Hi

[not yet trimming the CC list to give a short update]

On Mon, May 12, 2025 at 10:34:51PM +0200, Salvatore Bonaccorso wrote:
> Control: severity -1 serious
> 
> Hi Robert,
> 
> On Mon, May 12, 2025 at 04:38:19PM +0100, Robert Shearman wrote:
> > Package: src:linux
> > Version: 6.1.137-1
> > Severity: important
> > X-Debbugs-Cc: r...@graphiant.com
> > 
> >     rob@graph-dev-bookworm:~$ sudo modprobe watchdog
> >     modprobe: ERROR: could not insert 'watchdog': Bad message
> > 
> > Using extract-module-sig.pl from
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/extract-module-sig.pl
> > shows there is no signature present for the watchdog kernel object
> > file:
> > 
> >     $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko
> >     Read 91616 bytes from module file
> >     Found magic number at 91616
> >     Found PKCS#7/CMS encapsulation
> > 
> > Compared to 6.1.0-34-amd64 version:
> > 
> >     $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-34-amd64/kernel/drivers/watchdog/watchdog.ko
> >     Read 92027 bytes from module file
> >     Found magic number at 92027
> >     Found PKCS#7/CMS encapsulation
> >     Found 411 bytes of signature [3082019706092a864886f70d010702a0]
> >     ...
> 
> So indeed there was likely a temporary problem when doing the signing
> of the modules for linux-signed-amd64. There is the watchdog module
> and w83977f_wdt one which have zero size signature:
> 
> ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko.sig
> ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/w83977f_wdt.ko.sig
> 
> I checked as well linux-signed-i386 and linux-signed-arm64 but there I
> found none with a problem.

After a short double-checking with Ansgar, the check might be
included in
https://salsa.debian.org/ftp-team/code-signing/-/blob/master/secure-boot-code-sign.py?ref_type=heads#L180
in the sign_kmod function. And similarly in sign_efi function as well
in
https://salsa.debian.org/ftp-team/code-signing/-/blob/master/secure-boot-code-sign.py?ref_type=heads#L200

Regards,
Salvatore
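
Added example, not part of the original message and not code from secure-boot-code-sign.py: a stand-alone Python check that reads the signature trailer appended to a .ko file and flags the zero-length signature seen on watchdog.ko in this report. The trailer layout follows the kernel's `struct module_signature`; the function names and status strings are hypothetical, and the sample module bytes are constructed.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING, last bytes of a signed .ko
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature (12 bytes, sig_len big-endian)
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7/CMS signatures


def check_module_signature(blob: bytes) -> tuple:
    """Classify the signature trailer of raw .ko bytes; returns (status, sig_len)."""
    if not blob.endswith(MAGIC):
        return ("unsigned", 0)
    info_end = len(blob) - len(MAGIC)
    info_start = info_end - TRAILER.size
    if info_start < 0:
        return ("truncated", 0)
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(blob, info_start)
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        return ("bad-trailer", sig_len)
    if sig_len == 0:
        # The case from this report: magic and PKCS#7 marker present, no signature bytes.
        return ("empty-signature", 0)
    if sig_len > info_start:
        return ("truncated", sig_len)
    sig = blob[info_start - sig_len:info_start]
    # A PKCS#7/CMS blob is a DER SEQUENCE, so its first byte is 0x30.
    return ("signed" if sig[0] == 0x30 else "not-der", sig_len)


def make_module(body: bytes, sig: bytes) -> bytes:
    """Build constructed sample input: body + signature + trailer + magic."""
    return body + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


# Constructed samples: the 16-byte prefix is the one quoted in the report, zero-padded
# to 411 bytes. It is not a valid signature, only correctly shaped.
SAMPLE_BODY = b"\x7fELF" + bytes(60)
SAMPLE_SIG = bytes.fromhex("3082019706092a864886f70d010702a0").ljust(411, b"\0")

if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            status, sig_len = check_module_signature(fh.read())
        print(f"{path}: {status} ({sig_len} signature bytes)")
        failed |= status != "signed"
    sys.exit(1 if failed else 0)
```

Run it with uncompressed .ko paths as arguments; it exits non-zero if any file is not classified as signed. It checks only the shape of the trailer and does not verify the signature against a key.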
