modsign vs build-id

Roland McGrath roland at redhat.com
Tue Aug 14 20:41:57 UTC 2007


> The signature sections are identical. Triple-checked that I was
> comparing with the ext3.ko from the initrd that booted the system.
[...]
> To make it even more interesting:
> 
> # cd /lib/modules/2.6.23-0.104.rc3.vsc.fc8/kernel/drivers/net/e1000
> # insmod e1000.ko
> Modules signature verification failed
> insmod: error inserting 'e1000.ko': -1 Key was rejected by service
> # strip -g e1000.ko
> # insmod e1000.ko
> # lsmod |grep e1000
> e1000       125977 0

Ok.  This makes me think that the signature generation and/or verification
are looking at something they shouldn't be.  i.e., something strip changed.

> > Also, you could try setting MODSIGN_DEBUG in kernel/module-verify-sig.c
> > (linux-2.6-modsign-core.patch) and booting with "debug" to see those msgs.
> 
> Sure, I'll add that too.

Also hack modsign.sh to pass -v to mod-extract.  The logs from mod-extract
for a given module and the printks from verification looking at that module
should give us something to go on.


Thanks,
Roland




More information about the Fedora-kernel-list mailing list