On Tue, 2019-02-12 at 10:53 -0800, James Prestwood wrote:
> On Tue, 2019-02-12 at 19:42 +0100, Johannes Berg wrote:
> > On Tue, 2019-02-12 at 10:02 -0800, James Prestwood wrote:
> > >
> > > Ok, so one of the issue was that my kernel has only builtin
> > > modules,
> > > and the filesystem with /lib/firmware was not mounted until after
> > > kernel boot. I built in both regulatory.db and regulatory.db.p7s
> > > into
> > > the kernel and now I see it actually tried to load them.
> > > Unfortunately
> > > its getting missing/invalid signature:
> > >
> > > [0.377072] cfg80211: Loading compiled-in X.509 certificates for
> > > regulatory database
> > > [ 0.378458] cfg80211: Loaded X.509 cert 'sforshee:
> > > 00b28ddf47aef9cea7'
> > > [ 0.379777] PKCS#7 signature not signed with a trusted key
> > > [ 0.380524] cfg80211: loaded regulatory.db is malformed or
> > > signature
> > > is missing/invalid
> > >
> > > This is a test machine, so I really don't care about ensuring my
> > > regulatory.db is signed. I tried disabling this with
> > > CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=n but when I rebuild this
> > > option
> > > gets overwritten and it changes back to being enabled. There must
> > > be a
> > > conflicting option.
> >
> > It depends on CFG80211_CERTIFICATION_ONUS=y.
Looks like this + CONFIG_EXPERT=y allowed me to disable the
verification! I think this is enough as I really don't need the
verification on this test machine.
Thanks for all your help.
>
> Ill try disabling this, as well as the other options.
>
> >
> > > Optimally it would be nice to just disable this verification
> > > completely, but if that's not possible I assume I need to add the
> > > key
> > > that signed the regulatory.db into the kernel? If so can that
> > > also
> > > be
> > > built into the kernel?
> >
> > Seth's key is there ("Loaded X.509 cert: 'sforshee: ...'"), so not
> > sure
> > why you're getting a verification failure if you built both the db
> > and
> > the signature file into the kernel ... hmm.
> >
> > You didn't build those yourself, did you?
>
> I have tried a few different things:
> - Use regulatory.db preset on my host machine (Ubuntu 18.04)
> - Downloaded the mentioned tarball and copied files into
> /lib/firmware
> - Run make/make install inside mentioned tarball
>
> All of these result in a failed verification.
>
> Right now I have the kernel hacked to default 'n' for the REGDB
> options, and this does allow me to use VHT. So this definitely was
> the
> problem. Ill try disabling CERTIFICATION_ONUS and see if I can get
> those options to stay disabled.
>
> Thanks,
> James
>
> >
> > johannes
> >
>
>
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
