Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service

To: 1012741@bugs.debian.org
Subject: Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 16 Jun 2022 01:28:41 +0200
Message-id: <[🔎] 4b3a65d604f01e435b58d469b0ea8a46fb3338dd.camel@decadent.org.uk>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 1012741@bugs.debian.org
In-reply-to: <[🔎] afc8d12b177c4bb8bfbf8cbd59224afaca9f4446.camel@decadent.org.uk>
References: <165510108027.13973.10383758976508782069.reportbug@coffee.vetmed.illinois.edu> <[🔎] afc8d12b177c4bb8bfbf8cbd59224afaca9f4446.camel@decadent.org.uk> <165510108027.13973.10383758976508782069.reportbug@coffee.vetmed.illinois.edu>

On Mon, 2022-06-13 at 18:23 +0200, Ben Hutchings wrote:
[...]
> I can confirm that this module does not load, and this means it has an
> invalid signature.  The detached signature present in the source
> package seems to be truncated (408 bytes long, where for all other
> modules the detached signature is 411 bytes long).
> 
> The amd64 kernel package is also affected, but for a different module
> (xt_l2tp).
> 
> Since the truncated signatures are in the source packages, this is a
> problem introduced by the code signing service and will need to be
> fixed there.

I wrote a script to check for short signatures (and other unexpected
things) in detached signature files:
https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/scripts/benh/check-sig-params

I've now run that over all linux-signed-* packages available on
snapshot.debian.org.  It found short signatures (in all cases, a raw
signature length of 254 bytes rather than 256 bytes) for the following
binary packages, versions, and files:

