Re: kernel modules does not have signatures, so taints kernel

[Ben Hutchings]

On Wed, 2016-06-01 at 14:38 +0200, John Paul Adrian Glaubitz wrote:
> On 06/01/2016 02:34 PM, Anatoly Pugachev wrote:
> > If module signing only for Secure Boot on EFI [2], why do we have
> > it on sparc64?
> 
> Looks like an oversight to me. The kernels for the different
> architectures share
> some of the configuration, so it might just be a bug that this
> particular option
> should be set on architectures only which support SecureBoot.

It should be set for all architectures for which we provide signatures.
In practice that's only going to be architectures in the main archive,
so excluding sparc64.

As it is, the only way to avoid it is to install my patched kmod and an
experimental signature package.  And that actually isn't a very good
idea, so in practice everyone sees this error message at the moment on
all architectures.

Ben.

-- 
Ben Hutchings
To err is human; to really foul things up requires a computer.


signature.asc
Description: This is a digitally signed message part

Bug#814648: Info received (SheLoves it)

[Kenneth W. Davis]

STOP
On Jun 1, 2016 12:06, "Debian Bug Tracking System" 
wrote:

> Thank you for the additional information you have supplied regarding
> this Bug report.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
>  Debian Kernel Team 
>
> If you wish to submit further information on this problem, please
> send it to 814...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 814648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814648
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>

Re: kernel modules does not have signatures, so taints kernel

[John Paul Adrian Glaubitz]

On 06/01/2016 02:34 PM, Anatoly Pugachev wrote:
> If module signing only for Secure Boot on EFI [2], why do we have it on 
> sparc64?

Looks like an oversight to me. The kernels for the different architectures share
some of the configuration, so it might just be a bug that this particular option
should be set on architectures only which support SecureBoot.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

kernel modules does not have signatures, so taints kernel

[Anatoly Pugachev]

Ben, hello!

Can you please tell, why do we have in kernel config file:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY=""

so loading any kernel module (checked with sid/unstable with kernels
linux-image-4.5.0-2-amd64 and linux-image-4.5.0-2-sparc64-smp ) taints
kernel :

on x86_64:

mator@windrunner:~$ dmesg | grep -i taint
[1.056795] fjes: module verification failed: signature and/or
required key missing - tainting kernel
root@windrunner:/home/mator# modinfo fjes
filename:   /lib/modules/4.5.0-2-amd64/kernel/drivers/net/fjes/fjes.ko
version:1.0
license:GPL
description:FUJITSU Extended Socket Network Device Driver
author: Taku Izumi 
srcversion: C09FB90B0DA9890395D27B8
alias:  acpi*:PNP0C02:*
depends:
intree: Y
vermagic:   4.5.0-2-amd64 SMP mod_unload modversions
mator@windrunner:~$ cat /proc/sys/kernel/tainted
8192

[1] states that 8192 code is for "An unsigned module has been loaded
in a kernel supporting module signature."

on sparc64:

mator@nvg5120:~$ dmesg | grep taint
[1800486.552168] aes_sparc64: module verification failed: signature
and/or required key missing - tainting kernel
root@nvg5120:~# modinfo aes_sparc64
filename:
/lib/modules/4.5.0-2-sparc64-smp/kernel/arch/sparc/crypto/aes-sparc64.ko
alias:  crypto-aes
alias:  aes
description:Rijndael (AES) Cipher Algorithm, sparc64 aes opcode accelerated
license:GPL
alias:  of:NcpuT*Csun4vC*
alias:  of:NcpuT*Csun4v
depends:
intree: Y
vermagic:   4.5.0-2-sparc64-smp SMP mod_unload modversions

Looking at the output of modinfo, there's no lines like this (as
example of signed module):

user$ modinfo usbcore | grep '^sig'
signer: Modules
sig_key:B0:3B:5E:DB:57:00:F9:D5:D7:85:EB:2D:6F:3E:19:D3:4A:20:20:5B
sig_hashalgo:   sha512

If module signing only for Secure Boot on EFI [2], why do we have it on sparc64?

Thanks.

