** Description changed: - Problem: + After doing a module install make-kpkg runs objcopy on the modules to + copy out the debug sections for a debug package. It then uses objcopy + to remove those same debug sections (along with the crypto signature of + the module) from the ones in the main package. - When using make-kpkg to build a current mainline kernel with - CONFIG_MODULE_SIG to enable cryptographically signed modules the - resulting kernel, when installed and booted, will be tainted immediately - upon loading any module, and all modules will appear to have been force - loaded. + Removing those signatures results in any loading of those modules to + immediately taint the kernel as the kernel considers the loading of an + unsigned module when CONFIG_MODULE_SIG is set as if the module has been + forcibly loaded. - This is the result of make-kpkg unconditionally passing - INSTALL_MOD_STRIP=1 when installing modules into its tree for packaging, - resulting in their cryptographic signatures being stripped and so - failing verification with -ENOKEY. - - Fix: - - make-kpkg should not pass INSTALL_MOD_STRIP=1 if CONFIG_MODULE_SIG is - set. + make-kpkg should not use objcopy to strip modules if CONFIG_MODULE_SIG + is set. My brief testing with my custom kernel config indicated that + stripping modules saved 1MB out of 120MB, so it may be not be worth + doing in the first place (YMMV). ProblemType: Bug DistroRelease: Ubuntu 12.10 Package: kernel-package 12.036+nmu3 Uname: Linux 3.8.0-rc2-g974b335-2+ x86_64 ApportVersion: 2.6.1-0ubuntu9 Architecture: amd64 Date: Mon Jan 14 22:40:01 2013 InstallationDate: Installed on 2012-09-20 (116 days ago) InstallationMedia: Kubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120423) MarkForUpload: True PackageArchitecture: all ProcEnviron: LANGUAGE=en_AU:en TERM=xterm PATH=(custom, no user) LANG=en_AU.UTF-8 SHELL=/bin/bash SourcePackage: kernel-package UpgradeStatus: Upgraded to quantal on 2012-10-04 (101 days ago)
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1099371 Title: make-kpkg strips modules when CONFIG_MODULE_SIG is set, breaking crypto sigs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kernel-package/+bug/1099371/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