linux-image-4.19.0-0.bpo.4-686-pae 4.19.28-2~bpo9+1 lib/modules/4.19.0-0.bpo.4-686-pae/kernel/drivers/usb/storage/ums-realtek.ko
linux-image-4.19.0-0.bpo.4-amd64 4.19.28-2~bpo9+1 lib/modules/4.19.0-0.bpo.4-amd64/kernel/drivers/iio/gyro/bmg160_i2c.ko
linux-image-4.19.0-0.bpo.4-rt-amd64 4.19.28-2~bpo9+1 lib/modules/4.19.0-0.bpo.4-rt-amd64/kernel/drivers/mtd/chips/map_ram.ko
linux-image-4.19.0-0.bpo.5-amd64 4.19.37-4~bpo9+1 lib/modules/4.19.0-0.bpo.5-amd64/kernel/drivers/video/fbdev/via/viafb.ko
linux-image-4.19.0-0.bpo.6-686 4.19.67-2+deb10u1~bpo9+1 lib/modules/4.19.0-0.bpo.6-686/kernel/drivers/media/usb/hackrf/hackrf.ko
linux-image-4.19.0-4-rt-686-pae 4.19.28-1 lib/modules/4.19.0-4-rt-686-pae/kernel/drivers/media/tuners/fc2580.ko
linux-image-4.19.0-4-rt-amd64 4.19.28-1 lib/modules/4.19.0-4-rt-amd64/kernel/drivers/vhost/vringh.ko
linux-image-4.19.0-4-rt-amd64 4.19.28-2 lib/modules/4.19.0-4-rt-amd64/kernel/drivers/vhost/vringh.ko
linux-image-4.19.0-5-686-pae 4.19.37-2 lib/modules/4.19.0-5-686-pae/kernel/drivers/bluetooth/ath3k.ko
linux-image-4.19.0-5-686-pae 4.19.37-3 lib/modules/4.19.0-5-686-pae/kernel/drivers/bluetooth/ath3k.ko
linux-image-4.19.0-5-amd64 4.19.37-1 lib/modules/4.19.0-5-amd64/kernel/drivers/net/wireless/ralink/rt2x00/rt2500usb.ko
linux-image-4.19.0-5-rt-amd64 4.19.37-5+deb10u2 lib/modules/4.19.0-5-rt-amd64/kernel/net/ipv4/tcp_hybla.ko
linux-image-4.19.0-17-686 4.19.194-1 lib/modules/4.19.0-17-686/kernel/drivers/thermal/intel_soc_dts_iosf.ko
linux-image-4.19.0-17-686 4.19.194-2 lib/modules/4.19.0-17-686/kernel/drivers/thermal/intel_soc_dts_iosf.ko
linux-image-4.19.0-17-686 4.19.194-3 lib/modules/4.19.0-17-686/kernel/drivers/thermal/intel_soc_dts_iosf.ko
linux-image-4.19.0-17-amd64 4.19.194-1 lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
linux-image-4.19.0-17-amd64 4.19.194-2 lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
linux-image-4.19.0-17-amd64 4.19.194-3 lib/modules/4.19.0-17-amd64/kernel/drivers/dma/dw/dw_dmac_core.ko
linux-image-4.19.0-18-rt-686-pae 4.19.208-1 lib/modules/4.19.0-18-rt-686-pae/kernel/drivers/staging/comedi/drivers/jr3_pci.ko
linux-image-4.19.0-19-rt-686-pae 4.19.232-1 lib/modules/4.19.0-19-rt-686-pae/kernel/fs/sysv/sysv.ko
linux-image-4.19.0-20-amd64 4.19.235-1 lib/modules/4.19.0-20-amd64/kernel/sound/pci/echoaudio/snd-indigoio.ko
linux-image-4.19.0-20-rt-arm64 4.19.235-1 lib/modules/4.19.0-20-rt-arm64/kernel/drivers/video/fbdev/arkfb.ko
linux-image-5.2.0-0.bpo.2-amd64 5.2.9-2~bpo10+1 lib/modules/5.2.0-0.bpo.2-amd64/kernel/drivers/input/keyboard/max7359_keypad.ko
linux-image-5.2.0-2-arm64 5.2.9-1 lib/modules/5.2.0-2-arm64/kernel/crypto/cast6_generic.ko
linux-image-5.2.0-2-arm64 5.2.9-2 lib/modules/5.2.0-2-arm64/kernel/crypto/cast6_generic.ko
linux-image-5.2.0-2-rt-686-pae 5.2.9-1 lib/modules/5.2.0-2-rt-686-pae/kernel/drivers/net/ethernet/intel/ixgb/ixgb.ko
linux-image-5.2.0-2-rt-686-pae 5.2.9-2 lib/modules/5.2.0-2-rt-686-pae/kernel/drivers/net/ethernet/intel/ixgb/ixgb.ko
linux-image-5.2.0-3-cloud-amd64 5.2.17-1 lib/modules/5.2.0-3-cloud-amd64/kernel/net/sched/act_skbmod.ko
