Re: [CentOS] signing modules

2020-03-16 Thread Phil Perry

On 16/03/2020 20:23, Jerry Geis wrote:

Ok, I tried signing a module... Did not work.

+ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER
-out MOK.der -nodes -days 36500 -subj '/CN=dahdi Modules/'
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to 'MOK.priv'
-
++ uname -r
++ modinfo -n dahdi
+ /usr/src/kernels/3.10.0-1062.12.1.el7.x86_64/scripts/sign-file sha256
./MOK.priv ./MOK.der /lib/modules/3.10.0-1062.12.1.el7.x86_64/dahdi/dahdi.ko

  service dahdi restart
Restarting dahdi (via systemctl):  Job for dahdi.service failed because the
control process exited with error code. See "systemctl status
dahdi.service" and "journalctl -xe" for details.
   [FAILED]

Mar 16 16:20:12  dahdi[12787]: Loading DAHDI hardware modules:
Mar 16 16:20:12  dahdi[12787]: modprobe: ERROR: could not insert 'dahdi':
Required key not available
Mar 16 16:20:12  kernel: Request for unknown module key 'dahdi Modules:
3e93f14b19188e27f6dbfaf5ad47474abb9606fc' err -11

Did I miss something?



Looks like you did not enroll your signing key in the MOK list, as the 
kernel is telling you it cannot find your key to verify the signing of 
the module?


Read the two links I posted earlier, and links therein. That is the best 
documentation that exists AFAIK.


Phil

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
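Phil's diagnosis (the key that signed the module was never enrolled in the MOK list) and Jerry's original question (sign everything under /lib/modules in one go) fit together in one small script. This is an added example, not code from the list posts nor from the Red Hat or ELRepo guides linked in the thread. It assumes the RHEL/CentOS 7 layout the thread shows: sign-file under /usr/src/kernels/<release>/scripts/, a MOK.priv/MOK.der pair made with the openssl command from the thread, and mokutil installed; the function names, the "is already enrolled" string it expects from `mokutil --test-key`, and the sample log and modinfo text are the example's own assumptions and constructed input.

```python
#!/usr/bin/env python3
"""Sign every out-of-tree .ko under a modules directory with a MOK key, but
only after confirming the certificate is enrolled, which is the step the
thread shows missing ("Required key not available").
Added example; not code from the list posts. Paths follow the thread's
RHEL/CentOS 7 layout; sample text in the tests is constructed.
"""
import os
import re
import subprocess
import sys
from pathlib import Path

# Kernel message from the thread: the subject and hex id name the key that
# produced the signature, and the kernel found no such key in its keyrings.
UNKNOWN_KEY_RE = re.compile(
    r"Request for unknown module key '(?P<subject>[^']+?): (?P<keyid>[0-9a-f]+)'"
)


def parse_unknown_key(log_line):
    """Return (subject, keyid) from a 'Request for unknown module key' line, else None."""
    m = UNKNOWN_KEY_RE.search(log_line)
    return (m.group("subject"), m.group("keyid")) if m else None


def module_signer(modinfo_text):
    """Signer CN from `modinfo <module>` output, or None if the module is unsigned."""
    for line in modinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "signer":
            return value.strip()
    return None


def find_modules(root):
    """Every .ko below root, e.g. /lib/modules/<release>/dahdi/ from the thread."""
    return sorted(str(p) for p in Path(root).rglob("*.ko"))


def key_enrolled(der_path):
    """True when mokutil reports the DER certificate is in the MOK list.
    Assumption: `mokutil --test-key FILE` prints '<FILE> is already enrolled'."""
    try:
        out = subprocess.run(["mokutil", "--test-key", der_path],
                             capture_output=True, text=True)
    except FileNotFoundError:
        raise SystemExit("mokutil not found; install the mokutil package")
    return "is already enrolled" in out.stdout


def sign_module(sign_file, priv, der, module, hash_algo="sha256"):
    """Run the kernel's sign-file (same call as the thread), then re-read modinfo."""
    subprocess.run([sign_file, hash_algo, priv, der, module], check=True)
    info = subprocess.run(["modinfo", module], capture_output=True, text=True, check=True)
    return module_signer(info.stdout)


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} MOK.priv MOK.der MODULE_DIR", file=sys.stderr)
        return 2
    priv, der, root = argv[1:]
    release = os.uname().release
    sign_file = f"/usr/src/kernels/{release}/scripts/sign-file"
    if not key_enrolled(der):
        # Signing without enrollment reproduces the thread's failure exactly:
        # modprobe reports "Required key not available" at the next load.
        print(f"{der} is not in the MOK list; run 'mokutil --import {der}' and "
              "complete the enrollment in the MokManager screen at the next boot",
              file=sys.stderr)
        return 1
    for module in find_modules(root):
        signer = sign_module(sign_file, priv, der, module)
        print(f"{module}: signer={signer}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Enrollment is checked before anything is signed because a signature by an unenrolled key changes nothing at load time; `modinfo` is re-read after signing so the `signer:` field confirms which certificate the module now carries.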


Re: [CentOS] signing modules

2020-03-16 Thread Jerry Geis
Ok, I tried signing a module... Did not work.

+ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER
-out MOK.der -nodes -days 36500 -subj '/CN=dahdi Modules/'
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to 'MOK.priv'
-
++ uname -r
++ modinfo -n dahdi
+ /usr/src/kernels/3.10.0-1062.12.1.el7.x86_64/scripts/sign-file sha256
./MOK.priv ./MOK.der /lib/modules/3.10.0-1062.12.1.el7.x86_64/dahdi/dahdi.ko

 service dahdi restart
Restarting dahdi (via systemctl):  Job for dahdi.service failed because the
control process exited with error code. See "systemctl status
dahdi.service" and "journalctl -xe" for details.
  [FAILED]

Mar 16 16:20:12  dahdi[12787]: Loading DAHDI hardware modules:
Mar 16 16:20:12  dahdi[12787]: modprobe: ERROR: could not insert 'dahdi':
Required key not available
Mar 16 16:20:12  kernel: Request for unknown module key 'dahdi Modules:
3e93f14b19188e27f6dbfaf5ad47474abb9606fc' err -11

Did I miss something?

Jerry


Re: [CentOS] signing modules

2020-03-16 Thread Jerry Geis
Hi all, thanks for the comments. However, I'm getting nowhere.

Let me start again.

My "hardware" does not have the ability to turn off secure boot. It's an
Intel NUC7C - not possible.
So instead of my generic "image" I have that I copy to physical disk (has
all my install, setup etc... everything ready),
I created a new UEFI disk that again has everything set up and ready. All
works on the image.

Then when I copy to the image and boot up - I noticed things are not quite
right.
This one module is one example.
I think there are others I have not noticed yet.

So "how" can I create an image for UEFI that has everything setup - and
then copy that image to a physical disk and expect everything to still be
the same and working?

Thanks,

Jerry


Re: [CentOS] signing modules

2020-03-16 Thread Phil Perry

On 16/03/2020 16:42, Jerry Geis wrote:

You need to turn off secure booting - you can still boot using UEFI,
but if secure booting is turned on the kernel doesn't allow unsigned
modules.


Thanks - so is that a command line to run? A config file to edit?

I ran mokutil --disable-verification and rebooted.
I don't desire that MOK management screen to show - how do you get rid of
that?

After rebooting my module still does not load.



Rather than disabling a security feature, why don't you generate a 
Secure Boot signing key and sign your module?


Please see the RHEL documentation here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html

Elrepo has a guide here on how to import your Secure Boot signing key 
once you have signed your module:


http://elrepo.org/tiki/SecureBootKey

Phil


Re: [CentOS] signing modules

2020-03-16 Thread Pete Biggs
On Mon, 2020-03-16 at 12:42 -0400, Jerry Geis wrote:
> > You need to turn off secure booting - you can still boot using UEFI,
> > but if secure booting is turned on the kernel doesn't allow unsigned
> > modules.
> 
> Thanks - so is that a command line to run? A config file to edit?
> 
It's a BIOS setting.

P.




Re: [CentOS] CentOS rpm versioning

2020-03-16 Thread koka miptpatriot
So there is no way to automatically compare RHEL and CentOS rpms.

Why can't CentOS use versions like
"10.3.17-1.module+el8.1.0+3974+90eded8-cento+257+48736ea"?
They would both be consistent with RHEL and have all the needed hashes.

Mon, 16 Mar 2020 at 17:37, Stephen John Smoogen :

> On Mon, 16 Mar 2020 at 12:17, koka miptpatriot 
> wrote:
>
> > Hello
> >
> > Clair vulnerability scanner considers the latest version of CentOS
> mariadb
> > vulnerable, because of RHSA-2019:3708
> > It states, that mariadb must be updated at least to the version
> > "10.3.17-1.module+el8.1.0+3974+90eded84". CentOS' last version is
> > "10.3.17-1.module_el8.1.0+257+48736ea6". Rpm/yum considers CentOS'
> version
> > older, than RHEL's.
> >
> > % rpmdev-vercmp 3:10.3.17-1.module_el8.1.0+257+48736ea6
> 3:10.3.17-1.module+
> > el8.1.0+3974+90eded84
> > 3:10.3.17-1.module_el8.1.0+257+48736ea6 <
> 3:10.3.17-1.module+el8.1.0+3974+
> > 90eded84
> >
> > That's why Clair considers it's vulnerable. Is there any way to fix it?
> >
> >
> The issue is that you can not get equivalent versions of CentOS modules to
> Red Hat modules because the MBS versioning system uses some sort of hash to
> separate builds apart. You also can not compare CentOS to Red Hat
> Enterprise Linux packages using rpmdev-vercmp but have to do your own
> auditing to see if they are equivalent.
>
>
>
> > --
> > skype: miptpatriot
>
>
> --
> Stephen J Smoogen.


-- 
skype: miptpatriot


Re: [CentOS] signing modules

2020-03-16 Thread Stephen John Smoogen
On Mon, 16 Mar 2020 at 12:43, Jerry Geis  wrote:

> >You need to turn off secure booting - you can still boot using UEFI,
> >but if secure booting is turned on the kernel doesn't allow unsigned
> >modules.
>
> Thanks - so is that a command line to run? A config file to edit?
>
>
Secure boot is in your hardware UEFI/BIOS setup. Basically ring -1 or -2 on
the hardware. Nothing in the OS can turn this on or off, as that is the
purpose of this control: to make sure a virus cannot fool the hardware into
using bad kernel-level code.


> I ran mokutil --disable-verification and rebooted
> I dont desire that MOK management screen to show - how do you get rid of
> that ?
>
> After rebooting my module still does not load.
>
> Jerry


-- 
Stephen J Smoogen.


Re: [CentOS] signing modules

2020-03-16 Thread Jerry Geis
>You need to turn off secure booting - you can still boot using UEFI,
>but if secure booting is turned on the kernel doesn't allow unsigned
>modules.

Thanks - so is that a command line to run? A config file to edit?

I ran mokutil --disable-verification and rebooted.
I don't desire that MOK management screen to show - how do you get rid of
that?

After rebooting my module still does not load.

Jerry


Re: [CentOS] CentOS rpm versioning

2020-03-16 Thread Stephen John Smoogen
On Mon, 16 Mar 2020 at 12:17, koka miptpatriot 
wrote:

> Hello
>
> Clair vulnerability scanner considers the latest version of CentOS mariadb
> vulnerable because of RHSA-2019:3708.
> It states that mariadb must be updated at least to the version
> "10.3.17-1.module+el8.1.0+3974+90eded84". CentOS' last version is
> "10.3.17-1.module_el8.1.0+257+48736ea6". Rpm/yum considers CentOS' version
> older than RHEL's.
>
> % rpmdev-vercmp 3:10.3.17-1.module_el8.1.0+257+48736ea6 3:10.3.17-1.module+
> el8.1.0+3974+90eded84
> 3:10.3.17-1.module_el8.1.0+257+48736ea6 < 3:10.3.17-1.module+el8.1.0+3974+
> 90eded84
>
> That's why Clair considers it vulnerable. Is there any way to fix it?
>
>
The issue is that you cannot get equivalent versions of CentOS modules to
Red Hat modules because the MBS versioning system uses some sort of hash to
separate builds apart. You also cannot compare CentOS to Red Hat
Enterprise Linux packages using rpmdev-vercmp but have to do your own
auditing to see if they are equivalent.



> --
> skype: miptpatriot


-- 
Stephen J Smoogen.
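The rpmdev-vercmp result quoted in the thread, and Stephen's point that the MBS build counter and context hash make the two strings incomparable, can be made visible by re-implementing rpm's comparison and then setting that suffix aside. This is an added example, not code from the list posts or from rpm/rpmdevtools. `rpmvercmp()` follows the segment rules of rpm's lib/rpmvercmp.c (including the `~` and `^` separators); the EVR strings are the ones quoted in the thread; `strip_module_build()`, `compare_modular()` and the `<release>.module<_|+><platform>+<build>+<context>` release pattern they rely on are this example's own assumptions about the MBS naming scheme.

```python
"""rpm version comparison re-implemented to show why the CentOS and RHEL
modular mariadb builds from the thread order the way they do, and what is
left to compare once the MBS build counter and context hash are removed.
Added example, not from the list posts; the MBS release pattern is an assumption.
"""
import re

# Assumed MBS release layout: <base>.module<_|+><platform>+<build counter>+<context hash>
MODULE_RELEASE_RE = re.compile(
    r"^(?P<base>.+?)\.module[_+](?P<platform>el\d+(?:\.\d+)*)"
    r"\+(?P<build>\d+)\+(?P<context>[0-9a-f]+)$"
)


def rpmvercmp(a, b):
    """rpm's segment-wise version compare: -1, 0 or 1 for a <, ==, > b."""
    if a == b:
        return 0
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        # Separators are anything that is not alphanumeric, '~' or '^'.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # tilde sorts before anything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: like tilde, but end of string is lower
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                 # one side exhausted
            break
        # One segment per side: all digits or all letters, typed by a's first char.
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        ea, eb = i, j
        while ea < la and pred(a[ea]):
            ea += 1
        while eb < lb and pred(b[eb]):
            eb += 1
        sa, sb = a[i:ea], b[j:eb]
        if not sb:                          # type mismatch: numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ea, eb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_evr(evr):
    """'3:10.3.17-1.x' -> ('3', '10.3.17', '1.x'); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if "-" in rest:
        version, _, release = rest.rpartition("-")
    else:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a, b):
    """Compare two epoch:version-release strings the way rpm and yum do."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def strip_module_build(evr):
    """Drop the MBS build counter and context hash, keeping epoch, version, base
    release and platform; non-modular EVRs are returned unchanged."""
    epoch, version, release = parse_evr(evr)
    m = MODULE_RELEASE_RE.match(release)
    if not m:
        return evr
    prefix = f"{epoch}:" if ":" in evr else ""
    return f"{prefix}{version}-{m['base']}.{m['platform']}"


def compare_modular(a, b):
    """(rpm ordering of a vs b, ordering with the build-specific suffix removed).
    A second value of 0 means the same upstream version/release on the same
    platform; it is where the manual audit starts, not proof of equivalence."""
    return evrcmp(a, b), evrcmp(strip_module_build(a), strip_module_build(b))


if __name__ == "__main__":
    centos = "3:10.3.17-1.module_el8.1.0+257+48736ea6"
    rhel = "3:10.3.17-1.module+el8.1.0+3974+90eded84"
    print(compare_modular(centos, rhel))  # (-1, 0)
```

The raw ordering is decided at the first segment that differs, which is the build counter (257 against 3974), so rpm's "<" says nothing about the patches in the package. A scanner that keys on the RHSA version string will keep flagging the CentOS build for that reason; stripping the suffix gives a comparable base, and the remaining question (whether the CentOS rebuild carries the same fix) is the auditing Stephen describes.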


Re: [CentOS] signing modules

2020-03-16 Thread Pete Biggs


> 
> I'm getting an error about a module not being signed so not loading.
> CentOS 7.7 UEFI booting. (I cannot remove UEFI as hardware does not allow
> it).
> 
You need to turn off secure booting - you can still boot using UEFI,
but if secure booting is turned on the kernel doesn't allow unsigned
modules.

P.




[CentOS] signing modules

2020-03-16 Thread Jerry Geis
Is there an "easy" way to just sign all kernel modules in the /lib/modules
directory?

I'm getting an error about a module not being signed so not loading.
CentOS 7.7 UEFI booting. (I cannot remove UEFI as hardware does not allow
it).

Thanks,

Jerry


[CentOS] CentOS rpm versioning

2020-03-16 Thread koka miptpatriot
Hello

Clair vulnerability scanner considers the latest version of CentOS mariadb
vulnerable because of RHSA-2019:3708.
It states that mariadb must be updated at least to the version
"10.3.17-1.module+el8.1.0+3974+90eded84". CentOS' last version is
"10.3.17-1.module_el8.1.0+257+48736ea6". Rpm/yum considers CentOS' version
older than RHEL's.

% rpmdev-vercmp 3:10.3.17-1.module_el8.1.0+257+48736ea6 3:10.3.17-1.module+
el8.1.0+3974+90eded84
3:10.3.17-1.module_el8.1.0+257+48736ea6 < 3:10.3.17-1.module+el8.1.0+3974+
90eded84

That's why Clair considers it vulnerable. Is there any way to fix it?

-- 
skype: miptpatriot


Re: [CentOS] Slightly OT : where is Cipherli.st ?

2020-03-16 Thread Lange, Markus
Hi,

Not exactly your question, but it might help you anyway.

Mozilla provides a great config generator for many commonly used
applications, for multiple application and OpenSSL versions [1].

You can choose between 3 security levels. They reflect how old/outdated
the clients you need to support are.

best regards,
Markus

[1] https://ssl-config.mozilla.org/
-- 
IT 2.3
Tel: +49 69 1525 - 1786

On Mon, 2020-03-16 at 14:53 +0100, Nicolas Kovacs wrote:
> Hi,
> 
> Up until recently, I've been using the excellent https://cipherli.st
> resource
> to configure SSL on my servers.
> 
> I tried to take a look again today, but the site seems to have
> vanished.
> 
> Does anybody know what's happened? Has it moved?
> 
> Cheers,
> 
> Niki


[CentOS] Slightly OT : where is Cipherli.st ?

2020-03-16 Thread Nicolas Kovacs
Hi,

Up until recently, I've been using the excellent https://cipherli.st resource
to configure SSL on my servers.

I tried to take a look again today, but the site seems to have vanished.

Does anybody know what's happened? Has it moved?

Cheers,

Niki
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12