Bug 295581
| Summary: | Module padlock-sha has a bug in kernels >= 2.6.22.4-65.fc7 (Via C7) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jan Andrejkovic <jandrejkovic> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 7 | CC: | bmr, chris.brown |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-16 20:26:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jan Andrejkovic
2007-09-18 23:50:35 UTC
Are there any kernel messages in the system log when this happens? *** Bug 275681 has been marked as a duplicate of this bug. *** I made some additional checks on 2.6.22.5-76.fc7 - just to prove any other module is affected once padlock-sha is loaded. The error message in logs is "Module signature verification failed". Once I remove padlock-sha from memory they work fine: [machine]# /sbin/lsmod | grep cbq [machine]# /sbin/modprobe padlock-sha [machine]# /sbin/modprobe sch_cbq FATAL: Error inserting sch_cbq (/lib/modules/2.6.22.5- 76.fc7/kernel/net/sched/sch_cbq.ko): Key was rejected by service [machine]# /sbin/modprobe sch_cbq FATAL: Error inserting sch_cbq (/lib/modules/2.6.22.5- 76.fc7/kernel/net/sched/sch_cbq.ko): Key was rejected by service [machine]# /sbin/rmmod padlock-sha [machine]# /sbin/modprobe sch_cbq [machine]# /sbin/lsmod | grep cbq sch_cbq 19521 0 [machine]# /sbin/modprobe padlock-sha [machine]# /sbin/modprobe sch_cbq [machine]# /sbin/rmmod sch_cbq [machine]# /sbin/modprobe sch_cbq FATAL: Error inserting sch_cbq (/lib/modules/2.6.22.5- 76.fc7/kernel/net/sched/sch_cbq.ko): Key was rejected by service [machine]# /var/log/messages: Sep 20 machine kernel: padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms. Sep 20 machine kernel: Module signature verification failed Sep 20 machine kernel: Module signature verification failed Sep 20 machine kernel: padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms. Sep 20 machine kernel: Module signature verification failed [machine]# /sbin/modprobe xfs FATAL: Error inserting xfs (/lib/modules/2.6.22.5-76.fc7/kernel/fs/xfs/xfs.ko): Key was rejected by service [machine]# /sbin/modprobe ext2 FATAL: Error inserting ext2 (/lib/modules/2.6.22.5- 76.fc7/kernel/fs/ext2/ext2.ko): Key was rejected by service [machine]# /sbin/modprobe vfat WARNING: Error inserting fat (/lib/modules/2.6.22.5- 76.fc7/kernel/fs/fat/fat.ko): Key was rejected by service FATAL: Error inserting vfat (/lib/modules/2.6.22.5- 76.fc7/kernel/fs/vfat/vfat.ko): Key was rejected by service [machine]# /sbin/rmmod padlock-sha [machine]# /sbin/modprobe xfs [machine]# /sbin/modprobe ext2 [machine]# /sbin/modprobe vfat [machine]# /var/log/messages: Sep 20 thsw kernel: Module signature verification failed Sep 20 thsw kernel: Module signature verification failed Sep 20 thsw kernel: Module signature verification failed Sep 20 thsw kernel: SGI XFS with ACLs, security attributes, large block numbers, no debug enabled Sep 20 thsw kernel: SGI XFS Quota Management subsystem IMHO this bug can be possibly caused by module signature checking as well: http://lkml.org/lkml/2007/2/14/169 If I have more time I try to find more exact cause... Module signature checking is enabled in Fedora, and somehow the via padlock
driver is breaking it. The latestFedora 7 test kernel has the tcrypt module
enabled; that should be able to tell if the SHA256 code in the Via driver is
broken. Can you test?
1. load the via padlock driver
2. then: modprobe tcrypt mode=303
modprobe tcrypt mode=304
kernels are at:
http://koji.fedoraproject.org/koji/buildinfo?buildID=19274
I tried what you advice with your .85 version and also with latest .91 version - still no luck: [machine]# uname -a Linux thsw 2.6.22.7-85.fc7 #1 SMP Fri Sep 21 19:53:05 EDT 2007 i686 i686 i386 GNU/Linux [machine]# /sbin/modprobe padlock_sha [machine]# /sbin/modprobe tcrypt mode=303 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# /sbin/modprobe tcrypt mode=304 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# [machine]# /sbin/rmmod padlock_sha [machine]# /sbin/modprobe tcrypt mode=303 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Resource temporarily unavailable [machine]# /sbin/modprobe tcrypt mode=304 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Resource temporarily unavailable [machine]# -------------------------------------------------------------- [machine]# uname -a Linux thsw 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686 i386 GNU/Linux [machine]# /sbin/modprobe padlock_sha [machine]# /sbin/modprobe tcrypt mode=303 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.9-91.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# /sbin/modprobe tcrypt mode=304 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.9-91.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# Jan (In reply to comment #6) > I tried what you advice with your .85 version and also with latest .91 version - > still no luck: > > [machine]# uname -a > Linux thsw 2.6.22.7-85.fc7 #1 SMP Fri Sep 21 19:53:05 EDT 2007 i686 i686 i386 > GNU/Linux > [machine]# /sbin/modprobe padlock_sha > [machine]# /sbin/modprobe tcrypt mode=303 > FATAL: Error inserting tcrypt > (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service > [machine]# /sbin/modprobe tcrypt mode=304 > FATAL: Error inserting tcrypt > (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service Yeah, we should have known the the bug itself prevents loading the module to test the bug. Hello, just an update for Kernel 2.6.23.1-10.fc7: Problem still persists... Jan We should probably not distribute that module with our kernel, since nobody can figure out why this is happening. Is it worth filing this one upstream? I think it is time to fix this bug finally...
I made some investigation about it. First of all it is not a bug in padlock
module itself, it is a conflict between digital signing of modules and
padlock_sha module. Or it is a bug in digital signing of modules which does not
count with the possibility to have additional external sha module.
The good thing is that once padlock_sha is loaded and problem occurs, it can be
unloaded and everything works as before.
Other findings:
- Fedora has its sha1.ko module compiled in the kernel by default - sha1.ko is
not loadable module - I think one reason for that is module digital signing
- This bug still persits in 2.6.23 fedora kernels as well.
- kernel/module-verify-sig.c contains:
/* grab an SHA1 transformation context
* - !!! if this tries to load the sha1.ko module, we will deadlock!!!
*/
mvdata->hash.tfm = crypto_hash_cast(crypto_alloc_tfm2("sha1", 0, 1));
I'm thinking if this deadlock isn't the problem which I experience once I try
to load padlock_sha module...
Some other thoughts:
- I also think what happens here is that padlock_sha is loaded into the kernel
and its module signature is to be checked by its own sha function...
The result of it is "disabled" sha function...
- I suggest to test if sha kernel fucntion works at all once padlock_sha is
loaded...
The module signing will be removed in Fedora 9. |