kernel modules does not have signatures, so taints kernel
Ben, hello!
Can you please tell, why do we have in kernel config file:
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY=""
so loading any kernel module (checked with sid/unstable with kernels
linux-image-4.5.0-2-amd64 and linux-image-4.5.0-2-sparc64-smp ) taints
kernel :
on x86_64:
mator@windrunner:~$ dmesg | grep -i taint
[ 1.056795] fjes: module verification failed: signature and/or
required key missing - tainting kernel
root@windrunner:/home/mator# modinfo fjes
filename: /lib/modules/4.5.0-2-amd64/kernel/drivers/net/fjes/fjes.ko
version: 1.0
license: GPL
description: FUJITSU Extended Socket Network Device Driver
author: Taku Izumi <izumi.taku@jp.fujitsu.com>
srcversion: C09FB90B0DA9890395D27B8
alias: acpi*:PNP0C02:*
depends:
intree: Y
vermagic: 4.5.0-2-amd64 SMP mod_unload modversions
mator@windrunner:~$ cat /proc/sys/kernel/tainted
8192
[1] states that 8192 code is for "An unsigned module has been loaded
in a kernel supporting module signature."
on sparc64:
mator@nvg5120:~$ dmesg | grep taint
[1800486.552168] aes_sparc64: module verification failed: signature
and/or required key missing - tainting kernel
root@nvg5120:~# modinfo aes_sparc64
filename:
/lib/modules/4.5.0-2-sparc64-smp/kernel/arch/sparc/crypto/aes-sparc64.ko
alias: crypto-aes
alias: aes
description: Rijndael (AES) Cipher Algorithm, sparc64 aes opcode accelerated
license: GPL
alias: of:NcpuT*Csun4vC*
alias: of:NcpuT*Csun4v
depends:
intree: Y
vermagic: 4.5.0-2-sparc64-smp SMP mod_unload modversions
Looking at the output of modinfo, there's no lines like this (as
example of signed module):
user$ modinfo usbcore | grep '^sig'
signer: Modules
sig_key: B0:3B:5E:DB:57:00:F9:D5:D7:85:EB:2D:6F:3E:19:D3:4A:20:20:5B
sig_hashalgo: sha512
If module signing only for Secure Boot on EFI [2], why do we have it on sparc64?
Thanks.
[1] https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
[2] https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html
Reply to: