[Bug 1194184] New: 8812au: module verification failed: signature and/or required key missing - tainting kernel
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184

Bug ID: 1194184
Summary: 8812au: module verification failed: signature and/or required key missing - tainting kernel
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: Ulrich.Windl@rz.uni-regensburg.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

From journal:

    Dez 30 02:54:57 i7 kernel: 8812au: loading out-of-tree module taints kernel.
    Dez 30 02:54:57 i7 kernel: 8812au: module verification failed: signature and/or required key missing - tainting kernel

From modinfo:

    filename: /lib/modules/5.3.18-59.10-preempt/weak-updates/updates/8812au.ko
    version: v5.9.3.2_37279.20201012
    author: Realtek Semiconductor Corp.
    description: Realtek Wireless Lan Driver
    license: GPL
    suserelease: SLE15-SP3
    srcversion: 7D315923A72BDFA9B9E716B
    ...
    name: 8812au
    vermagic: 5.3.18-57-preempt SMP preempt mod_unload modversions
    sig_id: PKCS#7
    signer: openSUSE Secure Boot CA
    sig_key: FA:BE:D8:BF:40:9A:5E:64
    sig_hashalgo: sha256
    signature:

So what is the problem? Signature or path?

Kernel is

    Linux i7.site 5.3.18-59.10-preempt #1 SMP PREEMPT Fri Jun 25 12:36:56 UTC 2021 (6856d31) x86_64 x86_64 x86_64 GNU/Linux

--
You are receiving this mail because:
You are the assignee for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c2

Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> changed:

    What  |Removed                      |Added
    ----------------------------------------------------------------------------
    Flags |needinfo?(Ulrich.Windl@rz.u  |
          |ni-regensburg.de)            |

--- Comment #2 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---

Part of the problem might be that an Internet search for "Leap 15.3 release notes" shows all kinds of hits, but not the Release Notes I was looking for. So I gave up using Yast->Support to display the Release Notes... Unfortunately you cannot search there, so I copied all into a Writer document. Even there I had no match for "signkey".

My local version of release notes is release-notes-openSUSE-15.3.20210129-lp153.1.91.noarch (Install Date: Do 30 Dez 2021 00:21:47 CET)

Well, I have nothing against concrete instructions!

To make things harder for the user, the link https://doc.opensuse.org/release-notes redirects to https://doc.opensuse.org/, leaving the user at a selection of even more guides.

In https://doc.opensuse.org/documentation/leap/reference/single-html/book-refer... I only found "24.6.1.2 Creating a self-signed certificate".

In https://doc.opensuse.org/documentation/leap/security/single-html/book-securi... I found nothing.

In https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/index.html I only found: "4.1 Secure Boot: SUSE Linux Enterprise kernel and openSUSE signed Kernel Module Packages"

No, honestly: Do you really think it's the user's fault not to find the information you are talking about?
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c3

--- Comment #3 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---

(In reply to Ulrich Windl from comment #2)
> In https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/index.html I only found: "4.1 Secure Boot: SUSE Linux Enterprise kernel and openSUSE signed Kernel Module Packages"

There it says: "The newly introduced openSUSE-signkey-cert package is required for openSUSE KMPs like virtualbox, but only in Secure Boot mode"

AFAIK I'm not using Secure Boot, so does that apply?

Maybe simply give a reference to the documentation you are talking about.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c4

--- Comment #4 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---

I wonder: Could it be related to bug 1194152?
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c5

Takashi Iwai <tiwai@suse.com> changed:

    What  |Removed |Added
    ----------------------------------------------------------------------------
    Flags |        |needinfo?(Ulrich.Windl@rz.u
          |        |ni-regensburg.de)

--- Comment #5 from Takashi Iwai <tiwai@suse.com> ---

I repeat the question again: did you install openSUSE-signkey-cert and properly enroll it? If yes for both and the kernel module verification still fails, it's a bug to be fixed.

And, even if you don't enroll the cert, it's just flipping the kernel taint flag as long as the system is booted without secure boot; practically it has no impact on the actual usage.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c6

--- Comment #6 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---

I tried to explain in comment 3 that I'm lacking instructions for what you are talking about.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c7

--- Comment #7 from Takashi Iwai <tiwai@suse.com> ---

When you install openSUSE-signkey-cert package and reboot, GRUB will ask you whether to enroll the new cert key or not. If you proceed with this properly (not only pressing ENTER), the key will be enrolled to the MOK list, and the kernel will verify the signature with this new cert.

Note that the MOK enrollment happens only once after this package installation. You can retry either manually via mokutil invocation, or just uninstall and re-install openSUSE-signkey-cert package, and reboot/enroll at GRUB.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c8

Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> changed:

    What  |Removed                      |Added
    ----------------------------------------------------------------------------
    Flags |needinfo?(Ulrich.Windl@rz.u  |
          |ni-regensburg.de)            |

--- Comment #8 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---

(In reply to Takashi Iwai from comment #7)
> When you install openSUSE-signkey-cert package and reboot, GRUB will ask you whether to enroll the new cert key or not. (...)

    # LANG= zypper install openSUSE-signkey-cert
    Loading repository data...
    Reading installed packages...
    'openSUSE-signkey-cert' is already installed.
    No update candidate for 'openSUSE-signkey-cert-20210302-lp153.1.1.x86_64'. The highest available version is already installed.
    Resolving package dependencies...
    Nothing to do.

So obviously this is not the solution.

The original upgrade had output this:

    (1211/5706) Installing: openSUSE-signkey-cert-20210302-lp153.1.1.x86_64 .....[done]
    Additional rpm output:
    EFI variables are not supported on this system
    Failed to import /etc/uefi/certs/BDD31A9E-kmp.crt

(From comment #3)
> AFAIK I'm not using Secure Boot, so does that apply?

I'm booting from MBR with no EFI partition involved.
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c9

--- Comment #9 from Takashi Iwai <tiwai@suse.com> ---

(In reply to Ulrich Windl from comment #8)
> (In reply to Takashi Iwai from comment #7)
> > When you install openSUSE-signkey-cert package and reboot, GRUB will ask you whether to enroll the new cert key or not. (...)
>
> # LANG= zypper install openSUSE-signkey-cert
> Loading repository data...
> Reading installed packages...
> 'openSUSE-signkey-cert' is already installed.
> No update candidate for 'openSUSE-signkey-cert-20210302-lp153.1.1.x86_64'. The highest available version is already installed.
> Resolving package dependencies...
> Nothing to do.
>
> So obviously this is not the solution.
>
> The original upgrade had output this:
> (1211/5706) Installing: openSUSE-signkey-cert-20210302-lp153.1.1.x86_64 .....[done]
> Additional rpm output:
> EFI variables are not supported on this system
> Failed to import /etc/uefi/certs/BDD31A9E-kmp.crt

Well, if your system doesn't support EFI variable, it's no way, and you really don't have to care about those issues at all.

But you can retry and check again: uninstall openSUSE-signkey-cert package once. Then install it again, check whether the error persists. Then reboot and check whether you can enroll it.
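Added example, not part of the bug thread or of any openSUSE tooling: a triage script for the cases described in comments #5, #7 and #9 (no EFI variables, certificate enrolled, certificate not enrolled). It assumes mokutil is installed for the enrollment check, that its --test-key output contains "already enrolled" for an enrolled certificate, and that the certificate is the DER file named in the rpm output above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: triage for "module verification failed ... tainting kernel".

# boot_mode [SYSFS_ROOT] -> "uefi" if the kernel exposes EFI firmware, else "bios".
boot_mode() {
    if [ -d "${1:-/sys}/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# taint_flags VALUE -> module-related taint bits set in VALUE.
# Bit 12 (4096): out-of-tree module loaded. Bit 13 (8192): unsigned module loaded.
taint_flags() {
    out=""
    [ $(( $1 & 4096 )) -ne 0 ] && out="out-of-tree"
    [ $(( $1 & 8192 )) -ne 0 ] && out="${out:+$out }unsigned-module"
    echo "${out:-none}"
}

# advice MODE ENROLLED(yes|no|unknown) -> next step, following the thread.
advice() {
    case "$1:$2" in
        bios:*)   echo "no EFI variables: MOK enrollment impossible; taint only" ;;
        uefi:yes) echo "cert enrolled: a remaining verification failure is a bug" ;;
        uefi:no)  echo "enroll cert: mokutil --import CERT, reboot, confirm at the prompt" ;;
        *)        echo "install mokutil to check enrollment" ;;
    esac
}

# report [CERT] -> print boot mode, taint flags and the suggested next step.
report() {
    cert=${1:-/etc/uefi/certs/BDD31A9E-kmp.crt}   # path from the rpm output
    mode=$(boot_mode)
    enrolled=unknown
    if [ "$mode" = uefi ] && command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state
        # Assumed output wording: "<file> is already enrolled" when in the MOK list.
        if mokutil --test-key "$cert" 2>/dev/null | grep -q 'already enrolled'; then
            enrolled=yes
        else
            enrolled=no
        fi
    fi
    echo "boot mode: $mode"
    echo "taint:     $(taint_flags "$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)")"
    echo "next step: $(advice "$mode" "$enrolled")"
}

# Run as: sh triage.sh --report [CERT]
if [ "${1:-}" = "--report" ]; then report "${2:-}"; fi
```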
http://bugzilla.opensuse.org/show_bug.cgi?id=1194184#c10

--- Comment #10 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---

(In reply to Takashi Iwai from comment #9)
> But you can retry and check again: uninstall openSUSE-signkey-cert package once. Then install it again, check whether the error persists. Then reboot and check whether you can enroll it.

    # rpm -ve openSUSE-signkey-cert
    Preparing packages...
    openSUSE-signkey-cert-20210302-lp153.1.1.x86_64
    EFI variables are not supported on this system
    Failed to delete /etc/uefi/certs/BDD31A9E-kmp.crt.del
    # zypper install openSUSE-signkey-cert
    [...]
    Überprüfung auf Dateikonflikte läuft: .....[fertig]
    (1/1) Installieren: openSUSE-signkey-cert-20210302-lp153.1.1.x86_64 .....[fertig]
    Zusätzliche rpm-Ausgabe:
    EFI variables are not supported on this system
    Failed to import /etc/uefi/certs/BDD31A9E-kmp.crt
    # ll /etc/uefi/certs/
    insgesamt 12
    -rw-r--r-- 1 root root 1288 24. Nov 07:14 4AAA0B54.crt
    -rw-r--r-- 1 root root 1257 16. Jul 10:59 BCA4E38E-shim.crt
    -rw-r--r-- 1 root root 1177 3. Mai 2021 BDD31A9E-kmp.crt