linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: David Howells <dhowells@redhat.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: dhowells@redhat.com, herbert@gondor.hengli.com.au,
	pjones@redhat.com, jwboyer@redhat.com,
	linux-crypto@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, keyrings@linux-nfs.org
Subject: Re: [GIT PULL] Asymmetric keys and module signing
Date: Fri, 28 Sep 2012 09:09:53 +0100	[thread overview]
Message-ID: <27378.1348819793@warthog.procyon.org.uk> (raw)
In-Reply-To: <87ipay3cof.fsf@rustcorp.com.au>


Rusty Russell <rusty@rustcorp.com.au> wrote:

> And after those three fixes, I still get all fail:
> 
> [    3.361036] Request for unknown module key 'Magrathea: Glacier signing key: 6
> e03943da0f3b015ba6ed7f5e0cac4fe48680994' err -11

Can you look back further in your kernel output, see if you can spot the bit
where it's trying to load the keys.  Look for things from modsign_pubkey.c:

	pr_notice("Loading module verification certificates\n");
	...
			pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n",
			       PTR_ERR(key));
		else
			pr_notice("MODSIGN: Loaded cert '%s'\n",
				  key_ref_to_ptr(key)->description);

> CONFIG_CRYPTO_SHA1=m

Hmmm...  I suspect it's that.  We need a hash to verify the key's own
signature too - and if you're using the key my autogen patch created for you,
I think that would be SHA1, so that must be built in too.

If you can see your kernel log (assuming a panic doesn't prevent you), I
suspect you'll see something like:

	MODSIGN: Problem loading in-kernel X.509 certificate (-65)

which is -ENOPKG.

The answer would be to either select SHA1 in Kconfig or, if possible, to tell
openssl to use the same hash algorithm to sign the key as we're going to use
in signing the modules.

David

  parent reply	other threads:[~2012-09-28  8:10 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-25  0:07 [GIT PULL] Asymmetric keys and module signing David Howells
2012-09-25  0:11 ` David Howells
2012-09-25 15:09 ` Wrong system clock vs X.509 date specifiers David Howells
2012-09-25 15:30   ` Alan Cox
2013-03-14 10:48     ` David Woodhouse
2013-03-14 12:24       ` [PATCH] Fix x509_key_preparse() not to reject keys outside their validity time range David Woodhouse
2013-03-19 21:06         ` Alexander Holler
2012-09-25 15:35   ` Wrong system clock vs X.509 date specifiers David Howells
2012-09-25 15:43     ` Paolo Bonzini
2012-09-25 16:00     ` Alan Cox
2012-09-25 16:02     ` Tomas Mraz
2012-09-25 17:31     ` David Howells
2012-09-25 18:39       ` Tomas Mraz
2012-09-25 21:57     ` David Howells
2012-09-25 15:44 ` [GIT PULL] Asymmetric keys and module signing Kasatkin, Dmitry
2012-09-25 16:15 ` David Howells
2012-09-26  3:46 ` Rusty Russell
2012-09-27  2:04   ` Mimi Zohar
2012-09-28  6:54     ` Rusty Russell
2012-09-28  6:27   ` Geert Uytterhoeven
2012-09-28  8:00   ` David Howells
2012-09-26  9:09 ` David Howells
2012-09-27  0:12   ` Rusty Russell
2012-09-27  9:08   ` David Howells
2012-09-28  5:55     ` Rusty Russell
2012-09-28  5:58     ` [PATCH 1/2] modsign: don't use bashism in sh scripts Rusty Russell
2012-09-28  5:59     ` [PATCH 2/2] modules: don't call eu-strip if it doesn't exist Rusty Russell
2012-09-28  6:05     ` [GIT PULL] Asymmetric keys and module signing Rusty Russell
2012-09-28  8:09     ` David Howells [this message]
2012-09-29  6:53       ` Rusty Russell
2012-09-29  7:13       ` David Howells
2012-10-01 20:41         ` Josh Boyer
2012-10-02  3:28           ` Rusty Russell
2012-10-02 12:17             ` Josh Boyer
2012-09-29  7:16       ` David Howells
2012-10-02  6:12         ` Rusty Russell
2012-10-02 14:07         ` David Howells
2012-10-03 23:22           ` Rusty Russell
2012-10-09 10:55             ` Kasatkin, Dmitry
2012-10-10  9:37               ` Rusty Russell
2012-09-28  8:10     ` [PATCH 1/2] modsign: don't use bashism in sh scripts David Howells
2012-10-02  2:24       ` Rusty Russell
2012-09-28  8:11     ` [PATCH 2/2] modules: don't call eu-strip if it doesn't exist David Howells
2012-09-28  8:13     ` [GIT PULL] Asymmetric keys and module signing David Howells
2012-09-28  9:23     ` David Howells
2012-09-28 10:31     ` David Howells
2012-10-03 17:50     ` [patch] MODSIGN: Fix build error with strict typechecking David Rientjes

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=27378.1348819793@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=herbert@gondor.hengli.com.au \
    --cc=jwboyer@redhat.com \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=pjones@redhat.com \
    --cc=rusty@rustcorp.com.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).