why does an in-tree loadable module taint the kernel
Greg KH
greg at kroah.com
Wed Jun 16 04:05:30 EDT 2021
On Tue, Jun 15, 2021 at 12:26:19PM -0600, jim.cromie at gmail.com wrote:
> On Tue, Jun 15, 2021 at 10:24 AM Greg KH <greg at kroah.com> wrote:
> >
> > On Tue, Jun 15, 2021 at 10:06:08AM -0600, jim.cromie at gmail.com wrote:
> > > On Mon, Jun 14, 2021 at 1:20 AM Greg KH <greg at kroah.com> wrote:
> > > >
> > > > On Mon, Jun 14, 2021 at 01:09:25AM -0600, jim.cromie at gmail.com wrote:
> > > > > serio_raw is apparently tainting the kernel when its modprobed.
> > > > > why ? other modules load properly, no code changes to this module
> > > > >
> > > > > bash-5.1# dmesg | grep -i taint
> > > > > [ 6.517150] serio_raw: module verification failed: signature and/or
> > > > > required key missing - tainting kernel
> > > >
> > > > You did not build this with the correct module signing key that your
> > > > kernel was built with. That is what this warning is showing you, try
> > > > building all modules with the same key as your kernel had and you should
> > > > be fine.
> > > >
> > >
> > > OK, I understand better now -
> > >
> > > its nothing wrong with serio_raw, its just the 1st module to load,
> > > and warning comes just once.
> > > kernel/module.c
> > > 3962: pr_notice_once("%s: module verification failed: signature "
> > >
> > > Whats odd is that the same module has a signature when modinfo'd in
> > > the kernel running the laptop, but not from the same kernel running inside a VM.
> > > Does this constitute a bug of some sort ?
> >
> > I do not understand, what is different here and what is not working
> > properly?
> >
>
> I have built and installed 5.13-rc6 onto my laptop, Im running it now.
> When I modinfo something, it shows a signature
>
> [jimc at frodo ~]$ modinfo pcspkr
> filename:
> /lib/modules/5.13.0-rc6-lm1-00004-g28dc6f490a7f/kernel/drivers/input/misc/pcspkr.ko
> alias: platform:pcspkr
> license: GPL
> description: PC Speaker beeper driver
> author: Vojtech Pavlik <vojtech at ucw.cz>
> depends:
> retpoline: Y
> intree: Y
> name: pcspkr
> vermagic: 5.13.0-rc6-lm1-00004-g28dc6f490a7f SMP mod_unload
> sig_id: PKCS#7
> signer: Build time autogenerated kernel key
> sig_key: 73:9F:4D:24:D7:05:0A:55:AE:5C:B1:F6:52:B1:BA:E0:5C:68:32:36
> sig_hashalgo: sha512
> signature: 47:10:D7:A0:79:BE:B5:24:B1:BE:7F:53:8D:EF:4E:73:BD:39:5C:B4:
> CB:7A:CD:3F:C8:96:E4:7A:72:17:A0:2B:42:63:5A:0F:F6:8B:70:7E:
> ...
>
> when I run precisely the same kernel inside a virtme/kvm/qemu VM,
> the same modinfo lacks that sig stuff
> Note that vermagic matches exactly
>
> bash-5.1# modinfo pcspkr
> filename:
> /lib/modules/5.13.0-rc6-lm1-00004-g28dc6f490a7f/kernel/drivers/input/misc/pcspkr.ko
> alias: platform:pcspkr
> license: GPL
> description: PC Speaker beeper driver
> author: Vojtech Pavlik <vojtech at ucw.cz>
> depends:
> retpoline: Y
> intree: Y
> name: pcspkr
> vermagic: 5.13.0-rc6-lm1-00004-g28dc6f490a7f SMP mod_unload
> bash-5.1#
Are you sure the modinfo you are running inside the vm knows to read the
signature information? Odds are a busybox/toybox modinfo does not know
this type of thing. Let me check:
$ ./busybox modinfo visor | grep signature
$ modinfo visor | grep signature
signature: 51:F5:13:E1:F9:49:FA:20:68:45:F8:32:67:E2:4D:9C:DD:B6:55:EA:
Yup, busybox does not know about these things.
Is the md5sum the same for these modules?
> > If you rebuild modules for a kernel without having the key, yes, you
> > will get this warning. You have to have the same key here.
>
> heres how Ive configured:
> - copy distro .config from /boot (Fedora)
> - make localmodconfig (to drop building parts I wont need)
> - virtme-configkernel --update (to get support for 9P, virtio etc to
> mount host disks)
>
> all the SECURITY stuff came from the distro config,
> I havent yet tried to unconfigure it.
>
> I havent done anything specific with keys, I dont know why whatever
> key is involved
> is not available for both scenarios.
> here's the relevant (I hope) config items:
Look at the CONFIG_MODULE_SIG* items, that's the relevant ones.
Here's what I use in my custom kernels for my systems:
$ zcat /proc/config.gz | grep MODULE_SIG
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
Watch out when using MODULE_SIG_FORCE, that requires you to sign all
modules.
If you want to keep a keyset around when building custom kernels, that's
fine, but I delete mine instantly after signing the kernel so that it's
impossible (well harder) to load modules that were not signed as part of
my local build process. I do that by doing:
rm certs/signing_key.*
after installing the kernel.
Hope this helps,
greg k-h
More information about the Kernelnewbies
mailing list