Re: kernel modules does not have signatures, so taints kernel
On Wed, 2016-06-01 at 14:38 +0200, John Paul Adrian Glaubitz wrote: > On 06/01/2016 02:34 PM, Anatoly Pugachev wrote: > > If module signing only for Secure Boot on EFI [2], why do we have > > it on sparc64? > > Looks like an oversight to me. The kernels for the different > architectures share > some of the configuration, so it might just be a bug that this > particular option > should be set on architectures only which support SecureBoot. It should be set for all architectures for which we provide signatures. In practice that's only going to be architectures in the main archive, so excluding sparc64. As it is, the only way to avoid it is to install my patched kmod and an experimental signature package. And that actually isn't a very good idea, so in practice everyone sees this error message at the moment on all architectures. Ben. -- Ben Hutchings To err is human; to really foul things up requires a computer. signature.asc Description: This is a digitally signed message part
Bug#814648: Info received (SheLoves it)
STOP On Jun 1, 2016 12:06, "Debian Bug Tracking System"wrote: > Thank you for the additional information you have supplied regarding > this Bug report. > > This is an automatically generated reply to let you know your message > has been received. > > Your message is being forwarded to the package maintainers and other > interested parties for their attention; they will reply in due course. > > Your message has been sent to the package maintainer(s): > Debian Kernel Team > > If you wish to submit further information on this problem, please > send it to 814...@bugs.debian.org. > > Please do not send mail to ow...@bugs.debian.org unless you wish > to report a problem with the Bug-tracking system. > > -- > 814648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814648 > Debian Bug Tracking System > Contact ow...@bugs.debian.org with problems >
Re: kernel modules does not have signatures, so taints kernel
On 06/01/2016 02:34 PM, Anatoly Pugachev wrote: > If module signing only for Secure Boot on EFI [2], why do we have it on > sparc64? Looks like an oversight to me. The kernels for the different architectures share some of the configuration, so it might just be a bug that this particular option should be set on architectures only which support SecureBoot. Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
kernel modules does not have signatures, so taints kernel
Ben, hello! Can you please tell, why do we have in kernel config file: CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_KEY="" so loading any kernel module (checked with sid/unstable with kernels linux-image-4.5.0-2-amd64 and linux-image-4.5.0-2-sparc64-smp ) taints kernel : on x86_64: mator@windrunner:~$ dmesg | grep -i taint [1.056795] fjes: module verification failed: signature and/or required key missing - tainting kernel root@windrunner:/home/mator# modinfo fjes filename: /lib/modules/4.5.0-2-amd64/kernel/drivers/net/fjes/fjes.ko version:1.0 license:GPL description:FUJITSU Extended Socket Network Device Driver author: Taku Izumisrcversion: C09FB90B0DA9890395D27B8 alias: acpi*:PNP0C02:* depends: intree: Y vermagic: 4.5.0-2-amd64 SMP mod_unload modversions mator@windrunner:~$ cat /proc/sys/kernel/tainted 8192 [1] states that 8192 code is for "An unsigned module has been loaded in a kernel supporting module signature." on sparc64: mator@nvg5120:~$ dmesg | grep taint [1800486.552168] aes_sparc64: module verification failed: signature and/or required key missing - tainting kernel root@nvg5120:~# modinfo aes_sparc64 filename: /lib/modules/4.5.0-2-sparc64-smp/kernel/arch/sparc/crypto/aes-sparc64.ko alias: crypto-aes alias: aes description:Rijndael (AES) Cipher Algorithm, sparc64 aes opcode accelerated license:GPL alias: of:NcpuT*Csun4vC* alias: of:NcpuT*Csun4v depends: intree: Y vermagic: 4.5.0-2-sparc64-smp SMP mod_unload modversions Looking at the output of modinfo, there's no lines like this (as example of signed module): user$ modinfo usbcore | grep '^sig' signer: Modules sig_key:B0:3B:5E:DB:57:00:F9:D5:D7:85:EB:2D:6F:3E:19:D3:4A:20:20:5B sig_hashalgo: sha512 If module signing only for Secure Boot on EFI [2], why do we have it on sparc64? Thanks. [1] https://www.kernel.org/doc/Documentation/sysctl/kernel.txt [2] https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html
Processed: tagging 789266
Processing commands for cont...@bugs.debian.org: > tags 789266 + fixed-upstream Bug #789266 [src:linux] HP ZBook 15 nouveau driver doesn't work for Linux kernel >= 4.0 Added tag(s) fixed-upstream. > thanks Stopping processing here. Please contact me if you need assistance. -- 789266: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789266 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826004: linux: Update arcmsr to include support for newer controller types (ARC1203)
Source: linux Version: 3.16.7-ckt7-1 Severity: important Control: fixed -1 4.5~rc4-1~exp1 Hi, This is a request to update drivers/scsi/arcmsr to include commits up to the 4.5-rc1 commits and include support Areca's new PCIe to SATA RAID adapter ARC1203. Initial proposed patchset/debdiff for the jessie brach is attached, and review welcome. Regards, Salvatore >From 1d2a1d2899d92577e12b7b4e5839059d580a0c49 Mon Sep 17 00:00:00 2001 From: Salvatore BonaccorsoDate: Wed, 1 Jun 2016 07:20:44 +0200 Subject: [PATCH] arcmsr: Backport changes up to Linux 4.5 --- debian/changelog | 3 + ...cmsr-fix-command-timeout-under-heavy-load.patch | 5 +- ...d-code-to-support-msi-x-and-msi-interrupt.patch | 7 +- ...03-arcmsr-add-code-to-support-hibernation.patch | 7 +- ...limit-max.-number-of-scsi-command-request.patch | 5 +- ...005-arcmsr-return-status-of-abort-command.patch | 2 +- ...arcmsr-store-adapter-type-in-pci-id-table.patch | 5 +- ...se-message_isr_bh_fn-to-remove-duplicate-.patch | 5 +- ...ove-calling-arcmsr_hbb_enable_driver_mode.patch | 5 +- ...fy-printing-adapter-model-number-and-f-w-.patch | 5 +- ...clear-outbound-doorbell-buffer-completely.patch | 5 +- ...011-arcmsr-rename-functions-and-variables.patch | 5 +- ...se-allocation-of-second-dma_coherent_hand.patch | 5 +- ...ioctl-data-read-write-error-for-adapter-t.patch | 5 +- ...014-arcmsr-fix-sparse-warnings-and-errors.patch | 5 +- ...0015-arcmsr-modify-some-character-strings.patch | 5 +- ...sr-add-support-new-adapter-arc12x4-series.patch | 5 +- ...-scsi_scan_host-at-the-end-of-host-initia.patch | 5 +- ...lify-of-updating-doneq_index-and-postq_in.patch | 5 +- ...019-arcmsr-simplify-ioctl-data-read-write.patch | 5 +- ...sr-fixed-getting-wrong-configuration-data.patch | 64 + ...cmsr-fixes-not-release-allocated-resource.patch | 43 .../0022-arcmsr-make-code-more-readable.patch | 58 + ...-code-to-support-new-Areca-adapter-ARC120.patch | 113 + ...0024-arcmsr-changes-driver-version-number.patch | 31 +++ ...0025-arcmsr-more-readability-improvements.patch | 99 ...t-dma-resource-allocation-to-a-new-functi.patch | 261 + ...ge-driver-version-to-v1.30.00.22-20151126.patch | 30 +++ debian/patches/series | 10 +- 29 files changed, 786 insertions(+), 22 deletions(-) create mode 100644 debian/patches/features/all/arcmsr/0020-arcmsr-fixed-getting-wrong-configuration-data.patch create mode 100644 debian/patches/features/all/arcmsr/0021-arcmsr-fixes-not-release-allocated-resource.patch create mode 100644 debian/patches/features/all/arcmsr/0022-arcmsr-make-code-more-readable.patch create mode 100644 