View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0014819 | CentOS-7 | kmod-kvdo | public | 2018-05-16 11:35 | 2021-11-08 10:04 |
Reporter | TuxHandwerker | Assigned To | |||
Priority | urgent | Severity | major | Reproducibility | always |
Status | assigned | Resolution | open | ||
Platform | x86_64 | OS | CentOS | OS Version | 7.4 |
Product Version | 7.5.1804 | ||||
Summary | 0014819: The vdo kernel module looks like not signed correct. | ||||
Description | A kernel error/warning is shown, because the vdo kernel module looks like not signed. Because of missing vdo category, I put it under general. | ||||
Steps To Reproduce | Use the vdo infrastructure that comes with 7.5 vdo status | ||||
Additional Information | Kernel log: [168395.362142] uds: loading out-of-tree module taints kernel. [168395.362686] uds: module verification failed: signature and/or required key missing - tainting kernel [168395.372627] uds: modprobe: loaded version 6.1.0.41 [168395.381378] kvdo: modprobe: loaded version 6.1.0.153 I think, on an EFI secure boot system, this will make vdo unusable, because the kernel refuses to load unsigned/wrongly signed kernel modules. | ||||
Tags | No tags attached. | ||||
abrt_hash | |||||
URL | |||||
I was about to file a similar bug, and I found this, so I'll add my information:

To reproduce, install CentOS from the minimal ISO, then run "yum groupinstall base". This will install the "kmod-kvdo" and "vdo" packages. Then run "modprobe kvdo".

Aside from the events in the kernel log mentioned above, the following lines will appear in /proc/modules:

    kvdo 493161 0 - Live 0xffffffffc05cb000 (OE)
    uds 274920 1 kvdo, Live 0xffffffffc0573000 (OE)

The following kernel taint flags appear:

"O": out-of-tree (this is expected, as kvdo and uds are built out-of-tree)
"E": unsigned module loaded in a kernel supporting module signature

Output of "modinfo kvdo":

    filename: /lib/modules/3.10.0-862.el7.x86_64/weak-updates/kmod-kvdo/vdo/kvdo.ko
    version: 6.1.0.168
    license: GPL
    author: Red Hat, Inc.
    description: device-mapper target for transparent deduplication
    retpoline: Y
    rhelversion: 7.5
    srcversion: B2308E3B1001CB1D9AED027
    depends: uds,dm-mod
    vermagic: 3.10.0-862.2.3.el7.x86_64 SMP mod_unload modversions

Output of "modinfo uds":

    filename: /lib/modules/3.10.0-862.el7.x86_64/weak-updates/kmod-kvdo/uds/uds.ko
    version: 6.1.0.43
    license: GPL
    author: Red Hat, Inc.
    description: deduplication engine
    retpoline: Y
    rhelversion: 7.5
    srcversion: E972A3C9A3F6D0EC6863501
    depends:
    vermagic: 3.10.0-862.2.3.el7.x86_64 SMP mod_unload modversions
|
I confirm the issue. Assigned to JohnnyHughes. Also, a new category kmod-kvdo created. |
|
Same on CentOS 7.6:

modinfo kvdo

    filename: /lib/modules/3.10.0-957.12.1.el7.x86_64/weak-updates/kmod-kvdo/vdo/kvdo.ko
    version: 6.1.1.125
    license: GPL
    author: Red Hat, Inc.
    description: device-mapper target for transparent deduplication
    retpoline: Y
    rhelversion: 7.6
    srcversion: 3BE07A4D9FBE2D0BA9D2041
    depends: uds,dm-mod
    vermagic: 3.10.0-957.el7.x86_64 SMP mod_unload modversions
|
Reminder sent to: JohnnyHughes |
|
The signature is not part of the spec file (that I can see) .. and this package does not generate a key (like the normal kernel) to sign modules. It would seem that Red Hat has a special process to sign EXTERNAL kernel modules that is external to the build process in mock. CentOS does not have any such process or keys or external mechanism at this time. If this is an actual problem that causes actual issues, and if someone can provide research as to how these external modules can be signed, and if we can come up with an external process to sign modules .. then we can make progress on this bug. Here is the spec file .. am I missing a signing process: https://git.centos.org/rpms/kmod-kvdo/blob/c7/f/SPECS/kvdo.spec NOTE: signed externally generated modules have never been provided by any version of CentOS to date. |
|
Any new development? If not, this ticket must be closed as 'not fixable'. | |
Date Modified | Username | Field | Change |
---|---|---|---|
2018-05-16 11:35 | TuxHandwerker | New Issue | |
2018-05-30 20:53 | bgurney-rh | Note Added: 0031965 | |
2018-05-30 23:00 | toracat | Status | new => confirmed |
2018-05-30 23:03 | toracat | Category | general => kmod-kvdo |
2018-05-30 23:06 | toracat | Note Added: 0031966 | |
2019-06-18 05:44 | TuxHandwerker | Note Added: 0034684 | |
2019-06-18 07:12 | arrfab | Note Added: 0034686 | |
2019-06-18 16:59 | JohnnyHughes | Note Added: 0034690 | |
2019-06-18 17:00 | JohnnyHughes | Note Edited: 0034690 | |
2019-06-18 17:01 | JohnnyHughes | Status | confirmed => feedback |
2019-06-18 17:01 | JohnnyHughes | Note Edited: 0034690 | |
2019-06-19 00:19 | toracat | Status | feedback => assigned |
2019-06-19 00:19 | toracat | Summary | The vdo kernel module looks like not signet correct. => The vdo kernel module looks like not signed correct. |
2021-11-08 10:04 | toracat | Note Added: 0038719 |
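
The "module verification failed: signature and/or required key missing" message discussed in this issue concerns a signature that, when present, is appended to the end of the .ko file. The following is an added example, not part of the original issue or of any CentOS or Red Hat tooling: it inspects a module file for that appended trailer, assuming the layout the kernel's module signing uses (signer name, key identifier, signature, a 12-byte info block, then a fixed marker string). The function names and the sample built by `build_sample` are constructed for illustration, and the check only reports whether a trailer is present and well-formed; it does not verify the signature.

```python
import struct

MAGIC = b"~Module signature appended~\n"   # marker the kernel looks for at end of file
INFO = struct.Struct(">BBBBB3xI")            # struct module_signature: 12 bytes, big-endian

def parse_module_signature(blob):
    """Return the trailer fields if blob ends with an appended signature, else None."""
    if not blob.endswith(MAGIC):
        return None                          # no trailer: the module is unsigned
    body = blob[:-len(MAGIC)]
    if len(body) < INFO.size:
        raise ValueError("truncated signature info block")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = INFO.unpack(
        body[-INFO.size:])
    body = body[:-INFO.size]
    trailer = signer_len + key_id_len + sig_len
    if trailer > len(body):
        raise ValueError("signature lengths exceed file size")
    start = len(body) - trailer              # where the module proper ends
    signer = body[start:start + signer_len]
    key_id = body[start + signer_len:start + signer_len + key_id_len]
    return {
        "algo": algo, "hash": hash_, "id_type": id_type,
        "signer": signer.decode("utf-8", "replace"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "payload_len": start,                # bytes covered by the signature
    }

def build_sample(signed):
    """Constructed stand-in for a .ko file; the 'signature' bytes are filler."""
    elf = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return elf
    signer, key_id, sig = b"Example signing key", bytes(range(20)), b"\xaa" * 256
    info = INFO.pack(1, 4, 1, len(signer), len(key_id), len(sig))
    return elf + signer + key_id + sig + info + MAGIC

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                # e.g. the kvdo.ko path shown by modinfo
        with open(path, "rb") as fh:
            print(path, parse_module_signature(fh.read()))
```

A result of `None` for a module file corresponds to the missing signature reported in the kernel log above; a compressed module has to be decompressed before it is inspected.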