Bug 295581
Summary: | Module padlock-sha has a bug in kernels >= 2.6.22.4-65.fc7 (Via C7) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Andrejkovic <jandrejkovic> |
Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 7 | CC: | bmr, chris.brown |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-01-16 20:26:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Andrejkovic
2007-09-18 23:50:35 UTC
Are there any kernel messages in the system log when this happens? *** Bug 275681 has been marked as a duplicate of this bug. *** I made some additional checks on 2.6.22.5-76.fc7 - just to prove any other module is affected once padlock-sha is loaded. The error message in logs is "Module signature verification failed". Once I remove padlock-sha from memory they work fine: [machine]# /sbin/lsmod | grep cbq [machine]# /sbin/modprobe padlock-sha [machine]# /sbin/modprobe sch_cbq FATAL: Error inserting sch_cbq (/lib/modules/2.6.22.5- 76.fc7/kernel/net/sched/sch_cbq.ko): Key was rejected by service [machine]# /sbin/modprobe sch_cbq FATAL: Error inserting sch_cbq (/lib/modules/2.6.22.5- 76.fc7/kernel/net/sched/sch_cbq.ko): Key was rejected by service [machine]# /sbin/rmmod padlock-sha [machine]# /sbin/modprobe sch_cbq [machine]# /sbin/lsmod | grep cbq sch_cbq 19521 0 [machine]# /sbin/modprobe padlock-sha [machine]# /sbin/modprobe sch_cbq [machine]# /sbin/rmmod sch_cbq [machine]# /sbin/modprobe sch_cbq FATAL: Error inserting sch_cbq (/lib/modules/2.6.22.5- 76.fc7/kernel/net/sched/sch_cbq.ko): Key was rejected by service [machine]# /var/log/messages: Sep 20 machine kernel: padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms. Sep 20 machine kernel: Module signature verification failed Sep 20 machine kernel: Module signature verification failed Sep 20 machine kernel: padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms. Sep 20 machine kernel: Module signature verification failed [machine]# /sbin/modprobe xfs FATAL: Error inserting xfs (/lib/modules/2.6.22.5-76.fc7/kernel/fs/xfs/xfs.ko): Key was rejected by service [machine]# /sbin/modprobe ext2 FATAL: Error inserting ext2 (/lib/modules/2.6.22.5- 76.fc7/kernel/fs/ext2/ext2.ko): Key was rejected by service [machine]# /sbin/modprobe vfat WARNING: Error inserting fat (/lib/modules/2.6.22.5- 76.fc7/kernel/fs/fat/fat.ko): Key was rejected by service FATAL: Error inserting vfat (/lib/modules/2.6.22.5- 76.fc7/kernel/fs/vfat/vfat.ko): Key was rejected by service [machine]# /sbin/rmmod padlock-sha [machine]# /sbin/modprobe xfs [machine]# /sbin/modprobe ext2 [machine]# /sbin/modprobe vfat [machine]# /var/log/messages: Sep 20 thsw kernel: Module signature verification failed Sep 20 thsw kernel: Module signature verification failed Sep 20 thsw kernel: Module signature verification failed Sep 20 thsw kernel: SGI XFS with ACLs, security attributes, large block numbers, no debug enabled Sep 20 thsw kernel: SGI XFS Quota Management subsystem IMHO this bug can be possibly caused by module signature checking as well: http://lkml.org/lkml/2007/2/14/169 If I have more time I try to find more exact cause... Module signature checking is enabled in Fedora, and somehow the via padlock driver is breaking it. The latestFedora 7 test kernel has the tcrypt module enabled; that should be able to tell if the SHA256 code in the Via driver is broken. Can you test? 1. load the via padlock driver 2. then: modprobe tcrypt mode=303 modprobe tcrypt mode=304 kernels are at: http://koji.fedoraproject.org/koji/buildinfo?buildID=19274 I tried what you advice with your .85 version and also with latest .91 version - still no luck: [machine]# uname -a Linux thsw 2.6.22.7-85.fc7 #1 SMP Fri Sep 21 19:53:05 EDT 2007 i686 i686 i386 GNU/Linux [machine]# /sbin/modprobe padlock_sha [machine]# /sbin/modprobe tcrypt mode=303 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# /sbin/modprobe tcrypt mode=304 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# [machine]# /sbin/rmmod padlock_sha [machine]# /sbin/modprobe tcrypt mode=303 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Resource temporarily unavailable [machine]# /sbin/modprobe tcrypt mode=304 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Resource temporarily unavailable [machine]# -------------------------------------------------------------- [machine]# uname -a Linux thsw 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686 i386 GNU/Linux [machine]# /sbin/modprobe padlock_sha [machine]# /sbin/modprobe tcrypt mode=303 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.9-91.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# /sbin/modprobe tcrypt mode=304 FATAL: Error inserting tcrypt (/lib/modules/2.6.22.9-91.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service [machine]# Jan (In reply to comment #6) > I tried what you advice with your .85 version and also with latest .91 version - > still no luck: > > [machine]# uname -a > Linux thsw 2.6.22.7-85.fc7 #1 SMP Fri Sep 21 19:53:05 EDT 2007 i686 i686 i386 > GNU/Linux > [machine]# /sbin/modprobe padlock_sha > [machine]# /sbin/modprobe tcrypt mode=303 > FATAL: Error inserting tcrypt > (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service > [machine]# /sbin/modprobe tcrypt mode=304 > FATAL: Error inserting tcrypt > (/lib/modules/2.6.22.7-85.fc7/kernel/crypto/tcrypt.ko): Key was rejected by service Yeah, we should have known the the bug itself prevents loading the module to test the bug. Hello, just an update for Kernel 2.6.23.1-10.fc7: Problem still persists... Jan We should probably not distribute that module with our kernel, since nobody can figure out why this is happening. Is it worth filing this one upstream? I think it is time to fix this bug finally... I made some investigation about it. First of all it is not a bug in padlock module itself, it is a conflict between digital signing of modules and padlock_sha module. Or it is a bug in digital signing of modules which does not count with the possibility to have additional external sha module. The good thing is that once padlock_sha is loaded and problem occurs, it can be unloaded and everything works as before. Other findings: - Fedora has its sha1.ko module compiled in the kernel by default - sha1.ko is not loadable module - I think one reason for that is module digital signing - This bug still persits in 2.6.23 fedora kernels as well. - kernel/module-verify-sig.c contains: /* grab an SHA1 transformation context * - !!! if this tries to load the sha1.ko module, we will deadlock!!! */ mvdata->hash.tfm = crypto_hash_cast(crypto_alloc_tfm2("sha1", 0, 1)); I'm thinking if this deadlock isn't the problem which I experience once I try to load padlock_sha module... Some other thoughts: - I also think what happens here is that padlock_sha is loaded into the kernel and its module signature is to be checked by its own sha function... The result of it is "disabled" sha function... - I suggest to test if sha kernel fucntion works at all once padlock_sha is loaded... The module signing will be removed in Fedora 9. |