kernelnewbies.kernelnewbies.org archive mirror
* "Invalid signature" issue on dev kernel launch
@ 2021-03-23 16:36 Gidi Gal
  2021-03-23 21:08 ` Valdis Klētnieks
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Gidi Gal @ 2021-03-23 16:36 UTC (permalink / raw)
  To: kernelnewbies



Greetings,

After receiving a lot of information regarding my query on how to switch
from installed to dev kernel (thank you to all the people that shared their
knowledge on this subject), I am now facing "invalid signature" error when
I reboot with my installed dev kernel. I shared the logs for the build,
install and also .config and x509.genkey in the following link
<https://drive.google.com/drive/folders/1mVUzrF_5MM4H1x0bLacprvkrXaKtFm6V?usp=sharing>
.
Please let me know what additional information can help to solve this issue.

I am following the instructions in https://kernelnewbies.org/FirstKernelPatch

and I am at the step where I am supposed to verify that a printout was
added to the log after I reboot my dev kernel.

Thanks,
Gidi


_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies


* Re: "Invalid signature" issue on dev kernel launch
  2021-03-23 16:36 "Invalid signature" issue on dev kernel launch Gidi Gal
@ 2021-03-23 21:08 ` Valdis Klētnieks
  2021-03-24  2:25   ` Aruna Hewapathirane
  2021-03-24  2:20 ` Aruna Hewapathirane
  2021-03-24  2:36 ` Aruna Hewapathirane
  2 siblings, 1 reply; 12+ messages in thread
From: Valdis Klētnieks @ 2021-03-23 21:08 UTC (permalink / raw)
  To: Gidi Gal; +Cc: kernelnewbies



On Tue, 23 Mar 2021 18:36:58 +0200, Gidi Gal said:

> knowledge on this subject), I am now facing "invalid signature" error when
> I reboot with my installed dev kernel.

When/where exactly are you getting that error? There's three major
places where things can go wrong:

1) If you're using secure boot, and the grub2 stuff isn't signed by
a certificate your BIOS/EFI knows about.

2) If you're using secure boot, and the kernel itself isn't signed by
a certificate that grub2 knows about.

3) If your kernel config says modules have to be signed, and a module
isn't properly signed with a certificate that your kernel knows about.


* Re: "Invalid signature" issue on dev kernel launch
  2021-03-23 16:36 "Invalid signature" issue on dev kernel launch Gidi Gal
  2021-03-23 21:08 ` Valdis Klētnieks
@ 2021-03-24  2:20 ` Aruna Hewapathirane
  2021-03-24  2:36 ` Aruna Hewapathirane
  2 siblings, 0 replies; 12+ messages in thread
From: Aruna Hewapathirane @ 2021-03-24  2:20 UTC (permalink / raw)
  To: Gidi Gal; +Cc: kernelnewbies



On Tue, Mar 23, 2021 at 12:37 PM Gidi Gal <gidi.gal.linux@gmail.com> wrote:

> Greetings,
>
> After receiving a lot of information regarding my query on how to switch
> from installed to dev kernel (thank you to all the people that shared their
> knowledge on this subject), I am now facing "invalid signature" error when
> I reboot with my installed dev kernel. I shared the logs for the build,
> install and also .config and x509.genkey in the following link
> <https://drive.google.com/drive/folders/1mVUzrF_5MM4H1x0bLacprvkrXaKtFm6V?usp=sharing>
> .
> Please let me know what additional information can help to solve this
> issue.
>
> I am following the instructions in https://kernelnewbies.org/FirstKernelPatch
>
> and I am at the step where I am supposed to verify that a printout was
> added to the log after I reboot my dev kernel.
>
> Thanks,
> Gidi
>
>
Try turning off secure boot in your BIOS. If everything boots smoothly
after disabling secure boot, ask Valdis's opinion on whether
you should leave it disabled or try to go through some real and serious
pain with certificates and signing and the other BS.






* Re: "Invalid signature" issue on dev kernel launch
  2021-03-23 21:08 ` Valdis Klētnieks
@ 2021-03-24  2:25   ` Aruna Hewapathirane
  0 siblings, 0 replies; 12+ messages in thread
From: Aruna Hewapathirane @ 2021-03-24  2:25 UTC (permalink / raw)
  To: Valdis Klētnieks; +Cc: Gidi Gal, kernelnewbies



On Tue, Mar 23, 2021 at 5:09 PM Valdis Klētnieks <valdis.kletnieks@vt.edu>
wrote:

> On Tue, 23 Mar 2021 18:36:58 +0200, Gidi Gal said:
>
> > knowledge on this subject), I am now facing "invalid signature" error
> when
> > I reboot with my installed dev kernel.
>
> When/where exactly are you getting that error? There's three major
> places where things can go wrong:
>

I believe just after you select which kernel you wish to boot into. Check
below:
https://www.youtube.com/watch?v=bsCyZlLgrUY


>
> 1) If you're using secure boot, and the grub2 stuff isn't signed by
> a certificate your BIOS/EFI knows about.
>
> 2) If you're using secure boot, and the kernel itself isn't signed by
> a certificate that grub2 knows about.
>
> 3) If your kernel config says modules have to be signed, and a module
> isn't properly signed with a certificate that your kernel knows about.

* Re: "Invalid signature" issue on dev kernel launch
  2021-03-23 16:36 "Invalid signature" issue on dev kernel launch Gidi Gal
  2021-03-23 21:08 ` Valdis Klētnieks
  2021-03-24  2:20 ` Aruna Hewapathirane
@ 2021-03-24  2:36 ` Aruna Hewapathirane
  2021-03-24  5:26   ` Valdis Klētnieks
                     ` (2 more replies)
  2 siblings, 3 replies; 12+ messages in thread
From: Aruna Hewapathirane @ 2021-03-24  2:36 UTC (permalink / raw)
  To: Gidi Gal; +Cc: kernelnewbies



On Tue, Mar 23, 2021 at 12:37 PM Gidi Gal <gidi.gal.linux@gmail.com> wrote:

> Greetings,
>
> After receiving a lot of information regarding my query on how to switch
> from installed to dev kernel (thank you to all the people that shared their
> knowledge on this subject), I am now facing "invalid signature" error when
> I reboot with my installed dev kernel. I shared the logs for the build,
> install and also .config and x509.genkey in the following link
> <https://drive.google.com/drive/folders/1mVUzrF_5MM4H1x0bLacprvkrXaKtFm6V?usp=sharing>
> .
> Please let me know what additional information can help to solve this
> issue.
>
> I am following the instructions in https://kernelnewbies.org/FirstKernelPatch
>
> and I am at the step where I am supposed to verify that a printout was
> added to the log after I reboot my dev kernel.
>
> Thanks,
> Gidi
>

Gidi,

From your build.log I see you compiled that kernel 6 times:
Kernel: arch/x86/boot/bzImage is ready  (#6)

And the install log tells me:
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/50_linuxmint.cfg'
Sourcing file `/etc/default/grub.d/init-select.cfg'

I am curious: are you using Linux Mint or Debian?

I also see:
CC      drivers/cpufreq/cpufreq_ondemand.o
drivers/cpufreq/cpufreq_ondemand.c: In function ‘od_set_powersave_bias’:
drivers/cpufreq/cpufreq_ondemand.c:446:1: warning: the frame size of 1032
bytes is larger than 1024 bytes [-Wframe-larger-than=]
  446 | }
      | ^
This is what causes the compile time errors with possible missing firmware
:-)

and all the kernels you have you can boot into by selecting 'Advanced
options' in the grub menu then
choosing the kernel you wish to use.

Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/50_linuxmint.cfg'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.12.0-rc3-GIDI-DEV+
Found initrd image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+
Found linux image: /boot/vmlinuz-5.12.0-rc3-GIDI-DEV+.old
Found initrd image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+
Found linux image: /boot/vmlinuz-5.4.0-64-generic
Found initrd image: /boot/initrd.img-5.4.0-64-generic
Found linux image: /boot/vmlinuz-5.4.0-58-generic
Found initrd image: /boot/initrd.img-5.4.0-58-generic
Adding boot menu entry for UEFI Firmware Settings

Disabling secure boot should make your invalid signature error go away.

Hope this helps - Aruna


* Re: "Invalid signature" issue on dev kernel launch
  2021-03-24  2:36 ` Aruna Hewapathirane
@ 2021-03-24  5:26   ` Valdis Klētnieks
  2021-03-24 13:21     ` Aruna Hewapathirane
  2021-03-24 12:58   ` Gidi Gal
  2021-03-24 13:12   ` Gidi Gal
  2 siblings, 1 reply; 12+ messages in thread
From: Valdis Klētnieks @ 2021-03-24  5:26 UTC (permalink / raw)
  To: Aruna Hewapathirane; +Cc: Gidi Gal, kernelnewbies



On Tue, 23 Mar 2021 22:36:33 -0400, Aruna Hewapathirane said:

> I also see:
> CC      drivers/cpufreq/cpufreq_ondemand.o
> drivers/cpufreq/cpufreq_ondemand.c: In function ‘od_set_powersave_bias’:
> drivers/cpufreq/cpufreq_ondemand.c:446:1: warning: the frame size of 1032
> bytes is larger than 1024 bytes [-Wframe-larger-than=]
>   446 | }
>       | ^
> This is what causes the compile time errors with possible missing firmware

No it's not. That's just a *warning* and doesn't stop the build.  The reason
that we have that warning is because on most architectures, the entire kernel
stack has to fit into 2 contiguous 4k pages.

And a perfectly legal stack can be something like TCP delivering an NFS packet
which then goes to the NFS code, which then hands it off to the VFS layer,
which checks the page cache, which hands it off to XFS, which schedules I/O to
the filesystem, which gets handed to the block subsystem, which realizes that
the target partition is an LVM partition, and LVM realizes that the "physical
volume" is actually a dm-crypt, and then dm-crypt does some cryptography and
calls the block subsystem to write to the physical disk. Feel free to check the code
path yourself... :)

And all of that has to fit in 8K of stack. That's why we warn when things have
a large stack frame entry.

Anyhow, "possible missing firmware" isn't even at compile time - it's during
the build of the initramfs at *install* time.  And the most likely cause of
that is missing external firmware that's not GPL - it's all confined to 2
graphics drivers - amdgpu and i915, so not at all related to a warning against
cpufreq...



* Re: "Invalid signature" issue on dev kernel launch
  2021-03-24  2:36 ` Aruna Hewapathirane
  2021-03-24  5:26   ` Valdis Klētnieks
@ 2021-03-24 12:58   ` Gidi Gal
  2021-03-24 13:26     ` Aruna Hewapathirane
  2021-03-24 15:17     ` Valdis Klētnieks
  2021-03-24 13:12   ` Gidi Gal
  2 siblings, 2 replies; 12+ messages in thread
From: Gidi Gal @ 2021-03-24 12:58 UTC (permalink / raw)
  To: Aruna Hewapathirane, kernelnewbies, valdis.kletnieks



>
> Disabling secure boot should make your invalid signature error go away.
>

Thanks, Aruna, I managed to launch my kernel after disabling secure boot.
Finally, I am able to continue with my tutorial :-)

What kind of changes in the kernel require testing with valid signatures ?

Thanks,
Gidi



* Re: "Invalid signature" issue on dev kernel launch
  2021-03-24  2:36 ` Aruna Hewapathirane
  2021-03-24  5:26   ` Valdis Klētnieks
  2021-03-24 12:58   ` Gidi Gal
@ 2021-03-24 13:12   ` Gidi Gal
  2 siblings, 0 replies; 12+ messages in thread
From: Gidi Gal @ 2021-03-24 13:12 UTC (permalink / raw)
  To: Aruna Hewapathirane, valdis.kletnieks, kernelnewbies



>
> From your build.log I see you compiled that kernel 6 times:
>

Yep, tried all sorts of things that did not work with the signature issue.
I assume there's a much shorter process for re-signing a built kernel without
going through a complete build again? If you have time, I will be grateful for some
pointers on the subject.


> I am curious are you using linux mint or Debian ?


I am using Linux Mint. As a beginner, I took web advice to install Linux
Mint.

> > knowledge on this subject), I am now facing "invalid signature" error when
> > I reboot with my installed dev kernel.
>
> When/where exactly are you getting that error? There's three major
> places where things can go wrong:
>
> 1) If you're using secure boot, and the grub2 stuff isn't signed by
> a certificate your BIOS/EFI knows about.
>
> 2) If you're using secure boot, and the kernel itself isn't signed by
> a certificate that grub2 knows about.
>
> 3) If your kernel config says modules have to be signed, and a module
> isn't properly signed with a certificate that your kernel knows about.
>
>
The message is displayed at boot time. Since I am forced to replace the kernel,
I cannot see this error message in 'dmesg | less', probably because it
refers to the last boot? So I don't know how to gather more info about the
exact entity that launched this error.

Is there any tool that can test a signed kernel to confirm the signature is
valid, and if not, to provide clearer information on what is wrong with the
signature?

For now I will work with disabled secure boot, as Aruna proposed. I'll be
happy to find a way to fix this issue, though.

Thanks,
Gidi


* Re: "Invalid signature" issue on dev kernel launch
  2021-03-24  5:26   ` Valdis Klētnieks
@ 2021-03-24 13:21     ` Aruna Hewapathirane
  2021-03-24 14:59       ` Valdis Klētnieks
  0 siblings, 1 reply; 12+ messages in thread
From: Aruna Hewapathirane @ 2021-03-24 13:21 UTC (permalink / raw)
  To: Valdis Klētnieks; +Cc: Gidi Gal, kernelnewbies



On Wed, Mar 24, 2021 at 1:26 AM Valdis Klētnieks <valdis.kletnieks@vt.edu>
wrote:

> On Tue, 23 Mar 2021 22:36:33 -0400, Aruna Hewapathirane said:
>
> > I also see:
> > CC      drivers/cpufreq/cpufreq_ondemand.o
> > drivers/cpufreq/cpufreq_ondemand.c: In function ‘od_set_powersave_bias’:
> > drivers/cpufreq/cpufreq_ondemand.c:446:1: warning: the frame size of 1032
> > bytes is larger than 1024 bytes [-Wframe-larger-than=]
> >   446 | }
> >       | ^
> > This is what causes the compile time errors with possible missing
> firmware
>
> No it's not. That's just a *warning* and doesn't stop the build.  The
> reason
> that we have that warning is because on most architectures, the entire
> kernel
> stack has to fit into 2 contiguous 4k pages.
>
Oh dear, that's right, it does not stop the build, what was I thinking ..


> And a perfectly legal stack can be something like TCP delivering an NFS
> packet
> which then goes to the NFS code, which then hands it off to the VFS layer,
> which checks the page cache, which hands it off to XFS, which schedules
> I/O to
> the filesystem, which gets handed to the block subsystem, which realizes
> that
> the target partition is an LVM partition, and LVM realizes that the
> "physical
> volume" is actually a dm-crypt, and then dm-crypt does some cryptography
> and
> calls the block subsystem to write to the physical disk. Feel free to
> check the code
> path yourself... :)
>
>
Oh my... and oh dear ( again! )


> And all of that has to fit in 8K of stack. That's why we warn when things
> have
> a large stack frame entry.
>

I still don't understand why the 8K barrier? Why can't we make it, say, 16K?

>
> Anyhow, "possible missing firmware" isn't even at compile time - it's
> during
> the build of the initramfs at *install* time.  And the most likely cause of
> that is that missing external firmware that's not GPL - it's all confined
> to 2
> graphics drivers - amdgpu and i915, so not at all related to a warning
> against
> cpufreq...
>
Understood and my apologies :-)


* Re: "Invalid signature" issue on dev kernel launch
  2021-03-24 12:58   ` Gidi Gal
@ 2021-03-24 13:26     ` Aruna Hewapathirane
  2021-03-24 15:17     ` Valdis Klētnieks
  1 sibling, 0 replies; 12+ messages in thread
From: Aruna Hewapathirane @ 2021-03-24 13:26 UTC (permalink / raw)
  To: Gidi Gal; +Cc: Valdis Kletnieks, kernelnewbies



On Wed, Mar 24, 2021 at 8:58 AM Gidi Gal <gidi.gal.linux@gmail.com> wrote:

>> Disabling secure boot should make your invalid signature error go away.
>>
>
> Thanks, Aruna, I managed to launch my kernel after disabling secure boot.
> Finally, I am able to continue with my tutorial :-)
>

See, you're a kernel hacker now, and you are welcome, but thank Valdis; he said
something about secure boot that got me thinking :-)

> What kind of changes in the kernel require testing with valid signatures ?

I frankly have no clue. I never needed signatures so far anyway. Valdis any
thoughts please ?


* Re: "Invalid signature" issue on dev kernel launch
  2021-03-24 13:21     ` Aruna Hewapathirane
@ 2021-03-24 14:59       ` Valdis Klētnieks
  0 siblings, 0 replies; 12+ messages in thread
From: Valdis Klētnieks @ 2021-03-24 14:59 UTC (permalink / raw)
  To: Aruna Hewapathirane; +Cc: Gidi Gal, kernelnewbies



On Wed, 24 Mar 2021 09:21:31 -0400, Aruna Hewapathirane said:

> > And all of that has to fit in 8K of stack. That's why we warn when things have
> > a large stack frame entry.

> I still don't understand why the 8K barrier ? Why can't we make it say 16K ?

The issue is that then you need 4 contiguous pages for fork() to succeed, which can
become a problem if memory gets fragmented.  The chances of being able to find
2 contiguous pages are *much* higher than 4.



* Re: "Invalid signature" issue on dev kernel launch
  2021-03-24 12:58   ` Gidi Gal
  2021-03-24 13:26     ` Aruna Hewapathirane
@ 2021-03-24 15:17     ` Valdis Klētnieks
  1 sibling, 0 replies; 12+ messages in thread
From: Valdis Klētnieks @ 2021-03-24 15:17 UTC (permalink / raw)
  To: Gidi Gal; +Cc: Aruna Hewapathirane, kernelnewbies



On Wed, 24 Mar 2021 14:58:05 +0200, you said:

> What kind of changes in the kernel require testing with valid signatures ?

Pretty much only changes that affect module signing.

If your threat model doesn't include "hacker sticks rogue module on
your box and gets it loaded to install backdoor", you can turn off
module signing on your self-compiled kernels.  Distros don't do that,
because those kernels *do* get installed on high-value targets where
"hacker installs backdoor kernel module" is very much part of the threat model.

Conversely, you can get secure boot to work with self-compiled kernels, but you
have to create a local trusted signature, feed it to the bios/efi, then sign
grub2 with that signature, and then lather/rinse repeat, telling grub2 about a
certificate used to sign the kernel, and then enable kernel module signing.
Very much a  "some assembly required" procedure, and you have to remember to
re-sign grub2 whenever it's updated.
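
Added example, not part of the thread and not code from any poster: a POSIX shell triage for the three checks Valdis lists, which also addresses Gidi's question about a tool to test a signed kernel. It reports whether an EFI image (grub2 or an EFI-stub kernel) carries an Authenticode signature at all, what a kernel .config says about module signing, and whether a .ko has an appended signature. The function names and the `report` sub-command are made up for this example; whether the signer is actually trusted is left to `sbverify --cert`.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline triage for the three
# signature checks: firmware -> grub2, grub2 -> kernel, kernel -> module.

# Print the little-endian unsigned integer stored in $3 bytes at offset $2 of $1.
le_uint() {
    set -- $(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null)
    _v=0; _sh=0
    for _b in "$@"; do
        _v=$(( _v + (_b << _sh) )); _sh=$(( _sh + 8 ))
    done
    echo "$_v"
}

# Checks 1 and 2: does a PE/COFF file (grub2 .efi or an EFI-stub bzImage)
# have a non-empty certificate table? Prints signed | unsigned | not-pe.
# "signed" only means a signature is present; whether firmware or grub2
# trusts the signer is answered by: sbverify --cert <cert.pem> <image>
efi_image_signature() {
    [ "$(le_uint "$1" 0 2)" -eq 23117 ] || { echo not-pe; return; }       # "MZ"
    _pe=$(le_uint "$1" 60 4)                                              # e_lfanew
    [ "$(le_uint "$1" "$_pe" 4)" -eq 17744 ] || { echo not-pe; return; }  # "PE\0\0"
    _opt=$(( _pe + 24 ))                     # optional header follows COFF header
    case "$(le_uint "$1" "$_opt" 2)" in
        267) _dirs=$(( _opt + 96 )) ;;       # PE32
        523) _dirs=$(( _opt + 112 )) ;;      # PE32+ (x86_64)
        *)   echo not-pe; return ;;
    esac
    # NumberOfRvaAndSizes sits just before the data directory array;
    # entry 4 is the certificate (security) table: 4-byte offset, 4-byte size.
    [ "$(le_uint "$1" $(( _dirs - 4 )) 4)" -gt 4 ] || { echo unsigned; return; }
    if [ "$(le_uint "$1" $(( _dirs + 4 * 8 + 4 )) 4)" -gt 0 ]; then
        echo signed
    else
        echo unsigned
    fi
}

# Check 3a: module signing policy from a kernel .config.
# off        = signatures are not checked
# permissive = unsigned modules still load (and taint the kernel)
# enforced   = unsigned or wrongly signed modules are rejected
# module.sig_enforce=1 on the kernel command line also enforces at boot.
module_sig_policy() {
    if grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$1"; then echo enforced
    elif grep -q '^CONFIG_MODULE_SIG=y' "$1"; then echo permissive
    else echo off
    fi
}

# Check 3b: a signed .ko ends with this 28-byte marker (27 characters plus a
# newline). Compressed modules (.ko.xz, .ko.zst) must be decompressed first.
module_is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "~Module signature appended~" ]
}

# usage: sh triage.sh report <efi-or-kernel-image> <kernel-config> [module.ko]
report() {
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state || true
    else
        echo "Secure Boot state: unknown (mokutil not installed)"
    fi
    echo "image $1: $(efi_image_signature "$1")"
    echo "module signing policy in $2: $(module_sig_policy "$2")"
    if [ -n "${3:-}" ]; then
        if module_is_signed "$3"; then echo "$3: signed"; else echo "$3: NOT signed"; fi
    fi
}

if [ "${1:-}" = "report" ]; then shift; report "$@"; fi
```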

