[SOLVED] kernel module build unknown public key

Posted: 2012/01/01 18:02:18
by brcisna
Hello All,

On a fresh install of CentOS 6.2, I installed the full kernel source tree to a home directory:
kernel-2.6.32-220.2.1.el6.src.rpm
The kernel source tree is identical to the running kernel version, and kernel-headers and kernel-devel all match as well, just for completeness in this post.
I followed the instructions here:

http://wiki.centos.org/HowTos/BuildingKernelModules

I need to build one of the staging modules, and the module in fact builds, showing as being signed at compile time (AKA: [M] Signed rtl8187se), as it needs to be to modprobe into the CentOS 6 kernel due to the built-in kernel module signing requirement.
Problem: When doing the modprobe rtl8187se I get the following error:

ksign: module signed with unknown public key.

I have gone through the module-signing.txt file in the Documentation in the source tree, as there is even a scriptlet there to make the keys generate as they need to be extracted and so forth. In the prep-error.log that is generated at kernel build time, it appears the keys are all generated without error as well.
One thing I have noticed is that the gpg key that is extracted is "Red Hat linux Driver Update Program". I read some time back, in CentOS 5 kernel building, that this should be showing CentOS?
Here is a link that shows exactly what my kernel build tree does, although this bug post is for CentOS 5.
If I reproduce the commands given here, I get the exact same results.

http://bugs.centos.org/view.php?id=5007

At any rate, I have been wrangling with this problem for two days now, with no gains.
Can anyone tell me how to approach this pgp kernel module signing problem?
Sorry for the long post.

Thank you,
Barry

Re: kernel module build unknown public key

Posted: 2012/01/01 22:40:39
by pschaff
Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

Have you imported the key?
[code]rpm --import /path/to/RPM-GPG-KEY-your-key[/code]

Edit: One kernel expert recommends not signing the module for local use - then the kernel doesn't need to know where to find the key. ELRepo modules are not signed - just the RPM packages that deliver them.

Re: kernel module build unknown public key

Posted: 2012/01/02 14:44:46
by brcisna
Phil,

Thank You for the feedback.

1) If I build the required kernel module with the module signing bit unset in the menuconfig, I get an error when trying to modprobe the module stating "module is not signed". I don't know what the workaround is to let the running kernel not do the pgp kernel module signing/checking bit?
Also, if I do a --force at modprobe, the running kernel simply does not allow the kernel to try and load, due to the 'unknown public key' issue?

2) I am not sure, when I try and look, where the actual pgp key resides for the kernel module signing bit? Although at the rpmbuild of the kernel source it appears to do all the magic it is supposed to, I never see anything in the userone homedir in regards to the key.pub, key.sec sets?

Here is a paste of the last few lines of the rpm build of the source kernel that imports/exports the source gpg key(s):

[code]
+ cp /home/userone/rpmbuild/SOURCES/extrakeys.pub .
+ cat
+ gpg --homedir . --batch --gen-key /home/userone/rpmbuild/SOURCES/genkey
gpg: WARNING: unsafe permissions on homedir `.'
gpg: keyring `./secring.gpg' created
gpg: keyring `./pubring.gpg' created
+ cat
+ '[' -s /home/userone/rpmbuild/SOURCES/extrakeys.pub ']'
+ gpg --homedir . --no-default-keyring --keyring kernel.pub --import /home/userone/rpmbuild/SOURCES/extrakeys.pub
gpg: WARNING: unsafe permissions on homedir `.'
gpg: ./trustdb.gpg: trustdb created
gpg: key CD09BEDA: public key "Red Hat Enterprise Linux Driver Update Program " imported
gpg: Total number processed: 1
gpg: imported: 1
+ gpg --homedir . --export --keyring ./kernel.pub CentOS
gpg: WARNING: unsafe permissions on homedir `.'
+ gcc -o scripts/bin2c scripts/bin2c.c
+ scripts/bin2c ksign_def_public_key __initdata
+ cd ..
+ exit 0
[/code]

3) One thing I do not understand is "gpg: WARNING: unsafe permissions on homedir".
I have made another rpmbuild user via the Users and Groups GUI, and still get this error message. The perms on the userone homedir are 700 with no additional ACLs or such added.

4) Is there some way I can run gpg against the given kernel module that I have built to try and obtain a pgp hash number, if nothing else to try and learn how this all ties together?

Thank you,
Barry
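
Added example, not part of the original thread and not CentOS or kernel code: question 4 above asks how to see which key a module was signed with. Assuming the raw OpenPGP signature bytes have already been extracted from the module (that step is not shown), this Python code reads the issuer key ID from the signature packet per RFC 4880 and compares it with the short key ID CD09BEDA from the build log. The function names and both sample blobs are constructed for illustration.

```python
TRUSTED_SHORT_IDS = {"CD09BEDA"}  # short ID of the key imported in the build log above
# Constructed, truncated samples (MPIs omitted; upper key-ID bytes are placeholders).
SAMPLE_V4 = bytes.fromhex("881a" "04001102" "0006" "05024f000000"
                          "000a" "0910" "00000000cd09beda" "0000")
SAMPLE_V3 = bytes.fromhex("8813" "030500" "4f000000" "1122334455667788" "1102" "0000")

def read_packet(data):
    """Return (tag, body) of the first packet; definite lengths only."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                       # new-format header, one-octet length
        tag, first = hdr & 0x3F, data[1]
        if first >= 192:
            raise ValueError("longer or partial body lengths not supported")
        start, length = 2, first
    else:                                # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)
        length = int.from_bytes(data[1:start], "big")
    return tag, data[start:start + length]

def issuer_key_id(body):
    """Return the 64-bit issuer key ID (hex) of a v3 or v4 signature body, or None."""
    if body[0] == 3:                     # v3: fixed layout, key ID at offset 7
        return body[7:15].hex().upper()
    if body[0] != 4:
        raise ValueError("unsupported signature version")
    pos = 4                              # skip version, type, pk algo, hash algo
    for _ in range(2):                   # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            slen = body[pos]             # assumes one-octet subpacket lengths
            if slen == 0 or slen >= 192:
                raise ValueError("unsupported subpacket length")
            if body[pos + 1] & 0x7F == 16:   # issuer subpacket
                return body[pos + 2:pos + 1 + slen].hex().upper()
            pos += 1 + slen
        pos = end
    return None

def check_signature(blob, trusted=TRUSTED_SHORT_IDS):
    """Return (key_id, known); a short-ID match is a diagnostic, not a trust decision."""
    tag, body = read_packet(blob)
    if tag != 2:
        raise ValueError("not a signature packet")
    kid = issuer_key_id(body)
    return kid, kid is not None and kid[-8:] in trusted
```

Short key IDs are easy to collide, so the comparison only helps explain an "unknown public key" message; it does not establish that a key is trustworthy.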

[SOLVED] kernel module build unknown public key

Posted: 2012/01/02 16:17:58
by toracat
Perhaps the easiest way to achieve what you are aiming at will be to look at one of the ELRepo's kmods. I would suggest [url=http://elrepo.org/linux/elrepo/el6/SRPMS/hyperv-kmod-0.0-1.el6.elrepo.src.rpm]the hyper-v kmod[/url] as an example. It is one of the modules found in the staging directory. You can examine the Makefile in there. As a bonus, if you use the whole package as a template, you will get a kABI-compatible module of your driver.

Re: kernel module build unknown public key

Posted: 2012/01/02 16:54:52
by pschaff
The inclusion of the Red Hat key seems to me to be a bug. Created [url=http://bugs.centos.org/view.php?id=5382]Bug #5382[/url]. We'll see what the devs have to say.

The "gpg: WARNING: unsafe permissions on homedir `.'" warning is due to the permissions on the current directory where the key generation is taking place in the build tree, and can be safely ignored.

Edit: I see [b]toracat[/b] has weighed in with good advice while I was filing the bug report. I was thinking of recommending a kmod also, but had not gotten around to coming up with a good example to cite.

Re: kernel module build unknown public key

Posted: 2012/01/02 21:52:01
by brcisna
toracat,

Thank you for the reply. Unfortunately the wireless driver I am trying to build is one of the staging drivers, so there is no xyz-kmod in the elrepos.
The driver in question is rtl8187se, which doesn't make any difference to anyone, but I cannot get the rtl8187se_coffee (Google Code, something) to build on CentOS 6 either. This apparently built OK on CentOS 5, FWIW. This is on a Toshiba Satellite laptop, and the wifi card was also popular on the mini notebook laptops as well.
The native rtl8187 CentOS 6 driver is not the same for this particular card.

Take Care,
Barry

Re: kernel module build unknown public key

Posted: 2012/01/03 00:08:04
by pschaff
EDIT: Hold off - found some problems. Will fix and replace...

No, there are no ELRepo packages. The point was to use that as a guide to create some. I have done that for you. See http://www.elrepo.org/people/pschaff/el6/

Contents:
pschaff-testing.repo

./i386:
repodata RPMS

./i386/repodata:
filelists.xml.gz other.xml.gz primary.xml.gz repomd.xml

./i386/RPMS:
kmod-rtl8187se-0.0-1.el6.elrepo.i686.rpm

./SRPMS:
repodata rtl8187se-kmod-0.0-1.el6.elrepo.src.rpm

./SRPMS/repodata:
filelists.xml.gz other.xml.gz primary.xml.gz repomd.xml

./x86_64:
repodata RPMS

./x86_64/repodata:
filelists.xml.gz other.xml.gz primary.xml.gz repomd.xml

./x86_64/RPMS:
kmod-rtl8187se-0.0-1.el6.elrepo.x86_64.rpm

Packages are not signed nor tested. The version ought to be something more sensible. The [url=http://www.elrepo.org/people/pschaff/el6/pschaff-testing.repo]pschaff-testing.repo[/url] file dropped into /etc/yum.repos.d/ should make it usable with yum via:
[code]yum --enablerepo pschaff-testing install kmod-rtl8187se[/code]

Re: kernel module build unknown public key

Posted: 2012/01/03 02:14:27
by brcisna
Thank You Phil,

When you get all corrected I will give the module a spin!

Take Care,
Barry

Re: kernel module build unknown public key

Posted: 2012/01/03 15:02:10
by pschaff
Thanks to debugging and correction of my error by [b]toracat[/b], corrected packages are now at http://www.elrepo.org/people/pschaff/el6/ .

Please let us know if they work.

Re: kernel module build unknown public key

Posted: 2012/01/04 22:21:03
by brcisna
pschaff,

Thank you. The kmod-rtl8187se that you built did work fine.
One oddity: this machine/laptop has both the original 6.0 kernel on it and has been updated to the 6.2 kernel (kernel number in the above posts). When I went and installed the kmod-rtl8187se, it in fact installed into the older kernel? I was doing this all remotely today, as I had to be working in another school building. I was able to get the laptop rebooted into the old kernel, and the module modprobed fine with no gpg key errors and brought the wifi NIC to life.
I ran out of time and didn't get a chance to reboot the laptop back into the new kernel and try to copy/paste the kmod into the extras folder on it. I am very rusty on rpm building etc. I would guess there are some switches to force the kmod to install to kernel xyz... but I don't know how to do it?
I will report tomorrow on how the kmod works on the newer kernel (6.2).

Thanks again for your efforts!
Barry