From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: ** X-Spam-Status: No, score=2.5 required=3.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E97DC433C1 for ; Wed, 24 Mar 2021 13:12:45 +0000 (UTC) Received: from shelob.surriel.com (shelob.surriel.com [96.67.55.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 9049161A0C for ; Wed, 24 Mar 2021 13:12:44 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9049161A0C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernelnewbies-bounces@kernelnewbies.org Received: from localhost ([::1] helo=shelob.surriel.com) by shelob.surriel.com with esmtp (Exim 4.94) (envelope-from ) id 1lP3JC-0005Xq-H2; Wed, 24 Mar 2021 09:12:26 -0400 Received: from mail-vs1-xe2e.google.com ([2607:f8b0:4864:20::e2e]) by shelob.surriel.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94) (envelope-from ) id 1lP3JA-0005Xh-8g for kernelnewbies@kernelnewbies.org; Wed, 24 Mar 2021 09:12:24 -0400 Received: by mail-vs1-xe2e.google.com with SMTP id h25so11280221vso.2 for ; Wed, 24 Mar 2021 06:12:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=rtMGKpjHEKVtGuR9FwCw5lZ7msBNlMNHfMKbl+GLgcE=; b=ADT0v5KKrGF9IwoEuz8xgS1o3A3nSIBLAweVrpgmhSosyoBm7cAS/x57f7qsrWHCZI zyeVIBdrCiowmj8iAG4FAb+7K2CDDsDHs7nCmhWWvxt83/3viwYajKzthvQYIb5W6jA8 Z0mMN/1zEKe5jiEm1td4ioxC/WTyotsfbdHEE6zDVxaMpig2ip4fFAV7GsKCDudo/cIt 4Ca6kTdPEGK9KKTRDNZV0gBuYKmwuURis5Zcy2DhWxUQDklC/uJONvfkkoZH4nAZ3NAn RZXXodu6VFD4mjv31q3H09aeGT1THHqoVDnEnONMP/k9LT5gp/uTCSVL75lpGOFaDhqu INKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=rtMGKpjHEKVtGuR9FwCw5lZ7msBNlMNHfMKbl+GLgcE=; b=YmCIrvC0mLmzkDTfJNH/fQziZrGGFfnE+s7+5Kgc/EgdvZy+MVFdMEt1wwzNsd+xLc 4C/DpK/+1L1m8QodJrCjTdEfcGsmeYiXUUrxH6n/iIKKY5QTHY4FYmiCNtLPAJSKPkL1 Is8lAozXnOhVj2nuRufBAMHI4Kekr8TA+YHMVYbWi40MB6iKo7eWGPymXbBLkkuj8RU6 JMCwOjQFKT0p27LJWOMlh0mktaHg1+Fzy1L4Gka4E3/BPk67/CriQvH1GfdhHWz3STsk KdVwTGH9fuJ757EQRfmGbLmytflwFl9BAZi1LATJWbJY9QX9czt0IC2bX8e4u2QG2iX2 PEhw== X-Gm-Message-State: AOAM532yaKgVGi/ZVSMszE3krCWOaYz1+ePeaGHV8/8T3FBsfEzETknu UuZzEbJQs9mCIN1TPdx1zSp8XYulJtmmGPqjxQ== X-Google-Smtp-Source: ABdhPJwwwbrnuB2dUC0t6LEj42LEakSvZNn/Rx1YC+RRo7xOKCl/jNcwFFlj8nCtqtvHILjaNY2/+3al5v3LrVyr6og= X-Received: by 2002:a67:7cd7:: with SMTP id x206mr1560251vsc.11.1616591542295; Wed, 24 Mar 2021 06:12:22 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Gidi Gal Date: Wed, 24 Mar 2021 15:12:11 +0200 Message-ID: Subject: Re: "Invalid signature" issue on dev kernel launch To: Aruna Hewapathirane , valdis.kletnieks@vt.edu, kernelnewbies@kernelnewbies.org X-BeenThere: kernelnewbies@kernelnewbies.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Learn about the Linux kernel List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============1414132078602463537==" Errors-To: kernelnewbies-bounces@kernelnewbies.org --===============1414132078602463537== Content-Type: multipart/alternative; boundary="000000000000a01eec05be480ce0" --000000000000a01eec05be480ce0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > > From your build.log I see you compiled that kernel 6 times: > Yep, tried all sorts of things that did not work with the signature issue. I assume there's much shorter process for re-signing built kernel without going through a complete build again ? If you have time, I will be grateful for some pointers on the subject. > I am curious are you using linux mint or Debian ? I am using Linux Mint. As a beginner, I took web advice to install Linux Mint. > knowledge on this subject), I am now facing "invalid signature" error whe= n > > I reboot with my installed dev kernel. > > When/where exactly are you getting that error? There's three major > places where things can go