Bug 196871 (signedmodules) - signed modules patches prevent booting.
Summary: signed modules patches prevent booting.
Keywords:
Status: CLOSED RAWHIDE
Alias: signedmodules
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: David Howells
QA Contact: Brian Brock
URL:
Whiteboard:
: 196905 197014 197071 (view as bug list)
Depends On:
Blocks: 202464
TreeView+ depends on / blocked
 
Reported: 2006-06-27 13:48 UTC by Ronald Warsow
Modified: 2007-11-30 22:11 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-08 18:34:06 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
digicam picture kernel panic (940.28 KB, image/jpeg)
2006-06-27 13:48 UTC, Ronald Warsow
no flags Details
output from kernel 2.6.17-1.2328.fc6 (1.04 MB, image/jpeg)
2006-06-29 13:15 UTC, Ronald Warsow
no flags Details

Description Ronald Warsow 2006-06-27 13:48:50 UTC
Description of problem:
kernel 2.6.17-1.2318_FC6 (i386) panics (see didicam picture)

Version-Release number of selected component (if applicable):
2.6.17-1.2318_FC6

How reproducible:
install kernel 2.6.17-1.2318_FC6

Steps to Reproduce:
1. reboot
2.
3.
  
Actual results:
panic

Expected results:
...

Additional info:
no diffs in initrd's (2.6.17-1.2307, 2.6.17-1.2318)
machine amd k8, chipset via K8T800Pro
could i debug this / provide more info ?

Comment 1 Ronald Warsow 2006-06-27 13:48:51 UTC
Created attachment 131599 [details]
digicam picture kernel panic

Comment 2 Michal Jaegermann 2006-06-27 18:22:32 UTC
On x86_64 machine I am seeing this with 2.6.17-1.2318_FC6:

.....
switchroot: mount failed: No such file or directory
Kernel panic - not syncing: Attempted to kill init!

Call Trace: <ffffffff8026e86e>{dump_stack+18}
            <ffffffff8028ffbe>{panic+134}
            <ffffffff80215555>{do_exit+141}
            <ffffffff8024c1a2>{debug_mutex_init+0}
            [<000000000053d678>]

and a power switch is the only way out.


Comment 3 Dave Jones 2006-06-28 00:20:57 UTC
The signed modules code is broken.
For some reason the modules end up signed with a different key than the one we
use at build time.


Comment 4 Dave Jones 2006-06-28 00:25:26 UTC
*** Bug 196905 has been marked as a duplicate of this bug. ***

Comment 5 Dave Jones 2006-06-28 02:18:22 UTC
*** Bug 197014 has been marked as a duplicate of this bug. ***

Comment 6 Dave Jones 2006-06-28 02:20:22 UTC
further datapoint: The FC6 kernel recompiled on FC5 also exhibits this problem,
ruling out any toolchain/gpg issues.

For now I'm disabling the signed modules patch in tomorrows rawhide.
Leave this bug open, as the patch needs fixing at some point.


Comment 7 Ronald Warsow 2006-06-29 13:15:32 UTC
Created attachment 131747 [details]
output from kernel 2.6.17-1.2328.fc6

Comment 8 Ronald Warsow 2006-06-29 13:25:02 UTC
it means ... from kernel (not enough sleep last night)


last line i could see was
starting udev....
...
(see digicam picture)
....

P.S.
- 2328.fc6
      ^^^ (tricky ?)

"- Disable the signed module patches for now, they need love."
 i can't love it ....





Comment 9 Tom Horsley 2006-06-29 13:39:26 UTC
Just for curiosity, what are the implications (orther than a new way to
screw up releases :-) of signed modules?

If I build my own kernel modules, will I be unable to load them?

If I can build a module that will load anyway, wht is the point of signed
modules, since a hacker to do the same thing (I presume the idea is
to prevent hackers from installing bogus modules)?


Comment 10 Ronald Warsow 2006-06-30 16:40:27 UTC
2.6.17-1.2336.fc6 boot & works !

Comment 11 Dave Jones 2006-07-11 05:40:08 UTC
*** Bug 197071 has been marked as a duplicate of this bug. ***

Comment 12 David Howells 2006-08-04 14:59:15 UTC
This appears to be due to the dia_update() crypto op changing its prototype, 
so that the calculation buffer appears displaced from where it ought to be in 
sha1_update().

Comment 13 Ronald Warsow 2006-08-04 15:29:05 UTC
should this bug not be closed ?
for me it is gone since 2.6.17-1.2336.fc6 and we are now at 2.6.17-1.2510.fc6.
sorry - i am not a kernel developer -, but maybe you spent a lot of time on
"old" stuff...
my "pains" are now at Bugzilla Bug 200638.
thx.

Comment 14 David Howells 2006-08-04 19:38:26 UTC
> should this bug not be closed ?

No, not yet.  The fix is not yet applied - module signing is currently 
disabled.

Comment 15 Dave Jones 2006-08-08 18:34:06 UTC
Should be fixed in todays rawhide.



Note You need to log in before you can comment on or make changes to this bug.