Bug 1696671
| Field | Value |
|---|---|
| Summary | Kernel 5.0.5 loads unsigned kernel modules in a secureboot environment |
| Product | Fedora |
| Reporter | Hedayat Vatankhah <hedayatv> |
| Component | kernel |
| Assignee | Kernel Maintainer List <kernel-maint> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 29 |
| CC | airlied, benjamin.doron00, bskeggs, hdegoede, ichavero, itamar, jarodwilson, jcline, jeremy, jglisse, john.j5live, jonathan, josef, kernel-maint, linville, mchehab, mjg59, nicolasoliver03, paul.0000.black, pbrobinson, steved, travis.bugzilla |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | kernel-5.0.8-200.fc29 kernel-5.0.8-100.fc28 kernel-5.0.8-300.fc30 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-05-01 07:46:05 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1269538 |
| Attachments | |
Description
Hedayat Vatankhah
2019-04-05 11:59:23 UTC
I'm seeing the same with VirtualBox modules:

```
[ 53.740674] vboxdrv: loading out-of-tree module taints kernel.
[ 53.740799] vboxdrv: module verification failed: signature and/or required key missing - tainting kernel
[ 53.747216] vboxdrv: Found 4 processor cores
[ 53.763350] vboxdrv: TSC mode is Invariant, tentative frequency 3311999158 Hz
[ 53.763351] vboxdrv: Successfully loaded version 6.0.4 (interface 0x00290008)
[ 53.969408] VBoxNetFlt: Successfully started.
[ 53.971108] VBoxNetAdp: Successfully started.
[ 53.973382] VBoxPciLinuxInit
[ 53.973386] vboxpci: IOMMU not found (not registered)
```

Also, if I sign the modules it gives an error (although they are still loaded):

```
[ 1410.391839] VBoxPciLinuxLinuxUnload
[ 1410.618698] PKCS#7 signature not signed with a trusted key
[ 1410.625228] vboxdrv: Found 4 processor cores
[ 1410.642357] vboxdrv: TSC mode is Invariant, tentative frequency 3311958543 Hz
[ 1410.642358] vboxdrv: Successfully loaded version 6.0.4 (interface 0x00290008)
[ 1410.872962] PKCS#7 signature not signed with a trusted key
[ 1410.874045] VBoxNetFlt: Successfully started.
[ 1410.881808] PKCS#7 signature not signed with a trusted key
[ 1410.882190] VBoxNetAdp: Successfully started.
[ 1410.890404] PKCS#7 signature not signed with a trusted key
[ 1410.890904] VBoxPciLinuxInit
[ 1410.890907] vboxpci: IOMMU not found (not registered)
```

---

The key is trusted; I still get "[ 0.874853] integrity: Loaded X.509 cert 'Paul Black: 4878024124d1b99d545f7d2084a041b56657caa4'" in my output.

---

I'm having a similar issue with the VMware kernel modules. I wrote a "Hello, World" module as a test (it's attached to my report, if it helps), which confirmed that this is an issue with the kernel, not any individual module.

I didn't find this bug while filing my own (https://bugzilla.redhat.com/show_bug.cgi?id=1698298), but I strongly suspect that mine is a duplicate of this one. After hearing back from someone, it can be marked as such.

I made a number of observations, though.

1. This isn't only confined to EFI secure boot, it's a kernel lockdown issue (but other parts of kernel lockdown are working as expected. Try ``sudo head /dev/mem`` and ``sudo head /dev/port``. These are blocked, as expected.). Try enabling kernel lockdown with "lockdown=1" on the kernel command line, you'll get the same results.
2. You might not be able to test with the rawhide kernel. I couldn't compile any modules on it because I couldn't find kernel-devel for it, so make failed. Perhaps someone else might know what's going on here?
3. I first noticed the issue in 5.0.3-200.fc29.x86_64, it's still in 5.0.6-200.fc29.x86_64 and it was last working for me in 4.20.16-200.fc29.x86_64.

---

Hi folks,

This should be fixed in kernel-5.0.8 builds, currently available in updates-testing. These kernels do have a different issue with module loading and signatures (https://bugzilla.redhat.com/show_bug.cgi?id=1701096, platform keys are ignored) which should be fixed in 5.10.

---

*** Bug 1698298 has been marked as a duplicate of this bug. ***

---

Can confirm that this bug and 1701096 are fixed in kernel-5.0.9-301.fc30

---

Sorry, I never actually tried kernel-5.0.8-200.fc29 because of 1701096

I move for this to be closed.

---

Works for me also. In addition, signing with my own key works in 5.0.10

---

Closing as the kernel is now stable
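The thread above identifies two distinct kernel messages: `module verification failed: signature and/or required key missing` (the module is unsigned) and `PKCS#7 signature not signed with a trusted key` (signed, but by a key the kernel keyrings do not hold), and the defect is that under lockdown the module was loaded anyway. The following is an added example, not code from the bug report or from any of its participants: a small Python checker that parses dmesg-style output for those two messages, attributes each one to a module, and reports the event as an anomaly when lockdown is active (where the load should have been refused) or as a plain taint when it is not. The dmesg sample is constructed here from the lines quoted in the report; the `/sys/kernel/security/lockdown` path is the one exported by the upstream lockdown LSM and is read only if present.

```python
"""Flag kernel modules that loaded despite a signature verification failure.

Added example (not from the bug report). It parses dmesg-style lines like the
ones quoted in the report and classifies each event as an expected taint (no
lockdown) or an anomaly (lockdown / Secure Boot active, load should have been
refused).
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the report's dmesg excerpts; assembled here,
# not a real capture.
SAMPLE_DMESG = """\
[   53.740674] vboxdrv: loading out-of-tree module taints kernel.
[   53.740799] vboxdrv: module verification failed: signature and/or required key missing - tainting kernel
[   53.747216] vboxdrv: Found 4 processor cores
[   53.763351] vboxdrv: Successfully loaded version 6.0.4 (interface 0x00290008)
[ 1410.618698] PKCS#7 signature not signed with a trusted key
[ 1410.625228] vboxdrv: Found 4 processor cores
[ 1410.642358] vboxdrv: Successfully loaded version 6.0.4 (interface 0x00290008)
[ 1410.872962] PKCS#7 signature not signed with a trusted key
[ 1410.874045] VBoxNetFlt: Successfully started.
"""

DMESG_LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
# Logged when the module carries no valid signature at all.
UNSIGNED = re.compile(r"^(?P<mod>\S+): module verification failed: (?P<why>.*)$")
# Logged when the module is signed, but by a key absent from the kernel keyrings.
UNTRUSTED = "PKCS#7 signature not signed with a trusted key"
MODULE_MSG = re.compile(r"^(?P<mod>[A-Za-z0-9_]+): ")


@dataclass
class ModuleEvent:
    timestamp: float
    module: Optional[str]  # None if the kernel did not name the module
    reason: str


def scan_dmesg(text: str) -> List[ModuleEvent]:
    """Extract signature-failure events from dmesg text."""
    events: List[ModuleEvent] = []
    pending: Optional[ModuleEvent] = None
    for raw in text.splitlines():
        m = DMESG_LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        u = UNSIGNED.match(msg)
        if u:
            events.append(ModuleEvent(ts, u["mod"], "unsigned: " + u["why"]))
            continue
        if msg == UNTRUSTED:
            pending = ModuleEvent(ts, None, "signed by a key the kernel does not trust")
            events.append(pending)
            continue
        mm = MODULE_MSG.match(msg)
        if pending is not None and mm:
            # The PKCS#7 error is logged before the module's own init messages,
            # so the next "<module>: ..." line is the best available attribution.
            # This is a heuristic, not something the kernel guarantees.
            pending.module = mm["mod"]
            pending = None
    return events


def assess(events: List[ModuleEvent], lockdown_active: bool) -> List[str]:
    """One finding per event. Under lockdown the load should have been refused,
    so a loaded-but-unverified module is exactly the anomaly the report
    describes; without lockdown it is only a taint worth recording."""
    findings = []
    for ev in events:
        name = ev.module or "<unknown module>"
        if lockdown_active:
            findings.append(f"ANOMALY {ev.timestamp:.6f}: {name} loaded under lockdown ({ev.reason})")
        else:
            findings.append(f"taint {ev.timestamp:.6f}: {name} ({ev.reason})")
    return findings


def lockdown_active_from_sysfs(path: str = "/sys/kernel/security/lockdown") -> Optional[bool]:
    """Read the lockdown LSM state exported by upstream kernels: the file reads
    like "none [integrity] confidentiality", brackets marking the current mode.
    Returns None when the file is absent (kernels predating the upstream
    lockdown LSM may not expose it)."""
    try:
        with open(path) as f:
            return "[none]" not in f.read()
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: dmesg | python3 modsig_check.py   (falls back to the sample on a tty)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    state = lockdown_active_from_sysfs()
    for line in assess(scan_dmesg(text), state if state is not None else False):
        print(line)
```

On a machine affected by this bug, running the checker against real `dmesg` output with Secure Boot or `lockdown=1` active would print `ANOMALY` lines for each module the kernel accepted without a trusted signature; on a fixed kernel those modules never load, so the two messages never appear together with a successful init message.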