Bug#820038: Copy signatures into udebs


Ben Hutchings

Apr 4, 2016, 7:10:02 PM
Package: kernel-wedge
Version: 2.94
Severity: normal

We will probably implement module signing using detached signatures
which kmod will concatenate to the modules at load time (see #820010).
mkinitramfs will need to copy the detached signatures along with all
the modules it includes in each udeb.

It might also be necessary to add special support for signed kernel
images, although linux-signed may end up generating the udebs for
that directly.

Ben.

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kernel-wedge depends on:
ii debhelper 9.20160313
ii make 4.1-9

kernel-wedge recommends no packages.

kernel-wedge suggests no packages.

-- no debconf information

Ben Hutchings

Apr 4, 2016, 9:10:03 PM
On Tue, 05 Apr 2016 00:02:46 +0100 Ben Hutchings <b...@decadent.org.uk> wrote:
> Package: kernel-wedge
> Version: 2.94
> Severity: normal

> We will probably implement module signing using detached signatures
> which kmod will concatenate to the modules at load time (see #820010).
> mkinitramfs will need to copy the detached signatures along with all
> the modules it includes in each udeb.

This is copypasta from the initramfs-tools bug.

Since kernel-wedge runs as part of the kernel build process, before any
code is signed, it can't include signatures in module udebs unless we
revert to building udebs separately (which I really don't want to do).

> It might also be necessary to add special support for signed kernel
> images, although linux-signed may end up generating the udebs for
> that directly.

We could extend kernel-wedge to build one or more udebs containing only
the module signatures.  This makes a certain amount of sense because we
will otherwise end up including all detached signature files in the
installer images (bloat) or replicating some of kernel-wedge's logic
to work out which are needed (fragile).

Ben.

--
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot

Jose R R

Apr 5, 2016, 1:30:03 AM
Thus, in practice it means that an out of Linux source tree module,
like Reiser4, will be a reason for Debian-Installer (d-i) to baulk at
install?
--
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Try at no charge http://b2evolution.net for http://OpenShift.com PaaS
---------------------------------------------------------------------------------------------
from our GitHub http://Nepohualtzintzin.com repository. Cloud the easy way!
---------------------------------------------------------------------------------------------

Ben Hutchings

Apr 5, 2016, 6:00:04 AM
On Mon, 2016-04-04 at 22:20 -0700, Jose R R wrote:
> Thus, in practice it means that an out of Linux source tree module,
> like Reiser4, will be a reason for Debian-Installer (d-i) to baulk at
> install?

If Secure Boot is enabled, all unsigned modules will be rejected by the
kernel.  But this is better than the current state where we don't boot
at all - only those users that need or want OOT modules will need to
disable it.

Debian could apply a similar signing procedure to binary packages of
OOT modules - if they're in the archive.  Unofficial and non-free
packages will surely not be signed by Debian.

I intend to look at and maybe include (depending on how invasive it is)
David Howells' patchset, included in Red Hat distributions, that allows
the kernel to load trusted certificates from EFI variables.  That would
allow users to enrol trusted certificates for other OOT modules in the
boot loader (shim).
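The thread's concern is that module signatures must travel with the modules (appended to the .ko, or detached and copied alongside), because a Secure Boot kernel rejects anything unsigned. Added example, not part of the bug thread or of kernel-wedge/kmod: a POSIX shell check that classifies each module in a directory as carrying an appended signature (recognised by the kernel's `~Module signature appended~` trailer), a detached signature in a sibling file, or none. The `<module>.ko.sig` naming and the file contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Classify kernel modules by how their signature travels:
#   appended - the signature block is appended to the .ko and ends with the
#              kernel's magic trailer "~Module signature appended~\n"
#   detached - no trailer, but a sibling <module>.ko.sig exists
#              (the .sig naming is an assumption for this example)
#   unsigned - neither; a Secure Boot kernel would refuse to load it
MAGIC='~Module signature appended~'

sig_status() {
    ko="$1"
    # The trailer is the last 28 bytes (27 chars + newline); a substring
    # match tolerates the binary signature header preceding it.
    if tail -c 28 "$ko" | grep -qF -- "$MAGIC"; then
        echo appended
    elif [ -f "$ko.sig" ]; then
        echo detached
    else
        echo unsigned
    fi
}

# Count modules in a directory that no Secure Boot kernel would load.
count_unsigned() {
    dir="$1"; n=0
    for ko in "$dir"/*.ko; do
        [ -e "$ko" ] || continue
        [ "$(sig_status "$ko")" = unsigned ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed stand-ins (not real ELF objects): the check only inspects the
# trailing bytes and the sibling file, so plain text is enough for a demo.
DEMO=$(mktemp -d)
printf 'fake module body' > "$DEMO/plain.ko"
printf 'fake module body' > "$DEMO/detached.ko"
printf 'fake detached signature' > "$DEMO/detached.ko.sig"
printf 'fake module body|sig-blob|header|%s\n' "$MAGIC" > "$DEMO/signed.ko"

for ko in "$DEMO"/*.ko; do
    printf '%s: %s\n' "$(basename "$ko")" "$(sig_status "$ko")"
done
printf 'modules a Secure Boot kernel would reject: %s\n' "$(count_unsigned "$DEMO")"
```

Point it at an unpacked udeb or initramfs module tree to see which modules would be rejected and which still depend on a separate signature file being shipped next to them.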

Debian Bug Tracking System

Jun 8, 2016, 5:40:02 PM
Your message dated Wed, 08 Jun 2016 22:27:04 +0100
with message-id <1465421224.3...@decadent.org.uk>
and subject line Re: Copy signatures into udebs
has caused the Debian Bug report #820038,
regarding kernel-wedge: Copy signatures into udebs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


--
820038: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820038
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems