[Bug 1194184] New: 8812au: module verification failed: signature and/or required key missing - tainting kernel
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184 Bug ID: 1194184 Summary: 8812au: module verification failed: signature and/or required key missing - tainting kernel Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: Ulrich.Windl@rz.uni-regensburg.de QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- From journal: Dez 30 02:54:57 i7 kernel: 8812au: loading out-of-tree module taints kernel. Dez 30 02:54:57 i7 kernel: 8812au: module verification failed: signature and/or required key missing - tainting kernel From modinfo: filename: /lib/modules/5.3.18-59.10-preempt/weak-updates/updates/8812au.ko version: v5.9.3.2_37279.20201012 author: Realtek Semiconductor Corp. description: Realtek Wireless Lan Driver license: GPL suserelease: SLE15-SP3 srcversion: 7D315923A72BDFA9B9E716B ... name: 8812au vermagic: 5.3.18-57-preempt SMP preempt mod_unload modversions sig_id: PKCS#7 signer: openSUSE Secure Boot CA sig_key: FA:BE:D8:BF:40:9A:5E:64 sig_hashalgo: sha256 signature: 7D:90:7B:D0:1C:98:C1:8C:D9:96:F2:AA:C4:E6:6F:B3:DB:D1:5A:F7: 9F:7D:34:75:70:8B:41:A5:48:D8:A3:B4:EB:31:7C:03:BF:BD:83:73: 59:F7:55:56:1C:88:C7:71:9E:48:C2:97:C6:DA:78:D1:86:EC:0A:E4: 62:AC:A4:75:65:D6:FD:99:46:29:B6:F0:DD:4B:19:99:CD:95:93:07: 8B:32:79:BE:69:5A:31:95:60:30:CF:D7:1F:DD:76:82:33:D6:75:76: ED:03:65:2E:31:9C:F8:1D:FE:40:12:44:E7:63:B1:8C:60:29:54:A5: 8A:A8:FB:86:42:A4:52:99:E3:70:60:BF:36:E7:68:7D:32:3E:5A:BA: EE:89:BB:2A:13:8B:BF:70:D9:9A:C8:BD:3B:A1:45:EA:EB:F8:37:C6: BE:CC:F8:B7:68:C5:C6:29:1A:95:87:0E:F0:44:7A:C7:6B:F4:E1:43: 86:26:63:C5:FB:4F:69:28:7F:72:20:02:CB:C2:04:32:3D:4C:6F:74: 8A:D4:18:26:4D:09:73:EC:5B:E0:50:44:F7:3D:C4:09:B8:94:5B:95: DD:E6:0D:95:86:1D:78:77:7C:B8:3B:DC:88:AA:C2:29:29:DB:21:75: 3F:7E:3B:4A:55:F7:B9:F3:89:33:B4:E3:A9:F1:68:C2 ... So what is the problem? Signature or path? Kernel is inux i7.site 5.3.18-59.10-preempt #1 SMP PREEMPT Fri Jun 25 12:36:56 UTC 2021 (6856d31) x86_64 x86_64 x86_64 GNU/Linux -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c2
Ulrich Windl
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c3
--- Comment #3 from Ulrich Windl
In https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/index.html I only found: "4.1 Secure Boot: SUSE Linux Enterprise kernel and openSUSE signed Kernel Module Packages"
There is says: "The newly introduced openSUSE-signkey-cert package is required for openSUSE KMPs like virtualbox, but only in Secure Boot mode" AFAIK I'm not using Secure Boot, so does that apply? Maybe simply give a reference to the documentation you are talking about. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c4
--- Comment #4 from Ulrich Windl
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c5
Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c6
--- Comment #6 from Ulrich Windl
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c7
--- Comment #7 from Takashi Iwai
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c8
Ulrich Windl
When you install openSUSE-signkey-cert package and reboot, GRUB will ask you whether to enroll the new cert key or not. (...)
# LANG= zypper install openSUSE-signkey-cert Loading repository data... Reading installed packages... 'openSUSE-signkey-cert' is already installed. No update candidate for 'openSUSE-signkey-cert-20210302-lp153.1.1.x86_64'. The highest available version is already installed. Resolving package dependencies... Nothing to do. So obviously this is not the solution. The original upgrade had output this: (1211/5706) Installing: openSUSE-signkey-cert-20210302-lp153.1.1.x86_64 .....[done] Additional rpm output: EFI variables are not supported on this system Failed to import /etc/uefi/certs/BDD31A9E-kmp.crt (From comment #3)
AFAIK I'm not using Secure Boot, so does that apply?
I'm booting from MBR with no EFI partition involved. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c9
--- Comment #9 from Takashi Iwai
(In reply to Takashi Iwai from comment #7)
When you install openSUSE-signkey-cert package and reboot, GRUB will ask you whether to enroll the new cert key or not. (...)
# LANG= zypper install openSUSE-signkey-cert Loading repository data... Reading installed packages... 'openSUSE-signkey-cert' is already installed. No update candidate for 'openSUSE-signkey-cert-20210302-lp153.1.1.x86_64'. The highest available version is already installed. Resolving package dependencies... Nothing to do.
So obviously this is not the solution.
The original upgrade had output this: (1211/5706) Installing: openSUSE-signkey-cert-20210302-lp153.1.1.x86_64 .....[done] Additional rpm output: EFI variables are not supported on this system Failed to import /etc/uefi/certs/BDD31A9E-kmp.crt
Well, if your system doesn't support EFI variable, it's no way, and you really don't have to care about those issues at all. But you can retry and check again: uninstall openSUSE-signkey-cert package once. Then install it again, check whether the error persists. Then reboot and check whether you can enroll it. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c10
--- Comment #10 from Ulrich Windl
But you can retry and check again: uninstall openSUSE-signkey-cert package once. Then install it again, check whether the error persists. Then reboot and check whether you can enroll it.
# rpm -ve openSUSE-signkey-cert Preparing packages... openSUSE-signkey-cert-20210302-lp153.1.1.x86_64 EFI variables are not supported on this system Failed to delete /etc/uefi/certs/BDD31A9E-kmp.crt.del # zypper install openSUSE-signkey-cert [...] �berpr�fung auf Dateikonflikte l�uft: .....[fertig] (1/1) Installieren: openSUSE-signkey-cert-20210302-lp153.1.1.x86_64 .....[fertig] Zus�tzliche rpm-Ausgabe: EFI variables are not supported on this system Failed to import /etc/uefi/certs/BDD31A9E-kmp.crt # ll /etc/uefi/certs/ insgesamt 12 -rw-r--r-- 1 root root 1288 24. Nov 07:14 4AAA0B54.crt -rw-r--r-- 1 root root 1257 16. Jul 10:59 BCA4E38E-shim.crt -rw-r--r-- 1 root root 1177 3. Mai 2021 BDD31A9E-kmp.crt -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com