Bug 1490975 - kernel module signatures: use of MD4 and no key
Summary: kernel module signatures: use of MD4 and no key
Keywords:
Status: CLOSED DUPLICATE of bug 1320921
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-12 16:08 UTC by Stephan Mueller
Modified: 2018-12-13 16:33 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-31 20:38:20 UTC
Type: Bug


Attachments (Terms of Use)

Description Stephan Mueller 2017-09-12 16:08:01 UTC
Description of problem:

$ uname -r
4.12.8-300.fc26.x86_64

$ modinfo usb-storage
...
sig_key:
sig_hashalgo:   md4

Note, this applies to all kernel modules.

On RHEL 7 systems a key and SHA-256 is used. Shouldn't the Fedora kernel modules be signed with the same cryptographic mechanisms as RHEL? At least MD4 should replaced.

Comment 1 Josh Boyer 2017-09-12 16:22:55 UTC
The kernel config file has this set to SHA256:

CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA384 is not set
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"


md4 isn't even an option.  Perhaps this is a bug in modinfo?

Comment 2 Ferry 2018-01-30 15:28:27 UTC
This is quite odd, just noticed the same when building my own kernel. Did use Fedora 27's latest kernels config from /boot.

Copied the module in question to a CentOS 7 machine, and it shows no signature information at all there.

Then copied it to a gentoo machine (rebuild/updated kmod before checking) and that shows md4 as well.

It's also notable the signature is way longer than what CentOS reports on it's own modules.

On Fedora 27 (my module):
root@builder3 /home/ferry/kernel/linux-4.14.15 # modinfo /lib/modules/4.14.15/kernel/sound/soundcore.ko.xz
filename:       /lib/modules/4.14.15/kernel/sound/soundcore.ko.xz
alias:          char-major-14-*
license:        GPL
author:         Alan Cox
description:    Core sound module
depends:        
intree:         Y
name:           soundcore
vermagic:       4.14.15 SMP mod_unload 
sig_id:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4
signature:      30:82:02:18:06:09:2A:86:48:86:F7:0D:01:07:02:A0:82:02:09:30:
		82:02:05:02:01:01:31:0D:30:0B:06:09:60:86:48:01:65:03:04:02:
		01:30:0B:06:09:2A:86:48:86:F7:0D:01:07:01:31:82:01:E2:30:82:
		01:DE:02:01:01:30:81:B8:30:81:AA:31:0B:30:09:06:03:55:04:06:
		13:02:4E:4C:31:16:30:14:06:03:55:04:08:0C:0D:4E:6F:6F:72:64:
		2D:42:72:61:62:61:6E:74:31:13:30:11:06:03:55:04:07:0C:0A:4F:
		69:73:74:65:72:77:69:6A:6B:31:1D:30:1B:06:03:55:04:0A:0C:14:
		43:69:74:72:75:73:20:53:6F:66:74:77:61:72:65:20:42:2E:56:2E:
		31:30:30:2E:06:03:55:04:03:0C:27:43:69:74:72:75:73:20:53:6F:
		66:74:77:61:72:65:20:2D:20:4B:65:72:6E:65:6C:20:4D:6F:64:75:
		6C:65:20:53:69:67:6E:69:6E:67:31:1D:30:1B:06:09:2A:86:48:86:
		F7:0D:01:09:01:16:0E:69:6E:66:6F:40:63:69:74:72:75:73:2E:6E:
		6C:02:09:00:A7:00:32:D5:AE:FB:A1:2C:30:0B:06:09:60:86:48:01:
		65:03:04:02:01:30:0D:06:09:2A:86:48:86:F7:0D:01:01:01:05:00:
		04:82:01:00:5B:89:89:2B:38:50:FD:7F:20:6D:AC:1C:3D:B8:0A:9B:
		02:3A:20:F0:49:A7:6E:4A:64:90:64:85:4B:15:93:42:41:04:16:5A:
		70:81:3D:72:19:BA:BA:C0:F5:E0:0D:16:B9:F0:96:80:A5:5D:0F:C8:
		EE:11:E3:CC:91:E8:05:0D:A6:91:D2:79:D9:34:5C:83:66:8A:C6:11:
		38:18:EB:DB:1D:9D:55:B5:5C:ED:BA:F4:A9:32:A2:C1:34:63:50:DC:
		89:D0:E5:A6:B0:C1:B3:74:49:B0:FC:C0:73:89:51:E6:C1:18:96:58:
		5C:82:83:1B:49:88:DB:4D:8E:1C:41:0A:C9:F3:2A:E4:B9:BB:42:9F:
		58:4B:E9:3D:8C:0E:0D:BF:91:26:5A:3A:9D:F7:98:06:05:1A:37:CD:
		54:32:DE:65:58:3A:99:A5:50:5E:6D:8B:D4:AB:87:36:C6:D4:01:36:
		FC:E5:A1:AB:E7:98:A8:B8:74:2B:16:8F:4F:5B:62:E1:36:1A:50:E8:
		CD:62:60:1B:C8:AA:BA:9B:23:1B:D0:2D:D7:1C:E9:01:D2:99:AE:CD:
		0E:90:78:76:FC:A4:26:F2:8B:B6:18:11:94:14:15:DD:C9:91:64:06:
		CC:84:8A:45:5E:02:F5:B3:EB:E3:43:3A:C2:39:F3:97:99:D8:2A:17
parm:           preclaim_oss:int




CentOS 7 (current kernel's module)
[root@web-01 ~]# modinfo /lib/modules/3.10.0-514.10.2.el7.x86_64/kernel/sound/soundcore.ko 
filename:       /lib/modules/3.10.0-514.10.2.el7.x86_64/kernel/sound/soundcore.ko
alias:          char-major-14-*
license:        GPL
author:         Alan Cox
description:    Core sound module
rhelversion:    7.3
srcversion:     5C2138EBC7579D20483929A
depends:        
intree:         Y
vermagic:       3.10.0-514.10.2.el7.x86_64 SMP mod_unload modversions 
signer:         CentOS Linux kernel signing key
sig_key:        27:F2:04:85:EB:EB:3B:2D:54:AD:D6:1E:57:B3:08:FA:E0:70:F4:1F
sig_hashalgo:   sha256
parm:           preclaim_oss:int




CentOS 7 (my module - no signing info at all)
[root@web-01 ~]# modinfo /tmp/soundcore.ko.xz 
filename:       /tmp/soundcore.ko.xz
alias:          char-major-14-*
license:        GPL
author:         Alan Cox
description:    Core sound module
depends:        
intree:         Y
name:           soundcore
vermagic:       4.14.15 SMP mod_unload 
parm:           preclaim_oss:int

Gentoo shows the same output as Fedora 27 so I omitted it.

Comment 3 Yauheni Kaliuta 2018-01-31 20:38:20 UTC

*** This bug has been marked as a duplicate of bug 1320921 ***


Note You need to log in before you can comment on or make changes to this bug.