1. Forum
  2. Usenet
  3. L.DEBIAN.DEVEL.RELEASE

  • Bug#1105164: linux-image-6.1.0-35-amd64: watchdog kernel module load er

    From Salvatore Bonaccorso@21:1/5 to Salvatore Bonaccorso on Sat May 17 09:00:01 2025
    XPost: linux.debian.bugs.dist, linux.debian.maint.boot

    Hi

    [not yet trimming the CC list to give a short update]

    On Mon, May 12, 2025 at 10:34:51PM +0200, Salvatore Bonaccorso wrote:
    Control: severity -1 serious

    Hi Robert,

    On Mon, May 12, 2025 at 04:38:19PM +0100, Robert Shearman wrote:
    Package: src:linux
    Version: 6.1.137-1
    Severity: important
    X-Debbugs-Cc: rob@graphiant.com

    rob@graph-dev-bookworm:~$ sudo modprobe watchdog
    modprobe: ERROR: could not insert 'watchdog': Bad message

    Using extract-module-sig.pl from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/extract-module-sig.pl
    shows there is no signature present for the watchdog kernel object
    file:

    $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko
    Read 91616 bytes from module file
    Found magic number at 91616
    Found PKCS#7/CMS encapsulation

    Compared to 6.1.0-34-amd64 version:

    $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-34-amd64/kernel/drivers/watchdog/watchdog.ko
    Read 92027 bytes from module file
    Found magic number at 92027
    Found PKCS#7/CMS encapsulation
    Found 411 bytes of signature [3082019706092a864886f70d010702a0]
    ...

    So indeed there was likely a temporary problem when doing the signing
    of the modules for linux-signed-amd64. There is the watchdog module
    and w83977f_wdt one which have zero size signature:

    ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko.sig
    ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/w83977f_wdt.ko.sig

    I checked as well linux-signed-i386 and linux-signed-arm64 but there I
    found none with a problem.

    After a short double-checking with Ansgar, the check might be
    included in https://salsa.debian.org/ftp-team/code-signing/-/blob/master/secure-boot-code-sign.py?ref_type=heads#L180
    in the sign_kmod function. And similarly in sign_efi function as well
    in https://salsa.debian.org/ftp-team/code-signing/-/blob/master/secure-boot-code-sign.py?ref_type=heads#L200

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)