modsign vs build-id
Jarod Wilson
jwilson at redhat.com
Wed Aug 15 04:02:25 UTC 2007
Jarod Wilson wrote:
> Roland McGrath wrote:
>>> The signature sections are identical. Triple-checked that I was
>>> comparing with the ext3.ko from the initrd that booted the system.
>> [...]
>>> To make it even more interesting:
>>>
>>> # cd /lib/modules/2.6.23-0.104.rc3.vsc.fc8/kernel/drivers/net/e1000
>>> # insmod e1000.ko
>>> Modules signature verification failed
>>> insmod: error inserting 'e1000.ko': -1 Key was rejected by service
>>> # strip -g e1000.ko
>>> # insmod e1000.ko
>>> # lsmod |grep e1000
>>> e1000 125977 0
>> Ok. This makes me think that the signature generation and/or verification
>> are looking at something they shouldn't be. i.e., something strip changed.
>>
>>>> Also, you could try setting MODSIGN_DEBUG in kernel/module-verify-sig.c
>>>> (linux-2.6-modsign-core.patch) and booting with "debug" to see those msgs.
>>> Sure, I'll add that too.
>> Also hack modsign.sh to pass -v to mod-extract. The logs from mod-extract
>> for a given module and the printks from verification looking at that module
>> should give us something to go on.
>
> The build is just about done, but I gotta run. I'll poke at it some more
> in a few hours though...
Hrm, something appears to have gone a touch screwy with my output
redirection, but most of the good stuff (from mod-extract -v) is there:
http://people.redhat.com/jwilson/misc/buildlog
dmesg output (as much as possible) post-boot here:
http://people.redhat.com/jwilson/misc/dmesg-modsign
--
Jarod Wilson
jwilson at redhat.com
More information about the Fedora-kernel-list
mailing list