On Wed, 2023-04-12 at 06:54 -0400, Genes Lists wrote:
> On 4/12/23 03:55, Ralf Mardorf wrote
> Bit hard to say from above - clearly these need 2 different keys
> (right?) also you dont say what CONFIG_MODULE_COMPRESS_xx are set to
> either since you have 2 different module compressions as well as keys
> being different.
Hi,
thank you. I try to post complete logs via pastebin or something else
soon, but for the next hours I need to shut down the machine, to do some
work, among other things I'll copy the Arch install from the original
SATA SSD to a NVMe SSD.
[rocketmouse@archlinux ~]$ grep MODULE_COMPRESS /lib/modules/4.19.271-
rt120-0.300-cornflower/build/.config
CONFIG_MODULE_COMPRESS=y
# CONFIG_MODULE_COMPRESS_GZIP is not set
CONFIG_MODULE_COMPRESS_XZ=y
[rocketmouse@archlinux ~]$ grep MODULE_COMPRESS /lib/modules/6.2.10-
arch1-1/build/.config
# CONFIG_MODULE_COMPRESS_NONE is not set
# CONFIG_MODULE_COMPRESS_GZIP is not set
# CONFIG_MODULE_COMPRESS_XZ is not set
CONFIG_MODULE_COMPRESS_ZSTD=y
> Maybe post the actual fatal kernel error exactly - is it possible the
> error you printed was non-fatal and something else kiilled boot?
That's possible. At the moment I've got 4 Arch Linux kernels that fail
to boot. 3 were build by me, 1 is from an official Arch repo.
[rocketmouse@archlinux ~]$ grep -ePKCS -eunknown
/mnt/m1.xubu20.04/boot/grub/grub.cfg
menuentry " Arch Linux Rt Cornflower, PKCS#7 signature not signed with
a trusted key" {
menuentry " Arch Linux Rt Pussytoes, PKCS#7 signature not signed with
a trusted key" {
menuentry " Arch Linux Rt Securityink, PKCS#7 signature not signed with
a trusted key" {
menuentry " Arch extra/linux-rt-lts, unknown issue" {
The one from the repo doesn't spit a PKCS#7 signature error message,
just the kernels build by me do so. All 4 kernels are rt patched
kernels. However, the non-lts rt from the repos, extra/linux-rt
6.2.0.3.realtime1-3 does finish startup without a problem.
I've got a lot of way older (and other new) kernels for different Linux
distros that don't fail to boot, just two other kernels also fail to
boot, but with an "too old" error message.
The kernel parameter "module.sig_enforce=0" was just a test. At some
point after the startup hanged I pushed either Ctrl+Alt+Del or the reset
or power off button.
[rocketmouse@archlinux ~]$ journalctl -b -2
Apr 12 09:25:45 archlinux kernel: Linux version 4.19.271-rt120-0.300-cornflower
(linux-rt-cornflower@archlinux) (gcc version 12.2.1 20230111 (GCC)) #1 SMP
PREEMPT RT Sat, 04 Feb 2023 02:01:3>
Apr 12 09:25:45 archlinux kernel: Command line:
BOOT_IMAGE=/boot/vmlinuz-linux-rt-cornflower
root=/dev/disk/by-label/s3.archlinux ro module.sig_enforce=0
[snip]
Apr 12 09:25:45 archlinux kernel: Loading compiled-in X.509 certificates
Apr 12 09:25:45 archlinux kernel: Loaded X.509 cert 'Build time autogenerated
kernel key: f1c3403526458c3d1252b029fd8c628d7fa915df'
[snip]
Apr 12 09:25:47 archlinux libvirtd[422]: libvirt version: 9.2.0
Apr 12 09:25:47 archlinux libvirtd[422]: hostname: archlinux
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property
'ID_VENDOR_ID' on '1-11'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property
'ID_VENDOR_ID' on '1-7'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property
'ID_VENDOR_ID' on 'usb2'
Apr 12 09:25:47 archlinux kernel: pci 0000:05:00.0: invalid short VPD tag 00 at
offset 1
Apr 12 09:25:47 archlinux kernel: acpi PNP0C14:01: duplicate WMI GUID
05901221-D566-11D1-B2F0-00A0C9062910 (first instance was on PNP0C14:00)
Apr 12 09:25:47 archlinux kernel: acpi PNP0C14:02: duplicate WMI GUID
05901221-D566-11D1-B2F0-00A0C9062910 (first instance was on PNP0C14:00)
Apr 12 09:25:47 archlinux kernel: PKCS#7 signature not signed with a trusted key
Apr 12 09:25:47 archlinux kernel: r8125: loading out-of-tree module taints
kernel.
