On Wed, 23 Oct 2019 17:24:22 +0200 Tomas Janousek <t...@nomi.cz> wrote: > Hi all, > > On Wed, Oct 23, 2019 at 09:24:50AM +0200, Tomas Janousek wrote: > > And there's something horribly wrong with the Debian build of modules, it > > seems. I wonder what else is broken on this system because of a badly signed > > module... :-/ > > I tried to investigate what's wrong with the module signature with some help > from https://unix.stackexchange.com/a/496800/11549:
Thanks for taking the time to investigate this! [...] > $ /usr/src/linux-2.6/scripts/extract-module-sig.pl -s > /lib/modules/5.3.0-1-amd64/kernel/sound/pci/hda/snd-hda-codec-hdmi.ko > >snd-hda-codec-hdmi.sig > Read 133153 bytes from module file > Found magic number at 133153 > Found PKCS#7/CMS encapsulation > Found 393 bytes of signature [3082018506092a864886f70d010702a0] > $ openssl asn1parse -inform der -in snd-hda-codec-hdmi.sig | tail -1 > 136:d=5 hl=3 l= 254 prim: OCTET STRING [HEX > DUMP]:8204A68D4EDDC44A0FB89998D7D0FF2A37351C3E9A76D42C015BD868E7A579F95F95C145D61C73F3EC54B314A297DA7E9AE9CACFBD01C0E489E35A3D05F882B01FCEA25754D704F83672841416B69C52760C758A60AF2A38B5706FC02CBEA8AAB1D6F4E82B3C9F0E163B41C0F06E9DFDC166531BBB25BECBFCD3F01097C4ABD32D90A84F3F07DDE5C508F6CCD56CA5BB5467C4D70BB5AC64D432478C4454654F4D77F9DB6EC957F3A70CF818268643F84C64E49DE88624D588B6ED6CCFF2AE8DBF1D8D724BE5EBFCFCAB96E0E47B7B70553268A5BAAC41CBA8AFA8E4A65B5F229038283D99CD2A2D13931D891DF911EF298F8BDC9488E4D07A29AD810330 [...] You can also find the detached signatures in the source package, linux-signed-amd64. For this module, the signature is: debian/signatures/linux-image-5.3.0-1-amd64-unsigned/lib/modules/5.3.0-1-amd64/kernel/sound/pci/hda/snd-hda-codec-hdmi.ko.sig and the content of that seems to match the final signed module. So the error occurred during creation of that source package by our code signing service, not during the following build process. The code signing service logs every file it signs, along with a hash of the detached signature, but I don't know where the logs are so I can't comapre with that. So far as I can see, all file I/O in the code signing process is checked so an error would cause the source package creation to fail. My suspicion is that something may have gone wrong in communication with the HSM which wasn't caught by the driver. It might be worth adding verification to the code signing service so we can catch this if it happens again. We could alternately verify signatures at the point we attach them to binaries, but that would need to be implemented in multiple places. Ben. -- Ben Hutchings Humans are not rational beings; they are rationalising beings.
signature.asc
Description: This is a digitally signed message part
