modsign vs build-id
Roland McGrath
roland at redhat.com
Tue Aug 14 20:41:57 UTC 2007
> The signature sections are identical. Triple-checked that I was
> comparing with the ext3.ko from the initrd that booted the system.
[...]
> To make it even more interesting:
>
> # cd /lib/modules/2.6.23-0.104.rc3.vsc.fc8/kernel/drivers/net/e1000
> # insmod e1000.ko
> Modules signature verification failed
> insmod: error inserting 'e1000.ko': -1 Key was rejected by service
> # strip -g e1000.ko
> # insmod e1000.ko
> # lsmod |grep e1000
> e1000 125977 0
Ok. This makes me think that the signature generation and/or verification
are looking at something they shouldn't be. i.e., something strip changed.
> > Also, you could try setting MODSIGN_DEBUG in kernel/module-verify-sig.c
> > (linux-2.6-modsign-core.patch) and booting with "debug" to see those msgs.
>
> Sure, I'll add that too.
Also hack modsign.sh to pass -v to mod-extract. The logs from mod-extract
for a given module and the printks from verification looking at that module
should give us something to go on.
Thanks,
Roland