Bug 36383 - Test kernel modules are signed for UEFI Secure Boot
Test kernel modules are signed for UEFI Secure Boot
Status: CLOSED FIXED
Product: UCS Test
Classification: Unclassified
Component: Kernel
unspecified
Other Linux
: P5 normal (vote)
: ---
Assigned To: Bastian Reitemeier
Philipp Hahn
:
Depends on: 36335 38214
Blocks:
  Show dependency treegraph
 
Reported: 2014-11-03 06:53 CET by Stefan Gohmann
Modified: 2023-03-25 06:41 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2014-11-03 06:53:12 CET
Please add a test case if the modules are signed.


+++ This bug was initially created as a clone of Bug #36335 +++

We need at least:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_ALL=y

CONFIG_MODULE_SIG_FORCE needs to be checked.
Comment 1 Bastian Reitemeier univentionstaff 2015-09-29 16:43:38 CEST
I have added a test (tests/00_checks/70_check_kernel_module_signing_settings) to check the config file named "/boot/config-$(uname -r)"
for the configurations from stefans comment:

> CONFIG_MODULE_SIG=y
> CONFIG_MODULE_SIG_SHA512=y
> CONFIG_MODULE_SIG_HASH="sha512"
> CONFIG_MODULE_SIG_ALL=y
> 
> CONFIG_MODULE_SIG_FORCE needs to be checked.
Comment 2 Philipp Hahn univentionstaff 2015-10-14 12:20:25 CEST
Jenkins regression: fails on all configurations:
<http://jenkins.knut.univention.de:8080/job/UCS-4.0/job/UCS-4.0-3/job/Autotest%20MultiEnv/lastCompletedBuild/SambaVersion=s3,Systemrolle=member/testReport/00_checks/70_check_kernel_module_signing_settings/test/>

[2015-10-13 18:24:15.582211].missing options: CONFIG_MODULE_SIG_FORCE

Should be "# CONFIG_MODULE_SIG_FORCE is not set".

See Bug #39527 for my analysis.
Comment 3 Philipp Hahn univentionstaff 2015-10-21 17:37:30 CEST
r64700 | Bug #36383 test: Fix test for kernel module signing
 Fix Jenkins regression

Package: ucs-test
Version: 5.0.173-3.1277.201510211731
Branch: ucs_4.0-0
Scope: errata4.0-3

r64701 | Bug #36383 test: Fix test for kernel module signing
 Merge to 4.1-0

Package: ucs-test
Version: 6.0.10-8.1278.201510211734
Branch: ucs_4.1-0