Bug 433754

Summary: padlock-sha makes kernel module signature verifications fail
Product: [Fedora] Fedora Reporter: Andreas Jaekel <jaekel>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-02-23 03:50:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Andreas Jaekel 2008-02-21 09:44:19 UTC
Description of problem:

I have a VIA EPIA SN10000EG board which has a build in hardware cryptography
module that VIA calls Padlock.  It is supported by Linux via the padlock-aes and
padlock-sha modules.

Loading the padlock-sha module makes loading other modules later on fail with a
signature verification error.

Version-Release number of selected component (if applicable):

Freshly installed Fedora Core 8 with all updates applied via "yum update".

How reproducible:

Reproducing it might require the exact same model of motherboard - I suspect the
error might have show up earlier if it was a general problem with Padlock, and
the SN10000EG is fairly new.  See "Steps" below.

Steps to Reproduce:

[root@panther ~]# modprobe usb_storage
[root@panther ~]# dmesg | tail -1
USB Mass Storage support registered.
[root@panther ~]# rmmod usb_storage
[root@panther ~]# modprobe padlock-sha
[root@panther ~]# modprobe usb_storage
FATAL: Error inserting usb_storage
(/lib/modules/ Key
was rejected by service
[root@panther ~]# dmesg | tail -1
Module signature verification failed
[root@panther ~]# rmmod padlock-sha
[root@panther ~]# modprobe usb_storage
[root@panther ~]# dmesg | tail -1
usb-storage: device scan complete
[root@panther ~]#

Additional info:

I can run supplied test software on the mashine, or provide additional debugging
information.  I'm a developer, so I'm not scared of debuggers and compilers. 
Tell me what you need.

Comment 1 Andreas Jaekel 2008-02-21 09:48:38 UTC
I would like to add that the padlock-aes module works fine on the same computer.
 I have an encrypted filesystem that I can read and write with and without
padlock-aes.  The only notable difference is that using padlock-aes makes the
filesystem  I/O faster by a factor of five.  I take that to mean that the
Padlock engine is generally functional.

Comment 2 Chuck Ebbert 2008-02-22 04:36:34 UTC
This is a known problem and is "fixed" in Fedora 9 because the module signing
has been removed.

Comment 3 Chuck Ebbert 2008-02-23 03:50:05 UTC