From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Woodhouse, David" <david.woodhouse@intel.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"mmarek@suse.cz" <mmarek@suse.cz>,
"keyrings@linux-nfs.org" <keyrings@linux-nfs.org>,
"seth.forshee@canonical.com" <seth.forshee@canonical.com>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"rusty@rustcorp.com.au" <rusty@rustcorp.com.au>,
"dhowells@redhat.com" <dhowells@redhat.com>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"mcgrof@suse.com" <mcgrof@suse.com>,
"mjg59@srcf.ucam.org" <mjg59@srcf.ucam.org>
Subject: Re: [PATCH 1/4] modsign: Abort modules_install when signing fails
Date: Tue, 19 May 2015 07:45:00 -0400 [thread overview]
Message-ID: <1432035900.4510.81.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1432017624.3277.19.camel@intel.com>
On Tue, 2015-05-19 at 06:40 +0000, Woodhouse, David wrote:
> On Mon, 2015-05-18 at 21:29 -0400, Mimi Zohar wrote:
> > On Fri, 2015-05-15 at 17:52 +0100, David Woodhouse wrote:
> > > Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
> > With this patch, as expected the modules_install aborted on failure. Is
> > there any way to capture the reason for the failure? In my case,
> > dropping the '-j <num>' option resolved the problem.
My mistake the failure was there.
> Hm, was there no output from sign-file when this happened? Remember that
> with a parallel make the error which stops the build might not be the
> last thing it printed. Can you show the full output?
/bin/sh: line 1: 22771 Segmentation fault (core dumped) scripts/sign-file "sha256" "pkcs11:manufacturer=piv_II;id=%01" ./signing_key.x509 /lib/modules/4.1.0-rc1-test+/kernel/net/ipv6/netfilter/ip6table_filter.ko
/home/zohar/src/kernel/linux-integrity/scripts/Makefile.modinst:35: recipe for target 'net/ipv6/netfilter/ip6table_filter.ko' failed
make[2]: *** [net/ipv6/netfilter/ip6table_filter.ko] Error 139
make[2]: *** Waiting for unfinished jobs....
/bin/sh: line 1: 22842 Segmentation fault (core dumped) scripts/sign-file "sha256" "pkcs11:manufacturer=piv_II;id=%01" ./signing_key.x509 /lib/modules/4.1.0-rc1-test+/kernel/net/netfilter/nf_nat.ko
/home/zohar/src/kernel/linux-integrity/scripts/Makefile.modinst:35: recipe for target 'net/netfilter/nf_nat.ko' failed
make[2]: *** [net/netfilter/nf_nat.ko] Error 139
/home/zohar/src/kernel/linux-integrity/Makefile:1123: recipe for target '_modinst_' failed
make[1]: *** [_modinst_] Error 2
make[1]: Leaving directory '/home/zohar/src/kernel/build/linux-test'
Makefile:146: recipe for target 'sub-make' failed
make: *** [sub-make] Error 2
> It's possible that there's a limit on the number of sessions you can
> have open to the hardware token, and we are exceeding it with a parallel
> build. I thought that pcscd was going to serialize the access and it
> should work properly though. I can certainly do 'make -j
> modules_install' with a Yubikey NEO here (although my test build only
> has about 20 modules).
>
> Any better ideas on how to specify the key passphrase/PIN? Just put it
> in a file in the top-level directory?
Define a kbuild command parameter?
Mimi
next prev parent reply other threads:[~2015-05-19 11:45 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20 0:50 ` Andy Lutomirski
2015-05-20 13:14 ` David Howells
2015-05-20 16:00 ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h " David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 1:29 ` Mimi Zohar
2015-05-19 6:40 ` Woodhouse, David
2015-05-19 11:45 ` Mimi Zohar [this message]
2015-05-19 12:57 ` Woodhouse, David
2015-05-19 13:54 ` Mimi Zohar
2015-05-15 16:53 ` [PATCH 2/4] modsign: Allow external signing key to be specified David Woodhouse
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 1:37 ` Mimi Zohar
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-15 19:07 ` sign-file and detached PKCS#7 firmware signatures David Howells
2015-05-18 23:13 ` Luis R. Rodriguez
2015-05-19 9:25 ` David Howells
2015-05-19 16:19 ` Luis R. Rodriguez
2015-05-19 16:48 ` David Howells
2015-05-19 18:21 ` Luis R. Rodriguez
2015-05-19 18:35 ` Luis R. Rodriguez
2015-05-19 18:47 ` David Howells
2015-05-19 20:12 ` Luis R. Rodriguez
2015-05-19 20:29 ` David Howells
2015-05-15 22:51 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Rusty Russell
2015-05-18 12:43 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Howells
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:50 ` Petko Manolov
2015-05-19 16:15 ` David Woodhouse
2015-05-19 16:34 ` Petko Manolov
2015-05-19 18:39 ` Mimi Zohar
2015-05-19 18:48 ` David Howells
2015-05-19 19:14 ` Mimi Zohar
2015-05-19 20:04 ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-19 15:36 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Howells
2015-05-20 0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells
2015-05-20 15:56 ` Andy Lutomirski
2015-05-20 16:21 ` Petko Manolov
2015-05-20 16:41 ` Andy Lutomirski
2015-05-20 16:55 ` Petko Manolov
2015-05-21 21:38 ` Luis R. Rodriguez
2015-05-21 21:44 ` Andy Lutomirski
2015-05-21 21:59 ` Luis R. Rodriguez
2015-05-21 22:06 ` Andy Lutomirski
2015-05-21 22:16 ` Luis R. Rodriguez
2015-05-21 22:24 ` Andy Lutomirski
2015-05-21 22:31 ` Luis R. Rodriguez
2015-05-21 22:47 ` Andy Lutomirski
2015-05-21 23:01 ` Luis R. Rodriguez
2015-05-21 23:09 ` Andy Lutomirski
2015-05-22 7:56 ` David Howells
2015-05-22 12:42 ` Mimi Zohar
2015-05-22 7:49 ` David Howells
2015-05-22 7:48 ` David Howells
2015-05-22 12:28 ` Mimi Zohar
2015-05-24 10:52 ` Petko Manolov
2015-05-21 13:59 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1432035900.4510.81.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=david.woodhouse@intel.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mjg59@srcf.ucam.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).