Bugzilla – Bug 1214005
Shouldn't rtl8812au-kmp-default use a signed module?
Last modified: 2023-08-11 07:23:17 UTC
For the driver in this RPM package:

Name        : rtl8812au-kmp-default
Version     : 5.9.3.2+git20210427.6ef5d8f_k5.14.21_150400.22
License     : GPL-2.0-only
Signature   : RSA/SHA256, Do 12 Mai 2022 04:56:19 CEST, Key ID b88b2fd43dbdc284
Source RPM  : rtl8812au-5.9.3.2+git20210427.6ef5d8f-lp154.2.202.src.rpm
Build Date  : Do 12 Mai 2022 04:56:12 CEST
Build Host  : build81

I get a kernel warning:

Aug 05 00:23:22 pc kernel: 8812au: loading out-of-tree module taints kernel.
Aug 05 00:23:22 pc kernel: 8812au: module verification failed: signature and/or required key missing - tainting kernel

> sudo modinfo 8812au
filename:       /lib/modules/5.14.21-150500.55.12-default/weak-updates/updates/8812au.ko
version:        v5.13.6-15-gc40b977e2.20210629
author:         Realtek Semiconductor Corp.
description:    Realtek Wireless Lan Driver
license:        GPL
suserelease:    SLE15-SP5
srcversion:     6D03CBD3591559FC33E0EB7

Shouldn't that module use the default build key? It also looks as if it was built using an older kernel source.
I'm also seeing a bug when the kernel complains the MAC should be all zeros (XX replaced actual address for privacy):

kernel: rtl8812au 1-4:1.0 wlan0: Current addr:  XX XX XX XX XX XX 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
kernel: rtl8812au 1-4:1.0 wlan0: Expected addr: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
kernel: ------------[ cut here ]------------
kernel: netdevice: wlan0: Incorrect netdev->dev_addr

Maybe a fix would be similar to this: https://github.com/clnhub/rtl8192eu-linux/pull/59
If it's a package from OBS hardware project, it's not part of the official release, hence it's never signed with the official key. You'd have to import the OBS project's cert file manually and deploy for MOK by yourself.

For the other issue, please open another report.
(In reply to Takashi Iwai from comment #2)
> If it's a package from OBS hardware project, it's not part of the official
> release, hence it's never signed with the official key. You'd have to
> import the OBS project's cert file manually and deploy for MOK by yourself.

I'm somewhat confused, because modinfo says:

> /usr/sbin/modinfo 8812au |grep sig
sig_id:         PKCS#7
signer:         openSUSE Secure Boot CA
sig_key:        FA:BE:D8:BF:40:9A:5E:65
sig_hashalgo:   sha256
signature:      5E:52:13:39:CB:20:83:65:41:76:DB:27:C2:65:0C:BE:63:0B:A9:9A:

> /usr/sbin/modinfo xfs |grep sig
sig_id:         PKCS#7
signer:         SUSE Linux Enterprise Secure Boot CA
sig_key:        CA:FC:B5:D7:5E:C5:89:82
sig_hashalgo:   sha256
signature:      84:1C:86:27:25:2F:9B:D8:E8:71:7F:82:47:F4:69:DE:41:B6:EF:48:

So signer "openSUSE Secure Boot CA" isn't an official key?
I wrote "If it's a package from OBS hardware project". If it's indeed from the official TW package, you'd just need to deploy the openSUSE cert to MOK. The cert should have been included in openSUSE-signkey-cert package.
(In reply to Takashi Iwai from comment #4)
> If it's indeed from the official TW package

"Leap" instead of "TW" in this case, of course.
(In reply to Takashi Iwai from comment #4)
> I wrote "If it's a package from OBS hardware project". If it's indeed from
> the official TW package, you'd just need to deploy the openSUSE cert to MOK.
> The cert should have been included in openSUSE-signkey-cert package.

Still confused (I know little about the Secure Boot/MOK thing): Isn't MOK for the first stage of secure boot only, and doesn't the kernel have its own certificates (in initrd, I guess)? If so, shouldn't the needed keys be imported there automatically?
It's the nature of Leap; it takes the packages from SLE as-is, and the kernel is part of it. The kernel package is built with SLE cert key, not with openSUSE cert. Meanwhile such a 3rd party KMP is built only for Leap, hence it's signed with openSUSE cert key.

There must have been some documentation mentioning it in the Leap release notes (maybe for earlier releases).
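
The signer mismatch described in the comment above can be checked mechanically. The following is an added example, not part of the bug thread and not SUSE's tooling: it compares the `signer:` name from `modinfo` output with the certificate names in the kernel's "Loaded X.509 cert" boot log lines. The function names are hypothetical, the modinfo samples are taken from the output quoted in the thread, and the kernel log line with its key id is constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread. The key id in KERNEL_LOG is constructed.

# Print the name on the "signer:" line of `modinfo` output read from stdin.
module_signer() {
    sed -n 's/^signer:[[:space:]]*//p' | head -n 1
}

# Print certificate names from "Loaded X.509 cert '<name>: <key id>'" lines
# of kernel log text read from stdin.
loaded_cert_names() {
    sed -n "s/.*Loaded X\.509 cert '\(.*\): [0-9a-f]*'.*/\1/p" | sort -u
}

# check_signer MODINFO_TEXT KERNEL_LOG_TEXT
# Returns 0 if the signer name is among the loaded certs, 1 if it is not,
# 2 if the module has no signer line. This is a name comparison only; the
# kernel itself verifies the signature against the key, not the name.
check_signer() {
    signer=$(printf '%s\n' "$1" | module_signer)
    [ -n "$signer" ] || { echo "unsigned"; return 2; }
    if printf '%s\n' "$2" | loaded_cert_names | grep -Fxq -- "$signer"; then
        echo "loaded: $signer"
    else
        echo "not loaded: $signer"
        return 1
    fi
}

# Signature fields as quoted in the thread for the two modules.
MODINFO_8812AU='sig_id:         PKCS#7
signer:         openSUSE Secure Boot CA
sig_key:        FA:BE:D8:BF:40:9A:5E:65'
MODINFO_XFS='sig_id:         PKCS#7
signer:         SUSE Linux Enterprise Secure Boot CA
sig_key:        CA:FC:B5:D7:5E:C5:89:82'

# Constructed boot log: only the SLE certificate is present, as on a Leap
# system where the openSUSE certificate has not been enrolled in MOK.
KERNEL_LOG="kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: 00112233445566778899aabbccddeeff00112233'"

check_signer "$MODINFO_XFS" "$KERNEL_LOG" || true
check_signer "$MODINFO_8812AU" "$KERNEL_LOG" || true
```

On a live system the two arguments would come from `modinfo <module>` and the current boot's kernel log, assuming the log still contains the certificate lines.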
OK, I created https://unix.stackexchange.com/q/753778/320598