Bug 1490975

Summary: kernel module signatures: use of MD4 and no key
Product: [Fedora] Fedora
Reporter: Stephan Mueller <smueller>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 26
CC: airlied, ajax, bskeggs, eparis, esandeen, facet-bcld, freaky, hdegoede, ichavero, itamar, jarodwilson, jforbes, jglisse, jonathan, josef, jwboyer, kernel-maint, labbott, linville, mchehab, mjg59, nhorman, quintela, steved, ykaliuta
Last Closed: 2018-01-31 20:38:20 UTC
Type: Bug

Description Stephan Mueller 2017-09-12 16:08:01 UTC
Description of problem:

$ uname -r
4.12.8-300.fc26.x86_64

$ modinfo usb-storage
...
sig_key:
sig_hashalgo:   md4

Note, this applies to all kernel modules.

On RHEL 7 systems a key and SHA-256 are used. Shouldn't the Fedora kernel modules be signed with the same cryptographic mechanisms as RHEL? At least MD4 should be replaced.

Comment 1 Josh Boyer 2017-09-12 16:22:55 UTC
The kernel config file has this set to SHA256:

CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA384 is not set
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"


md4 isn't even an option.  Perhaps this is a bug in modinfo?

Comment 2 Ferry 2018-01-30 15:28:27 UTC
This is quite odd, just noticed the same when building my own kernel. Did use Fedora 27's latest kernel's config from /boot.

Copied the module in question to a CentOS 7 machine, and it shows no signature information at all there.

Then copied it to a Gentoo machine (rebuilt/updated kmod before checking) and that shows md4 as well.

It's also notable the signature is way longer than what CentOS reports on its own modules.

On Fedora 27 (my module):
root@builder3 /home/ferry/kernel/linux-4.14.15 # modinfo /lib/modules/4.14.15/kernel/sound/soundcore.ko.xz
filename:       /lib/modules/4.14.15/kernel/sound/soundcore.ko.xz
alias:          char-major-14-*
license:        GPL
author:         Alan Cox
description:    Core sound module
depends:        
intree:         Y
name:           soundcore
vermagic:       4.14.15 SMP mod_unload 
sig_id:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4
parm:           preclaim_oss:int




CentOS 7 (current kernel's module)
[root@web-01 ~]# modinfo /lib/modules/3.10.0-514.10.2.el7.x86_64/kernel/sound/soundcore.ko 
filename:       /lib/modules/3.10.0-514.10.2.el7.x86_64/kernel/sound/soundcore.ko
alias:          char-major-14-*
license:        GPL
author:         Alan Cox
description:    Core sound module
rhelversion:    7.3
srcversion:     5C2138EBC7579D20483929A
depends:        
intree:         Y
vermagic:       3.10.0-514.10.2.el7.x86_64 SMP mod_unload modversions 
signer:         CentOS Linux kernel signing key
sig_key:        27:F2:04:85:EB:EB:3B:2D:54:AD:D6:1E:57:B3:08:FA:E0:70:F4:1F
sig_hashalgo:   sha256
parm:           preclaim_oss:int




CentOS 7 (my module - no signing info at all)
[root@web-01 ~]# modinfo /tmp/soundcore.ko.xz 
filename:       /tmp/soundcore.ko.xz
alias:          char-major-14-*
license:        GPL
author:         Alan Cox
description:    Core sound module
depends:        
intree:         Y
name:           soundcore
vermagic:       4.14.15 SMP mod_unload 
parm:           preclaim_oss:int

Gentoo shows the same output as Fedora 27 so I omitted it.
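
An independent check of which digest a PKCS#7-signed module actually carries, as an added example that is not part of the original comments or of kmod: it reads the kernel's appended signature trailer and walks the PKCS#7 header to the first digest-algorithm OID, without relying on modinfo. The function names and the sample module bytes are constructed for illustration.

```python
import lzma
import struct

MAGIC = b"~Module signature appended~\n"
# Kernel struct module_signature: algo, hash, id_type, signer_len,
# key_id_len, 3 pad bytes, big-endian 32-bit signature length.
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2
DIGEST_OIDS = {  # DER-encoded OID contents -> digest name
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040203"): "sha512",
    bytes.fromhex("2b0e03021a"): "sha1",
    bytes.fromhex("2a864886f70d0204"): "md4",
}

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs7_digest(sig):
    """Name the first digestAlgorithms entry of a PKCS#7 SignedData blob."""
    # Enter ContentInfo, skip contentType OID, enter [0] and SignedData,
    # skip version, enter digestAlgorithms SET and AlgorithmIdentifier.
    pos = 0
    for step in ("in", "skip", "in", "in", "skip", "in", "in"):
        _, start, end = _tlv(sig, pos)
        pos = start if step == "in" else end
    tag, start, end = _tlv(sig, pos)
    return DIGEST_OIDS.get(bytes(sig[start:end]), "unknown") if tag == 0x06 else "unknown"

def module_sig_info(data):
    """Return trailer fields and the embedded digest name, or None if unsigned."""
    if data.startswith(b"\xfd7zXZ\x00"):  # .ko.xz: trailer is inside the archive
        data = lzma.decompress(data)
    if not data.endswith(MAGIC):
        return None
    end = len(data) - len(MAGIC) - TRAILER.size
    _algo, hash_id, id_type, _sl, _kl, sig_len = TRAILER.unpack_from(data, end)
    digest = pkcs7_digest(data[end - sig_len:end]) if id_type == PKEY_ID_PKCS7 else None
    return {"id_type": id_type, "trailer_hash": hash_id, "digest": digest}

# Constructed sample: fake ELF bytes plus a truncated PKCS#7 header naming SHA-256.
SAMPLE_SIG = bytes.fromhex("302106092a864886f70d010702a0143012020101310d300b"
                           "0609608648016503040201")
SAMPLE_KO = (b"\x7fELF" + b"\0" * 60 + SAMPLE_SIG
             + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_SIG)) + MAGIC)
```

For PKCS#7 signatures the kernel leaves the trailer's `hash`, `signer_len` and `key_id_len` at 0 and keeps the digest and signer inside the PKCS#7 blob; index 0 in kmod's hash-name table is md4, so a tool that reads only the trailer prints `md4` with an empty signer and key.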

Comment 3 Yauheni Kaliuta 2018-01-31 20:38:20 UTC

*** This bug has been marked as a duplicate of bug 1320921 ***