Re: PKCS#7 signature not signed with a trusted key

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

On Wed, 2023-04-12 at 06:54 -0400, Genes Lists wrote:
> On 4/12/23 03:55, Ralf Mardorf wrote
> Bit hard to say from above - clearly these need 2 different keys 
> (right?) also you dont say what CONFIG_MODULE_COMPRESS_xx are set to 
> either since you have 2 different module compressions as well as keys 
> being different.

Hi,

thank you. I try to post complete logs via pastebin or something else
soon, but for the next hours I need to shut down the machine, to do some
work, among other things I'll copy the Arch install from the original
SATA SSD to a NVMe SSD.

[rocketmouse@archlinux ~]$ grep MODULE_COMPRESS /lib/modules/4.19.271-
rt120-0.300-cornflower/build/.config 
CONFIG_MODULE_COMPRESS=y
# CONFIG_MODULE_COMPRESS_GZIP is not set
CONFIG_MODULE_COMPRESS_XZ=y
[rocketmouse@archlinux ~]$ grep MODULE_COMPRESS /lib/modules/6.2.10-
arch1-1/build/.config
# CONFIG_MODULE_COMPRESS_NONE is not set
# CONFIG_MODULE_COMPRESS_GZIP is not set
# CONFIG_MODULE_COMPRESS_XZ is not set
CONFIG_MODULE_COMPRESS_ZSTD=y

> Maybe post the actual fatal kernel error exactly - is it possible the 
> error you printed was non-fatal and something else kiilled boot?

That's possible. At the moment I've got 4 Arch Linux kernels that fail
to boot. 3 were build by me, 1 is from an official Arch repo.

[rocketmouse@archlinux ~]$ grep -ePKCS -eunknown /mnt/m1.xubu20.04/boot/grub/grub.cfg
    menuentry "    Arch Linux Rt Cornflower,  PKCS#7 signature not signed with a trusted key" {
    menuentry "    Arch Linux Rt Pussytoes,   PKCS#7 signature not signed with a trusted key" {
    menuentry "    Arch Linux Rt Securityink, PKCS#7 signature not signed with a trusted key" {
    menuentry "    Arch extra/linux-rt-lts,   unknown issue" {

The one from the repo doesn't spit a PKCS#7 signature error message,
just the kernels build by me do so. All 4 kernels are rt patched
kernels. However, the non-lts rt from the repos, extra/linux-rt
6.2.0.3.realtime1-3 does finish startup without a problem.

I've got a lot of way older (and other new) kernels for different Linux
distros that don't fail to boot, just two other kernels also fail to
boot, but with an "too old" error message.

The kernel parameter "module.sig_enforce=0" was just a test. At some
point after the startup hanged I pushed either Ctrl+Alt+Del or the reset
or power off button.

[rocketmouse@archlinux ~]$ journalctl -b -2
Apr 12 09:25:45 archlinux kernel: Linux version 4.19.271-rt120-0.300-cornflower (linux-rt-cornflower@archlinux) (gcc version 12.2.1 20230111 (GCC)) #1 SMP PREEMPT RT Sat, 04 Feb 2023 02:01:3>
Apr 12 09:25:45 archlinux kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-linux-rt-cornflower root=/dev/disk/by-label/s3.archlinux ro module.sig_enforce=0
[snip]
Apr 12 09:25:45 archlinux kernel: Loading compiled-in X.509 certificates
Apr 12 09:25:45 archlinux kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f1c3403526458c3d1252b029fd8c628d7fa915df'
[snip]
Apr 12 09:25:47 archlinux libvirtd[422]: libvirt version: 9.2.0
Apr 12 09:25:47 archlinux libvirtd[422]: hostname: archlinux
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-11'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-7'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on 'usb2'
Apr 12 09:25:47 archlinux kernel: pci 0000:05:00.0: invalid short VPD tag 00 at offset 1
Apr 12 09:25:47 archlinux kernel: acpi PNP0C14:01: duplicate WMI GUID 05901221-D566-11D1-B2F0-00A0C9062910 (first instance was on PNP0C14:00)
Apr 12 09:25:47 archlinux kernel: acpi PNP0C14:02: duplicate WMI GUID 05901221-D566-11D1-B2F0-00A0C9062910 (first instance was on PNP0C14:00)
Apr 12 09:25:47 archlinux kernel: PKCS#7 signature not signed with a trusted key
Apr 12 09:25:47 archlinux kernel: r8125: loading out-of-tree module taints kernel.
Apr 12 09:25:47 archlinux kernel: r8125: module verification failed: signature and/or required key missing - tainting kernel
Apr 12 09:25:47 archlinux kernel: r8125 2.5Gigabit Ethernet driver 9.011.00-NAPI loaded
Apr 12 09:25:47 archlinux kernel: r8125: This product is covered by one or more of the following patents: US6,570,884, US6,115,776, and US6,327,625.
Apr 12 09:25:47 archlinux kernel: r8125  Copyright (C) 2022 Realtek NIC software team <nicfae@xxxxxxxxxxx> 
                                   This program comes with ABSOLUTELY NO WARRANTY; for details, please see <http://www.gnu.org/licenses/>. 
                                   This is free software, and you are welcome to redistribute it under certain conditions; see <http://www.gnu.org/licenses/>. 
Apr 12 09:25:48 archlinux kernel: snd_hdspm 0000:01:00.0: enabling device (0000 -> 0002)
Apr 12 09:25:48 archlinux kernel: snd_hda_intel 0000:00:1f.3: enabling device (0000 -> 0002)
[snip]
Apr 12 09:25:54 archlinux kernel: r8125: enp5s0: link up
Apr 12 09:25:54 archlinux kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp5s0: link becomes ready
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: IAID 3c:26:c4:c6
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: adding address fe80::4388:6700:a99d:1b58
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: rebinding lease of 192.168.1.2
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: soliciting an IPv6 router
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: DHCP lease expired
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: soliciting a DHCP lease
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: Router Advertisement from fe80::1
Apr 12 09:25:59 archlinux dnsmasq[587]: reading /etc/resolv.conf
Apr 12 09:25:59 archlinux dnsmasq[587]: using nameserver fe80::1%enp5s0#53
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information
Apr 12 09:26:00 archlinux dhcpcd[409]: enp5s0: offered 192.168.1.2 from 192.168.1.1
Apr 12 09:26:00 archlinux dhcpcd[409]: enp5s0: probing address 192.168.1.2/24
Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: leased 192.168.1.2 for 604800 seconds
Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: adding route to 192.168.1.0/24
Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: adding default route via 192.168.1.1
Apr 12 09:26:05 archlinux dnsmasq[587]: reading /etc/resolv.conf
Apr 12 09:26:05 archlinux dnsmasq[587]: using nameserver 192.168.1.1#53
Apr 12 09:26:05 archlinux dnsmasq[587]: using nameserver fe80::1%enp5s0#53
Apr 12 09:26:09 archlinux dhcpcd[409]: enp5s0: failed to request DHCPv6 information
Apr 12 09:26:09 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information
Apr 12 09:26:19 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information
Apr 12 09:26:21 archlinux systemd[1]: Received SIGINT.
Apr 12 09:26:21 archlinux systemd[1]: Activating special unit System Reboot...
[snip]
Apr 12 09:26:22 archlinux systemd[1]: Finished System Reboot.
Apr 12 09:26:22 archlinux systemd[1]: Reached target System Reboot.
Apr 12 09:26:22 archlinux systemd[1]: Shutting down.
Apr 12 09:26:22 archlinux systemd-shutdown[1]: Syncing filesystems and block devices.
Apr 12 09:26:22 archlinux systemd-shutdown[1]: Sending SIGTERM to remaining processes...
Apr 12 09:26:22 archlinux systemd-journald[312]: Received SIGTERM from PID 1 (systemd-shutdow).
Apr 12 09:26:22 archlinux haveged[311]: haveged: Stopping due to signal 15
Apr 12 09:26:22 archlinux haveged[311]: tot tests(BA8): A:1/1 B:1/1 continuous tests(B):  last entropy estimate 8.00161
Apr 12 09:26:22 archlinux haveged[311]: fills: 1, generated: 512 K bytes, RNDADDENTROPY: 256
Apr 12 09:26:22 archlinux dnsmasq[587]: exiting on receipt of SIGTERM
Apr 12 09:26:22 archlinux haveged[311]: haveged starting up
Apr 12 09:26:22 archlinux systemd-journald[312]: Journal stopped