Apr 12 09:25:47 archlinux kernel: r8125: module verification failed: signature
and/or required key missing - tainting kernel
Apr 12 09:25:47 archlinux kernel: r8125 2.5Gigabit Ethernet driver
9.011.00-NAPI loaded
Apr 12 09:25:47 archlinux kernel: r8125: This product is covered by one or more
of the following patents: US6,570,884, US6,115,776, and US6,327,625.
Apr 12 09:25:47 archlinux kernel: r8125 Copyright (C) 2022 Realtek NIC
software team <[email protected]>
This program comes with ABSOLUTELY NO
WARRANTY; for details, please see <http://www.gnu.org/licenses/>.
This is free software, and you are welcome
to redistribute it under certain conditions; see
<http://www.gnu.org/licenses/>.
Apr 12 09:25:48 archlinux kernel: snd_hdspm 0000:01:00.0: enabling device (0000
-> 0002)
Apr 12 09:25:48 archlinux kernel: snd_hda_intel 0000:00:1f.3: enabling device
(0000 -> 0002)
[snip]
Apr 12 09:25:54 archlinux kernel: r8125: enp5s0: link up
Apr 12 09:25:54 archlinux kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp5s0: link
becomes ready
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: IAID 3c:26:c4:c6
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: adding address
fe80::4388:6700:a99d:1b58
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: rebinding lease of 192.168.1.2
Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: soliciting an IPv6 router
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: DHCP lease expired
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: soliciting a DHCP lease
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: Router Advertisement from fe80::1
Apr 12 09:25:59 archlinux dnsmasq[587]: reading /etc/resolv.conf
Apr 12 09:25:59 archlinux dnsmasq[587]: using nameserver fe80::1%enp5s0#53
Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information
Apr 12 09:26:00 archlinux dhcpcd[409]: enp5s0: offered 192.168.1.2 from
192.168.1.1
Apr 12 09:26:00 archlinux dhcpcd[409]: enp5s0: probing address 192.168.1.2/24
Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: leased 192.168.1.2 for 604800
seconds
Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: adding route to 192.168.1.0/24
Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: adding default route via
192.168.1.1
Apr 12 09:26:05 archlinux dnsmasq[587]: reading /etc/resolv.conf
Apr 12 09:26:05 archlinux dnsmasq[587]: using nameserver 192.168.1.1#53
Apr 12 09:26:05 archlinux dnsmasq[587]: using nameserver fe80::1%enp5s0#53
Apr 12 09:26:09 archlinux dhcpcd[409]: enp5s0: failed to request DHCPv6
information
Apr 12 09:26:09 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information
Apr 12 09:26:19 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information
Apr 12 09:26:21 archlinux systemd[1]: Received SIGINT.
Apr 12 09:26:21 archlinux systemd[1]: Activating special unit System Reboot...
[snip]
Apr 12 09:26:22 archlinux systemd[1]: Finished System Reboot.
Apr 12 09:26:22 archlinux systemd[1]: Reached target System Reboot.
Apr 12 09:26:22 archlinux systemd[1]: Shutting down.
Apr 12 09:26:22 archlinux systemd-shutdown[1]: Syncing filesystems and block
devices.
Apr 12 09:26:22 archlinux systemd-shutdown[1]: Sending SIGTERM to remaining
processes...
