This patch changed keyring name and kernel module name to run modsign test correctly.
Current kernel uses .system_keyring as keyring name so test code needs to use key name .system_keyring instead of module_sign.
Fedora project provides kernel modules as xz archived format. So, test code should extract a kernel module from an archive file. --- default/modsign/modsign_tests.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/default/modsign/modsign_tests.sh b/default/modsign/modsign_tests.sh index b0bab67..63748ad 100755 --- a/default/modsign/modsign_tests.sh +++ b/default/modsign/modsign_tests.sh @@ -7,7 +7,7 @@ modsign_check_modules() # Grab a module to mess around with. We'll pick one that is fairly # stand-alone and rarely used. - cp /lib/modules/`uname -r`/kernel/fs/minix/minix.ko . + xz -dc /lib/modules/`uname -r`/kernel/fs/minix/minix.ko.xz > minix.ko
# Make sure we have the signed module marker cat ./minix.ko | strings | grep "~Module signature appended~" &> /dev/null @@ -59,7 +59,7 @@ modsign_unsigned() { # Grab a module to mess around with. We'll pick one that is fairly # stand-alone and rarely used. - cp /lib/modules/`uname -r`/kernel/fs/minix/minix.ko . + xz -dc /lib/modules/`uname -r`/kernel/fs/minix/minix.ko.xz > minix.ko strip -g ./minix.ko # Make sure it isn't already loaded @@ -109,13 +109,13 @@ modsign_third_party() modsign=0 if [ -f /proc/keys ] then - cat /proc/keys | grep module_sign &> /dev/null + cat /proc/keys | grep .system_keyring &> /dev/null if [ $? -ne "0" ] then echo Module signing not enabled exit 3 fi - keyring=`cat /proc/keys | grep module_sign | cut -f 1 -d " "` + keyring=`cat /proc/keys | grep .system_keyring | cut -f 1 -d " "` keyctl list 0x${keyring} | grep "Fedora kernel signing key" &> /dev/null if [ $? == "0" ] then
kernel@lists.fedoraproject.org