[SOLVED] kernel module build unknown public key


Postby brcisna » 2012/01/01 18:02:18

Hello All,

On a fresh install of CentOS 6.2. Installed the full kernel source tree to a home directory.
kernel-2.6.32-220.2.1.el6.src.rpm
The kernel source tree is identical to the running version kernel as well as kernel-headers, and kernel-devel all match, just for completeness, in this post.
I followed the instructions here:

http://wiki.centos.org/HowTos/BuildingKernelModules

I need to build one of the staging modules, and the module in fact builds showing as being signed at compile time (AKA: [M] Signed rtl8187se), as it needs to be to modprobe into the CentOS 6 kernel due to the built-in kernel module signing requirement.
Problem: When doing the modprobe rtl8187se I get the following error:

ksign: module signed with unknown public key.

I have gone through the module-signing.txt file in the Documentation in the source tree, as there is even a scriptlet there to make the keys generate as they need to be extracted and so forth. In the prep-error.log that is generated at kernel build time, it appears the keys are all generated without error as well.
One thing I have noticed is that the gpg key that is extracted is "Red Hat linux Driver Update Program". I read some time back in CentOS 5 kernel building that this should be showing CentOS?
Here is a link that is what my kernel build tree does exactly, although this bug post is for CentOS 5.
If I reproduce the commands given here I get the exact same results.

http://bugs.centos.org/view.php?id=5007

At any rate I have been wrangling with this problem for two days now, with no gains.
Can anyone tell me how to approach this pgp kernel module signing problem?
Sorry for long post.

Thank you,
Barry

Re: kernel module build unknown public key

Postby pschaff » 2012/01/01 22:40:39

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

Have you imported the key?
rpm --import /path/to/RPM-GPG-KEY-your-key


Edit: One kernel expert recommends not signing the module for local use - then the kernel doesn't need to know where to find the key. ELRepo modules are not signed - just the RPM packages that deliver them.

Re: kernel module build unknown public key

Postby brcisna » 2012/01/02 14:44:46

Phil,

Thank You for the feedback.

1) If I build the required kernel module with the module signing bit unset in the menuconfig, I get an error when trying to modprobe the module stating "module is not signed". I don't know what the workaround is to let the running kernel not do a pgp kernel module signing/checking bit?
Also, if I do a --force at modprobe the running kernel simply does not allow the kernel to try and load, due to the 'unknown public key' issue?

2) I am not sure when I try and look where the actual pgp key resides for the kernel module signing bit? Although at the rpmbuild of the kernel source it appears to do all the magic it is supposed to, I never see in the userone homedir anything in regards to the key.pub, key.sec sets?

Here is a paste of the last few lines of rpm build of source kernel that imports/exports the source gpg key(s)

+ cp /home/userone/rpmbuild/SOURCES/extrakeys.pub .
+ cat
+ gpg --homedir . --batch --gen-key /home/userone/rpmbuild/SOURCES/genkey
gpg: WARNING: unsafe permissions on homedir `.'
gpg: keyring `./secring.gpg' created
gpg: keyring `./pubring.gpg' created
+ cat
+ '[' -s /home/userone/rpmbuild/SOURCES/extrakeys.pub ']'
+ gpg --homedir . --no-default-keyring --keyring kernel.pub --import /home/userone/rpmbuild/SOURCES/extrakeys.pub
gpg: WARNING: unsafe permissions on homedir `.'
gpg: ./trustdb.gpg: trustdb created
gpg: key CD09BEDA: public key "Red Hat Enterprise Linux Driver Update Program " imported
gpg: Total number processed: 1
gpg: imported: 1
+ gpg --homedir . --export --keyring ./kernel.pub CentOS
gpg: WARNING: unsafe permissions on homedir `.'
+ gcc -o scripts/bin2c scripts/bin2c.c
+ scripts/bin2c ksign_def_public_key __initdata
+ cd ..
+ exit 0

3) One thing I do not understand is " gpg: WARNING: unsafe permissions on homedir"
I have made another rpmbuild user via the Users and Groups gui, and still get this error message. The perms on the userone homedir are 700 with no additional ACL's or such added.

4) Is there some way I can run gpg against the given kernel module that I have built to try and obtain a pgp hash number, if nothing else to try and learn how this all ties together?

Thank you,
Barry
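As an added example (not part of any post in this thread, and not CentOS or ELRepo code), this shell script reads the signing-key steps out of a kernel rpmbuild trace like the one quoted in the post above and lists which keys were generated, imported, selected for export and embedded. The function names `key_report` and `unmatched_imports` are hypothetical, and the sample lines are copied from that quoted trace.

```shell
#!/bin/sh
# Added example: summarise the signing-key steps in a kernel rpmbuild trace.

# Sample input: lines copied from the build trace quoted in the post above.
sample_log() {
cat <<'EOF'
+ gpg --homedir . --batch --gen-key /home/userone/rpmbuild/SOURCES/genkey
gpg: keyring `./secring.gpg' created
gpg: keyring `./pubring.gpg' created
+ gpg --homedir . --no-default-keyring --keyring kernel.pub --import /home/userone/rpmbuild/SOURCES/extrakeys.pub
gpg: key CD09BEDA: public key "Red Hat Enterprise Linux Driver Update Program " imported
+ gpg --homedir . --export --keyring ./kernel.pub CentOS
+ scripts/bin2c ksign_def_public_key __initdata
EOF
}

# key_report (hypothetical name): one line per key event found on stdin.
#   GENERATED <batch file>   a new key pair was created during this build
#   IMPORTED <keyid> <uid>   a public key was imported into a keyring
#   EXPORTED <filter>        user-ID filter given to gpg --export
#   EMBEDDED <symbol>        first argument passed to scripts/bin2c
key_report() {
  awk '
    /^\+ gpg .*--gen-key/ { print "GENERATED " $NF }
    /^gpg: key [0-9A-F]+: public key ".*" imported/ {
      id = $3; sub(/:$/, "", id)
      uid = $0; sub(/^[^"]*"/, "", uid); sub(/ *" imported.*$/, "", uid)
      print "IMPORTED " id " " uid
    }
    /^\+ gpg .*--export/ { print "EXPORTED " $NF }
    /^\+ scripts\/bin2c/ { print "EMBEDDED " $3 }
  '
}

# unmatched_imports (hypothetical name): IDs of imported keys whose printed
# user ID does not contain the export filter. gpg --export NAME only writes
# keys whose user ID matches NAME, so these are worth a closer look.
unmatched_imports() {
  key_report | awk '
    $1 == "IMPORTED" { id[++n] = $2; $1 = $2 = ""; uid[n] = tolower($0) }
    $1 == "EXPORTED" { filter = tolower($2) }
    END {
      for (i = 1; i <= n; i++) {
        if (filter != "" && index(uid[i], filter) == 0) print id[i]
      }
    }
  '
}

sample_log | key_report
```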

[SOLVED] kernel module build unknown public key

Postby toracat » 2012/01/02 16:17:58

Perhaps the easiest way to achieve what you are aiming at will be to look at one of the ELRepo's kmods. I would suggest the hyper-v kmod as an example. It is one of the modules found in the staging directory. You can examine the Makefile in there. As a bonus, if you use the whole package as a template, you will get a kABI-compatible module of your driver.

Re: kernel module build unknown public key

Postby pschaff » 2012/01/02 16:54:52

The inclusion of the Red Hat key seems to me to be a bug. Created Bug #5382. We'll see what the devs have to say.

The "gpg: WARNING: unsafe permissions on homedir `.'" warning is due to the permissions on the current directory where the key generation is taking place in the build tree, and can be safely ignored.

Edit: I see toracat has weighed in with good advice while I was filing the bug report. I was thinking of recommending a kmod also, but had not gotten around to coming up with a good example to cite.

Re: kernel module build unknown public key

Postby brcisna » 2012/01/02 21:52:01

toracat,

Thank You for the reply. Unfortunately the wireless driver I am trying to build is one of the staging drivers, so there is no xyz-kmod in the elrepos.
The driver in question is rtl8187se, which doesn't make any diff to anyone, but I cannot get the rtl8187se_coffee, google code, something, to build on CentOS 6 either. This apparently built OK on CentOS 5, FWIW. This is on a Toshiba Satellite laptop and the wifi card was also popular on the mini notebook laptops as well.
The native rtl8187 CentOS 6 driver is not the same for this particular card.

Take Care,
Barry

Re: kernel module build unknown public key

Postby pschaff » 2012/01/03 00:08:04

EDIT: Hold off - found some problems. Will fix and replace...

No there are no ELRepo packages. The point was to use that as a guide to create some. I have done that for you. See http://www.elrepo.org/people/pschaff/el6/

Contents:
pschaff-testing.repo

./i386:
repodata RPMS

./i386/repodata:
filelists.xml.gz other.xml.gz primary.xml.gz repomd.xml

./i386/RPMS:
kmod-rtl8187se-0.0-1.el6.elrepo.i686.rpm

./SRPMS:
repodata rtl8187se-kmod-0.0-1.el6.elrepo.src.rpm

./SRPMS/repodata:
filelists.xml.gz other.xml.gz primary.xml.gz repomd.xml

./x86_64:
repodata RPMS

./x86_64/repodata:
filelists.xml.gz other.xml.gz primary.xml.gz repomd.xml

./x86_64/RPMS:
kmod-rtl8187se-0.0-1.el6.elrepo.x86_64.rpm

Packages are not signed nor tested. The version ought to be something more sensible. The pschaff-testing.repo file dropped into /etc/yum.repos.d/ should make it usable with yum via:
yum --enablerepo pschaff-testing install kmod-rtl8187se

Re: kernel module build unknown public key

Postby brcisna » 2012/01/03 02:14:27

Thank You Phil,

When you get all corrected I will give the module a spin!

Take Care,
Barry

Re: kernel module build unknown public key

Postby pschaff » 2012/01/03 15:02:10

Thanks to debugging and correction of my error by toracat, corrected packages are now at http://www.elrepo.org/people/pschaff/el6/ .

Please let us know if they work.

Re: kernel module build unknown public key

Postby brcisna » 2012/01/04 22:21:03

pschaff,

Thank You. The kmod-rtl8187se did work fine that you built.
One oddity. This machine/laptop has both the original 6.0 kernel on it, and has been updated to the 6.2 kernel. Kernel number in above posts. When I went and installed the kmod-rtl8187se it in fact installed into the older kernel? I was doing this all remotely today as I had to be working in another school building. I was able to get the laptop rebooted into the old kernel and the module modprobed fine with no gpg key errors and brought the wifi nic to life.
I ran out of time, and didn't get a chance to reboot the laptop back into the new kernel and try and copy/paste the kmod into the extras folder on it. I am very rusty on rpm building etc. I would guess there are some switches to force the kmod to install to kernel xyz... but I don't know how to do it?
I will report tomorrow on how the kmod works on the newer kernel (6.2).

thanks again for your efforts!,
Barry