Ubuntu
kernel-package package

make-kpkg strips modules when CONFIG_MODULE_SIG is set, breaking crypto sigs

Bug #1099371 reported by Chris Samuel
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
kernel-package (Debian)
New
Undecided
Unassigned
kernel-package (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

After doing a module install make-kpkg runs objcopy on the modules to copy out the debug sections for a debug package. It then uses objcopy to remove those same debug sections (along with the crypto signature of the module) from the ones in the main package.

Removing those signatures results in any loading of those modules to immediately taint the kernel as the kernel considers the loading of an unsigned module when CONFIG_MODULE_SIG is set as if the module has been forcibly loaded.

make-kpkg should not use objcopy to strip modules if CONFIG_MODULE_SIG is set. My brief testing with my custom kernel config indicated that stripping modules saved 1MB out of 120MB, so it may be not be worth doing in the first place (YMMV).

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: kernel-package 12.036+nmu3
Uname: Linux 3.8.0-rc2-g974b335-2+ x86_64
ApportVersion: 2.6.1-0ubuntu9
Architecture: amd64
Date: Mon Jan 14 22:40:01 2013
InstallationDate: Installed on 2012-09-20 (116 days ago)
InstallationMedia: Kubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120423)
MarkForUpload: True
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_AU:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_AU.UTF-8
 SHELL=/bin/bash
SourcePackage: kernel-package
UpgradeStatus: Upgraded to quantal on 2012-10-04 (101 days ago)

See original description
Revision history for this message
Chris Samuel (chris-csamuel) wrote :
Revision history for this message
Chris Samuel (chris-csamuel) wrote :

This is likely an upstream bug, but looking at its bugreports it doesn't appear to be maintained any more in Debian. :-(

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in kernel-package (Ubuntu):
status: New → Confirmed
Revision history for this message
FR. Loïc (hackurx) wrote :

In fact, I tested this:

modprobe crc7

cat /var/log/syslog | grep "Disabling lock"
kernel: [ 1209.080510] Disabling lock debugging due to kernel taint

cat /proc/sys/kernel/tainted
2

cat /proc/modules
crc7 1290 0 - Live 0x0000000000000000 0x0000000000000000 (F)

Revision history for this message
Chris Samuel (chris-csamuel) wrote :

Please note that after I logged this bug I realised that the issue is not actually INSTALL_MOD_STRIP as the kernel signs the modules *after* they are stripped, so the signatures should be OK.

I believe the issue is that *after* doing the module install make-kpkg then runs objcopy on the modules to copy out the debug sections for a debug package and then uses objcopy to remove the same debug sections (along with the signature) from the ones in the main package. :-(

So currently this is affecting Raring (13.04) kernels causing them to be always tainted (I'll open a separate report to record that), thus:

chris@quad:~$ dmesg | grep -i taint
[ 2.003424] Disabling lock debugging due to kernel taint

chris@quad:~$ grep -w F /proc/modules | wc -l
46

Chris Samuel (chris-csamuel)
description: updated
Revision history for this message
Chris Samuel (chris-csamuel) wrote :

The kernel bug report had already been reported as bug #1096497.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.