Re: CAAM and IMA/EVM : caam_rsa_enc: DECO: desc idx 7: Protocol Size Error

Hi Fabio,

On Tue, Apr 10, 2018 at 7:22 PM, Fabio Estevam <festevam@xxxxxxxxx> wrote:
> Hi Martin,
>
> On Tue, Apr 10, 2018 at 2:06 PM, Martin Townsend
> <mtownsend1973@xxxxxxxxx> wrote:
>> Hi Fabio,
>>
>> On Tue, Apr 10, 2018 at 5:59 PM, Fabio Estevam <festevam@xxxxxxxxx> wrote:
>>> Hi Martin,
>>>
>>> On Mon, Apr 9, 2018 at 5:41 AM, Martin Townsend <mtownsend1973@xxxxxxxxx> wrote:
>>>> Hi,
>>>>
>>>> I'm trying to get to the bottom of an issue I'm seeing when enabling
>>>> the CAAM in the kernel with IMA/EVM enabled.  I'm using the official
>>>> NXP (imx_4.9.11_1.0.0_ga) vendor Kernel.
>>>
>>> Does it work better if you try mainline kernel instead?
>>
>> I had a few issues getting mainline working, the board kept resetting,
>
> Let's try to fix this reset problem then :-)

My preference would be mainline, no offence to the NXP kernel, but it
would be good to use the LTSI kernel so we get security updates etc. :)
The reset was something to do with USB but that was as far as I got.

>
>> when I checked there are lots of patches in the NXP kernel not in
>> mainline. This CAAM problem does occur really early in the boot so
>> just for an experiment it's worth a try.
>
> Ok, I just applied this patch that adds CAAM for mx6ull against linux-next:
>
> http://code.bulix.org/rjkzt5-317022
>
> and I see the following issue with cfg80211 certificate, but I do not
> get a reset as you reported:

The reset (which is not the reset described above) occurs because I
have IMA enabled and because it can't load the x509 certificate it
can't verify init on the filesystem and hence it panics and resets.

The message you are seeing below is the same as I'm seeing.  I'm not
sure if you've seen my later posts but I put in some debug statements and
could see that in my case the signature is 257 bytes and the key 270 bytes,
which is at odds with the error message.  From a post I read, some
signatures can contain extra information besides the signature, so I'm
wondering if the 257 bytes is a 256 byte signature plus a byte which
indicates the encryption used to create the signature or something
like that.

>
> [    2.999416] caam_jr 2142000.jr1: 40000789: DECO: desc idx 7:
> Protocol Size Error - A protocol has seen an error in size. When
> running RSA, pdb size N < (size of F) when no formatting is used; or
> pdb size N < (F + 11) when formatting is used.
> [    3.022168] ------------[ cut here ]------------
> [    3.027247] WARNING: CPU: 0 PID: 1 at
> crypto/asymmetric_keys/public_key.c:148
> public_key_verify_signature+0x27c/0x2b0
> [    3.038075] Modules linked in:
> [    3.041226] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
> 4.16.0-next-20180410-00002-gf0ccf31-dirty #223
> [    3.050413] Hardware name: Freescale i.MX6 Ultralite (Device Tree)
> [    3.056643] Backtrace:
> [    3.059173] [<c010d118>] (dump_backtrace) from [<c010d3d8>]
> (show_stack+0x18/0x1c)
> [    3.066802]  r7:00000000 r6:60000153 r5:00000000 r4:c107ae78
> [    3.072523] [<c010d3c0>] (show_stack) from [<c0a50d24>]
> (dump_stack+0xb4/0xe8)
> [    3.079810] [<c0a50c70>] (dump_stack) from [<c012618c>] (__warn+0x104/0x130)
> [    3.086922]  r9:d604dc94 r8:00000094 r7:00000009 r6:c0d3aea8
> r5:00000000 r4:00000000
> [    3.094728] [<c0126088>] (__warn) from [<c01262d0>]
> (warn_slowpath_null+0x44/0x50)
> [    3.102356]  r8:c1008908 r7:d67846c0 r6:c040bbc4 r5:00000094 r4:c0d3aea8
> [    3.109120] [<c012628c>] (warn_slowpath_null) from [<c040bbc4>]
> (public_key_verify_signature+0x27c/0x2b0)
> [    3.118745]  r6:40000789 r5:d6782f00 r4:d6787f40
> [    3.123428] [<c040b948>] (public_key_verify_signature) from
> [<c040cbd4>] (x509_check_for_self_signed+0xc8/0x104)
> [    3.133664]  r10:d602f000 r9:c0bcb1d0 r8:000002a8 r7:d6787f00
> r6:d6787f40 r5:00000000
> [    3.141543]  r4:d6782d80
> [    3.144140] [<c040cb0c>] (x509_check_for_self_signed) from
> [<c040bdd0>] (x509_cert_parse+0x11c/0x190)
> [    3.153415]  r7:c0bcb1d0 r6:d6787f80 r5:d6782d80 r4:d6787f00
> [    3.159138] [<c040bcb4>] (x509_cert_parse) from [<c040c860>]
> (x509_key_preparse+0x1c/0x194)
> [    3.167550]  r9:c0bcb1d0 r8:c10235dc r7:d604de30 r6:c1026a84
> r5:d604de30 r4:c1026af0
> [    3.175357] [<c040c844>] (x509_key_preparse) from [<c040adbc>]
> (asymmetric_key_preparse+0x50/0x80)
> [    3.184376]  r9:c0bcb1d0 r8:c10235dc r7:d604de30 r6:c1026a84
> r5:c1008908 r4:c1026af0
> [    3.192187] [<c040ad6c>] (asymmetric_key_preparse) from
> [<c03e40b4>] (key_create_or_update+0x138/0x404)
> [    3.201638]  r7:d6495601 r6:d6495600 r5:c1008908 r4:c1026a8c
> [    3.207366] [<c03e3f7c>] (key_create_or_update) from [<c0f5a9c4>]
> (regulatory_init_db+0xf4/0x1e8)
> [    3.216303]  r10:0000000e r9:1f030000 r8:c0d1d144 r7:c17f1e7c
> r6:c0bcb478 r5:000002a8
> [    3.224180]  r4:c0bcb1d0
> [    3.226780] [<c0f5a8d0>] (regulatory_init_db) from [<c0102764>]
> (do_one_initcall+0x50/0x1a4)
> [    3.235278]  r10:c0f00630 r9:c0f64858 r8:c107cb00 r7:00000000
> r6:c0f5a8d0 r5:c1008908
> [    3.243155]  r4:ffffe000
> [    3.245753] [<c0102714>] (do_one_initcall) from [<c0f00f04>]
> (kernel_init_freeable+0x118/0x1d8)
> [    3.254512]  r9:c0f64858 r8:000000f4 r7:c0e1ec98 r6:c0f64854
> r5:c107cb00 r4:c0f78f70
> [    3.262324] [<c0f00dec>] (kernel_init_freeable) from [<c0a665b8>]
> (kernel_init+0x10/0x118)
> [    3.270650]  r10:00000000 r9:00000000 r8:00000000 r7:00000000
> r6:00000000 r5:c0a665a8
> [    3.278527]  r4:00000000
> [    3.281127] [<c0a665a8>] (kernel_init) from [<c01010b4>]
> (ret_from_fork+0x14/0x20)
> [    3.288749] Exception stack(0xd604dfb0 to 0xd604dff8)
> [    3.293859] dfa0:                                     00000000
> 00000000 00000000 00000000
> [    3.302098] dfc0: 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000 00000000
> [    3.310329] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
> [    3.316993]  r5:c0a665a8 r4:00000000
> [    3.320825] irq event stamp: 186525
> [    3.324504] hardirqs last  enabled at (186543): [<c01803b8>]
> console_unlock+0x4d4/0x5c8
> [    3.332584] hardirqs last disabled at (186550): [<c017ffac>]
> console_unlock+0xc8/0x5c8
> [    3.340664] softirqs last  enabled at (186566): [<c01023a0>]
> __do_softirq+0x1f8/0x2a0
> [    3.348665] softirqs last disabled at (186577): [<c012bffc>]
> irq_exit+0x14c/0x1a8
> [    3.356307] ---[ end trace abf8fdf803902ee1 ]---
> [    3.361030] cfg80211: Problem loading in-kernel X.509 certificate (-22)
> [    3.370633] platform regulatory.0: Direct firmware load for
> regulatory.db failed with error -2
> [    3.379780] cfg80211: failed to load regulatory.db
> [    3.385260] VSD_3V3: disabling
> [    3.388632] ALSA device list:
> [    3.391662]   #0: mx6ul-wm8960
> [    3.536866] EXT4-fs (mmcblk1p2): recovery complete
> [    3.545725] EXT4-fs (mmcblk1p2): mounted filesystem with ordered
> data mode. Opts: (null)
> [    3.554300] VFS: Mounted root (ext4 filesystem) on device 179:2.
> [    3.587857] devtmpfs: mounted
> [    3.600044] Freeing unused kernel memory: 1024K
> [    3.775667] EXT4-fs (mmcblk1p2): re-mounted. Opts: (null)
> Starting logging: OK
> Initializing random number generator... done.
> Starting network: OK
>
> Welcome to Buildroot
>
> It would be nice to fix this cfg80211 certificate issue though. My
> colleague Breno has observed this same issue on an imx7.
>
> Thanks
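
The byte counts reported above (257-byte signature, 270-byte key) checked against the no-formatting size rule quoted in the CAAM message, as an added example that is not part of the original post or of the kernel's code. It assumes a 2048-bit RSA key in DER RSAPublicKey form and that the extra signature byte is a leading zero octet, which the thread does not confirm; all function names and buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one DER length at der[*off]; returns it, or -1 if malformed. */
static long der_len(const uint8_t *der, size_t n, size_t *off)
{
    if (*off >= n) return -1;
    uint8_t b = der[(*off)++];
    if (b < 0x80) return b;                 /* short form */
    size_t k = b & 0x7f;                    /* long form: k length octets */
    if (k == 0 || k > 3 || k > n - *off) return -1;
    long len = 0;
    while (k--) len = (len << 8) | der[(*off)++];
    return len;
}

/* Modulus size N in bytes from a DER RSAPublicKey, sign octet excluded. */
long rsa_modulus_bytes(const uint8_t *der, size_t n)
{
    size_t off = 0;
    if (n < 2 || der[off++] != 0x30 || der_len(der, n, &off) < 0) return -1;
    if (off >= n || der[off++] != 0x02) return -1;   /* INTEGER modulus */
    long len = der_len(der, n, &off);
    if (len <= 0 || (size_t)len > n - off) return -1;
    while (len > 1 && der[off] == 0x00) { off++; len--; }
    return len;
}

/* Size of the input F once leading zero octets are dropped. */
size_t significant_bytes(const uint8_t *f, size_t len)
{
    while (len > 0 && *f == 0x00) { f++; len--; }
    return len;
}

/* Rule from the CAAM message, no-formatting case: N must be >= size of F. */
int caam_size_ok(size_t n_bytes, size_t f_bytes) { return n_bytes >= f_bytes; }

/* Constructed 270-byte key: 30 82 01 0a | 02 82 01 01 00 <256> | 02 03 01 00 01 */
size_t build_sample_key(uint8_t out[270])
{
    static const uint8_t head[] = {0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00};
    static const uint8_t tail[] = {0x02,0x03,0x01,0x00,0x01};
    memcpy(out, head, sizeof head);
    memset(out + sizeof head, 0xA5, 256);            /* dummy modulus bytes */
    memcpy(out + sizeof head + 256, tail, sizeof tail);
    return sizeof head + 256 + sizeof tail;          /* 9 + 256 + 5 = 270 */
}
```

With these constructed inputs the 270-byte key yields N = 256, so a 257-byte F fails the quoted rule, while the same buffer counted without its leading zero octet is 256 bytes and passes.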


