[Canonical-ubuntu-qa] [Bug 2092274] [NEW] CONFIG_MODULE_SIG_FORCE can make tests fail

Po-Hsu Lin Fri, 20 Dec 2024 02:14:19 -0800

Public bug reported:

Issue found on linux-ein.


With CONFIG_MODULE_SIG_FORCE=y, it will check the module signature. So
the module we build when running the test will be rejected.

The following tests will fail:
  * ubuntu_ltp_kernel_misc
    - fw_load ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - block_dev ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - tpci ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - ltp_acpi ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    - uaccess ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
  * ubuntu_ltp_stable/commands
    - insmod01_sh (insmod: ERROR: could not insert module ltp_insmod01.ko: Key 
was rejected by service)
  * ubuntu_ltp_syscalls
    - delete_module01 (insmod: ERROR: could not insert module dummy_del_mod.ko: 
Key was rejected by service)
    - delete_module03 (insmod: ERROR: could not insert module dummy_del_mod.ko: 
Key was rejected by service)
    - finit_module01 (TFAIL: finit_module(fd, "status=valid", 0) failed: 
EKEYREJECTED (129))
    - finit_module02 (insmod: ERROR: could not insert module 
/opt/ltp/testcases/bin/finit_module.ko: Key was rejected by service)
    - init_module01 (TFAIL: init_module(buf, sb.st_size, "status=valid") 
failed: EKEYREJECTED (129))
    - init_module02 (insmod: ERROR: could not insert module init_module.ko: Key 
was rejected by service)
  * ubuntu_lttng_smoke_test
    - lttng-smoke-test (Error: Event sched_switch: Kernel tracer not available 
(channel channel0, session test-kernel-session))
  * ubuntu_qrt_kernel_security
    - KernelSecurityTest.test_072_strict_devmem (insmod: ERROR: could not 
insert module signpost/signpost.ko: Key was rejected by service)

Note that for the ubuntu_ltp_syscalls tests failure, they just check the 
/proc/cmdline to see if the module.sig_enforce was added there. As we don't 
have it in /proc/cmdline, it's expecting the test to pass.
    
I think azure-fde is affected as well.

It's better to add corresponding config check, and prints an user-
friendly error message to make reviewers' life easier.

** Affects: ubuntu-kernel-tests
     Importance: Undecided
         Status: New


** Tags: focal ubuntu-ltp-kernel-misc ubuntu-ltp-stable ubuntu-ltp-syscalls 
ubuntu-lttng-smoke-test ubuntu-qrt-kernel-security

-- 
You received this bug notification because you are a member of Canonical
Platform QA Team, which is subscribed to ubuntu-kernel-tests.
https://bugs.launchpad.net/bugs/2092274

Title:
  CONFIG_MODULE_SIG_FORCE can make tests fail

Status in ubuntu-kernel-tests:
  New

Bug description:
  Issue found on linux-ein.

  With CONFIG_MODULE_SIG_FORCE=y, it will check the module signature. So
  the module we build when running the test will be rejected.

  The following tests will fail:
    * ubuntu_ltp_kernel_misc
      - fw_load ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
      - block_dev ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
      - tpci ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
      - ltp_acpi ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
      - uaccess ('insmod' exited with a non-zero code 1 at tst_cmd.c:121)
    * ubuntu_ltp_stable/commands
      - insmod01_sh (insmod: ERROR: could not insert module ltp_insmod01.ko: 
Key was rejected by service)
    * ubuntu_ltp_syscalls
      - delete_module01 (insmod: ERROR: could not insert module 
dummy_del_mod.ko: Key was rejected by service)
      - delete_module03 (insmod: ERROR: could not insert module 
dummy_del_mod.ko: Key was rejected by service)
      - finit_module01 (TFAIL: finit_module(fd, "status=valid", 0) failed: 
EKEYREJECTED (129))
      - finit_module02 (insmod: ERROR: could not insert module 
/opt/ltp/testcases/bin/finit_module.ko: Key was rejected by service)
      - init_module01 (TFAIL: init_module(buf, sb.st_size, "status=valid") 
failed: EKEYREJECTED (129))
      - init_module02 (insmod: ERROR: could not insert module init_module.ko: 
Key was rejected by service)
    * ubuntu_lttng_smoke_test
      - lttng-smoke-test (Error: Event sched_switch: Kernel tracer not 
available (channel channel0, session test-kernel-session))
    * ubuntu_qrt_kernel_security
      - KernelSecurityTest.test_072_strict_devmem (insmod: ERROR: could not 
insert module signpost/signpost.ko: Key was rejected by service)

  Note that for the ubuntu_ltp_syscalls tests failure, they just check the 
/proc/cmdline to see if the module.sig_enforce was added there. As we don't 
have it in /proc/cmdline, it's expecting the test to pass.
      
  I think azure-fde is affected as well.

  It's better to add corresponding config check, and prints an user-
  friendly error message to make reviewers' life easier.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2092274/+subscriptions


-- 
Mailing list: https://launchpad.net/~canonical-ubuntu-qa
Post to     : canonical-ubuntu-qa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~canonical-ubuntu-qa
More help   : https://help.launchpad.net/ListHelp

[Canonical-ubuntu-qa] [Bug 2092274] [NEW] CONFIG_MODULE_SIG_FORCE can make tests fail

Reply via email to