 dd 54 9d 5e f1 1a 12 56 47 4e 54 91 b9 fa ce |
| 55 |
> |..T.^...VGNT....| |
| 56 |
> 0004e8d0 e6 01 db 37 eb 83 f3 77 10 f0 b5 f8 11 fd 4e 86 |
| 57 |
> |...7...w......N.| |
| 58 |
> 0004e8e0 6c 81 8a 61 c2 15 6d 5a 35 93 8b 33 c0 32 2f e4 |
| 59 |
> |l..a..mZ5..3.2/.| |
| 60 |
> 0004e8f0 8c 15 71 de c8 c5 39 58 cc e8 65 e1 be 36 e6 02 |
| 61 |
> |..q...9X..e..6..| |
| 62 |
> 0004e900 b0 75 b5 a2 73 d8 4d 22 e7 2f 53 1f 42 fb ee 58 |
| 63 |
> |.u..s.M"./S.B..X| |
| 64 |
> 0004e910 f2 65 44 13 26 30 7b 31 1c 58 12 5a f2 5d b1 45 |
| 65 |
> |.eD.&0{1.X.Z.].E| |
| 66 |
> 0004e920 3a f0 a5 79 74 f4 00 00 02 00 00 00 00 00 00 00 |
| 67 |
> |:..yt...........| |
| 68 |
> 0004e930 02 9e 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 |..~Module |
| 69 |
> signat| |
| 70 |
> 0004e940 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ure |
| 71 |
> appended~.| |
| 72 |
> 0004e94e |
| 73 |
> |
| 74 |
> My question is: why doesn't modinfo show me the key fingerprint? |
| 75 |
> |
| 76 |
> -- |
| 77 |
> Kind regards, |
| 78 |
> Met een vriendelijke groet, |
| 79 |
> |
| 80 |
> Ben Mezger |
| 81 |
> https://seds.nl |
| 82 |
> PGP: C473 DDC9 D1B1 40AF 2051 1CF6 18C4 6052 1688 92F7 |
| 83 |
> |
| 84 |
> |
Archives