On Mon, May 12, 2025 at 11:02:56PM +0200, Salvatore Bonaccorso wrote:
> On Mon, May 12, 2025 at 10:34:51PM +0200, Salvatore Bonaccorso wrote:
> > Control: severity -1 serious
> > 
> > Hi Robert,
> > 
> > On Mon, May 12, 2025 at 04:38:19PM +0100, Robert Shearman wrote:
> > > Package: src:linux
> > > Version: 6.1.137-1
> > > Severity: important
> > > X-Debbugs-Cc: r...@graphiant.com
> > > 
> > >     rob@graph-dev-bookworm:~$ sudo modprobe watchdog
> > >     modprobe: ERROR: could not insert 'watchdog': Bad message
> > > 
> > > Using extract-module-sig.pl from
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/extract-module-sig.pl
> > > shows there is no signature present for the watchdog kernel object
> > > file:
> > > 
> > >     $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko
> > >     Read 91616 bytes from module file
> > >     Found magic number at 91616
> > >     Found PKCS#7/CMS encapsulation
> > > 
> > > Compared to 6.1.0-34-amd64 version:
> > > 
> > >     $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-34-amd64/kernel/drivers/watchdog/watchdog.ko
> > >     Read 92027 bytes from module file
> > >     Found magic number at 92027
> > >     Found PKCS#7/CMS encapsulation
> > >     Found 411 bytes of signature [3082019706092a864886f70d010702a0]
> > >     ...
> > 
> > So indeed there was likely a temporary problem when doing the signing
> > of the modules for linux-signed-amd64. There is the watchdog module
> > and w83977f_wdt one which have zero size signature:
> > 
> > ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko.sig
> > ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/w83977f_wdt.ko.sig
> > 
> > I checked as well linux-signed-i386 and linux-signed-arm64 but there I
> > found none with a problem.
> > 
> > Ansgar, assuming at this point we cannot do something anymore for the
> > point release.
> > 
> > Cyril, Adam, so skip the kernel update for the upcoming point release?
> 
> The alternative would be given that the "only" two modules affected
> are watchdog and w83977f_wdt to proceed as planned with the point
> release (testing, Cyril?) and make a nearby src:linux DSA release
> including further security fixes.
> 
> 6.14.7, 6.12.29 and 6.1.139 are currently being reviewed upstream in
> particular including the ITS variant of the "Training Solo" issue
> (side note, to be effective the fixes will need as well an
> intel-microcode update, cf. #1105172).

Hola,

We discussed briefly just now and decided that:

 - as it's "just" amd64 watchdog and w83977f_wdt modules, and
 - a kernel DSA is imminent anyway, and
 - deferring the point release and skipping the kernel are both major
   upheavals,

we intend to continue as planned and include a warning in the announcement
on release, that affected users should disable their watchdogs or not
reboot until an updated kernel is released, which will be very soon after
the point release.

If there are other issues we have not considered please speak up urgently.

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
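
Added example, not part of the original thread or of Debian's tooling: a small checker that walks a modules tree and flags any .ko whose appended-signature trailer carries a zero-length signature, the condition reported above for watchdog.ko and w83977f_wdt.ko. It assumes uncompressed .ko files and the trailer layout of the kernel's struct module_signature (12 bytes, followed by the magic string); the sample images in the test are constructed.

```python
import pathlib
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # marker at the very end of a signed module
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
TRAILER = struct.Struct(">5B3xI")
PKEY_ID_PKCS7 = 2


def check_module(blob: bytes) -> str:
    """Return 'unsigned', 'empty-signature', 'malformed' or 'signed:<length>'."""
    if not blob.endswith(MAGIC):
        return "unsigned"
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return "malformed"
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    if sig_len > len(body) - TRAILER.size:
        return "malformed"
    if sig_len == 0:
        return "empty-signature"  # trailer and magic present, but no PKCS#7 blob
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        return "malformed"
    sig = body[-TRAILER.size - sig_len:-TRAILER.size]
    if sig[:1] != b"\x30":  # a PKCS#7 blob is a DER SEQUENCE
        return "malformed"
    return f"signed:{sig_len}"


def make_sample(sig: bytes) -> bytes:
    """Constructed test image: placeholder ELF bytes + signature + trailer + magic."""
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return b"\x7fELF" + b"\0" * 64 + sig + trailer + MAGIC


if __name__ == "__main__":
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else "/lib/modules")
    bad = 0
    for ko in sorted(root.rglob("*.ko")):
        status = check_module(ko.read_bytes())
        if not status.startswith("signed:"):
            print(f"{status}\t{ko}")
            bad += 1
    sys.exit(1 if bad else 0)
```

Run against the unpacked image or an installed /lib/modules/<version> directory; a non-zero exit status means at least one module is not properly signed. This only checks that a signature is present and well-framed, not that it verifies against a trusted key.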
