View Issue Details

IDProjectCategoryView StatusLast Update
0014819CentOS-7kmod-kvdopublic2019-06-19 00:19
ReporterTuxHandwerker 
PriorityurgentSeveritymajorReproducibilityalways
Status assignedResolutionopen 
Platformx86_64OSCentOSOS Version7.4
Product Version7.5.1804 
Target VersionFixed in Version 
Summary0014819: The vdo kernel module looks like not signed correct.
DescriptionAn kernel error/warning is shown, because the vdo kernel module looks like not signet.

Because of missing vdo category, I put it under general.
Steps To ReproduceUse the vdo infrastructure that comes with 7.5
vdo status
Additional InformationKernel log:
[168395.362142] uds: loading out-of-tree module taints kernel.
[168395.362686] uds: module verification failed: signature and/or required key missing - tainting kernel
[168395.372627] uds: modprobe: loaded version 6.1.0.41
[168395.381378] kvdo: modprobe: loaded version 6.1.0.153

I think, on an EFI secure boot system, this will make vdo unusable, because the kernel refuse to load unsigned/wrong signet kernel modules.
TagsNo tags attached.
abrt_hash
URL

Activities

bgurney-rh

bgurney-rh

2018-05-30 20:53

reporter   ~0031965

I was about to file a similar bug, and I found this, so I'll add my information:

To reproduce, install CentOS from the minimal ISO, then run "yum groupinstall base". This will install the "kmod-kvdo" and "vdo" packages. Then run "modprobe kvdo".

Aside from the events in the kernel log mentioned above, the following lines will appear in /proc/modules:
kvdo 493161 0 - Live 0xffffffffc05cb000 (OE)
uds 274920 1 kvdo, Live 0xffffffffc0573000 (OE)

The following kernel taint flags appear:
"O": out-of-tree (this is expected, as kvdo and uds are built out-of-tree)
"E": unsigned module loaded in a kernel supporting module signature

Output of "modinfo kvdo":
filename: /lib/modules/3.10.0-862.el7.x86_64/weak-updates/kmod-kvdo/vdo/kvdo.ko
version: 6.1.0.168
license: GPL
author: Red Hat, Inc.
description: device-mapper target for transparent deduplication
retpoline: Y
rhelversion: 7.5
srcversion: B2308E3B1001CB1D9AED027
depends: uds,dm-mod
vermagic: 3.10.0-862.2.3.el7.x86_64 SMP mod_unload modversions

Output of "modinfo uds":
filename: /lib/modules/3.10.0-862.el7.x86_64/weak-updates/kmod-kvdo/uds/uds.ko
version: 6.1.0.43
license: GPL
author: Red Hat, Inc.
description: deduplication engine
retpoline: Y
rhelversion: 7.5
srcversion: E972A3C9A3F6D0EC6863501
depends:
vermagic: 3.10.0-862.2.3.el7.x86_64 SMP mod_unload modversions
toracat

toracat

2018-05-30 23:06

manager   ~0031966

I confirm the issue. Assigned to JohnnyHughes.

Also, a new category kmod-kvdo created.
TuxHandwerker

TuxHandwerker

2019-06-18 05:44

reporter   ~0034684

Same on CentOS 7.6:
modinfo kvdo
filename: /lib/modules/3.10.0-957.12.1.el7.x86_64/weak-updates/kmod-kvdo/vdo/kvdo.ko
version: 6.1.1.125
license: GPL
author: Red Hat, Inc.
description: device-mapper target for transparent deduplication
retpoline: Y
rhelversion: 7.6
srcversion: 3BE07A4D9FBE2D0BA9D2041
depends: uds,dm-mod
vermagic: 3.10.0-957.el7.x86_64 SMP mod_unload modversions
JohnnyHughes

JohnnyHughes

2019-06-18 16:59

administrator   ~0034690

Last edited: 2019-06-18 17:01

View 3 revisions

The signature is not part of the spec file (that I can see) .. and this package does not generate a key (like the normal kernel) to sign modules.

It would seem that Red Hat has a special process to sign EXTERNAL kernel modules that is external to the build process in mock. CentOS does not have a any such process or keys or external mechanism at this time.

If this is an actual problem that causes actual issues, and if someone can provide research as to how these external modules can be signed, and if we can come up with an external process to sign modules .. then we can make progress on this bug.

Here is the spec file .. am I missing a signing process: https://git.centos.org/rpms/kmod-kvdo/blob/c7/f/SPECS/kvdo.spec

NOTE: signed externally generated modules have never been provided by any version of CentOS to date.

Issue History

Date Modified Username Field Change
2018-05-16 11:35 TuxHandwerker New Issue
2018-05-30 20:53 bgurney-rh Note Added: 0031965
2018-05-30 23:00 toracat Status new => confirmed
2018-05-30 23:03 toracat Category general => kmod-kvdo
2018-05-30 23:06 toracat Note Added: 0031966
2019-06-18 05:44 TuxHandwerker Note Added: 0034684
2019-06-18 07:12 arrfab Note Added: 0034686
2019-06-18 16:59 JohnnyHughes Note Added: 0034690
2019-06-18 17:00 JohnnyHughes Note Edited: 0034690 View Revisions
2019-06-18 17:01 JohnnyHughes Status confirmed => feedback
2019-06-18 17:01 JohnnyHughes Note Edited: 0034690 View Revisions
2019-06-19 00:19 toracat Status feedback => assigned
2019-06-19 00:19 toracat Summary The vdo kernel module looks like not signet correct. => The vdo kernel module looks like not signed correct.