wrong: > > 1) If you're using secure boot, and the grub2 stuff isn't signed by > a certificate your BIOS/EFI knows about. > > 2) If you're using secure boot, and the kernel itself isn't signed by > a certificate that grub2 knows about. > > 3) If your kernel config says modules have to be signed, and a module > isn't properly signed with a certificate that your kernel knows about. > > The message is displayed at boot time. Since I am forced to replace kernel, I cannot see this error message in 'dmesg | less', probably because it refers to the last boot ? So I don't know how to gather more info about the exact entity that launched this error. Is there any tool that can test signed kernel to confirm the signature is valid, and if not, to provide clearer information on what is wrong with the signature ? For now I will work with disabled secure boot, as Aruna proposed. I'll be happy to find a way to fix this issue, though. Thanks, Gidi On Wed, Mar 24, 2021 at 4:36 AM Aruna Hewapathirane < aruna.hewapathirane@gmail.com> wrote: > > > On Tue, Mar 23, 2021 at 12:37 PM Gidi Gal > wrote: > >> Greetings, >> >> After receiving a lot of information regarding my query on how to switch >> from installed to dev kernel (thank you to all the people that shared th= eir >> knowledge on this subject), I am now facing "invalid signature" error wh= en >> I reboot with my installed dev kernel. I shared the logs for the build, >> install and also .config and x509.genkey in the following link >> >> . >> Please let me know what additional information can help to solve this >> issue. >> >> I am following the instructions in https://kernelnewbies.org/FirstKernel= Patch >> >> and I am at the step where I am supposed to verify that a printout was >> added to the log after I reboot my dev kernel. >> >> Thanks, >> Gidi >> > > Gidi, > > From your build.log I see you compiled that kernel 6 times: > Kernel: arch/x86/boot/bzImage is ready (#6) > > And the install log tells me: > Sourcing file `/etc/default/grub' > Sourcing file `/etc/default/grub.d/50_linuxmint.cfg' > Sourcing file `/etc/default/grub.d/init-select.cfg' > > I am curious are you using linux mint or Debian ? > > I also see: > CC drivers/cpufreq/cpufreq_ondemand.o > drivers/cpufreq/cpufreq_ondemand.c: In function =E2=80=98od_set_powersave= _bias=E2=80=99: > drivers/cpufreq/cpufreq_ondemand.c:446:1: warning: the frame size of 1032 > bytes is larger than 1024 bytes [-Wframe-larger-than=3D] > 446 | } > | ^ > This is what causes the compile time errors with possible missing firmwar= e > :-) > > and all the kernels you have you can boot into by selecting 'Advanced > options' in the grub menu then > choosing the kernel you wish to use. > > Sourcing file `/etc/default/grub' > Sourcing file `/etc/default/grub.d/50_linuxmint.cfg' > Sourcing file `/etc/default/grub.d/init-select.cfg' > Generating grub configuration file ... > Found linux image: /boot/vmlinuz-5.12.0-rc3-GIDI-DEV+ > Found initrd image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+ > Found linux image: /boot/vmlinuz-5.12.0-rc3-GIDI-DEV+.old > Found initrd image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+ > Found linux image: /boot/vmlinuz-5.4.0-64-generic > Found initrd image: /boot/initrd.img-5.4.0-64-generic > Found linux image: /boot/vmlinuz-5.4.0-58-generic > Found initrd image: /boot/initrd.img-5.4.0-58-generic > Adding boot menu entry for UEFI Firmware Settings > > Disabling secure boot should make your invalid signature error go away. > > Hope this helps - Aruna > > --000000000000a01eec05be480ce0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Fro= m your build.log I see you compiled that kernel 6 times:

