Bug#939392: please provide kmodsign like Ubuntu does
On Mon, Sep 09, 2019 at 04:46:38PM +0100, Steve McIntyre wrote: > On Mon, Sep 09, 2019 at 04:35:44PM +0100, Steve McIntyre wrote: > >On Wed, Sep 04, 2019 at 03:47:35PM +0300, Dmitry Eremin-Solenikov wrote: > >>Could you please provide kmodsign tool like Ubuntu package does, so that > >>we can sign Linux kernel modules with custom keys. > > > >ACK, that would be a good thing to have. > > > >Steve - would you be happy to push the ubuntu patches up into Debian? > > > >Probably worth us talking to the original kmodsign authors (David > >Howells and David Woodhouse) and the sbsigntool maintainer (James > >Bottomley) about maybe integrating things upstream too. I'll try to > >start a conversation there... > > Hmmm, hang on - it's just the "sign-file" program from the kernel > tree, renamed as "kmodsign" for some reason. Steve: the bug at > > https://bugs.launchpad.net/bugs/1526959 > > named in the patches doesn't seem all that relevant - could you > enlighten us please? :-) https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1579766 is a more relevant bug report. This was for signing things outside of the context of a kernel build, and Launchpad does that on a specially-secured signing service that ensures that keys are encrypted at rest and such. If memory serves, I asked for this to be added to sbsigntool because the alternative was that we'd have to chase kernel versions: sign-file is packaged as /usr/lib/linux-kbuild-$version/scripts/sign-file in the linux-kbuild-$version package, but that's really a pretty annoying thing for a supposedly non-kernel-version-dependent service to have to depend on! dak has a similar requirement, and it seems that they've just ended up with a dependency on "linux-kbuild-5.10 | linux-kbuild-4.19" that presumably they bump from time to time. Ugh. Now I'm no longer involved with Launchpad, but I have a pretty similar third instance of this requirement in debusine, and I'd really rather not perpetuate the same horribleness there. Is there any chance that these Ubuntu patches could be merged? Thanks, -- Colin Watson (he/him) [cjwat...@debian.org]
Bug#939392: please provide kmodsign like Ubuntu does
Same here Building module: Cleaning build area... 'make' KVER=5.19.0-2-amd64 src=/usr/src/rtl88x2bu-5.8.7.1... Signing module /var/lib/dkms/rtl88x2bu/5.8.7.1/build/88x2bu.ko /usr/sbin/dkms: line 1055: kmodsign: command not found Cleaning build area... 88x2bu.ko: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/5.19.0-2-amd64/updates/dkms/ depmod... I see this $ dpkg -S sign-file linux-kbuild-5.19: /usr/lib/linux-kbuild-5.19/scripts/sign-file but that's not terribly useful since you can't even symlink it to kmodsign if you change kbuild versions.
Bug#939392: please provide kmodsign like Ubuntu does
Hello all, What about this issue ? No progress ?? Today update result Calcul de la mise à jour… Le paquet suivant a été installé automatiquement et n'est plus nécessaire : libmozjs-91-0 Veuillez utiliser « apt autoremove » pour le supprimer. Les NOUVEAUX paquets suivants seront installés : libmozjs-102-0 linux-headers-5.19.0-2-amd64 linux-headers-5.19.0-2-common linux-image-5.19.0-2-amd64 Les paquets suivants seront mis à jour : fonts-wine gdm3 gir1.2-gdm-1.0 gjs libgdm1 libgjs0g libvkd3d-shader1 libvkd3d-shader1:i386 libvkd3d1 libvkd3d1:i386 libwine libwine:i386 linux-compiler-gcc-11-x86 linux-headers-amd64 linux-image-amd64 linux-kbuild-5.19 linux-libc-dev wine wine32:i386 wine64 Paramétrage de linux-kbuild-5.19 (5.19.11-1) ... Paramétrage de linux-headers-5.19.0-2-common (5.19.11-1) ... Paramétrage de linux-headers-5.19.0-2-amd64 (5.19.11-1) ... /etc/kernel/header_postinst.d/dkms: dkms: running auto installation service for kernel 5.19.0-2-amd64:Sign command: /usr/lib/linux-kbuild-5.19/scripts/sign-file Signing key: /var/lib/dkms/mok.key Public certificate (MOK): /var/lib/dkms/mok.pub Building module: Cleaning build area... make -j2 KERNELRELEASE=5.19.0-2-amd64 KVER=5.19.0-2-amd64.. Signing module /var/lib/dkms/broadcom-sta/6.30.223.271/build/wl.ko /usr/sbin/dkms: ligne 1055: kmodsign : commande introuvable Cleaning build area... wl.ko: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/5.19.0-2-amd64/updates/dkms/ depmod...
Bug#939392: please provide kmodsign like Ubuntu does
On Wed, Sep 04, 2019 at 03:47:35PM +0300, Dmitry Eremin-Solenikov wrote: >Package: sbsigntool >Version: 0.9.2-2 >Severity: normal > >Could you please provide kmodsign tool like Ubuntu package does, so that >we can sign Linux kernel modules with custom keys. ACK, that would be a good thing to have. Steve - would you be happy to push the ubuntu patches up into Debian? Probably worth us talking to the original kmodsign authors (David Howells and David Woodhouse) and the sbsigntool maintainer (James Bottomley) about maybe integrating things upstream too. I'll try to start a conversation there... -- Steve McIntyre, Cambridge, UK.st...@einval.com "Since phone messaging became popular, the young generation has lost the ability to read or write anything that is longer than one hundred and sixty characters." -- Ignatios Souvatzis
Bug#939392: please provide kmodsign like Ubuntu does
On Mon, Sep 09, 2019 at 04:35:44PM +0100, Steve McIntyre wrote: >On Wed, Sep 04, 2019 at 03:47:35PM +0300, Dmitry Eremin-Solenikov wrote: >>Package: sbsigntool >>Version: 0.9.2-2 >>Severity: normal >> >>Could you please provide kmodsign tool like Ubuntu package does, so that >>we can sign Linux kernel modules with custom keys. > >ACK, that would be a good thing to have. > >Steve - would you be happy to push the ubuntu patches up into Debian? > >Probably worth us talking to the original kmodsign authors (David >Howells and David Woodhouse) and the sbsigntool maintainer (James >Bottomley) about maybe integrating things upstream too. I'll try to >start a conversation there... Hmmm, hang on - it's just the "sign-file" program from the kernel tree, renamed as "kmodsign" for some reason. Steve: the bug at https://bugs.launchpad.net/bugs/1526959 named in the patches doesn't seem all that relevant - could you enlighten us please? :-) -- Steve McIntyre, Cambridge, UK.st...@einval.com "We're the technical experts. We were hired so that management could ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
Bug#939392: please provide kmodsign like Ubuntu does
Package: sbsigntool Version: 0.9.2-2 Severity: normal Could you please provide kmodsign tool like Ubuntu package does, so that we can sign Linux kernel modules with custom keys. -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.2.0-2-amd64 (SMP w/12 CPU cores) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/bash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages sbsigntool depends on: ii libc6 2.28-10 ii libssl1.1 1.1.1c-1 ii libuuid1 2.34-0.1 sbsigntool recommends no packages. sbsigntool suggests no packages. -- no debconf information