From: jim.cromie@gmail.com
To: Greg KH <greg@kroah.com>
Cc: kernelnewbies <kernelnewbies@kernelnewbies.org>
Subject: Re: why does an in-tree loadable module taint the kernel
Date: Tue, 15 Jun 2021 12:26:19 -0600
Message-ID: <CAJfuBxwLuJC2XC+wLzbHwCyhx+=MiPi5jgmi=_T6EMaYm15wXg@mail.gmail.com>
In-Reply-To: <YMjURr/pb9H/oMtt@kroah.com>

On Tue, Jun 15, 2021 at 10:24 AM Greg KH <greg@kroah.com> wrote:
>
> On Tue, Jun 15, 2021 at 10:06:08AM -0600, jim.cromie@gmail.com wrote:
> > On Mon, Jun 14, 2021 at 1:20 AM Greg KH <greg@kroah.com> wrote:
> > >
> > > On Mon, Jun 14, 2021 at 01:09:25AM -0600, jim.cromie@gmail.com wrote:
> > > > serio_raw is apparently tainting the kernel when it's modprobed.
> > > > Why? Other modules load properly, and there are no code changes to this module.
> > > >
> > > > bash-5.1# dmesg | grep -i taint
> > > > [    6.517150] serio_raw: module verification failed: signature and/or
> > > > required key missing - tainting kernel
> > >
> > > You did not build this with the correct module signing key that your
> > > kernel was built with.  That is what this warning is showing you, try
> > > building all modules with the same key as your kernel had and you should
> > > be fine.
> > >
> >
> > OK, I understand better now -
> >
> > It's nothing wrong with serio_raw; it's just the 1st module to load,
> > and the warning comes just once.
> > kernel/module.c
> > 3962: pr_notice_once("%s: module verification failed: signature "
> >
> > What's odd is that the same module has a signature when modinfo'd in
> > the kernel running the laptop, but not from the same kernel running inside a VM.
> > Does this constitute a bug of some sort?
>
> I do not understand, what is different here and what is not working
> properly?
>

I have built and installed 5.13-rc6 onto my laptop; I'm running it now.
When I modinfo something, it shows a signature:

[jimc@frodo ~]$ modinfo pcspkr
filename:       /lib/modules/5.13.0-rc6-lm1-00004-g28dc6f490a7f/kernel/drivers/input/misc/pcspkr.ko
alias:          platform:pcspkr
license:        GPL
description:    PC Speaker beeper driver
author:         Vojtech Pavlik <vojtech@ucw.cz>
depends:
retpoline:      Y
intree:         Y
name:           pcspkr
vermagic:       5.13.0-rc6-lm1-00004-g28dc6f490a7f SMP mod_unload
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        73:9F:4D:24:D7:05:0A:55:AE:5C:B1:F6:52:B1:BA:E0:5C:68:32:36
sig_hashalgo:   sha512
signature:      47:10:D7:A0:79:BE:B5:24:B1:BE:7F:53:8D:EF:4E:73:BD:39:5C:B4:
CB:7A:CD:3F:C8:96:E4:7A:72:17:A0:2B:42:63:5A:0F:F6:8B:70:7E:
...

When I run precisely the same kernel inside a virtme/kvm/qemu VM,
the same modinfo lacks that sig stuff.
Note that vermagic matches exactly:

bash-5.1# modinfo pcspkr
filename:       /lib/modules/5.13.0-rc6-lm1-00004-g28dc6f490a7f/kernel/drivers/input/misc/pcspkr.ko
alias:          platform:pcspkr
license:        GPL
description:    PC Speaker beeper driver
author:         Vojtech Pavlik <vojtech@ucw.cz>
depends:
retpoline:      Y
intree:         Y
name:           pcspkr
vermagic:       5.13.0-rc6-lm1-00004-g28dc6f490a7f SMP mod_unload
bash-5.1#


> If you rebuild modules for a kernel without having the key, yes, you
> will get this warning.  You have to have the same key here.

Here's how I've configured:
- copy distro .config from /boot (Fedora)
- make localmodconfig (to drop building parts I won't need)
- virtme-configkernel --update (to get support for 9P, virtio etc. to
  mount host disks)

All the SECURITY stuff came from the distro config;
I haven't yet tried to unconfigure it.

I haven't done anything specific with keys; I don't know why whatever
key is involved is not available for both scenarios.
Here's the relevant (I hope) config items:

[jimc@frodo local-i915m]$ grep SALT .config
CONFIG_BUILD_SALT="5.8.12-200.fc32.x86_64"

[jimc@frodo local-i915m]$ grep _KEY .config | grep -v '#'
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y
CONFIG_INPUT_KEYBOARD=y
CONFIG_KEYBOARD_ATKBD=y
CONFIG_KEYS=y
CONFIG_KEYS_REQUEST_CACHE=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_KEY_DH_OPERATIONS=y
CONFIG_KEY_NOTIFICATIONS=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_LOAD_UEFI_KEYS=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
[jimc@frodo local-i915m]$

[jimc@frodo local-i915m]$ grep SECURITY .config | grep -v '#'
CONFIG_IP_NF_SECURITY=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_EXT4_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_WRITABLE_HOOKS=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_DEFAULT_SECURITY_SELINUX=y

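modinfo derives the sig_id/signer/sig_key/signature lines from a signature block appended to the .ko file itself (the PKCS#7 blob, a 12-byte struct module_signature header, then the marker "~Module signature appended~\n"), so comparing the files each side actually reads is the direct way to see which copy is missing it. The following checker is an added example, not code from this thread or the kernel tree; the script name and the sample bytes are constructed, and the header sanity checks mirror mod_check_sig() in kernel/module_signature.c.

```python
import struct
import sys
from pathlib import Path

MODULE_SIG_STRING = b"~Module signature appended~\n"  # 28-byte trailer marker
# struct module_signature (include/linux/module_signature.h):
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 __pad[3], __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type written by scripts/sign-file; modinfo shows it as "sig_id: PKCS#7"


def parse_module_signature(data: bytes):
    """Return a dict describing the appended signature, or None if the file has no trailer."""
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    body = body[:-SIG_HDR.size]
    if sig_len > len(body):
        raise ValueError("sig_len exceeds file size")
    # Same rule the kernel applies: a PKCS#7 trailer carries no inline algo/hash/signer/key-id.
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("malformed PKCS#7 module_signature header")
    split = len(body) - sig_len
    return {"id_type": id_type, "sig_len": sig_len, "pkcs7": body[split:], "module_len": split}


def describe(data: bytes) -> str:
    """One-line verdict suitable for comparing the host's and the VM's copy of a module."""
    info = parse_module_signature(data)
    if info is None:
        return "unsigned (no '~Module signature appended~' trailer)"
    kind = "PKCS#7" if info["id_type"] == PKEY_ID_PKCS7 else f"id_type={info['id_type']}"
    return f"signed ({kind}, {info['sig_len']}-byte signature over {info['module_len']} bytes)"


# Constructed sample data, not real modules: a fake ELF body with and without a trailer.
UNSIGNED_KO = b"\x7fELF" + b"\0" * 60
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xab" * 16  # placeholder DER bytes, not a real signature
SIGNED_KO = (UNSIGNED_KO + FAKE_PKCS7
             + SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_PKCS7))
             + MODULE_SIG_STRING)

if __name__ == "__main__":
    # Usage: python3 modsig_check.py /lib/modules/$(uname -r)/kernel/drivers/input/misc/pcspkr.ko
    for path in sys.argv[1:]:
        print(f"{path}: {describe(Path(path).read_bytes())}")
    if not sys.argv[1:]:
        print("sample unsigned:", describe(UNSIGNED_KO))
        print("sample signed:  ", describe(SIGNED_KO))
```

The check reads the raw file, so decompress .ko.xz or .ko.zst modules first; a trailer inside the compressed payload is not visible to it.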