debian/patches/features/all/arcmsr/0023-arcmsr-adds-code-to-support-new-Areca-adapter-ARC120.patch create mode 100644 debian/patches/features/all/arcmsr/0024-arcmsr-changes-driver-version-number.patch create mode 100644 debian/patches/features/all/arcmsr/0025-arcmsr-more-readability-improvements.patch create mode 100644 debian/patches/features/all/arcmsr/0026-arcmsr-Split-dma-resource-allocation-to-a-new-functi.patch create mode 100644 debian/patches/features/all/arcmsr/0027-arcmsr-change-driver-version-to-v1.30.00.22-20151126.patch diff --git a/debian/changelog b/debian/changelog index 98964b3..7b444b7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -327,6 +327,9 @@ linux (3.16.35-1) UNRELEASED; urgency=medium [ Aurelien Jarno ] * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions. + [ Salvatore Bonaccorso ] + * arcmsr: Backport changes up to Linux 4.5 + -- Ben Hutchings Sat, 30 Apr 2016 22:07:22 +0200 linux (3.16.7-ckt25-2) jessie; urgency=medium diff --git a/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch b/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch index 0a3cd49..37b2c93 100644 --- a/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch +++ b/debian/patches/features/all/arcmsr/0001-arcmsr-fix-command-timeout-under-heavy-load.patch @@ -1,6 +1,6 @@ From: Ching Huang Date: Tue, 19 Aug 2014 14:18:24 +0800 -Subject: [01/19] arcmsr: fix command timeout under heavy load +Subject: [01/27] arcmsr: fix command timeout under heavy load Origin: https://git.kernel.org/linus/6b3937227479e50032112faf74bd913f36dba2c6 Bug-Debian: https://bugs.debian.org/698821 @@ -279,3 +279,6 @@ index b13764c..506fe7b 100644 } static void arcmsr_iop_parking(struct AdapterControlBlock *acb) +-- +2.8.1 + diff --git a/debian/patches/features/all/arcmsr/0002-arcmsr-add-code-to-support-msi-x-and-msi-interrupt.patch b/debian/patches/features/all/arcmsr/0002-arcmsr-add-code-to-support-msi-x-and-msi-interrupt.patch index ffcebf1..31c46c2 100644 ---
Processed: linux: Update arcmsr to include support for newer controller types (ARC1203)
Processing control commands: > fixed -1 4.5~rc4-1~exp1 Bug #826004 [src:linux] linux: Update arcmsr to include support for newer controller types (ARC1203) Marked as fixed in versions linux/4.5~rc4-1~exp1. -- 826004: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826004 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#785606: linux-image-4.0.0-1-amd64: DragonRise joystick support broken in 4.0.2-1
Update: - upstream kernel 4.3.3 (most probably Debian also) and many kernels (probably all) between, at least and inclusive on both ends, versions 4.0.2 and 4.3.3 are affected by this bug; - upstream kernel 4.5.5 is *not affected*; Debian kernels 4.5.4-1 and 4.5.5-1 are *not affected* either (the axes numbers have changed since 3.16.7, I believe, but this is a minor inconvenience); - Benjamin Tissoires replied to me; - why recent kernels are not affected is still unclear, because the code from commit 79346d620e9de87912de73337f6df8b7f9a46888 is still there---I imagine that some change between 4.3.3 and 4.5.4 maybe causes the DragonRise joypad to use a code path that doesn't go through the lines added by said commit; - I offered to build a patched kernel with debug statements to clarify this point. -- Florent
Bug#814648: linux kernel backports broken
On Tue, May 31, 2016 at 10:30:53PM +0200, Christian Seiler wrote: > This is not an issue with the package build, but with pbuilder (and by > extension) cowbuilder only supprt the build profile syntax with > 0.215+nmu4, whereas Jessie only has 0.215+nmu3. So if you either use > pbuilder from testing/sid FYI: pbuilder 0.224~bpo8+1 is also available in jessie-backports. -- cheers, Holger signature.asc Description: Digital signature
