On Thu, 14 Apr 2016 15:00:55 +0000 Ben Hutchings wrote:
> Source: linux
> Source-Version: 4.5.1-1
>
> We believe that the bug you reported is fixed in the latest version of
> linux, which is due to be installed in the Debian FTP archive.
>
Hello,

As far as I tested, I believe the bug is incorrectly fixed. The modules are
not signed and fail to load with secureboot.

insmod fails to load modules with "required key not available" error message.

# hexdump -C /lib/modules/4.5.0-1-amd64//kernel/drivers/ata/ahci.ko | tail
00011560  00 00 00 00 00 00 00 00  01 00 00 00 02 00 00 00  |................|
00011570  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00011580  60 ad 00 00 00 00 00 00  d8 27 00 00 00 00 00 00  |`........'......|
00011590  1d 00 00 00 59 01 00 00  08 00 00 00 00 00 00 00  |....Y...........|
000115a0  18 00 00 00 00 00 00 00  09 00 00 00 03 00 00 00  |................|
000115b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000115c0  38 d5 00 00 00 00 00 00  7b 1f 00 00 00 00 00 00  |8.......{.......|
000115d0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|

This should read a signature like:

# hexdump -C /lib/modules/4.6.0-rc4/kernel/drivers/ata/ahci.ko | tail
000118c0  1b 82 ea 02 4a d3 0d a7  00 8d 3e ab 7a f0 b2 0b  |....J.....>.z...|
000118d0  00 48 0d 2d 0e f4 af fb  6d 36 2d 48 c7 8e ec fa  |.H.-....m6-H....|
000118e0  f2 62 49 18 84 a8 4e d3  79 9d 86 01 44 27 ad c0  |.bI...N.y...D'..|
000118f0  66 24 fc eb bb 6f de 1f  df b1 79 70 a8 22 35 2e  |f$...o....yp."5.|
00011900  bf a1 03 5f 1e 71 0f 03  8b d7 b1 3a 33 60 b1 61  |..._.q.....:3`.a|
00011910  81 c3 1a d3 e5 17 13 3c  86 71 74 23 d8 9b c2 6f  |.......<.qt#...o|
00011920  f6 1d 00 00 02 00 00 00  00 00 00 00 02 82 7e 4d  |..............~M|
00011930  6f 64 75 6c 65 20 73 69  67 6e 61 74 75 72 65 20  |odule signature |
00011940  61 70 70 65 6e 64 65 64  7e 0a                    |appended~.|

This may be caused by two reasons:

1/ required config is missing (CONFIG_MODULE_SIG_KEY)

I believe this setting should point to a file containing both private key
and public key in PEM format.

2/ modules get stripped

from https://www.kernel.org/doc/Documentation/module-signing.txt

============================
SIGNED MODULES AND STRIPPING
============================

A signed module has a digital signature simply appended at the end. The string
"~Module signature appended~." at the end of the module's file confirms that a
signature is present but it does not confirm that the signature is valid!

Signed modules are BRITTLE as the signature is outside of the defined ELF
container. Thus they MAY NOT be stripped once the signature is computed and
attached. Note the entire module is the signed payload, including any and all
debug information present at the time of signing.

-- 
\o/ Arthur G
Gandi.net
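
A presence check for the trailer visible in the second hexdump above, as an added example that is not part of the original message or of the kernel's own tooling. It assumes the 12-byte `struct module_signature` layout (five one-byte fields, three pad bytes, big-endian `sig_len`) followed by the magic string; the function name and the sample images are constructed for illustration.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes).
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(blob):
    """Describe the appended signature of a module image, or return None.

    This confirms presence and length consistency only; it does not verify
    the signature against any key.
    """
    if not blob.endswith(MAGIC):
        return None  # unsigned, or stripped after signing
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("magic string present but trailer is truncated")
    algo, hash_algo, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    payload_len = len(body) - TRAILER.size - sig_len
    if payload_len < 0:
        raise ValueError("sig_len is larger than the file")
    return {"id_type": id_type, "pkcs7": id_type == PKEY_ID_PKCS7,
            "sig_len": sig_len, "payload_len": payload_len}


# Constructed samples: filler bytes stand in for the ELF payload and the
# signature; the 12 trailer bytes are the ones visible in the 4.6.0-rc4 dump.
PAGE_TRAILER = bytes.fromhex("000002000000000000000282")
PAYLOAD = b"\x7fELF" + b"\x00" * 60
SIGNED = PAYLOAD + b"\xaa" * 0x282 + PAGE_TRAILER + MAGIC
UNSIGNED = PAYLOAD

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, parse_module_signature(fh.read()))
```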