Apr 12 09:26:22 archlinux systemd-journald[312]: Received SIGTERM from PID 1
(systemd-shutdow).
Apr 12 09:26:22 archlinux haveged[311]: haveged: Stopping due to signal 15
Apr 12 09:26:22 archlinux haveged[311]: tot tests(BA8): A:1/1 B:1/1 continuous
tests(B): last entropy estimate 8.00161
Apr 12 09:26:22 archlinux haveged[311]: fills: 1, generated: 512 K bytes,
RNDADDENTROPY: 256
Apr 12 09:26:22 archlinux dnsmasq[587]: exiting on receipt of SIGTERM
Apr 12 09:26:22 archlinux haveged[311]: haveged starting up
Apr 12 09:26:22 archlinux systemd-journald[312]: Journal stopped
[rocketmouse@archlinux ~]$ journalctl -b -2 | grep -i error -B1 -A1
Apr 12 09:25:45 archlinux kernel: mce: Using 20 MCE banks
Apr 12 09:25:45 archlinux kernel: RAS: Correctable Errors collector initialized.
Apr 12 09:25:45 archlinux kernel: microcode: sig=0xb06f5, pf=0x4, revision=0x2c
--
Apr 12 09:25:46 archlinux kernel: cfg80211: Loaded X.509 cert 'sforshee:
00b28ddf47aef9cea7'
Apr 12 09:25:46 archlinux kernel: platform regulatory.0: Direct firmware load
for regulatory.db failed with error -2
Apr 12 09:25:46 archlinux kernel: cfg80211: failed to load regulatory.db
--
Apr 12 09:25:47 archlinux libvirtd[422]: hostname: archlinux
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property
'ID_VENDOR_ID' on '1-11'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property
'ID_VENDOR_ID' on '1-7'
Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property
'ID_VENDOR_ID' on 'usb2'
Apr 12 09:25:47 archlinux kernel: pci 0000:05:00.0: invalid short VPD tag 00 at
offset 1
--
Apr 12 09:25:50 archlinux systemd[1]: Manage Sound Card State (restore and
store) was skipped because of an unmet condition check
(ConditionPathExists=/etc/alsa/state-daemon.conf).
Apr 12 09:25:50 archlinux alsactl[709]: alsa-lib
main.c:1541:(snd_use_case_mgr_open) error: failed to import hw:0 use case
configuration -2
Apr 12 09:25:50 archlinux kernel: enp5s0: 0xffffbb3507400000,
74:56:3c:26:c4:c6, IRQ 18
[rocketmouse@archlinux ~]$ journalctl -b -2 | grep -i warn -B1 -A1
Apr 12 09:25:45 archlinux kernel: Spectre V1 : Mitigation: usercopy/swapgs
barriers and __user pointer sanitization
Apr 12 09:25:45 archlinux kernel: Spectre V2 : WARNING: Unprivileged eBPF is
enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
Apr 12 09:25:45 archlinux kernel: Spectre V2 : Mitigation: Enhanced IBRS
--
Apr 12 09:25:45 archlinux kernel: hw perf events fixed 4 > max(3), clipping!
Apr 12 09:25:45 archlinux kernel: WARNING: CPU: 0 PID: 1 at
arch/x86/events/intel/core.c:4515 intel_pmu_init+0x1022/0x120c
Apr 12 09:25:45 archlinux kernel: Modules linked in:
> My understanding of out of tree signed kernel modules (and some tools)
> is captured here (wiki is similar but likely bit out of date vs GH):
>
> https://github.com/gene-git/Arch-SKM
>
> That all said, it appears you've built the kernel with one cert and
> signed using a different one - maybe?
I don't understand it. If it should be a signing issue, then it does
matter when using one mobo and doesn't matter, if the same SSD holding
the Arch Linux install is connected to another mobo? It only matters
when UEFI booting (with secure boot disabled), but doesn't matter when
legacy booting is enabled by the older mobo? Isn't this signing
independent of the used boot mechanism?
Maybe the culprit is something else, but I couldn't identify something
else.
Regards,
Ralf
