Public bug reported:

Impact: When testing patches for bug 1834476, a bug was observed whereby
modprobe was sometimes attempting to load the unsigned nvidia modules in
/lib/modules/$(uname -r)/kernel/nvidia-N/bits rather than the signed
modules from /lib/modules/$(uname -r)/kernel/nvidia-N. This appears to
be because depmod is not deterministic in which module will be preferred
when duplicate modules of the same name exist.

Fix: The unsigned modules are no longer needed after the signed modules
have been generated, so update the build script to remove the unsigned
modules.

Test Case: Confirm that the ko files are found in /lib/modules/$(uname
-r)/kernel/nvidia-N but not in /lib/modules/$(uname
-r)/kernel/nvidia-N/bits. Confirm that the modules are signed and
loadable by the kernel under lockdown (or when booted with
modules.sig_enforce=y), and that modprobe consistently loads the modules
from the expected path after depmod.

Regression Potential: The modules being removed are an intermediate
build artifact and not meant to be loaded, so no regressions are
expected. However, if for some reason linking the intermediate unsigned
module was successful but generation of the signed module was not, the
user would have been left with a module that could potentially be loaded
(if not booted under UEFI secure boot) and would now be left with no
modules. This is not the intended behavior and never occurred in my
testing, so it's not a case we should be concerned about.

** Affects: linux (Ubuntu)
     Importance: Medium
     Assignee: Seth Forshee (sforshee)
         Status: Fix Committed

** Affects: linux (Ubuntu Disco)
     Importance: Medium
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

** Also affects: linux (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Disco)
       Status: New => In Progress

** Changed in: linux (Ubuntu Disco)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Disco)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Summary changed:

- depmod may prefer unsigne l-r-m nvidia modules to signed modules
+ depmod may prefer unsigned l-r-m nvidia modules to signed modules

** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1834479

Title:
  depmod may prefer unsigned l-r-m nvidia modules to signed modules

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Disco:
  In Progress
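
The checks from the Test Case above, written as a script. This is an added example, not part of the bug report or of the Ubuntu build scripts. It assumes an uncompressed `.ko` tree with a `modules.dep` written by depmod, and its function names are hypothetical. The signature check only detects the appended-signature marker; it does not verify the signature or replace a load test under lockdown.

```shell
#!/bin/sh
# Added example: audit a module tree for the duplicate-module condition
# described in this bug. Function names are hypothetical.
# Usage: sh audit.sh "/lib/modules/$(uname -r)" nvidia-N

MAGIC='~Module signature appended~'   # marker that ends a signed module file

# has_sig_trailer FILE: true when FILE ends with the marker plus newline.
# Presence check only; the signature itself is not validated here.
has_sig_trailer() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\0')" = "$MAGIC" ]
}

# duplicate_modules ROOT: print module file names found more than once.
duplicate_modules() {
    find "$1/kernel" -type f -name '*.ko' | sed 's|.*/||' | sort | uniq -d
}

# dep_path ROOT NAME: print the path modules.dep records for NAME.ko,
# i.e. the file modprobe would resolve after depmod has run.
dep_path() {
    sed -n "s|^\(.*/$2\.ko\):.*|\1|p" "$1/modules.dep" | head -n 1
}

# audit_tree ROOT DIR: return 0 only if DIR holds signed modules, DIR/bits
# holds none, and modules.dep resolves every module to DIR.
audit_tree() {
    root=$1 dir=$1/kernel/$2 rc=0
    if [ -n "$(find "$dir/bits" -name '*.ko' 2>/dev/null)" ]; then
        echo "FAIL: .ko files remain under $dir/bits"; rc=1
    fi
    for ko in "$dir"/*.ko; do
        [ -e "$ko" ] || { echo "FAIL: no modules in $dir"; return 1; }
        has_sig_trailer "$ko" || { echo "FAIL: no signature on $ko"; rc=1; }
        name=$(basename "$ko" .ko)
        [ "$(dep_path "$root" "$name")" = "kernel/$2/$name.ko" ] ||
            { echo "FAIL: modules.dep resolves $name elsewhere"; rc=1; }
    done
    [ -z "$(duplicate_modules "$root")" ] ||
        { echo "FAIL: duplicate module names in $root"; rc=1; }
    return $rc
}

if [ $# -eq 2 ]; then audit_tree "$1" "$2"; fi
```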

