Bug 590947

Summary: debugedit vs modsign changes build ID
Product: Red Hat Enterprise Linux 6 Reporter: Roland McGrath <roland>
Component: rpmAssignee: Panu Matilainen <pmatilai>
Status: CLOSED CURRENTRELEASE QA Contact: Miroslav Vadkerti <mvadkert>
Severity: medium Docs Contact:
Priority: high    
Version: 6.0CC: dhowells, herrold, psklenar
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rpm-4.8.0-7.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-10 21:32:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 581965    
Attachments:
Description Flags
two patches in an mbox file, as for git am none

Description Roland McGrath 2010-05-11 03:37:21 UTC 
Created attachment 413035 [details]
two patches in an mbox file, as for git am

The debugedit phase of the rpmbuild process changes the build ID of each .ko after it gets signed.  The kernel build runs debugedit before signing to avoid this problem for this and other embedded-ELF-file kinds of cases (here it's signed, not embedded).  In the other cases, it works out OK because debugedit regenerates the same ID the second time.  With signed .ko files, it comes out different the second time.

The attached changes to debugedit make it recompute build IDs only when it actually did any material changes to the DWARF data.  This solves the problem for modsign.
Comment 1 RHEL Program Management 2010-05-11 04:38:41 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 2 Panu Matilainen 2010-05-12 07:40:52 UTC 
Thanks for the patches, they're applied upstream now and ok by me for RHEL-6.
Comment 3 David Howells 2010-05-12 08:14:46 UTC 
Will these patches appear in Fedora 12 too?
Comment 7 Panu Matilainen 2010-05-17 08:39:09 UTC 
Built into rpm-4.8.0-7.el6.

David: No plans for Fedora, but feel free to clone the bug if you think its actually needed there.
Comment 8 David Howells 2010-05-20 13:24:34 UTC 
Okay, the fixed rpm works for me, provided I manually override the debugedit program on my F12 desktop box before building the kernel RPM:

If you look in the following extract from dmesg, you'll see the GNU build ID note section included in the digest (this does require an additional kernel patch):

looking for sig section '.note.module.sig'
sig in section 25 (size 72)
ffffff8846040011020006
00000020 00 digested the .bss section, size 16
00000181 00 digested the .data section, size 320
000001cf 00 digested the .exit.text section, size 40
00000434 00 digested the .gnu.linkonce.this_module section, size 560
00000505 00 digested the .init.text section, size 171
00000629 00 digested the .modinfo section, size 256
0000067b 00 digested the .note.gnu.build-id section, size 36
00000b3e 00 digested the .rela.data section, nrels 29
00000c8d 00 digested the .rela.exit.text section, nrels 6
00000d1b 00 digested the .rela.gnu.linkonce.this_module section, nrels 2
00000f9b 00 digested the .rela.init.text section, nrels 13
00002e55 00 digested the .rela.rodata section, nrels 174
0000353c 00 digested the .rela.smp_locks section, nrels 43
00010856 00 digested the .rela.text section, nrels 1134
00010d86 00 digested the .rela__bug_table section, nrels 32
000122cf 00 digested the .rela__mcount_loc section, nrels 135
000130c5 00 digested the .rodata section, size 3539
0001365f 00 digested the .rodata.str1.1 section, size 1392
0001451d 00 digested the .rodata.str1.8 section, size 3732
0001469b 00 digested the .smp_locks section, size 344
000205c4 00 digested the .text section, size 48904
000206ab 00 digested the __bug_table section, size 192
00020b0b 00 digested the __mcount_loc section, size 1080
00023871 00 digested the __versions section, size 11584
Contributed 145521 bytes to the digest (csum 0x00)
signature keyid: 59f5d69ccc7cf163 ver=4
ksign: Signature check succeeded
verify-sig : 0
Comment 10 Miroslav Vadkerti 2010-08-13 16:26:44 UTC 
Created RHTS test for this issue:
/CoreOS/rpm/Regression/bz590947-debugedit-vs-modsign-changes-build-ID
Comment 11 Miroslav Vadkerti 2010-08-13 16:31:20 UTC 
VERIFIED as fixed in rpm-4.8.0-12.el6

rpm-4.8.0-12.el6.x86_64
:: [   PASS   ] :: Running 'ld --build-id -r -o jump.ko.unsigned jump.o'
:: [   PASS   ] :: Running '/usr/lib/rpm/debugedit -i jump.ko.unsigned > /tmp/tmp.Ph64SB8Zzu'
:: [   PASS   ] :: Running 'ld -r -o jump.ko my.note.o jump.ko.unsigned'
:: [   PASS   ] :: File '/tmp/tmp.Ph64SB8Zzu' should contain 'feb01f8a1b5e2e053dc4edb7eb9c6a31843f4279'
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: Test

rpm-4.8.0-5.el6.x86_64
:: [   PASS   ] :: Running 'ld --build-id -r -o jump.ko.unsigned jump.o'
:: [   PASS   ] :: Running '/usr/lib/rpm/debugedit -i jump.ko.unsigned > /tmp/tmp.G1c7OmSRpA'
:: [   PASS   ] :: Running 'ld -r -o jump.ko my.note.o jump.ko.unsigned'
:: [   FAIL   ] :: File '/tmp/tmp.G1c7OmSRpA' should contain '5e5ab122e1506f80cdb3f89aba28def402b775b0' 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 3 good, 1 bad
:: [   FAIL   ] :: RESULT: Test
Comment 12 releng-rhel@redhat.com 2010-11-10 21:32:11 UTC 
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.