linux-image-5.3.0-1-amd64 5.3.7-1 lib/modules/5.3.0-1-amd64/kernel/sound/pci/hda/snd-hda-codec-hdmi.ko
linux-image-5.3.0-2-arm64 5.3.9-3 lib/modules/5.3.0-2-arm64/kernel/drivers/usb/gadget/function/u_ether.ko
linux-image-5.3.0-2-cloud-amd64 5.3.9-1 lib/modules/5.3.0-2-cloud-amd64/kernel/fs/nls/nls_koi8-u.ko
linux-image-5.4.0-0.bpo.2-686-pae 5.4.8-1~bpo10+1 lib/modules/5.4.0-0.bpo.2-686-pae/kernel/drivers/net/phy/aquantia.ko
linux-image-5.4.0-0.bpo.4-rt-arm64 5.4.19-1~bpo10+1 lib/modules/5.4.0-0.bpo.4-rt-arm64/kernel/drivers/hwmon/lm73.ko
linux-image-5.4.0-3-cloud-amd64 5.4.13-1 lib/modules/5.4.0-3-cloud-amd64/kernel/net/netfilter/xt_NETMAP.ko
linux-image-5.10.0-0.bpo.9-arm64 5.10.70-1~bpo10+1 lib/modules/5.10.0-0.bpo.9-arm64/kernel/sound/usb/line6/snd-usb-line6.ko
linux-image-5.10.0-0.bpo.11-rt-686-pae 5.10.92-1~bpo10+1 lib/modules/5.10.0-0.bpo.11-rt-686-pae/kernel/net/netfilter/ipset/ip_set_hash_ipmac.ko
linux-image-5.10.0-0.bpo.11-rt-arm64 5.10.92-1~bpo10+1 lib/modules/5.10.0-0.bpo.11-rt-arm64/kernel/drivers/media/pci/cx88/cx8800.ko
linux-image-5.10.0-5-amd64 5.10.24-1 lib/modules/5.10.0-5-amd64/kernel/drivers/net/phy/teranetics.ko
linux-image-5.10.0-5-amd64 5.10.26-1 lib/modules/5.10.0-5-amd64/kernel/drivers/net/phy/teranetics.ko
linux-image-5.10.0-5-rt-686-pae 5.10.24-1 lib/modules/5.10.0-5-rt-686-pae/kernel/drivers/thermal/intel/int340x_thermal/processor_thermal_device.ko
linux-image-5.10.0-5-rt-686-pae 5.10.26-1 lib/modules/5.10.0-5-rt-686-pae/kernel/drivers/thermal/intel/int340x_thermal/processor_thermal_device.ko
linux-image-5.10.0-6-amd64 5.10.28-1 lib/modules/5.10.0-6-amd64/kernel/drivers/media/usb/zr364xx/zr364xx.ko
linux-image-5.10.0-6-amd64 5.10.28-1 lib/modules/5.10.0-6-amd64/kernel/fs/nls/nls_cp852.ko
linux-image-5.10.0-6-rt-arm64 5.10.28-1 lib/modules/5.10.0-6-rt-arm64/kernel/fs/nfs/nfsv3.ko
linux-image-5.10.0-7-rt-686-pae 5.10.38-1 lib/modules/5.10.0-7-rt-686-pae/kernel/drivers/i2c/busses/i2c-pca-platform.ko
linux-image-5.10.0-7-rt-686-pae 5.10.40-1 lib/modules/5.10.0-7-rt-686-pae/kernel/drivers/i2c/busses/i2c-pca-platform.ko
linux-image-5.10.0-11-686 5.10.92-1 lib/modules/5.10.0-11-686/kernel/drivers/platform/x86/intel_int0002_vgpio.ko
linux-image-5.10.0-11-686 5.10.92-2 lib/modules/5.10.0-11-686/kernel/drivers/platform/x86/intel_int0002_vgpio.ko
linux-image-5.10.0-14-686-pae 5.10.113-1 lib/modules/5.10.0-14-686-pae/kernel/drivers/net/wan/hostess_sv11.ko
linux-image-5.10.0-15-686-pae 5.10.120-1 lib/modules/5.10.0-15-686-pae/kernel/lib/crc-itu-t.ko
linux-image-5.10.0-15-amd64 5.10.120-1 lib/modules/5.10.0-15-amd64/kernel/net/netfilter/xt_l2tp.ko
linux-image-5.14.0-0.bpo.2-686 5.14.9-2~bpo11+1 lib/modules/5.14.0-0.bpo.2-686/kernel/drivers/comedi/drivers/usbdux.ko
linux-image-5.14.0-3-686 5.14.12-1 lib/modules/5.14.0-3-686/kernel/drivers/bluetooth/bcm203x.ko
linux-image-5.15.0-0.bpo.2-arm64 5.15.5-2~bpo11+1 lib/modules/5.15.0-0.bpo.2-arm64/kernel/drivers/iio/accel/da311.ko
linux-image-5.15.0-0.bpo.3-rt-amd64 5.15.15-2~bpo11+1 lib/modules/5.15.0-0.bpo.3-rt-amd64/kernel/net/netfilter/xt_HMARK.ko
linux-image-5.15.0-2-rt-arm64 5.15.5-1 lib/modules/5.15.0-2-rt-arm64/kernel/sound/usb/snd-usb-audio.ko