[1] https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
[2] 
https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html

Processed: tagging 789266

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 789266 + fixed-upstream
Bug #789266 [src:linux] HP ZBook 15 nouveau driver doesn't work for Linux 
kernel >= 4.0
Added tag(s) fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
789266: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789266
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#826004: linux: Update arcmsr to include support for newer controller types (ARC1203)

[Salvatore Bonaccorso]

Source: linux
Version: 3.16.7-ckt7-1
Severity: important
Control: fixed -1 4.5~rc4-1~exp1

Hi,

This is a request to update drivers/scsi/arcmsr to include commits up
to the 4.5-rc1 commits and include support Areca's new PCIe to SATA
RAID adapter ARC1203.

Initial proposed patchset/debdiff for the jessie brach is attached,
and review welcome.

Regards,
Salvatore
>From 1d2a1d2899d92577e12b7b4e5839059d580a0c49 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso 
Date: Wed, 1 Jun 2016 07:20:44 +0200
Subject: [PATCH] arcmsr: Backport changes up to Linux 4.5

---
 debian/changelog   |   3 +
 ...cmsr-fix-command-timeout-under-heavy-load.patch |   5 +-
 ...d-code-to-support-msi-x-and-msi-interrupt.patch |   7 +-
 ...03-arcmsr-add-code-to-support-hibernation.patch |   7 +-
 ...limit-max.-number-of-scsi-command-request.patch |   5 +-
 ...005-arcmsr-return-status-of-abort-command.patch |   2 +-
 ...arcmsr-store-adapter-type-in-pci-id-table.patch |   5 +-
 ...se-message_isr_bh_fn-to-remove-duplicate-.patch |   5 +-
 ...ove-calling-arcmsr_hbb_enable_driver_mode.patch |   5 +-
 ...fy-printing-adapter-model-number-and-f-w-.patch |   5 +-
 ...clear-outbound-doorbell-buffer-completely.patch |   5 +-
 ...011-arcmsr-rename-functions-and-variables.patch |   5 +-
 ...se-allocation-of-second-dma_coherent_hand.patch |   5 +-
 ...ioctl-data-read-write-error-for-adapter-t.patch |   5 +-
 ...014-arcmsr-fix-sparse-warnings-and-errors.patch |   5 +-
 ...0015-arcmsr-modify-some-character-strings.patch |   5 +-
 ...sr-add-support-new-adapter-arc12x4-series.patch |   5 +-
 ...-scsi_scan_host-at-the-end-of-host-initia.patch |   5 +-
 ...lify-of-updating-doneq_index-and-postq_in.patch |   5 +-
 ...019-arcmsr-simplify-ioctl-data-read-write.patch |   5 +-
 ...sr-fixed-getting-wrong-configuration-data.patch |  64 +
 ...cmsr-fixes-not-release-allocated-resource.patch |  43 
 .../0022-arcmsr-make-code-more-readable.patch  |  58 +
 ...-code-to-support-new-Areca-adapter-ARC120.patch | 113 +
 ...0024-arcmsr-changes-driver-version-number.patch |  31 +++
 ...0025-arcmsr-more-readability-improvements.patch |  99 
 ...t-dma-resource-allocation-to-a-new-functi.patch | 261 +
 ...ge-driver-version-to-v1.30.00.22-20151126.patch |  30 +++
 debian/patches/series  |  10 +-
 29 files changed, 786 insertions(+), 22 deletions(-)
 create mode 100644 debian/patches/features/all/arcmsr/0020-arcmsr-fixed-getting-wrong-configuration-data.patch
 create mode 100644 debian/patches/features/all/arcmsr/0021-arcmsr-fixes-not-release-allocated-resource.patch
 create mode 100644 debian/patches/features/all/arcmsr/0022-arcmsr-make-code-more-readable.patch
 create mode 100644 debian/patches/features/all/arcmsr/0023-arcmsr-adds-code-to-support-new-Areca-adapter-ARC120.patch
 create mode 100644 debian/patches/features/all/arcmsr/0024-arcmsr-changes-driver-version-number.patch
 create mode 100644 debian/patches/features/all/arcmsr/0025-arcmsr-more-readability-improvements.patch
 create mode 100644 debian/patches/features/all/arcmsr/0026-arcmsr-Split-dma-resource-allocation-to-a-new-functi.patch
 create mode 100644 debian/patches/features/all/arcmsr/0027-arcmsr-change-driver-version-to-v1.30.00.22-20151126.patch

