kernel-packages team mailing list archive

[Bug 1253155] Re: Failure to validate module signature at boot time

 

This bug was fixed in the package linux-lts-raring -
3.8.0-38.56~precise1

---------------
linux-lts-raring (3.8.0-38.56~precise1) precise; urgency=low

  [ Andy Whitcroft ]

  * module signature does not use hash type in older releases

linux-lts-raring (3.8.0-38.55~precise1) precise; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1290512

  [ Tim Gardner ]

  * [Debian] Re-sign modules after debug objcopy
    - LP: #1253155

linux-lts-raring (3.8.0-38.54~precise1) precise; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1290512

  [ Upstream Kernel Changes ]

  * netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper
    - LP: #1274684
    - CVE-2014-1690
  * crypto: ansi_cprng - Fix off by one error in non-block size request
    - LP: #1229981
    - CVE-2013-4345
  * xfs: underflow bug in xfs_attrlist_by_handle()
    - LP: #1256091
    - CVE-2013-6382
  * crypto: s390 - fix concurrency issue in aes-ctr mode
    - LP: #1289439
  * crypto: s390 - fix des and des3_ede cbc concurrency issue
    - LP: #1289439
  * crypto: s390 - fix des and des3_ede ctr concurrency issue
    - LP: #1289439
  * [media] mxl111sf: Fix unintentional garbage stack read
    - LP: #1289439
  * [media] mxl111sf: Fix compile when CONFIG_DVB_USB_MXL111SF is unset
    - LP: #1289439
  * [media] af9035: add ID [2040:f900] Hauppauge WinTV-MiniStick 2
    - LP: #1289439
  * arm64: vdso: prevent ld from aligning PT_LOAD segments to 64k
    - LP: #1289439
  * arm64: add DSB after icache flush in __flush_icache_all()
    - LP: #1289439
  * arm64: Invalidate the TLB when replacing pmd entries during boot
    - LP: #1289439
  * arm64: vdso: fix coarse clock handling
    - LP: #1289439
  * arm64: vdso: update wtm fields for CLOCK_MONOTONIC_COARSE
    - LP: #1289439
  * drm/mgag200,ast,cirrus: fix regression with drm_can_sleep conversion
    - LP: #1289439
  * x86, hweight: Fix BUG when booting with CONFIG_GCOV_PROFILE_ALL=y
    - LP: #1289439
  * mm/swap: fix race on swap_info reuse between swapoff and swapon
    - LP: #1289439
  * mm: __set_page_dirty_nobuffers() uses spin_lock_irqsave() instead of
    spin_lock_irq()
    - LP: #1289439
  * mm: __set_page_dirty uses spin_lock_irqsave instead of spin_lock_irq
    - LP: #1289439
  * staging:iio:ad799x fix error_free_irq which was freeing an irq that may
    not have been requested
    - LP: #1289439
  * KVM: return an error code in kvm_vm_ioctl_register_coalesced_mmio()
    - LP: #1289439
  * block: __elv_next_request() shouldn't call into the elevator if
    bypassing
    - LP: #1289439
  * power: max17040: Fix NULL pointer dereference when there is no
    platform_data
    - LP: #1289439
  * s390/dump: Fix dump memory detection
    - LP: #1289439
  * ath9k_htc: make ->sta_rc_update atomic for most calls
    - LP: #1289439
  * ath9k_htc: Do not support PowerSave by default
    - LP: #1289439
  * ar5523: fix usb id for Gigaset.
    - LP: #1289439
  * ath9k: Do not support PowerSave by default
    - LP: #1289439
  * spi: nuc900: Set SPI_LSB_FIRST for master->mode_bits if hw->pdata->lsb
    is true
    - LP: #1289439
  * usb: ftdi_sio: add Mindstorms EV3 console adapter
    - LP: #1289439
  * usb-storage: restrict bcdDevice range for Super Top in Cypress ATACB
    - LP: #1289439
  * usb-storage: add unusual-devs entry for BlackBerry 9000
    - LP: #1289439
  * usb-storage: enable multi-LUN scanning when needed
    - LP: #1289439
  * of: Fix address decoding on Bimini and js2x machines
    - LP: #1289439
  * of: fix PCI bus match for PCIe slots
    - LP: #1289439
  * usb: qcserial: add Netgear Aircard 340U
    - LP: #1289439
  * USB: ftdi_sio: add Tagsys RFID Reader IDs
    - LP: #1289439
  * mac80211: move roc cookie assignment earlier
    - LP: #1289439
  * mac80211: release the channel in error path in start_ap
    - LP: #1289439
  * mac80211: Fix IBSS disconnect
    - LP: #1289439
  * mac80211: fix fragmentation code, particularly for encryption
    - LP: #1289439
  * time: Fix overflow when HZ is smaller than 60
    - LP: #1289439
  * ALSA: hda - Fix mic capture on Sony VAIO Pro 11
    - LP: #1289439
  * VME: Correct read/write alignment algorithm
    - LP: #1289439
  * Drivers: hv: vmbus: Don't timeout during the initial connection with
    host
    - LP: #1289439
  * raw: test against runtime value of max_raw_minors
    - LP: #1289439
  * tty: n_gsm: Fix for modems with brk in modem status control
    - LP: #1289439
  * staging: comedi: adv_pci1710: fix analog output readback value
    - LP: #1289439
  * xen-blkfront: handle backend CLOSED without CLOSING
    - LP: #1289439
  * Modpost: fixed USB alias generation for ranges including 0x9 and 0xA
    - LP: #1289439
  * fs/file.c:fdtable: avoid triggering OOMs from alloc_fdmem
    - LP: #1289439
  * genirq: Add missing irq_to_desc export for CONFIG_SPARSE_IRQ=n
    - LP: #1289439
  * xen: install xen/gntdev.h and xen/gntalloc.h
    - LP: #1289439
  * ring-buffer: Fix first commit on sub-buffer having non-zero delta
    - LP: #1289439
  * usb: option: blacklist ZTE MF667 net interface
    - LP: #1289439
  * ftrace/x86: Use breakpoints for converting function graph caller
    - LP: #1289439
  * block: add cond_resched() to potentially long running ioctl discard
    loop
    - LP: #1289439
  * md/raid5: Fix CPU hotplug callback registration
    - LP: #1289439
  * compiler/gcc4: Make quirk for asm_volatile_goto() unconditional
    - LP: #1289439
  * x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled
    - LP: #1289439
  * x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off
    - LP: #1289439
  * lockd: send correct lock when granting a delayed lock.
    - LP: #1289439
  * IB/qib: Add missing serdes init sequence
    - LP: #1289439
  * EDAC: Poll timeout cannot be zero, p2
    - LP: #1289439
  * EDAC: Correct workqueue setup path
    - LP: #1289439
  * kvm: x86: fix apic_base enable check
    - LP: #1289439
  * Linux 3.8.13.19
    - LP: #1289439
 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>   Thu, 13 Mar 2014 08:42:48 -0700

