ubuntu-kernel-tests

CONFIG_MODULE_SIG_FORCE can make tests fail

Bug #2092274 reported by Po-Hsu Lin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-kernel-tests
New
Undecided
Unassigned

Bug Description

Issue found on kernel with CONFIG_MODULE_SIG_FORCE=y, it will check the module signature. So the module we build when running the test will be rejected.

The following tests will fail:
  * ubuntu_ltp_kernel_misc
    - fw_load ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - block_dev ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - tpci ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - ltp_acpi ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - uaccess ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
  * ubuntu_ltp_stable/commands
    - insmod01_sh (insmod: ERROR: could not insert module ltp_insmod01.ko: Key was rejected by service)
  * ubuntu_ltp_syscalls
    - delete_module01 (insmod: ERROR: could not insert module dummy_del_mod.ko: Key was rejected by service)
    - delete_module03 (insmod: ERROR: could not insert module dummy_del_mod.ko: Key was rejected by service)
    - finit_module01 (TFAIL: finit_module(fd, "status=valid", 0) failed: EKEYREJECTED (129))
    - finit_module02 (insmod: ERROR: could not insert module /opt/ltp/testcases/bin/finit_module.ko: Key was rejected by service)
    - init_module01 (TFAIL: init_module(buf, sb.st_size, "status=valid") failed: EKEYREJECTED (129))
    - init_module02 (insmod: ERROR: could not insert module init_module.ko: Key was rejected by service)
  * ubuntu_lttng_smoke_test
    - lttng-smoke-test (Error: Event sched_switch: Kernel tracer not available (channel channel0, session test-kernel-session))
  * ubuntu_qrt_kernel_security
    - KernelSecurityTest.test_072_strict_devmem (insmod: ERROR: could not insert module signpost/signpost.ko: Key was rejected by service)

Note that for the ubuntu_ltp_syscalls tests failure, they just check the /proc/cmdline to see if the module.sig_enforce was added there. As we don't have it in /proc/cmdline, it's expecting the test to pass.

I think azure-fde is affected as well.

It's better to add corresponding config check, and prints an user-friendly error message to make reviewers' life easier.

See original description

Related branches

~cypressyew/qa-regression-testing:mod-sig-check
Alex Murray (community): Approve
Diff: 18 lines (+7/-0)
1 file modified
scripts/test-kernel-security.py (+7/-0)
Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

For LTP syscalls - https://lists.linux.it/pipermail/ltp/2024-December/041355.html

Po-Hsu Lin (cypressyew)
description: updated
Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

For ubuntu_ltp_kernel_misc and ubuntu_ltp_stable/commands: https://lists.linux.it/pipermail/ltp/2024-December/041360.html

Po-Hsu Lin (cypressyew)
tags: added: 5.4
tags: added: sru-20241028
Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

For ubuntu_lttng_smoke_tests:
https://kernel.ubuntu.com/gitea/tnt/autotest-client-tests/pulls/42

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.