linux-image-5.15.0-2-rt-arm64 5.15.5-2 lib/modules/5.15.0-2-rt-arm64/kernel/sound/usb/snd-usb-audio.ko
linux-image-5.15.0-3-amd64 5.15.15-1 lib/modules/5.15.0-3-amd64/kernel/drivers/net/ethernet/packetengines/hamachi.ko
linux-image-5.15.0-3-amd64 5.15.15-2 lib/modules/5.15.0-3-amd64/kernel/drivers/net/ethernet/packetengines/hamachi.ko
linux-image-5.16.0-2-rt-686-pae 5.16.10-1 lib/modules/5.16.0-2-rt-686-pae/kernel/drivers/watchdog/w83977f_wdt.ko
linux-image-5.16.0-5-amd64 5.16.14-1 lib/modules/5.16.0-5-amd64/kernel/drivers/media/pci/meye/meye.ko
linux-image-5.16.0-5-cloud-arm64 5.16.14-1 lib/modules/5.16.0-5-cloud-arm64/kernel/net/mpls/mpls_iptunnel.ko
linux-image-5.16.0-6-686 5.16.18-1 lib/modules/5.16.0-6-686/kernel/drivers/input/serio/ct82c710.ko
linux-image-5.16.0-6-amd64 5.16.18-1 lib/modules/5.16.0-6-amd64/kernel/drivers/pci/hotplug/cpcihp_zt5550.ko
linux-image-5.16.0-6-rt-arm64 5.16.18-1 lib/modules/5.16.0-6-rt-arm64/kernel/drivers/gpu/drm/tiny/cirrus.ko
linux-image-5.16.0-rc3-rt-arm64 5.16~rc3-1~exp1 lib/modules/5.16.0-rc3-rt-arm64/kernel/drivers/media/dvb-frontends/dib3000mb.ko
linux-image-5.16.0-rc4-686-pae 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-686-pae/kernel/drivers/video/fbdev/matrox/matroxfb_g450.ko
linux-image-5.16.0-rc4-rt-amd64 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-rt-amd64/kernel/drivers/i2c/busses/i2c-piix4.ko
linux-image-5.16.0-rc4-rt-amd64 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-rt-amd64/kernel/drivers/tty/n_gsm.ko
linux-image-5.16.0-rc4-rt-arm64 5.16~rc4-1~exp1 lib/modules/5.16.0-rc4-rt-arm64/kernel/drivers/net/phy/marvell.ko
linux-image-5.16.0-rc5-rt-arm64 5.16~rc5-1~exp1 lib/modules/5.16.0-rc5-rt-arm64/kernel/net/sched/sch_ingress.ko
linux-image-5.16.0-trunk-rt-amd64 5.16.4-1~exp1 lib/modules/5.16.0-trunk-rt-amd64/kernel/drivers/net/usb/qmi_wwan.ko
linux-image-5.17.0-3-686-pae 5.17.11-1 lib/modules/5.17.0-3-686-pae/kernel/net/bridge/netfilter/nft_meta_bridge.ko
linux-image-5.17.0-rc5-rt-686-pae 5.17~rc5-1~exp1 lib/modules/5.17.0-rc5-rt-686-pae/kernel/drivers/ata/sata_sil.ko
linux-image-5.18.0-trunk-cloud-arm64 5.18-1~exp1 lib/modules/5.18.0-trunk-cloud-arm64/kernel/fs/nls/mac-inuit.ko

A significant pattern visible here is a short signature for the same
module in multiple consecutive versions, where the module may have
identical contents.  That implies that this is a reproducible issue for
certain inputs that cannot be worked around by re-running the signing
process.

However, I have *not* yet verified that all short signatures really are
invalid.

Ben.

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service
  - From: Ben Hutchings <ben@decadent.org.uk>

References:
- Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Processed: limit source to linux, tagging 1012794, tagging 1012288
Next by Date: Bug#1012829: linux-image-5.17.0-3-amd64: intel_iommu=igfx_off workaround required for graphics card
Previous by thread: Processed: Re: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service
Next by thread: Bug#1012741: modprobe: ERROR: could not insert 'crc_itu_t': Key was rejected by service
Index(es):
- Date
- Thread