[opensuse-kernel] Signed external kernel modules from OBS on SLES 12
Hello all, I have a strange problem with loading a kernel-module (openafs) built on OBS (package filesystems/openafs16). The module builds fine and is apparently signed : dummy0:~ # modinfo /lib/modules/3.12.28-4-default/updates/libafs.ko filename: /lib/modules/3.12.28-4-default/updates/libafs.ko license: http://www.openafs.org/dl/license10.html srcversion: 40263E5014D985AEA7C9C32 depends: vermagic: 3.12.28-4-default SMP mod_unload modversions signer: SUSE Linux Enterprise Secure Boot Signkey sig_key: 3F:B0:77:B6:CE:BC:6F:F2:52:2E:1C:14:8C:57:C7:77:C7:88:E3:E7 sig_hashalgo: sha256 insmod however fails with ERANGE : dummy0:~ # insmod /lib/modules/3.12.28-4-default/updates/libafs.ko insmod: ERROR: could not insert module /lib/modules/3.12.28-4- default/updates/libafs.ko: Numerical result out of range Unfortunately, ERANGE is not mentioned as a possible errno in the man-page, neither can I find something useful on google. However, I provide also the kernel-module source as an rpm for people to build the module against custom kernels. This one also builds fine and is of course unsigned : dummy0:~ # modinfo /usr/src/kernel- modules/openafs/libafs_tree/src/libafs/MODLOAD-3.12.28-4-default-MP/libafs.ko filename: /usr/src/kernel- modules/openafs/libafs_tree/src/libafs/MODLOAD-3.12.28-4-default-MP/libafs.ko license: http://www.openafs.org/dl/license10.html srcversion: 40263E5014D985AEA7C9C32 depends: vermagic: 3.12.28-4-default SMP mod_unload modversions and insmod works : dummy0:~ # insmod /usr/src/kernel- modules/openafs/libafs_tree/src/libafs/MODLOAD-3.12.28-4-default-MP/libafs.ko dummy0:~ # lsmod | grep afs libafs 844736 0 (Actually, the whole openafs-client works). The only difference I see is the signature of the module. Can you have a look at it ? Many thanks, Christof -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On 2014-11-12 08:07, Christof Hanke wrote:
Hello all,
I have a strange problem with loading a kernel-module (openafs) built on OBS (package filesystems/openafs16).
The module builds fine and is apparently signed :
dummy0:~ # modinfo /lib/modules/3.12.28-4-default/updates/libafs.ko filename: /lib/modules/3.12.28-4-default/updates/libafs.ko license: http://www.openafs.org/dl/license10.html srcversion: 40263E5014D985AEA7C9C32 depends: vermagic: 3.12.28-4-default SMP mod_unload modversions signer: SUSE Linux Enterprise Secure Boot Signkey
Which project is it? I guess you'll see the following warning in the build log: warning: No buildservice project certificate found, add warning: # needssslcertforbuild to the specfile warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback Just do what the warning says :). The reason why module claims to be signed by the SLE SB key is that the fallback public cerfiticate is the SLE one (as a convenience for the packages built as part of the distribution). But the actual signature made by your home project's key. Michal -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 12 Nov 2014 10:55:00 +0100 Michal Marek <mmarek@suse.cz> wrote:
On 2014-11-12 08:07, Christof Hanke wrote:
Hello all,
I have a strange problem with loading a kernel-module (openafs) built on OBS (package filesystems/openafs16).
The module builds fine and is apparently signed :
dummy0:~ # modinfo /lib/modules/3.12.28-4-default/updates/libafs.ko filename: /lib/modules/3.12.28-4-default/updates/libafs.ko license: http://www.openafs.org/dl/license10.html srcversion: 40263E5014D985AEA7C9C32 depends: vermagic: 3.12.28-4-default SMP mod_unload modversions signer: SUSE Linux Enterprise Secure Boot Signkey
Which project is it? I guess you'll see the following warning in the
filesystems
build log:
warning: No buildservice project certificate found, add warning: # needssslcertforbuild to the specfile warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback
Yes, true.
Just do what the warning says :). The reason why module claims to be signed by the SLE SB key is that the fallback public cerfiticate is the SLE one (as a convenience for the packages built as part of the distribution). But the actual signature made by your home project's key. Thanks, that did the trick!
So, for me the matter is sorted out. You still may look how to make the error with modprobe a bit more understandable. T/Christof -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJUY2oEAAoJEHOAkeR8FKk+4JwH/jFy2p0yGuqCNMLB2+MBVS2E wMZ9P4Ds9rbDj5sFRfKrdW0VCgLyrYklXPtQ0vQm0+HK1SZc334jnNbRo+/Ni4ak 1g6m1RCOPOyY1e49gOuPbepIPvCmu8EdeykyfjZEE+XM0NuwL7mLHFd4aAWpuZi8 Yln5sbaqqNT+l1jlECX/ESKcLmStMc8Vy8saBrhbYJxSMaNaNDelnbMdFBgqjDUK C8Pyj7pieds1uh+XgUOwd890BkZbzftCsKSZjbbGkJoeupXRBmPC3es3+t3IdmWn YZxoI7ci7YCFEUCyOuQtnfiSypUmSt0/ukw/v/xdI4FQAugIYKqtfjcPkTy/TII= =b6HJ -----END PGP SIGNATURE-----
participants (2)
-
Christof Hanke -
Michal Marek