Roland McGrath wrote:
>> Ya got me, but upon unpacking the initrd, modinfo tells me the bits in
>> the initrd have the right vermagic.
>
> That doesn't tell you anything useful. Compare the signature sections,
> e.g. readelf -x .module_sig on each.

The signature sections are identical. Triple-checked that I was comparing with the ext3.ko from the initrd that booted the system.

>> However, the file sizes don't match.
>> In fact, they aren't even close.
>>
>> # (cd /tmp/initrd-104/lib; ll ext3.ko)
>> -rw------- 1 root root 189096 2007-08-14 15:31 ext3.ko
>>
>> # (cd /lib/modules/2.6.23-0.104.rc3.vsc.fc8/kerne/fs/ext3; ll ext3.ko)
>> -rw-r--r-- 1 root root 2719832 2007-08-14 12:46 ext3.ko
>
> mkinitrd runs strip -g on the modules copied to the initrd.
> I hadn't noticed that before, but it should not be a problem.
> (Its effect on the signature issue should not have changed.)

And indeed, the size matches if I manually run strip -g on the unstripped ko. To make it even more interesting:

# cd /lib/modules/2.6.23-0.104.rc3.vsc.fc8/kernel/drivers/net/e1000
# insmod e1000.ko
Modules signature verification failed
insmod: error inserting 'e1000.ko': -1 Key was rejected by service
# strip -g e1000.ko
# insmod e1000.ko
# lsmod |grep e1000
e1000 125977 0

>> Okay, so I rebuilt the initrd and bounced the box... And there's the
>> expected kernel panic.

Only, if mkinitrd is stripping the modules, based on the above info, this *should* have worked...

>> So now I'm thoroughly confused as to where the
>> hell the modules that at least booted the system came from...
>
> Ok, we'll call the first experience a mysterious hiccup then.
>
> Did you save your rpmbuild log? Can you double-check that it has no
> debugedit or find-debuginfo.sh runs that follow the modsign.sh runs?

I didn't save it, but I can do a rebuild with the same options.

> Also, you could try setting MODSIGN_DEBUG in kernel/module-verify-sig.c
> (linux-2.6-modsign-core.patch) and booting with "debug" to see those msgs.

Sure, I'll add that too.

-- 
Jarod Wilson
jwilson@xxxxxxxxxx
_______________________________________________ Fedora-kernel-list mailing list Fedora-kernel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-kernel-list
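
The section comparison suggested in the thread (readelf -x .module_sig on each copy), written out as an added example that is not part of the original message: it checks whether the .module_sig bytes of two modules match and lists which other sections differ, as happens after strip -g. It handles little-endian ELF64 only; the sample images, build_elf, compare and the signature bytes are constructed for illustration.

```python
import hashlib
import struct

def sections(elf: bytes) -> dict:
    """Map section name -> file bytes for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected little-endian ELF64")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    entsize, count, strndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQ", elf, shoff + i * entsize) for i in range(count)]
    # h = (name_off, type, flags, addr, offset, size); SHT_NOBITS (8) has no file bytes
    raw = lambda h: b"" if h[1] == 8 else elf[h[4]:h[4] + h[5]]
    names = raw(hdrs[strndx])
    return {names[h[0]:names.index(b"\0", h[0])].decode(): raw(h) for h in hdrs[1:]}

def compare(a: bytes, b: bytes, sig: str = ".module_sig") -> dict:
    """Report whether the signature section matches and what else differs."""
    sa, sb = sections(a), sections(b)
    return {
        "sig_identical": sig in sa and sa.get(sig) == sb.get(sig),
        "sig_sha256": hashlib.sha256(sa.get(sig, b"")).hexdigest(),
        "only_in_a": sorted(set(sa) - set(sb)),
        "changed": sorted(n for n in set(sa) & set(sb) if sa[n] != sb[n]),
    }

def build_elf(secs: dict) -> bytes:
    """Constructed sample input: a minimal ELF64 object with the given sections."""
    names = list(secs) + [".shstrtab"]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    blobs = list(secs.values()) + [strtab]
    body, shdrs = b"", bytes(64)  # index 0 is the mandatory null section header
    for name, blob in zip(names, blobs):
        shdrs += struct.pack("<IIQQQQIIQQ", strtab.index(name.encode() + b"\0"),
                             3 if name == ".shstrtab" else 1, 0, 0,
                             64 + len(body), len(blob), 0, 0, 1, 0)
        body += blob
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64,
        len(names) + 1, len(names))
    return ehdr + body + shdrs

SIG = bytes(range(32))  # constructed stand-in for signature bytes
UNSTRIPPED = build_elf({".text": b"\x90" * 16, ".debug_info": b"D" * 64, ".module_sig": SIG})
STRIPPED = build_elf({".text": b"\x90" * 16, ".module_sig": SIG})

if __name__ == "__main__":
    print(compare(UNSTRIPPED, STRIPPED))
```

Against real modules, read each .ko with open(path, "rb").read() and pass the two byte strings to compare().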