On 17.05.2015 09:59, poma wrote:
> On 16.05.2015 20:04, Sérgio Basto wrote:
>> On Sáb, 2015-05-16 at 18:40 +0200, poma wrote:
>>> On 13.05.2015 21:52, jd1008 wrote:
>>>>
>>>>
>>>> On 05/13/2015 01:43 PM, Frank Mehnert wrote:
>>>>> Hi Joe,
>>>>>
>>>>> On Wednesday 13 May 2015 13:28:03 jd1008 wrote:
>>>>>> Thank you for this update.
>>>>>>
>>>>>> I was wondering why Oracle no longer builds VB
>>>>>> for the latest release of Fedora.
>>>>>
>>>>> VirtualBox 4.3.28 is built in a Fedora 18 chroot. We have tested this
>>>>> package works well in Fedora 21. This is also stated on the download
>>>>> page and there is also a Fedora 21 repository containing that package.
>>>>> The repository is not yet up-to-date, this will finish during the next
>>>>> hour. Once Fedora 22 is released we will test VirtualBox on this Linux
>>>>> distribution and then decide if we need to set up a F22 chroot or if
>>>>> the F18 chroot will still make it.
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Frank
>>>> Thank you Dr. Mehnert.
>>>> I thought that every Fedora kernel is compiled to only accept
>>>> modules that were compiled for the specific kernel version
>>>> of the Fedora release version.
>>> ...
>>>
>>> Fedora kernels are configured to drive in "permissive" mode,
>>> e.g.
>>>
>>> $ grep CONFIG_MODULE_SIG_FORCE /boot/config-4.0.3-202.fc21.x86_64
>>> # CONFIG_MODULE_SIG_FORCE is not set
>>>
>>> therefore, properly signed *and* unsigned modules are loadable,
>>> e.g.
>>>
>>> - unsigned:
>>>
>>> $ modinfo vboxdrv
>>> filename:       /lib/modules/4.0.3-202.fc21.x86_64/extra/vboxdrv.ko
>>> version:        4.3.28 (0x001a000a)
>>> license:        GPL
>>> description:    Oracle VM VirtualBox Support Driver
>>> author:         Oracle Corporation
>>> srcversion:     CB0F241526E12BE494014CF
>>> depends:
>>> vermagic:       4.0.3-202.fc21.x86_64 SMP mod_unload
>>> parm:           force_async_tsc:force the asynchronous TSC mode (int)
>>>
>>>
>>> # sign-file -v sha256 signing_key.priv signing_key.x509
>>> /lib/modules/4.0.3-202.fc21.x86_64/extra/vboxdrv.ko
>>> Size of unsigned module: 490384
>>> Size of signer's name  : 25
>>> Size of key identifier : 20
>>> Size of signature      : 514
>>> Size of information    : 12
>>> Size of magic number   : 28
>>> Signer's name          : 'Fedora kernel signing key'
>>> Digest                 : sha256
>>>
>>> - properly signed:
>>>
>>> $ modinfo vboxdrv
>>> filename:       /lib/modules/4.0.3-202.fc21.x86_64/extra/vboxdrv.ko
>>> version:        4.3.28 (0x001a000a)
>>> license:        GPL
>>> description:    Oracle VM VirtualBox Support Driver
>>> author:         Oracle Corporation
>>> srcversion:     CB0F241526E12BE494014CF
>>> depends:
>>> vermagic:       4.0.3-202.fc21.x86_64 SMP mod_unload
>>> signer:         Fedora kernel signing key
>>> sig_key:        95:7D:C8:E5:9F:5D:E6:03:71:49:1A:D0:9A:C6:8F:85:16:6C:B3:94
>>> sig_hashalgo:   sha256
>>> parm:           force_async_tsc:force the asynchronous TSC mode (int)
>>>
>>>
>>> $ dmesg -t | grep -i X.*509
>>> Asymmetric key parser 'x509' registered
>>> Loading compiled-in X.509 certificates
>>> Loaded X.509 cert 'Fedora kernel signing key:
>>> 957dc8e59f5de60371491ad09ac68f85166cb394'
>>>
>>>
>>> Ref.
>>> https://www.kernel.org/doc/Documentation/module-signing.txt
>>
>> I have to check this, "therefore, properly signed *and* unsigned modules
>> are loadable" seems not totally correct:
>>
>
> It is totally correct here, on the BIOS machine.
>
>
>
>> https://ask.fedoraproject.org/en/question/65473/virtualbox-error/
>>
>> "Virtualbox will not work with secure boot enabled
>> because it relies on its own kernel modules being loaded, which they
>> cannot due to secure boot"
>>
>> I have to check if we can sign kmod on RPMFusion, if it is
>> packageable? Have you any clue on this matter?
>>
>> Thanks,
>>
>
> I cannot comment on UEFI/Secure Boot.
>
> Take into account, this is a Fedora kernel (additional patches) *rebuild*,
> so the files required for signing process are *regenerated*.
>
> ...
> ###
> ### Now generating an X.509 key pair to be used for signing modules.
> ###
> ### If this takes a long time, you might wish to run rngd in the
> ### background to keep the supply of entropy topped up. It
> ### needs to be run as root, and uses a hardware random
> ### number generator if one is available.
> ###
> Generating a 4096 bit RSA private key
> .....................++
> ...........................................................................................................++
> writing new private key to 'signing_key.priv'
> -----
> ###
> ### Key pair generated.
> ###
> ...
>
>

For the sake of clarity, the key generation configuration file engaged is the one shipped within the Fedora kernel source package:
http://pkgs.fedoraproject.org/cgit/kernel.git/tree/x509.genkey

Ref.
https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Building_the_kernel_with_proper_keys

_______________________________________________
VBox-users-community mailing list
VBox-users-community@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/vbox-users-community
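
Added example, not part of the original thread and not code from the kernel or VirtualBox projects: a Python check that reads the trailer `sign-file -v` reports above (signer's name, key identifier, signature, 12-byte information block, 28-byte magic) to tell a signed module file from an unsigned one, plus a reader for the CONFIG_MODULE_SIG_FORCE line. It only parses the layout and does not verify the signature; the function names and the zero-filled sample are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

MAGIC = b"~Module signature appended~\n"  # 28-byte end marker
INFO = struct.Struct(">5B3xI")  # 12-byte info block, big-endian sig_len

class Trailer(NamedTuple):
    unsigned_size: int
    signer: bytes
    key_id: bytes
    sig_len: int

def parse_trailer(blob: bytes) -> Optional[Trailer]:
    """Return the appended-signature fields, or None for an unsigned module."""
    if not blob.endswith(MAGIC):
        return None
    info_at = len(blob) - len(MAGIC) - INFO.size
    if info_at < 0:
        raise ValueError("truncated info block")
    # algo, hash and id_type are read but not interpreted here.
    _algo, _hash, _id_type, name_len, kid_len, sig_len = INFO.unpack_from(blob, info_at)
    start = info_at - (name_len + kid_len + sig_len)
    if start < 0:
        raise ValueError("trailer lengths exceed file size")
    signer = blob[start:start + name_len]
    key_id = blob[start + name_len:start + name_len + kid_len]
    return Trailer(start, signer, key_id, sig_len)

def sig_force_set(config_text: str) -> bool:
    """True only if the build config enables CONFIG_MODULE_SIG_FORCE."""
    return any(line.strip() == "CONFIG_MODULE_SIG_FORCE=y"
               for line in config_text.splitlines())

def constructed_sample() -> bytes:
    """Constructed stand-in: zero bytes sized like the thread's vboxdrv.ko."""
    signer = b"Fedora kernel signing key"
    key_id = bytes.fromhex("957dc8e59f5de60371491ad09ac68f85166cb394")
    sig = bytes(514)  # placeholder, not a real signature
    # 1, 4, 1 are constructed algo/hash/id_type bytes for the sample.
    info = INFO.pack(1, 4, 1, len(signer), len(key_id), len(sig))
    return bytes(490384) + signer + key_id + sig + info + MAGIC

if __name__ == "__main__":
    t = parse_trailer(constructed_sample())
    print(t.unsigned_size, t.signer.decode(), t.key_id.hex(":"), t.sig_len)
    print(sig_force_set("# CONFIG_MODULE_SIG_FORCE is not set\n"))
```

A None result combined with an unset CONFIG_MODULE_SIG_FORCE corresponds to the "unsigned but loadable" case shown in the thread; the build option is only one input, as the Secure Boot question in the thread indicates.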