On Wed, Feb 13, 2019 at 12:26 AM James Prestwood <james.prestwood@xxxxxxxxxxxxxxx> wrote:
>
> On Tue, 2019-02-12 at 10:53 -0800, James Prestwood wrote:
> > On Tue, 2019-02-12 at 19:42 +0100, Johannes Berg wrote:
> > > On Tue, 2019-02-12 at 10:02 -0800, James Prestwood wrote:
> > > >
> > > > Ok, so one of the issues was that my kernel has only builtin modules,
> > > > and the filesystem with /lib/firmware was not mounted until after
> > > > kernel boot. I built in both regulatory.db and regulatory.db.p7s into
> > > > the kernel and now I see it actually tried to load them. Unfortunately
> > > > it's getting missing/invalid signature:
> > > >
> > > > [0.377072] cfg80211: Loading compiled-in X.509 certificates for regulatory database
> > > > [ 0.378458] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
> > > > [ 0.379777] PKCS#7 signature not signed with a trusted key
> > > > [ 0.380524] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
> > > >
> > > > This is a test machine, so I really don't care about ensuring my
> > > > regulatory.db is signed. I tried disabling this with
> > > > CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=n but when I rebuild this option
> > > > gets overwritten and it changes back to being enabled. There must be a
> > > > conflicting option.
> > >
> > > It depends on CFG80211_CERTIFICATION_ONUS=y.
>
> Looks like this + CONFIG_EXPERT=y allowed me to disable the
> verification! I think this is enough as I really don't need the
> verification on this test machine.
>
> Thanks for all your help.
>
> > I'll try disabling this, as well as the other options.
> >
> > > > Optimally it would be nice to just disable this verification
> > > > completely, but if that's not possible I assume I need to add the key
> > > > that signed the regulatory.db into the kernel? If so, can that also be
> > > > built into the kernel?
> > >
> > > Seth's key is there ("Loaded X.509 cert: 'sforshee: ...'"), so not sure
> > > why you're getting a verification failure if you built both the db and
> > > the signature file into the kernel ... hmm.
> > >
> > > You didn't build those yourself, did you?
> >
> > I have tried a few different things:
> > - Use regulatory.db preset on my host machine (Ubuntu 18.04)
> > - Downloaded the mentioned tarball and copied files into /lib/firmware

This should have worked (you just need regulatory.db)

> > - Run make/make install inside mentioned tarball

If you build it yourself then it will generate a new key for you and
sign the database with it, so it won't work.

> >
> > All of these result in a failed verification.
> >
> > Right now I have the kernel hacked to default 'n' for the REGDB
> > options, and this does allow me to use VHT. So this definitely was the
> > problem. I'll try disabling CERTIFICATION_ONUS and see if I can get
> > those options to stay disabled.
> >
> > Thanks,
> > James
> >
> > >
> > > johannes
> > >
> >
> > _______________________________________________
> > Hostap mailing list
> > Hostap@xxxxxxxxxxxxxxxxxxx
> > http://lists.infradead.org/mailman/listinfo/hostap
>

--
Thanks,
Regards,
Chaitanya T K.
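
Added example, not part of the thread above: a shell check that predicts whether a kernel .config keeps regulatory.db signature enforcement after a rebuild, using the dependency chain described in the thread (CFG80211_REQUIRE_SIGNED_REGDB only stays off with CFG80211_CERTIFICATION_ONUS=y and EXPERT=y). The function names and sample config lines are constructed for illustration, and it assumes CFG80211 itself is enabled.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes CFG80211 itself is enabled.

# cfg_val FILE SYMBOL: print the symbol's value from a .config.
# "# CONFIG_X is not set" counts as n; a symbol that never appears is "unset".
cfg_val() {
    awk -v s="CONFIG_$2" '
        index($0, s "=") == 1        { v = substr($0, length(s) + 2) }
        $0 == ("# " s " is not set") { v = "n" }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# regdb_sig_effective FILE: print "enforced" or "disabled".
regdb_sig_effective() {
    expert=$(cfg_val "$1" EXPERT)
    onus=$(cfg_val "$1" CFG80211_CERTIFICATION_ONUS)
    req=$(cfg_val "$1" CFG80211_REQUIRE_SIGNED_REGDB)
    # Per the thread: the option only stays off when CERTIFICATION_ONUS=y,
    # which in turn needed EXPERT=y; otherwise the rebuild turns it back on.
    if [ "$req" = n ] && [ "$onus" = y ] && [ "$expert" = y ]; then
        echo disabled
    else
        echo enforced
    fi
}

# Constructed sample configs mirroring the two attempts in the thread.
sample=$(mktemp)
printf '%s\n' 'CONFIG_CFG80211=y' 'CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=n' > "$sample"
echo "option cleared, no ONUS/EXPERT: $(regdb_sig_effective "$sample")"
printf '%s\n' 'CONFIG_EXPERT=y' 'CONFIG_CFG80211=y' \
    'CONFIG_CFG80211_CERTIFICATION_ONUS=y' \
    '# CONFIG_CFG80211_REQUIRE_SIGNED_REGDB is not set' > "$sample"
echo "ONUS and EXPERT enabled:        $(regdb_sig_effective "$sample")"
rm -f "$sample"
```

Run against a production .config, a result of "disabled" means the kernel will accept an unsigned or self-signed regulatory.db.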