[Bug 1046158] New: [kmp, psign, obs] Building KMPs without # needssslcertforbuild leads to broken Signatures
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158 Bug ID: 1046158 Summary: [kmp, psign, obs] Building KMPs without # needssslcertforbuild leads to broken Signatures Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: All OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: BuildService Assignee: mmarek@suse.com Reporter: eich@suse.com QA Contact: adrian@suse.com CC: adrian@suse.com, glin@suse.com Found By: Third Party Developer/Partner Blocker: --- Loading the lustre-client KMP from OpenHPC (http://build.openhpc.community/OpenHPC:/1.3/SLE_12/) on a SLE-12-SP2 system (running any officially released kernel) fails with -ERANGE: # modprobe lustre modprobe: ERROR: could not insert 'lustre': Numerical result out of range strace reveals that the failing syscall is: finit_module(3, "", 0) = -1 ERANGE (Numerical result out of range) Hunting this down in the kernel one finds that in crypto/asymmetric_keys/rsa.c:RSA_I2OSP() the test below fails and returns -ERANGE: x_size = mpi_get_nbits(x); pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8); if (x_size != xLen * 8 - 15) return -ERANGE; In this case, no attempt is made to actually load the module unlike when an unsigned module is loaded as long as no strict signature checking is required (ie in the non-secureboot case). This indicates that the signature in this kernel module is bogus. The build was done on an OBS system at OpenHPC. OpenHPC doesn't seem to run a signing server, and the '# needssslcertforbuild' magic was not set in the spec file. Still the OBS voodoo for kernel module signing runs and the test for a cert fails and the fallback is taken as can be seen by the message: warning: No buildservice project certificate found, add warning: # needssslcertforbuild to the specfile warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback Check: https://build.openhpc.community/build/OpenHPC:1.3/SLE_12/x86_64/lustre-clien... I don't think this behaviour is intended as the built modules are useless unless a signing server is run. I'm not sure how relevant secure boot and signed kernel modules are in the HPC realm. Right now this looks to me like an issue in pesign-obs-integration, thus the assignment. The same issue can be found when building this package in the openSUSE OBS (as well as in IBS). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c2
--- Comment #2 from Egbert Eich
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c3
--- Comment #3 from Egbert Eich
The pesign-obs-integration package is pulled into the OpenHPC build already as can be seen from the line [ 107s] [164/165] installing pesign-obs-integration-10.0-29.1 pulled from the link in the description. I may have misunderstood - I was under the impression that the # needssslcertforbuild should only be used when a signing server is active. I will tell the openHPC folks to branch the package and build it with this line added and see if this helps.
I cannot test this in our OBS instance as we do have a signing server set up, so, with the above option set, I do get a valid signature. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c5
Egbert Eich
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c9
Karl Schulz
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c11
--- Comment #11 from Karl Schulz
As to new SP2 requirement, this has been required since SLE11 SP3 and throughout the whole SLE12 series, but maybe you only started to build kernel modules now?
Actually, we used OBS to build Lustre kernel modules that loaded fine in SLE12 SP1. This seemed to first crop up for us with SP2. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c13
--- Comment #13 from Karl Schulz
Did the SLE12 SP1 project have an SSL certificate generated?
No, same setup as we have currently. We have a global GPG key configured for packaging signing using the functionality in BSConfig.pm, but nothing specific using "osc signkey". It does work now if I generate a new gpg key for this current project using "osc signkey --create", but obviously that overrides our global GPG project key which is undesirable. Is there some equivalent way to configure it to leverage our existing GPG key during the kernel module signing process? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c15
Egbert Eich
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c17
Adrian Schröter
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c18
--- Comment #18 from Egbert Eich
An OBS admin could of course copy the key from one project to another one, but the question is then if you don't break the idea of secure boot kernels.
If you really want to copy the key, you need to copy on your source server the _pubkey and _signkey file in /srv/obs/projects/$PROJECT.pkg/ . Afterwards you need to generate the _sslcert using
osc signkey --sslcert $project
or regenerate it if an old one is there using
osc signkey --extend $project
However, I think it makes more sense just to disable the secure boot option as this basically breaks the idea.
Thanks Adrian! So the suggestion now is to disable the signing completely. Karl, would this be an option? I guess, the easiest way to achieve this would be to remove: BuildRequires: pesign-obs-integration in the spec file. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158
http://bugzilla.opensuse.org/show_bug.cgi?id=1046158#c19
--- Comment #19 from Karl Schulz
So the suggestion now is to disable the signing completely. Karl, would this be an option? I guess, the easiest way to achieve this would be to remove: BuildRequires: pesign-obs-integration in the spec file.
Sure - disabling signing is an option. Recall that it was originally suggested to add BuildRequires: pesign-obs-integration when we first observed the module load failure. So as expected, removing this one line was not sufficient to get it working. However, if I also remove the following line: BuildRequires: %kernel_module_package_buildreqs then, that combination looks to disable the signing attempt and I can indeed load the resulting kernel module under SLE SP2. Thanks everyone for the help getting to the bottom of this! Cheers. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com