kernel-packages team mailing list archive

Thread
Date

[Bug 1253155] Re: Failure to validate module signature at boot time

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Seth Forshee <seth.forshee+lp@xxxxxxxxxxxxx>
Date: Mon, 25 Nov 2013 21:19:11 -0000
Reply-to: Bug 1253155 <1253155@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I get the "module verification failed" messages for libahci.ko. If the
module is signed, running:

  hexdump -C /path/to/module | tail -n 5

should show the string "~Module signature appended~" at the end. I see
that with i915.ko for example, but with video.ko and libahci.ko I do
not. After a little poking around I'm fairly well convinced that the
ones lacking signatures are all in the generic inclusion list. These
modules must be getting stripped in such a way that the signatures are
getting removed, or something like that.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1253155

Title:
  Failure to validate module signature at boot time

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  When booting under secureboot and using a signed kernel, it's expected
  that all modules shipped alongside the kernel should validate and load
  successfully without tainting the kernel.

  Unfortunately it doesn't seem to always be the case. Looking through
  my kernel logs, I see:

  Nov 15 10:35:24 castiana kernel: [    1.635132] video: module
  verification failed: signature and/or required key missing - tainting
  kernel

  or

  Nov 12 12:58:48 castiana kernel: [213981.753326] Request for unknown
  module key 'Magrathea: Glacier signing key:
  f440a253eb498df923d438caa09b3b5d99308405' err -11

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: linux-image-3.12.0-2-generic 3.12.0-2.7
  ProcVersionSignature: Ubuntu 3.12.0-2.7-generic 3.12.0
  Uname: Linux 3.12.0-2-generic x86_64
  ApportVersion: 2.12.7-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  stgraber   2721 F.... pulseaudio
   /dev/snd/controlC0:  stgraber   2721 F.... pulseaudio
   /dev/snd/pcmC0D0c:   stgraber   2721 F...m pulseaudio
   /dev/snd/pcmC0D0p:   stgraber   2721 F...m pulseaudio
  CurrentDesktop: Unity
  Date: Wed Nov 20 11:59:57 2013
  InstallationDate: Installed on 2013-04-21 (213 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130420)
  MachineType: LENOVO 2306CT0
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.12.0-2-generic.efi.signed root=UUID=14de4e20-b139-488e-863f-ec710f776851 ro quiet splash "acpi_osi=!Windows 2012" vt.handoff=7
  RelatedPackageVersions:
   linux-restricted-modules-3.12.0-2-generic N/A
   linux-backports-modules-3.12.0-2-generic  N/A
   linux-firmware                            1.117
  SourcePackage: linux
  StagingDrivers: zram
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 08/27/2013
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ET96WW (2.56 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2306CT0
  dmi.board.vendor: LENOVO
  dmi.board.version: NO DPK
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG2ET96WW(2.56):bd08/27/2013:svnLENOVO:pn2306CT0:pvrThinkPadX230:rvnLENOVO:rn2306CT0:rvrNODPK:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 2306CT0
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1253155/+subscriptions

References

[Bug 1253155] [NEW] Failure to validate module signature at boot time
From: Stéphane Graber, 2013-11-20