Some kernel modules are failing digital signature checks during boot - kernel is tainted.

Bug #1241251 reported by T3st3r
This bug affects 9 people
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Confirmed | Medium | Unassigned |

Bug Description

Initial configuration:
 Xubuntu 13.10 64-bit, iso SHA256 is:
1862b69cffcfc41587109a971a8fe72b2dc26dbd762cdb4704965d668514fa95 *xubuntu-13.10-desktop-amd64.iso

To reproduce:
1) Verify that SHA256 of iso image is correct. I also checked GPG signature to make sure these are proper SHA256 hashes.
2) Put ISO to USB flash stick. I used dd to put iso to 2Gb flash drive.
3) Boot from USB flash and verify CD image using boot option to be extra sure ISO is not damaged.
4) Make sure ISO checks are OK.
5) Now boot USB flash to live OS session ("Try ... without installing").
6) Launch terminal.
7) dmesg | grep -i taint
8) Make sure kernel is getting tainted due to problems with some modules signatures.

Result:
* On my desktop PC I'm getting kernel taint due to missing signature or key in module "mii" (used by RTL8169 driver).
* On my notebook I'm getting kernel taint due to missing signature or key for "video" module (used by Intel GPU driver?)

What's going on? Are your ISO images okay? Or were they tampered with and some kernel modules are fakes? Please check ASAP.
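
The check in steps 7 and 8, extended to the module files on disk, as an added example that is not part of the original report or of any Ubuntu tooling. The names `failed_modules`, `has_sig_marker` and `audit_loaded` and the sample log are constructed for illustration; it assumes `modinfo` is installed and that modules are stored as uncompressed `.ko` files.

```shell
#!/bin/sh
# Added example; function names and SAMPLE_DMESG are constructed for illustration.
# The kernel logs the "module verification failed" notice only for the first
# offending module in a boot, so the on-disk files are checked as well.

# Trailer appended to a signed module file (27 characters plus a newline).
SIG_MARKER='~Module signature appended~'

# stdin: dmesg text. stdout: each module named in a verification-failed notice.
failed_modules() {
    sed -n 's/^\(\[[ 0-9.]*\] \)\{0,1\}\([^ :]*\): module verification failed: .*/\2/p' |
        sort -u
}

# Succeeds if the file ends with the signature trailer.
# Assumes an uncompressed .ko; decompress .ko.xz/.ko.zst first.
has_sig_marker() {
    tail -c 28 "$1" 2>/dev/null | LC_ALL=C grep -qF "$SIG_MARKER"
}

# Lists loaded modules whose on-disk file carries no signature trailer.
audit_loaded() {
    while read -r name rest; do
        path=$(modinfo -n "$name" 2>/dev/null) || continue
        has_sig_marker "$path" || printf '%s\t%s\n' "$name" "$path"
    done < /proc/modules
}

# Constructed sample in the format of the dmesg excerpts in this report.
SAMPLE_DMESG='[    1.185530] systemd-udevd[105]: starting version 204
[    1.228700] mii: module verification failed: signature and/or required key missing - tainting kernel
[    1.241574] r8169 Gigabit Ethernet driver 2.3LK-NAPI loaded'

if [ "${1:-}" = "--audit" ]; then
    audit_loaded
else
    printf '%s\n' "$SAMPLE_DMESG" | failed_modules
fi
```

The trailer only shows that a signature is appended to the file; whether the kernel trusts the signing key is decided when the module is loaded.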

T3st3r (t3st3r) wrote :
information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1241251/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → linux (Ubuntu)
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1241251

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Joseph Salisbury (jsalisbury) wrote :

This could be a duplicate of bug 1237394

Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-da-key saucy
Pavel Melkozerov (melky) wrote : apport information

ApportVersion: 2.12.5-0ubuntu2
Architecture: i386
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: melky 1235 F.... pulseaudio
DistroRelease: Ubuntu 13.10
HibernationDevice: RESUME=UUID=7cc4a089-9fe8-4c7d-b0d0-a9feb391f6bf
InstallationDate: Installed on 2013-10-18 (0 days ago)
InstallationMedia: Xubuntu 13.10 "Saucy Salamander" - Release i386 (20131016)
Lsusb:
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: ASUSTeK Computer Inc. A6JC
MarkForUpload: True
Package: linux (not installed)
PccardctlIdent:
 Socket 0:
   no product info available
PccardctlStatus:
 Socket 0:
   no card
ProcFB: 0 nouveaufb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.11.0-12-generic root=UUID=b1b0e52c-3519-4d81-9607-e164297cd8c2 ro
ProcVersionSignature: Ubuntu 3.11.0-12.19-generic 3.11.3
RelatedPackageVersions:
 linux-restricted-modules-3.11.0-12-generic N/A
 linux-backports-modules-3.11.0-12-generic N/A
 linux-firmware 1.116
RfKill:
 0: phy0: Wireless LAN
  Soft blocked: no
  Hard blocked: no
Tags: saucy
Uname: Linux 3.11.0-12-generic i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
dmi.bios.date: 10/04/2006
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: A6JCMAS.220
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: A6JC
dmi.board.vendor: ASUSTeK Computer Inc.
dmi.board.version: 1.0
dmi.chassis.type: 10
dmi.chassis.vendor: ASUSTeK Computer Inc.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrA6JCMAS.220:bd10/04/2006:svnASUSTeKComputerInc.:pnA6JC:pvr1.0:rvnASUSTeKComputerInc.:rnA6JC:rvr1.0:cvnASUSTeKComputerInc.:ct10:cvr:
dmi.product.name: A6JC
dmi.product.version: 1.0
dmi.sys.vendor: ASUSTeK Computer Inc.

tags: added: apport-collected
Pavel Melkozerov (melky) attached the following apport information files, one per comment:

AlsaInfo.txt
BootDmesg.txt
CRDA.txt
CurrentDmesg.txt
IwConfig.txt
Lspci.txt
ProcCpuinfo.txt
ProcEnviron.txt
ProcInterrupts.txt
ProcModules.txt
PulseList.txt
UdevDb.txt
UdevLog.txt
WifiSyslog.txt

Pavel Melkozerov (melky) wrote :

It's likely to be the same problem I faced:
[ 1.167264] Write protecting the kernel read-only data: 2644k
[ 1.167270] NX-protecting the kernel data: 5932k
[ 1.185530] systemd-udevd[105]: starting version 204
[ 1.228700] mii: module verification failed: signature and/or required key missing - tainting kernel
[ 1.241574] r8169 Gigabit Ethernet driver 2.3LK-NAPI loaded
[ 1.241600] r8169 0000:02:00.0: can't disable ASPM; OS doesn't have ASPM control
[ 1.241868] r8169 0000:02:00.0: irq 43 for MSI/MSI-X

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Pasi Tarhonen (pasi-tarhonen) wrote :

I am also facing the same problem, dmesg from last boot is just like Pavel's:

[ 0.626201] Write protecting the kernel read-only data: 12288k
[ 0.627546] Freeing unused kernel memory: 1040K (ffff88000e6fc000 - ffff88000e800000)
[ 0.628512] Freeing unused kernel memory: 836K (ffff88000eb2f000 - ffff88000ec00000)
[ 0.634382] systemd-udevd[114]: starting version 204
[ 0.643713] mii: module verification failed: signature and/or required key missing - tainting kernel
[ 0.644296] ahci 0000:00:1f.2: version 3.0
[ 0.644381] ahci 0000:00:1f.2: irq 42 for MSI/MSI-X
[ 0.644778] r8169 Gigabit Ethernet driver 2.3LK-NAPI loaded
[ 0.644783] r8169 0000:03:00.0: can't disable ASPM; OS doesn't have ASPM control
[ 0.644981] r8169 0000:03:00.0: irq 43 for MSI/MSI-X

Changed in linux (Ubuntu):
importance: Medium → High
tags: added: kernel-key
tags: removed: kernel-key
Changed in linux (Ubuntu):
importance: High → Medium
Pasi Tarhonen (pasi-tarhonen) wrote :

For some unknown reason (probably some update has fixed that) module "mii" is no longer causing the kernel to be tainted, but the guilty one is now module "video".

[ 0.716249] Write protecting the kernel read-only data: 12288k
[ 0.717529] Freeing unused kernel memory: 1040K (ffff88000e6fc000 - ffff88000e800000)
[ 0.718478] Freeing unused kernel memory: 836K (ffff88000eb2f000 - ffff88000ec00000)
[ 0.749207] wmi: Mapper loaded
[ 0.749573] video: module verification failed: signature and/or required key missing - tainting kernel
[ 0.752443] ahci 0000:00:1f.2: version 3.0
[ 0.752527] ahci 0000:00:1f.2: irq 42 for MSI/MSI-X
[ 0.754388] [drm] Initialized drm 1.1.0 20060810
[ 0.754606] 3c59x 0000:05:01.0: enabling device (0000 -> 0003)
[ 0.754643] 3c59x: Donald Becker and others.
[ 0.754646] 0000:05:01.0: 3Com PCI 3c905B Cyclone 100baseTx at ffffc9000003e000.
[ 0.754953] r8169 Gigabit Ethernet driver 2.3LK-NAPI loaded
[ 0.754958] r8169 0000:03:00.0: can't disable ASPM; OS doesn't have ASPM control
[ 0.755150] r8169 0000:03:00.0: irq 43 for MSI/MSI-X

Joseph Salisbury (jsalisbury) wrote :

This is fixed by bug 1253155

This report contains Public Security information  
Everyone can see this security related information.