Yep,=C2=A0 tried all sorts of things that did not work= with the signature issue. I assume there's much shorter process for re= -signing built kernel without going through
a complete build= again ?=C2=A0 If you have time, I will be grateful for some pointers on th= e subject.
=C2=A0
I am curious are you using linux mint or Debian ?
=

I am using Linux Mint. As a beginner, I took web advice= to install Linux Mint.

> knowledge on this sub= ject), I am now facing "invalid signature" error when
> I reboot with my installed dev kernel.

 When/where exactly are you getting that error? There's three major
places where things can go wrong:

1) If you're using secure boot, and the grub2 stuff isn't signed by=
a certificate your BIOS/EFI knows about.

2) If you're using secure boot, and the kernel itself isn't signed = by
a certificate that grub2 knows about.

3) If your kernel config says modules have to be signed, and a module
isn't properly signed with a certificate that your kernel knows about.<= /div>


The message is display= ed at boot time. Since I am forced to replace kernel, I cannot see this err= or message in 'dmesg | less', probably because it refers to the las= t boot ? So I don't know how to gather more info about the exact entity= that launched this error.

Is there any tool t= hat can test signed kernel to confirm the signature is valid, and if not, t= o provide clearer information on what is wrong with the signature ?

For now I will work with disabled secure boot, as Aru= na proposed. I'll be happy to find a way to fix this issue, though.
=

Thanks,
Gidi

On Wed, Mar 24, 2= 021 at 4:36 AM Aruna Hewapathirane <aruna.hewapathirane@gmail.com> wrote:


On Tue, Mar 23, 2021 at 12:37 PM Gidi Gal <gidi.gal.linux@gmail.com> wrot= e:
Greetings,

After receiving a lot of infor= mation regarding my query on how to switch from installed to dev kernel (t= hank you to all the people that shared their knowledge on this subject), I = am now facing "invalid signature" error when I reboot with my ins= talled dev kernel. I shared the logs for the build, install and also .confi= g and x509.genkey in the following link.
Please let me know what additional information can he= lp to solve this issue.

I am following the instruc= tions in https://kernelnewbies.org/FirstKernelPatch
and I = am at the step where I am supposed to verify that a printout was added to t= he log after I reboot my dev kernel.

Thanks,
Gidi

Gidi,
<= br>
From your build.log I see you compiled that kernel 6 times: <= br>Kernel: arch/x86/boot/bzImage is ready =C2=A0(#6)

And the install log tells me:
Sourcing file `/etc/default/= grub'
Sourcing file `/etc/default/grub.d/50_linuxmint.cfg'
So= urcing file `/etc/default/grub.d/init-select.cfg'

I am curious are you using linux mint or Debian ?

I also see:
CC =C2=A0 =C2=A0 =C2=A0drivers/cpufreq/cpufreq_onde= mand.o
drivers/cpufreq/cpufreq_ondemand.c: In function =E2=80=98od_set_p= owersave_bias=E2=80=99:
drivers/cpufreq/cpufreq_ondemand.c:446:1: warnin= g: the frame size of 1032 bytes is larger than 1024 bytes [-Wframe-larger-t= han=3D]
=C2=A0 446 | }
=C2=A0 =C2=A0 =C2=A0 | ^
This is wha= t causes the compile time errors with possible missing firmware :-)

and all the kernels you have you can boot into by sel= ecting 'Advanced options' in the grub menu then
choo= sing the kernel you wish to use.

Sourcing file `/e= tc/default/grub'
Sourcing file `/etc/default/grub.d/50_linuxmint.cfg= '
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generat= ing grub configuration file ...
Found linux image: /boot/vmlinuz-5.12.0-= rc3-GIDI-DEV+
Found initrd image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+<= br>Found linux image: /boot/vmlinuz-5.12.0-rc3-GIDI-DEV+.old
Found initr= d image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+
Found linux image: /boot/= vmlinuz-5.4.0-64-generic
Found initrd image: /boot/initrd.img-5.4.0-64-g= eneric
Found linux image: /boot/vmlinuz-5.4.0-58-generic
Found initrd= image: /boot/initrd.img-5.4.0-58-generic
Adding boot menu entry for UEF= I Firmware Settings

Disabling secure boot should m= ake your invalid signature error go away.

Hope thi= s helps - Aruna

--000000000000a01eec05be480ce0-- --===============1414132078602463537== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies --===============1414132078602463537==--