modsign vs build-id

Jarod Wilson jwilson at redhat.com
Tue Aug 14 20:30:48 UTC 2007


Roland McGrath wrote:
>> Ya got me, but upon unpacking the initrd, modinfo tells me the bits in
>> the initrd have the right vermagic. 
> 
> That doesn't tell you anything useful.  Compare the signature sections,
> e.g. readelf -x .module_sig on each.

The signature sections are identical. Triple-checked that I was
comparing with the ext3.ko from the initrd that booted the system.

>> However, the file sizes don't match.
>> In fact, they aren't even close.
>>
>> # (cd /tmp/initrd-104/lib; ll ext3.ko)
>> -rw------- 1 root root 189096 2007-08-14 15:31 ext3.ko
>>
>> # (cd /lib/modules/2.6.23-0.104.rc3.vsc.fc8/kerne/fs/ext3; ll ext3.ko)
>> -rw-r--r-- 1 root root 2719832 2007-08-14 12:46 ext3.ko
> 
> mkinitrd runs strip -g on the modules copied to the initrd.
> I hadn't noticed that before, but it should not be a problem.
> (Its effect on the signature issue should not have changed.)

And indeed, the size matches if I manually run strip -g on the
unstripped ko.

To make it even more interesting:

# cd /lib/modules/2.6.23-0.104.rc3.vsc.fc8/kernel/drivers/net/e1000
# insmod e1000.ko
Modules signature verification failed
insmod: error inserting 'e1000.ko': -1 Key was rejected by service
# strip -g e1000.ko
# insmod e1000.ko
# lsmod |grep e1000
e1000       125977 0

>> Okay, so I rebuilt the initrd and bounced the box... And there's the
>> expected kernel panic.

Only, if mkinitrd is stripping the modules, based on the above info,
this *should* have worked...

>> So now I'm thoroughly confused as to where the
>> hell the modules that at least booted the system came from...
> 
> Ok, we'll call the first experience a mysterious hiccup then.
> 
> Did you save your rpmbuild log?  Can you double-check that it has no
> debugedit or find-debuginfo.sh runs that follow the modsign.sh runs?

I didn't save it, but I can do a rebuild with the same options.

> Also, you could try setting MODSIGN_DEBUG in kernel/module-verify-sig.c
> (linux-2.6-modsign-core.patch) and booting with "debug" to see those msgs.

Sure, I'll add that too.

-- 
Jarod Wilson
jwilson at redhat.com
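
Added example, not part of the original message or of the modsign patches: the per-section comparison suggested above (`readelf -x .module_sig` on each copy), generalised to every section so that what `strip -g` removed and whether `.module_sig` still matches can be read off in one pass. The function names are hypothetical and the two ELF images are constructed samples; only little-endian ELF64 is handled.

```python
import hashlib
import struct

def elf64_sections(data):
    """Return {section name: sha256 of contents} for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", data, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQ", data, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = hdrs[shstrndx][4]          # file offset of the section name table
    out = {}
    for name_off, sh_type, _flags, _addr, off, size in hdrs:
        start = strtab_off + name_off
        name = data[start:data.index(b"\0", start)].decode()
        body = b"" if sh_type == 8 else data[off:off + size]  # SHT_NOBITS has no file bytes
        if name:                            # skip the unnamed null section
            out[name] = hashlib.sha256(body).hexdigest()
    return out

def compare_modules(a, b):
    """Report which sections differ between two images of the same module."""
    sa, sb = elf64_sections(a), elf64_sections(b)
    return {
        "only_in_a": sorted(set(sa) - set(sb)),
        "only_in_b": sorted(set(sb) - set(sa)),
        "changed": sorted(n for n in set(sa) & set(sb) if sa[n] != sb[n]),
        "sig_identical": ".module_sig" in sa and sa[".module_sig"] == sb.get(".module_sig"),
    }

def build_elf(sections):
    """Constructed sample: minimal ELF64 image holding only the given (name, bytes) sections."""
    names = [""] + [n for n, _ in sections] + [".shstrtab"]
    strtab = b"".join(n.encode() + b"\0" for n in names)
    bodies = [b""] + [b for _, b in sections] + [strtab]
    blob, hdrs, name_off = b"", b"", 0
    for n, body in zip(names, bodies):
        sh_type = 0 if not n else (3 if n == ".shstrtab" else 1)  # NULL / STRTAB / PROGBITS
        hdrs += struct.pack("<IIQQQQIIQQ", name_off, sh_type, 0, 0,
                            64 + len(blob), len(body), 0, 0, 1, 0)
        blob += body
        name_off += len(n) + 1
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64 + len(blob), 0, 64, 0, 0, 64, len(names), len(names) - 1)
    return ehdr + blob + hdrs

# Constructed stand-ins for the unstripped module and its stripped initrd copy.
UNSTRIPPED = build_elf([(".text", b"\x90" * 16), (".module_sig", b"constructed-sig"), (".debug_info", b"constructed-debug")])
STRIPPED = build_elf([(".text", b"\x90" * 16), (".module_sig", b"constructed-sig")])
if __name__ == "__main__":
    print(compare_modules(UNSTRIPPED, STRIPPED))
```

On real files, pass the bytes of each `ext3.ko` (for example `open(path, "rb").read()`) instead of the constructed images.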

