This has been broken for almost two years; the signature format switched to PKCS#7 and modinfo doesn't support it. It's not as simple as just patching kmod because evidently the kernel change regressed or disrespected the relevent structure in the modules in a way that makes it impossible for kmod to even make sense of. Details here: https://github.com/coreos/bugs/issues/1054
-David On Wed, Apr 11, 2018 at 4:39 PM, Ben Mezger <[email protected]> wrote: > Greetings, > > I have enabled module signature verification on my kernel, and it does > seem to be enabled upon boot: > > $ dmesg | grep -i 'x.*509' > [ 1.259988] Asymmetric key parser 'x509' registered > [ 1.811026] Loading compiled-in X.509 certificates > [ 1.813833] Loaded X.509 cert 'Build time autogenerated kernel key: > 77e716fc52a6293567d953cd24a5977e55b41a5e' > > and doing a cat /proc/keys seems to show the key enabled: > > $ cat /proc/keys > ... > 37c67374 I------ 1 perm 1f030000 0 0 asymmetri Build time > autogenerated kernel key: 77e716fc52a6293567d953cd24a5977e55b41a5e: > X509.rsa 55b41a5e [] > ... > > However, if I do a modinfo to see the key on a module, it seems empty: > > $modinfo ntfs > filename: /lib/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko > license: GPL > version: 2.1.32 > description: NTFS 1.2/3.x driver - Copyright (c) 2001-2014 Anton > Altaparmakov and Tuxera Inc. > author: Anton Altaparmakov <[email protected]> > alias: fs-ntfs > srcversion: 0D7ACE93F603E9350827FB8 > depends: > intree: Y > vermagic: 4.9.76-gentoo-r1 SMP mod_unload > signat: PKCS#7 > signer: > sig_key: > sig_hashalgo: md4 > > And hex dump does show me the digital signature appended at the end: > > $ hexdump -C /lib64/modules/4.9.76-gentoo-r1/kernel/fs/ntfs/ntfs.ko| tail > 0004e8c0 e3 dd 54 9d 5e f1 1a 12 56 47 4e 54 91 b9 fa ce > |..T.^...VGNT....| > 0004e8d0 e6 01 db 37 eb 83 f3 77 10 f0 b5 f8 11 fd 4e 86 > |...7...w......N.| > 0004e8e0 6c 81 8a 61 c2 15 6d 5a 35 93 8b 33 c0 32 2f e4 > |l..a..mZ5..3.2/.| > 0004e8f0 8c 15 71 de c8 c5 39 58 cc e8 65 e1 be 36 e6 02 > |..q...9X..e..6..| > 0004e900 b0 75 b5 a2 73 d8 4d 22 e7 2f 53 1f 42 fb ee 58 > |.u..s.M"./S.B..X| > 0004e910 f2 65 44 13 26 30 7b 31 1c 58 12 5a f2 5d b1 45 > |.eD.&0{1.X.Z.].E| > 0004e920 3a f0 a5 79 74 f4 00 00 02 00 00 00 00 00 00 00 > |:..yt...........| > 0004e930 02 9e 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 |..~Module > signat| > 0004e940 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ure > appended~.| > 0004e94e > > My question is: why doesn't modinfo show me the key fingerprint? > > -- > Kind regards, > Met een vriendelijke groet, > > Ben Mezger > https://seds.nl > PGP: C473 DDC9 D1B1 40AF 2051 1CF6 18C4 6052 1688 92F7 > >