** Changed in: linux-lts-raring (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4345

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-6382

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-1690

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1253155

Title:
  Failure to validate module signature at boot time

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux” source package in Quantal:
  Invalid
Status in “linux-lts-raring” source package in Quantal:
  Invalid
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux-lts-raring” source package in Trusty:
  Invalid

Bug description:
  When booting under secureboot and using a signed kernel, it's expected
  that all modules shipped alongside the kernel should validate and load
  successfully without tainting the kernel.

  Unfortunately it doesn't seem to always be the case. Looking through
  my kernel logs, I see:

  Nov 15 10:35:24 castiana kernel: [    1.635132] video: module verification failed: signature and/or required key missing - tainting kernel

  or

  Nov 12 12:58:48 castiana kernel: [213981.753326] Request for unknown module key 'Magrathea: Glacier signing key: f440a253eb498df923d438caa09b3b5d99308405' err -11

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: linux-image-3.12.0-2-generic 3.12.0-2.7
  ProcVersionSignature: Ubuntu 3.12.0-2.7-generic 3.12.0
  Uname: Linux 3.12.0-2-generic x86_64
  ApportVersion: 2.12.7-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  stgraber   2721 F.... pulseaudio
   /dev/snd/controlC0:  stgraber   2721 F.... pulseaudio
   /dev/snd/pcmC0D0c:   stgraber   2721 F...m pulseaudio
   /dev/snd/pcmC0D0p:   stgraber   2721 F...m pulseaudio
  CurrentDesktop: Unity
  Date: Wed Nov 20 11:59:57 2013
  InstallationDate: Installed on 2013-04-21 (213 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130420)
  MachineType: LENOVO 2306CT0
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.12.0-2-generic.efi.signed root=UUID=14de4e20-b139-488e-863f-ec710f776851 ro quiet splash "acpi_osi=!Windows 2012" vt.handoff=7
  RelatedPackageVersions:
   linux-restricted-modules-3.12.0-2-generic N/A
   linux-backports-modules-3.12.0-2-generic  N/A
   linux-firmware                            1.117
  SourcePackage: linux
  StagingDrivers: zram
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 08/27/2013
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ET96WW (2.56 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2306CT0
  dmi.board.vendor: LENOVO
  dmi.board.version: NO DPK
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG2ET96WW(2.56):bd08/27/2013:svnLENOVO:pn2306CT0:pvrThinkPadX230:rvnLENOVO:rn2306CT0:rvrNODPK:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 2306CT0
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1253155/+subscriptions