diff --git a/debian/changelog b/debian/changelog
index 98964b3..7b444b7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -327,6 +327,9 @@ linux (3.16.35-1) UNRELEASED; urgency=medium
   [ Aurelien Jarno ]
   * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions.
 
+  [ Salvatore Bonaccorso ]
+  * arcmsr: Backport changes up to Linux 4.5
+
  -- Ben Hutchings   Sat, 30 Apr 2016 22:07:22 +0200
 
 linux (3.16.7-ckt25-2) jessie; urgency=medium
diff --git a/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch b/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch
index 0a3cd49..37b2c93 100644
--- a/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch
+++ b/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch
@@ -1,6 +1,6 @@
 From: Ching Huang 
 Date: Tue, 19 Aug 2014 14:18:24 +0800
-Subject: [01/19] arcmsr: fix command timeout under heavy load
+Subject: [01/27] arcmsr: fix command timeout under heavy load
 Origin: https://git.kernel.org/linus/6b3937227479e50032112faf74bd913f36dba2c6
 Bug-Debian: https://bugs.debian.org/698821
 
@@ -279,3 +279,6 @@ index b13764c..506fe7b 100644
  }
  
  static void arcmsr_iop_parking(struct AdapterControlBlock *acb)
+-- 
+2.8.1
+
diff --git a/debian/patches/features/all/arcmsr/0002-arcmsr-add-code-to-support-msi-x-and-msi-interrupt.patch b/debian/patches/features/all/arcmsr/0002-arcmsr-add-code-to-support-msi-x-and-msi-interrupt.patch
index ffcebf1..31c46c2 100644
--- 

Processed: linux: Update arcmsr to include support for newer controller types (ARC1203)

[Debian Bug Tracking System]

Processing control commands:

> fixed -1 4.5~rc4-1~exp1
Bug #826004 [src:linux] linux: Update arcmsr to include support for newer 
controller types (ARC1203)
Marked as fixed in versions linux/4.5~rc4-1~exp1.

-- 
826004: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826004
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#785606: linux-image-4.0.0-1-amd64: DragonRise joystick support broken in 4.0.2-1

[Florent Rougon]

Update:
  - upstream kernel 4.3.3 (most probably Debian also) and many kernels
(probably all) between, at least and inclusive on both ends, versions
4.0.2 and 4.3.3 are affected by this bug;
  - upstream kernel 4.5.5 is *not affected*; Debian kernels 4.5.4-1 and
4.5.5-1 are *not affected* either (the axes numbers have changed
since 3.16.7, I believe, but this is a minor inconvenience);
  - Benjamin Tissoires replied to me;
  - why recent kernels are not affected is still unclear, because the
code from commit 79346d620e9de87912de73337f6df8b7f9a46888 is still
there---I imagine that some change between 4.3.3 and 4.5.4 maybe
causes the DragonRise joypad to use a code path that doesn't go
through the lines added by said commit;
  - I offered to build a patched kernel with debug statements to clarify
this point.

-- 
Florent

Bug#814648: linux kernel backports broken

[Holger Levsen]

On Tue, May 31, 2016 at 10:30:53PM +0200, Christian Seiler wrote:
> This is not an issue with the package build, but with pbuilder (and by
> extension) cowbuilder only supprt the build profile syntax with
> 0.215+nmu4, whereas Jessie only has 0.215+nmu3. So if you either use
> pbuilder from testing/sid

FYI: pbuilder 0.224~bpo8+1 is also available in jessie-backports.


