[Bug 1198167] New: modprobe: ERROR: could not insert 'libafs': Key was rejected by service
http://bugzilla.opensuse.org/show_bug.cgi?id=1198167

Bug ID: 1198167
Summary: modprobe: ERROR: could not insert 'libafs': Key was rejected by service
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: x86-64
OS: openSUSE Leap 15.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: kenaaker@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
Build Identifier:

I just ran across this. Whenever I try to do a modprobe (or insmod) of the libafs.ko module from the OpenSUSE Leap 15.3 build, I get the following error message

# modprobe libafs
"modprobe: ERROR: could not insert 'libafs': Key was rejected by service".

I get the same failure for the afspag module.

# modprobe afspag
modprobe: ERROR: could not insert 'afspag': Key was rejected by service

Both those modules seem to be coming from the same OpenSUSE built rpm. This is the info I get about that package from zypper.

# zypper info openafs-kmp-default
Loading repository data...
Reading installed packages...

Information for package openafs-kmp-default:
--------------------------------------------
Repository     : Filesystem tools and FUSE-related packages (15.3)
Name           : openafs-kmp-default
Version        : 1.8.8.1_k5.3.18_150300.59.60-150300.92.27
Arch           : x86_64
Vendor         : obs://build.opensuse.org/filesystems
Installed Size : 84.5 MiB
Installed      : Yes
Status         : up-to-date
Source package : openafs-1.8.8.1-150300.92.27.src
Summary        : OpenAFS Distributed File System - kernel module
Description    :
    This package contains the kernel module for OpenAFS. For details see the
    openafs package.

Reproducible: Didn't try

Steps to Reproduce:
1. Fresh install of OpenSUSE Leap 15.3 on an x86_64 (from the OpenSUSE online repository).
2. zypper install openafs-client openafs-kmp-default
3. Enter command at root prompt "# " "modprobe libafs"

Actual Results:
modprobe: ERROR: could not insert 'libafs': Key was rejected by service

Expected Results:
Should be no output and the libafs module should insert into the Linux kernel.

Here's the output from "uname -a"

# uname -a
Linux sif 5.3.18-150300.59.60-default #1 SMP Fri Mar 18 18:37:08 UTC 2022 (79e1683) x86_64 x86_64 x86_64 GNU/Linux

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1198167
http://bugzilla.opensuse.org/show_bug.cgi?id=1198167#c4

--- Comment #4 from Kenneth Aaker <kenaaker@gmail.com> ---
(In reply to Marcus Meissner from comment #2)
> actually when you first install openSUSE Leap 15.3 and reboot, you would be
> presented with the MOK Manager Dialog.
>
> you can reenforce this by:
>
> zypper in -f openSUSE-signing-cert
> reboot
> ... acknowledge the new key in the MOK dialog ...
>
> This package will ask the MOK Manager to enroll the openSUSE signing key
> into the MOK.
>
> After that you can do modprobe libafs.
>
> (This should be happening during installation, but people might not see the
> MOK manager as it runs just once and has a 10 second timeout.)

That's a useful suggestion. Thank you. I just tried it, and found a couple things. I couldn't find any package titled openSUSE-signing-certificate, but I did find one titled openSUSE-signkey-cert, so I installed that. Then when I rebooted, I did get the MOK prompt. So, that seemed promising. I still am not certain what "MOK" stands for. I was uncertain which "password" was being prompted for, so I used my general administrative password. That seemed to be Ok. Then the system rebooted again.

And, I still get the same failure. I'll try it again.

By the way, I'm generally running a Xen hypervisor (that showed the same failure), but I did try it with a non-Xen regular Linux kernel and got the same failure. So, in short it still fails whether running the Xen hypervisor, or a plain vmlinuz kernel.

Regards, Ken Aaker
http://bugzilla.opensuse.org/show_bug.cgi?id=1198167
http://bugzilla.opensuse.org/show_bug.cgi?id=1198167#c8

--- Comment #8 from Kenneth Aaker <kenaaker@gmail.com> ---
I've been digging around to try to figure out something that works for my situation. So far, I've learned that MOK stands for "Machine Owner Key(s)", and that when the system was working previously, it was probably booting through an old BIOS boot, so secure boot wasn't an issue. I also realized that I have a functional system in a very similar state (with an older ASUS motherboard) that is probably booting in the old BIOS mode.

Anyway, I'd like to add some more information. Here's the "mokutil --list-enrolled" output. The interesting bit might be that the last certificate "SHA1 fingerprint: bd:d3...." seems to be the certificate that is associated with the OpenSUSE build system. Thing is, from the "failure" message, I can't tell anything about the key(s) that are supposed to be in use.

[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Validity
            Not Before: Apr 18 14:33:41 2013 GMT
            Not After : Mar 14 14:33:41 2035 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
            X509v3 Authority Key Identifier:
                keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
                DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
                serial:01
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption

[key 2]
SHA1 Fingerprint: bd:d3:1a:9e:0f:7e:d3:12:76:84:65:e6:57:8e:0d:c0:00:64:46:16
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:be:d8:bf:40:9a:5e:64
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Validity
            Not Before: Mar 2 13:01:54 2021 GMT
            Not After : Jan 9 13:01:54 2031 GMT
        Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                9D:DF:43:D9:F1:A0:27:27:3F:52:C6:C0:77:59:08:EE:01:67:13:25
            X509v3 Authority Key Identifier:
                keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
                DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
                serial:01
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
http://bugzilla.opensuse.org/show_bug.cgi?id=1198167
http://bugzilla.opensuse.org/show_bug.cgi?id=1198167#c9

--- Comment #9 from Kenneth Aaker <kenaaker@gmail.com> ---
I got the modprobe libafs thing to work finally. I had to download the SSL certificate from the OBS site directly (for a certificate with a signature of "CF:AE:EE:5C:71:9A:E9:DE"), I then converted the certificate to a DER format, used mokutil to enroll it, rebooted and answered the MOK boot time questions and "enrolled" the DER key in the signature system.

Once that boot was finished, it loaded the libafs module without complaints.

I found helpful comments in the comment section for zfs... The URL for that is https://build.opensuse.org/package/show/filesystems/zfs. The helpful comments are about a year old. The user names associated with the comments are kokeko and adathor.
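
The thread's diagnosis gap (the error never says which key the module was signed with) can be closed by comparing the module's signing key id against the enrolled MOK certificates. The script below is an added example, not part of the bug thread or of any openSUSE tooling; it assumes `modinfo -F sig_key` reports the signing certificate's serial number in the same colon-separated hex that `mokutil --list-enrolled` prints, and its sample listing is constructed from the serials quoted in comment #8.

```shell
#!/bin/sh
# Added example. Assumption: the module's sig_key (modinfo) is the serial
# number of the certificate that signed it, comparable to the
# "Serial Number" fields in `mokutil --list-enrolled` output.

# Read `mokutil --list-enrolled` text on stdin; print one serial per line.
enrolled_serials() {
    awk '/Serial Number:/ {
        sub(/^.*Serial Number:[ \t]*/, "")
        if ($0 == "") { getline; sub(/^[ \t]+/, "") }  # long serials wrap
        print tolower($1)
    }'
}

# $1 = sig_key of the module; stdin = enrolled key listing. Exit 0 if found.
signer_enrolled() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    enrolled_serials | grep -qxF -- "$want"
}

# Constructed sample: the two serials from comment #8, other fields trimmed.
sample_mok_list() {
    cat <<'EOF'
[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
        Serial Number: 1 (0x1)
        Subject: CN=SUSE Linux Enterprise Secure Boot CA
[key 2]
SHA1 Fingerprint: bd:d3:1a:9e:0f:7e:d3:12:76:84:65:e6:57:8e:0d:c0:00:64:46:16
        Serial Number:
            fa:be:d8:bf:40:9a:5e:64
        Subject: CN=openSUSE Secure Boot Signkey
EOF
}

# Live check on a real system: is this module's signer in the MOK list?
check_module() {
    key=$(modinfo -F sig_key "$1") || return 2
    if [ -z "$key" ]; then echo "$1: module carries no signature"; return 1; fi
    if mokutil --list-enrolled | signer_enrolled "$key"; then
        echo "$1: signer $key is enrolled in MOK"
    else
        echo "$1: signer $key is NOT in MOK; enroll its DER certificate with mokutil --import"
        return 1
    fi
}

if [ $# -gt 0 ]; then check_module "$1"; fi
```

A miss here only covers the MOK list; keys built into the kernel or held in the firmware db are not checked.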