Bug 1972678

Summary: Requirements for authenticating kernel modules with X.509
Product: OpenShift Container Platform
Component: Special Resource Operator
Version: 4.9
Target Release: 4.9.0
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Zvonko Kosic <zkosic>
Assignee: Brett Thurber <bthurber>
QA Contact: Lena Horsley <lhorsley>
CC: aos-bugs, dagray, lhorsley, wabouham
Clone Of: 1972676
Bug Blocks: 1972676
Last Closed: 2021-10-18 17:34:35 UTC

Description Zvonko Kosic 2021-06-16 11:57:17 UTC
+++ This bug was initially created as a clone of Bug #1972676 +++

In RHEL 8, when a kernel module is loaded, the kernel checks the signature of the module against the public X.509 keys from the kernel system keyring (.builtin_trusted_keys) and the kernel platform keyring (.platform). The .platform keyring contains keys from third-party platform providers and custom public keys. The keys from the kernel system .blacklist keyring are excluded from verification.

Additional tools are: yum -y install openssl mokutil keyutils

Comment 2 Lena Horsley 2021-06-21 19:44:35 UTC
Verified in build: 4.9.0-0.nightly-2021-06-21-131605

1. Go to the OpenShift release nightly build page for the nightly build, click "Download the installer," and then click "release.txt."


2. Search for "driver-toolkit" and pull the corresponding image to your dev machine with the command:
podman pull --authfile /path/to/pullsecret <openshift_release_repo>/<corresponding_image_to_your_dev_machine>


3. Enter the following command from the terminal:
podman run <image_from_previous_step> dnf list installed | grep <string>


=====================================
Output from the command in step #3:

openssl
openssl.x86_64                                1:1.1.1g-15.el8_3                    @rhel-8-baseos-rpms-x86_64   
openssl-libs.x86_64                           1:1.1.1g-15.el8_3                    @System               


keyutils
keyutils.x86_64                               1.5.10-6.el8                         @rhel-8-baseos-rpms-x86_64   
keyutils-libs.x86_64                          1.5.10-6.el8                         @System                     


mokutil
mokutil.x86_64                                1:0.3.0-11.el8                       @rhel-8-baseos-rpms-x86_64
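
Added example, not part of the original bug comments: a shell check that reads `dnf list installed` output and reports which of the three tools named in the description (openssl, mokutil, keyutils) are missing, matching exact package names so that `openssl-libs` alone does not count as `openssl`. The names `missing_tools`, `REQUIRED_TOOLS` and `IMAGE` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that the module-signing tools named in the bug
# description are present in `dnf list installed` output.

REQUIRED_TOOLS="openssl mokutil keyutils"

# Reads `dnf list installed` output on stdin and prints each required
# package that is not installed, one per line.
# Returns 0 only when nothing is missing.
missing_tools() {
    awk -v required="$REQUIRED_TOOLS" '
        BEGIN { n = split(required, want, " ") }
        # Package lines have three columns: name.arch, version, @repo.
        NF == 3 && $3 ~ /^@/ {
            name = $1
            sub(/\.[^.]+$/, "", name)   # strip the .arch suffix
            seen[name] = 1
        }
        END {
            missing = 0
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; missing = 1 }
            exit missing
        }'
}

# Sample input: the package lines from the output in comment 2,
# with column padding condensed.
SAMPLE_OUTPUT='openssl.x86_64 1:1.1.1g-15.el8_3 @rhel-8-baseos-rpms-x86_64
openssl-libs.x86_64 1:1.1.1g-15.el8_3 @System
keyutils.x86_64 1.5.10-6.el8 @rhel-8-baseos-rpms-x86_64
keyutils-libs.x86_64 1.5.10-6.el8 @System
mokutil.x86_64 1:0.3.0-11.el8 @rhel-8-baseos-rpms-x86_64'

# Against a real image (IMAGE is a placeholder for the driver-toolkit image):
#   podman run --rm "$IMAGE" dnf list installed | missing_tools
if printf '%s\n' "$SAMPLE_OUTPUT" | missing_tools; then
    echo "all signing tools present"
fi
```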

Comment 7 errata-xmlrpc 2021-10-18 17:34:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759