Ubuntu: "module verification failed" warning when loading a self-compiled kernel module
Author: Yuan Jianpeng Email: yuanjp89@163.com
Published: 2023-5-27 Site: Inside Linux Development

A warning is also reported when building the kernel module:

At main.c:160:                                                                                         
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:69                                                                                                              
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:76               
sign-file: certs/signing_key.pem: No such file or directory


Loading the module fails with an error:

# insmod ./sfp.ko
insmod: ERROR: could not insert module ./sfp.ko: Unknown symbol in module


Check the log with dmesg:

[ 4778.602001] sfp: loading out-of-tree module taints kernel.                
[ 4778.602056] sfp: module verification failed: signature and/or required key missing - tainting kernel 
[ 4778.602149] sfp: Unknown symbol nf_conntrack_in (err -2)


A search showed that the cause is a missing signature. Create the signing key files:

$ cat > x509.genkey
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
 
[ req_distinguished_name ]
CN = Modules
 
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
 
$ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER \
    -out signing_key.x509 -keyout signing_key.pem


Copy the signing files into the certs directory of the Linux build tree, and make them readable by all users:

$ sudo chmod +r signing_key.pem signing_key.x509 

$ sudo cp signing_key.pem signing_key.x509 /lib/modules/`uname -r`/build/certs


After rebuilding, the signing warning is gone, but the symbol is still not found: the module this one depends on is not installed.
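
To confirm that the build really appended a signature, the shell function below inspects the trailer that sign-file writes at the end of a .ko and that the kernel parses before it reports "module verification failed". This is an added example, not code from the original post; the function names module_sig_info and make_sample_module are hypothetical and the sample file is constructed. It checks only that a well-formed trailer is present, not that the signature verifies against a key the running kernel trusts.

```sh
#!/bin/sh
# Added example: inspect the signature trailer of a kernel module file.
# End of a signed module: <PKCS#7 blob><12-byte info struct><28-byte magic>.
MAGIC_HEX=$(printf '~Module signature appended~\n' | od -An -tx1 | tr -d ' \n')

# Prints "unsigned", "malformed" or "signed <sig_len>"; returns 0 only if signed.
module_sig_info() {
    f=$1
    size=$(($(wc -c < "$f")))
    if [ "$size" -lt 40 ]; then echo unsigned; return 1; fi
    # The last 28 bytes must be exactly the magic string plus newline.
    got=$(tail -c 28 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$got" != "$MAGIC_HEX" ]; then echo unsigned; return 1; fi
    # struct module_signature (12 bytes) sits just before the magic string:
    # algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big endian).
    set -- $(od -An -tu1 -j $((size - 40)) -N 12 "$f")
    id_type=$3
    sig_len=$(( $9 * 16777216 + ${10} * 65536 + ${11} * 256 + ${12} ))
    # The kernel accepts only PKCS#7 (id_type 2) and a length that fits the file.
    if [ "$id_type" -ne 2 ] || [ "$sig_len" -ge $((size - 40)) ]; then
        echo malformed; return 1
    fi
    echo "signed $sig_len"
}

# Builds a constructed sample file (not a real kernel object) for trying the check.
# $1 = output path, $2 = "signed" to append a fake 8-byte blob and trailer.
make_sample_module() {
    {
        printf '\177ELF constructed module body, not a real kernel object\n'
        if [ "$2" = signed ]; then
            printf 'FAKESIG!'    # stand-in for the PKCS#7 signature blob
            printf '\000\000\002\000\000\000\000\000\000\000\000\010'  # id_type=2, sig_len=8
            printf '~Module signature appended~\n'
        fi
    } > "$1"
}
```

After sourcing the file, `module_sig_info ./sfp.ko` shows whether the rebuilt module carries a signature trailer.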


Copyright © linuxdev.cc 2017-2024. Some Rights Reserved.