On Wed, 2023-04-12 at 06:54 -0400, Genes Lists wrote:
On 4/12/23 03:55, Ralf Mardorf wrote Bit hard to say from above - clearly these need 2 different keys (right?) also you dont say what CONFIG_MODULE_COMPRESS_xx are set to either since you have 2 different module compressions as well as keys being different.
Hi, thank you. I try to post complete logs via pastebin or something else soon, but for the next hours I need to shut down the machine, to do some work, among other things I'll copy the Arch install from the original SATA SSD to a NVMe SSD. [rocketmouse@archlinux ~]$ grep MODULE_COMPRESS /lib/modules/4.19.271- rt120-0.300-cornflower/build/.config CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y [rocketmouse@archlinux ~]$ grep MODULE_COMPRESS /lib/modules/6.2.10- arch1-1/build/.config # CONFIG_MODULE_COMPRESS_NONE is not set # CONFIG_MODULE_COMPRESS_GZIP is not set # CONFIG_MODULE_COMPRESS_XZ is not set CONFIG_MODULE_COMPRESS_ZSTD=y
Maybe post the actual fatal kernel error exactly - is it possible the error you printed was non-fatal and something else kiilled boot?
That's possible. At the moment I've got 4 Arch Linux kernels that fail to boot. 3 were build by me, 1 is from an official Arch repo. [rocketmouse@archlinux ~]$ grep -ePKCS -eunknown /mnt/m1.xubu20.04/boot/grub/grub.cfg menuentry " Arch Linux Rt Cornflower, PKCS#7 signature not signed with a trusted key" { menuentry " Arch Linux Rt Pussytoes, PKCS#7 signature not signed with a trusted key" { menuentry " Arch Linux Rt Securityink, PKCS#7 signature not signed with a trusted key" { menuentry " Arch extra/linux-rt-lts, unknown issue" { The one from the repo doesn't spit a PKCS#7 signature error message, just the kernels build by me do so. All 4 kernels are rt patched kernels. However, the non-lts rt from the repos, extra/linux-rt 6.2.0.3.realtime1-3 does finish startup without a problem. I've got a lot of way older (and other new) kernels for different Linux distros that don't fail to boot, just two other kernels also fail to boot, but with an "too old" error message. The kernel parameter "module.sig_enforce=0" was just a test. At some point after the startup hanged I pushed either Ctrl+Alt+Del or the reset or power off button. [rocketmouse@archlinux ~]$ journalctl -b -2 Apr 12 09:25:45 archlinux kernel: Linux version 4.19.271-rt120-0.300-cornflower (linux-rt-cornflower@archlinux) (gcc version 12.2.1 20230111 (GCC)) #1 SMP PREEMPT RT Sat, 04 Feb 2023 02:01:3> Apr 12 09:25:45 archlinux kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-linux-rt-cornflower root=/dev/disk/by-label/s3.archlinux ro module.sig_enforce=0 [snip] Apr 12 09:25:45 archlinux kernel: Loading compiled-in X.509 certificates Apr 12 09:25:45 archlinux kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f1c3403526458c3d1252b029fd8c628d7fa915df' [snip] Apr 12 09:25:47 archlinux libvirtd[422]: libvirt version: 9.2.0 Apr 12 09:25:47 archlinux libvirtd[422]: hostname: archlinux Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-11' Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-7' Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on 'usb2' Apr 12 09:25:47 archlinux kernel: pci 0000:05:00.0: invalid short VPD tag 00 at offset 1 Apr 12 09:25:47 archlinux kernel: acpi PNP0C14:01: duplicate WMI GUID 05901221-D566-11D1-B2F0-00A0C9062910 (first instance was on PNP0C14:00) Apr 12 09:25:47 archlinux kernel: acpi PNP0C14:02: duplicate WMI GUID 05901221-D566-11D1-B2F0-00A0C9062910 (first instance was on PNP0C14:00) Apr 12 09:25:47 archlinux kernel: PKCS#7 signature not signed with a trusted key Apr 12 09:25:47 archlinux kernel: r8125: loading out-of-tree module taints kernel. Apr 12 09:25:47 archlinux kernel: r8125: module verification failed: signature and/or required key missing - tainting kernel Apr 12 09:25:47 archlinux kernel: r8125 2.5Gigabit Ethernet driver 9.011.00-NAPI loaded Apr 12 09:25:47 archlinux kernel: r8125: This product is covered by one or more of the following patents: US6,570,884, US6,115,776, and US6,327,625. Apr 12 09:25:47 archlinux kernel: r8125 Copyright (C) 2022 Realtek NIC software team <nicfae@realtek.com> This program comes with ABSOLUTELY NO WARRANTY; for details, please see <http://www.gnu.org/licenses/>. This is free software, and you are welcome to redistribute it under certain conditions; see <http://www.gnu.org/licenses/>. Apr 12 09:25:48 archlinux kernel: snd_hdspm 0000:01:00.0: enabling device (0000 -> 0002) Apr 12 09:25:48 archlinux kernel: snd_hda_intel 0000:00:1f.3: enabling device (0000 -> 0002) [snip] Apr 12 09:25:54 archlinux kernel: r8125: enp5s0: link up Apr 12 09:25:54 archlinux kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp5s0: link becomes ready Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: IAID 3c:26:c4:c6 Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: adding address fe80::4388:6700:a99d:1b58 Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: rebinding lease of 192.168.1.2 Apr 12 09:25:54 archlinux dhcpcd[409]: enp5s0: soliciting an IPv6 router Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: DHCP lease expired Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: soliciting a DHCP lease Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: Router Advertisement from fe80::1 Apr 12 09:25:59 archlinux dnsmasq[587]: reading /etc/resolv.conf Apr 12 09:25:59 archlinux dnsmasq[587]: using nameserver fe80::1%enp5s0#53 Apr 12 09:25:59 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information Apr 12 09:26:00 archlinux dhcpcd[409]: enp5s0: offered 192.168.1.2 from 192.168.1.1 Apr 12 09:26:00 archlinux dhcpcd[409]: enp5s0: probing address 192.168.1.2/24 Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: leased 192.168.1.2 for 604800 seconds Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: adding route to 192.168.1.0/24 Apr 12 09:26:05 archlinux dhcpcd[409]: enp5s0: adding default route via 192.168.1.1 Apr 12 09:26:05 archlinux dnsmasq[587]: reading /etc/resolv.conf Apr 12 09:26:05 archlinux dnsmasq[587]: using nameserver 192.168.1.1#53 Apr 12 09:26:05 archlinux dnsmasq[587]: using nameserver fe80::1%enp5s0#53 Apr 12 09:26:09 archlinux dhcpcd[409]: enp5s0: failed to request DHCPv6 information Apr 12 09:26:09 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information Apr 12 09:26:19 archlinux dhcpcd[409]: enp5s0: requesting DHCPv6 information Apr 12 09:26:21 archlinux systemd[1]: Received SIGINT. Apr 12 09:26:21 archlinux systemd[1]: Activating special unit System Reboot... [snip] Apr 12 09:26:22 archlinux systemd[1]: Finished System Reboot. Apr 12 09:26:22 archlinux systemd[1]: Reached target System Reboot. Apr 12 09:26:22 archlinux systemd[1]: Shutting down. Apr 12 09:26:22 archlinux systemd-shutdown[1]: Syncing filesystems and block devices. Apr 12 09:26:22 archlinux systemd-shutdown[1]: Sending SIGTERM to remaining processes... Apr 12 09:26:22 archlinux systemd-journald[312]: Received SIGTERM from PID 1 (systemd-shutdow). Apr 12 09:26:22 archlinux haveged[311]: haveged: Stopping due to signal 15 Apr 12 09:26:22 archlinux haveged[311]: tot tests(BA8): A:1/1 B:1/1 continuous tests(B): last entropy estimate 8.00161 Apr 12 09:26:22 archlinux haveged[311]: fills: 1, generated: 512 K bytes, RNDADDENTROPY: 256 Apr 12 09:26:22 archlinux dnsmasq[587]: exiting on receipt of SIGTERM Apr 12 09:26:22 archlinux haveged[311]: haveged starting up Apr 12 09:26:22 archlinux systemd-journald[312]: Journal stopped [rocketmouse@archlinux ~]$ journalctl -b -2 | grep -i error -B1 -A1 Apr 12 09:25:45 archlinux kernel: mce: Using 20 MCE banks Apr 12 09:25:45 archlinux kernel: RAS: Correctable Errors collector initialized. Apr 12 09:25:45 archlinux kernel: microcode: sig=0xb06f5, pf=0x4, revision=0x2c -- Apr 12 09:25:46 archlinux kernel: cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7' Apr 12 09:25:46 archlinux kernel: platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 Apr 12 09:25:46 archlinux kernel: cfg80211: failed to load regulatory.db -- Apr 12 09:25:47 archlinux libvirtd[422]: hostname: archlinux Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-11' Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on '1-7' Apr 12 09:25:47 archlinux libvirtd[422]: internal error: Missing udev property 'ID_VENDOR_ID' on 'usb2' Apr 12 09:25:47 archlinux kernel: pci 0000:05:00.0: invalid short VPD tag 00 at offset 1 -- Apr 12 09:25:50 archlinux systemd[1]: Manage Sound Card State (restore and store) was skipped because of an unmet condition check (ConditionPathExists=/etc/alsa/state-daemon.conf). Apr 12 09:25:50 archlinux alsactl[709]: alsa-lib main.c:1541:(snd_use_case_mgr_open) error: failed to import hw:0 use case configuration -2 Apr 12 09:25:50 archlinux kernel: enp5s0: 0xffffbb3507400000, 74:56:3c:26:c4:c6, IRQ 18 [rocketmouse@archlinux ~]$ journalctl -b -2 | grep -i warn -B1 -A1 Apr 12 09:25:45 archlinux kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization Apr 12 09:25:45 archlinux kernel: Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks! Apr 12 09:25:45 archlinux kernel: Spectre V2 : Mitigation: Enhanced IBRS -- Apr 12 09:25:45 archlinux kernel: hw perf events fixed 4 > max(3), clipping! Apr 12 09:25:45 archlinux kernel: WARNING: CPU: 0 PID: 1 at arch/x86/events/intel/core.c:4515 intel_pmu_init+0x1022/0x120c Apr 12 09:25:45 archlinux kernel: Modules linked in:
My understanding of out of tree signed kernel modules (and some tools) is captured here (wiki is similar but likely bit out of date vs GH):
https://github.com/gene-git/Arch-SKM
That all said, it appears you've built the kernel with one cert and signed using a different one - maybe?
I don't understand it. If it should be a signing issue, then it does matter when using one mobo and doesn't matter, if the same SSD holding the Arch Linux install is connected to another mobo? It only matters when UEFI booting (with secure boot disabled), but doesn't matter when legacy booting is enabled by the older mobo? Isn't this signing independent of the used boot mechanism? Maybe the culprit is something else, but I couldn't identify something else. Regards, Ralf