-- 
cheers,
Holger


signature.asc
Description: Digital signature

Bug#814648: linux kernel backports broken

[Hector Oron]

Hello again,

2016-05-31 22:15 GMT+02:00 Antoine Beaupré :
> On 2016-05-31 16:01:46, Hector Oron wrote:
>> El 31 may. 2016 9:56 p. m., "Antoine Beaupré"  escribió:

>>> cp: impossible d'évaluer « /boot/initrd.img-4.5.0-0.bpo.2-amd64 »: Aucun
>> fichier ou dossier de ce type

> vmlinuz(/boot/vmlinuz-4.5.0-0.bpo.2-amd64
> ) points to /boot/vmlinuz-4.5.0-0.bpo.2-amd64
>  (/boot/vmlinuz-4.5.0-0.bpo.2-amd64) -- doing nothing at 
> /var/lib/dpkg/info/linux-image-4.5.0-0.bpo.2-amd64.postinst line 256.
> cp: cannot stat '/boot/initrd.img-4.5.0-0.bpo.2-amd64': No such file or 
> directory
> Failed to copy /boot/initrd.img-4.5.0-0.bpo.2-amd64 to /initrd.img .
> dpkg: error processing package linux-image-4.5.0-0.bpo.2-amd64 (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  linux-image-4.5.0-0.bpo.2-amd64
> needrestart is being skipped since dpkg has failed
> E: Sub-process /usr/bin/dpkg returned an error code (1)

What is the space left on your boot partition, do you have enough space in it?

Regards,
--
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.

Bug#814648: linux kernel backports broken

[Hector Oron]

Hello,

2016-05-31 22:12 GMT+02:00 Antoine Beaupré :
> Also, it seems impossible to rebuild the backport from source:
>
> [1060]anarcat@angela:dist$ sudo DIST=jessie ARCH=amd64 cowbuilder --build  
> linux_4.5.4-1~bpo8+1.dsc
[...]
>  build-dependencies of the package being currently built.
> Depends: debhelper, python3:any, quilt, cpio  [...]

> dpkg-deb: error: parsing file 
> '/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy/DEBIAN/control' 
> near line 8 package 'pbuilder-satisfydepends-dummy':
>  `Depends' field, syntax error after reference to package `cpio'

I think that might be different issue, pbuilder-satisfydepends-dummy
does not seem to be able to resolve build profiles such 
pbuilder does seem to be broken.

> with dpkg-buildpackage, it's a little better, but the dependency for
> kernel-wedge is off too.

kernel-wedge needs to be installed from backports
kernel-wedge | 2.93~bpo8+1   | jessie-backports | source, all

Of course, do not expect apt update to cope with it, you'll need to
install it explicetly per backports design

Regards,
-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.

Re: LTS kernel in jessie-backports

[Ben Hutchings]

On Tue, 2016-05-31 at 23:33 -0400, Nicholas D Steeves wrote:
> On 24 May 2016 at 22:23, Ben Hutchings  wrote:
> > On Tue, 2016-05-24 at 21:51 -0400, Nicholas D Steeves wrote:
> > > Dear Debian Kernel Team,
> > > 
> > > My primary area of interest is btrfs on Debian.  The most reliable way
> > > of limiting one's risk while using this experimental file system is to
> > > run the most recent LTS kernel, and to minimize the use of exotic
> > > features, or in some cases not use them at all (eg: RAID56 which
> > > doesn't yet have proven scrub/self healing support).  In the interest
> > > of providing the most stable btrfs experience to users of Debian
> > > stable, would it be possible to fork the jessie-backport of src:linux
> > > from 4.4.6-1, update it to 4.4.11-1, and then continue to maintain the
> > > branch?
> > > 
> > > I believe I am underqualified to maintain it myself, but if it would
> > > be sufficient to learn the workflow of patch-level updates to the
> > > src:linux-derived package, then I might be able to help with the
> > > effort.
> > 
> > That's not how Debian backports suites work, sorry.
> 
> Am I correct in understanding that it's also impossible to get
> src:linux-4.4 and btrfs-progs-4.4 into jessie-updates?

Correct.

Ben.

-- 
Ben Hutchings
To err is human; to really foul things up requires a computer.


signature.asc
Description: This is a digitally signed message part