Bug#814648: linux kernel backports broken
Hello again, 2016-05-31 22:15 GMT+02:00 Antoine Beaupré: > On 2016-05-31 16:01:46, Hector Oron wrote: >> El 31 may. 2016 9:56 p. m., "Antoine Beaupré" escribió: >>> cp: impossible d'évaluer « /boot/initrd.img-4.5.0-0.bpo.2-amd64 »: Aucun >> fichier ou dossier de ce type > vmlinuz(/boot/vmlinuz-4.5.0-0.bpo.2-amd64 > ) points to /boot/vmlinuz-4.5.0-0.bpo.2-amd64 > (/boot/vmlinuz-4.5.0-0.bpo.2-amd64) -- doing nothing at > /var/lib/dpkg/info/linux-image-4.5.0-0.bpo.2-amd64.postinst line 256. > cp: cannot stat '/boot/initrd.img-4.5.0-0.bpo.2-amd64': No such file or > directory > Failed to copy /boot/initrd.img-4.5.0-0.bpo.2-amd64 to /initrd.img . > dpkg: error processing package linux-image-4.5.0-0.bpo.2-amd64 (--configure): > subprocess installed post-installation script returned error exit status 1 > Errors were encountered while processing: > linux-image-4.5.0-0.bpo.2-amd64 > needrestart is being skipped since dpkg has failed > E: Sub-process /usr/bin/dpkg returned an error code (1) What is the space left on your boot partition, do you have enough space in it? Regards, -- Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#814648: linux kernel backports broken
Hello, 2016-05-31 22:12 GMT+02:00 Antoine Beaupré: > Also, it seems impossible to rebuild the backport from source: > > [1060]anarcat@angela:dist$ sudo DIST=jessie ARCH=amd64 cowbuilder --build > linux_4.5.4-1~bpo8+1.dsc [...] > build-dependencies of the package being currently built. > Depends: debhelper, python3:any, quilt, cpio [...] > dpkg-deb: error: parsing file > '/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy/DEBIAN/control' > near line 8 package 'pbuilder-satisfydepends-dummy': > `Depends' field, syntax error after reference to package `cpio' I think that might be different issue, pbuilder-satisfydepends-dummy does not seem to be able to resolve build profiles such pbuilder does seem to be broken. > with dpkg-buildpackage, it's a little better, but the dependency for > kernel-wedge is off too. kernel-wedge needs to be installed from backports kernel-wedge | 2.93~bpo8+1 | jessie-backports | source, all Of course, do not expect apt update to cope with it, you'll need to install it explicetly per backports design Regards, -- Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Re: LTS kernel in jessie-backports
On Tue, 2016-05-31 at 23:33 -0400, Nicholas D Steeves wrote: > On 24 May 2016 at 22:23, Ben Hutchingswrote: > > On Tue, 2016-05-24 at 21:51 -0400, Nicholas D Steeves wrote: > > > Dear Debian Kernel Team, > > > > > > My primary area of interest is btrfs on Debian. The most reliable way > > > of limiting one's risk while using this experimental file system is to > > > run the most recent LTS kernel, and to minimize the use of exotic > > > features, or in some cases not use them at all (eg: RAID56 which > > > doesn't yet have proven scrub/self healing support). In the interest > > > of providing the most stable btrfs experience to users of Debian > > > stable, would it be possible to fork the jessie-backport of src:linux > > > from 4.4.6-1, update it to 4.4.11-1, and then continue to maintain the > > > branch? > > > > > > I believe I am underqualified to maintain it myself, but if it would > > > be sufficient to learn the workflow of patch-level updates to the > > > src:linux-derived package, then I might be able to help with the > > > effort. > > > > That's not how Debian backports suites work, sorry. > > Am I correct in understanding that it's also impossible to get > src:linux-4.4 and btrfs-progs-4.4 into jessie-updates? Correct. Ben. -- Ben Hutchings To err is human; to really foul things up requires a computer. signature.asc Description: This is a digitally signed message part