[rocketmouse@archlinux ~]$ journalctl -b -2 | grep -i error -B1 -A1
Apr 12 09:25:45 archlinux kernel: mce: Using 20 MCE banks
Apr 12 09:25:45 archlinux kernel: RAS: Correctable Errors collector initialized.
Apr 12 09:25:45 archlinux kernel: microcode: sig=0xb06f5, pf=0x4, revision=0x2c
--
Apr 12 09:25:46 archlinux kernel: cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
Apr 12 09:25:46 archlinux kernel: platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
Apr 12 09:25:46 archlinux kernel: cfg80211: failed to load regulatory.db
--
Apr 12 09:25:47 archlinux libvirtd[422]: hostname: archlinux
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-11'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-7'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on 'usb2'
Apr 12 09:25:47 archlinux kernel: pci 0000:05:00.0: invalid short VPD tag 00 at offset 1
--
Apr 12 09:25:50 archlinux systemd[1]: Manage Sound Card State (restore and store) was skipped because of an unmet condition check (ConditionPathExists=/etc/alsa/state-daemon.conf).
Apr 12 09:25:50 archlinux alsactl[709]: alsa-lib main.c:1541:(snd_use_case_mgr_open) error: failed to import hw:0 use case configuration -2
Apr 12 09:25:50 archlinux kernel: enp5s0: 0xffffbb3507400000, 74:56:3c:26:c4:c6, IRQ 18


[rocketmouse@archlinux ~]$ journalctl -b -2 | grep -i warn -B1 -A1
Apr 12 09:25:45 archlinux kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Apr 12 09:25:45 archlinux kernel: Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
Apr 12 09:25:45 archlinux kernel: Spectre V2 : Mitigation: Enhanced IBRS
--
Apr 12 09:25:45 archlinux kernel: hw perf events fixed 4 > max(3), clipping!
Apr 12 09:25:45 archlinux kernel: WARNING: CPU: 0 PID: 1 at arch/x86/events/intel/core.c:4515 intel_pmu_init+0x1022/0x120c
Apr 12 09:25:45 archlinux kernel: Modules linked in:

> My understanding of out of tree signed kernel modules (and some tools) 
> is captured here (wiki is similar but likely bit out of date vs GH):
> 
>      https://github.com/gene-git/Arch-SKM
> 
> That all said, it appears you've built the kernel with one cert and 
> signed using a different one - maybe?

I don't understand it. If it should be a signing issue, then it does
matter when using one mobo and doesn't matter, if the same SSD holding
the Arch Linux install is connected to another mobo? It only matters
when UEFI booting (with secure boot disabled), but doesn't matter when
legacy booting is enabled by the older mobo? Isn't this signing
independent of the used boot mechanism?

Maybe the culprit is something else, but I couldn't identify something
else.

Regards,
Ralf
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux