Message-ID: <1432035900.4510.81.camel@linux.vnet.ibm.com>
Subject: Re: [PATCH 1/4] modsign: Abort modules_install when signing fails
From: Mimi Zohar
To: "Woodhouse, David"
Cc: "linux-kernel@vger.kernel.org", "mmarek@suse.cz", "keyrings@linux-nfs.org", "seth.forshee@canonical.com", "dmitry.kasatkin@gmail.com", "rusty@rustcorp.com.au", "dhowells@redhat.com", "linux-security-module@vger.kernel.org", "mcgrof@suse.com", "mjg59@srcf.ucam.org"
Date: Tue, 19 May 2015 07:45:00 -0400
In-Reply-To: <1432017624.3277.19.camel@intel.com>
References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <1431708779.4727.9.camel@infradead.org> <1431998970.4510.12.camel@linux.vnet.ibm.com> <1432017624.3277.19.camel@intel.com>

On Tue, 2015-05-19 at 06:40 +0000, Woodhouse, David wrote:
> On Mon, 2015-05-18 at 21:29 -0400, Mimi Zohar wrote:
> > On Fri, 2015-05-15 at 17:52 +0100, David Woodhouse wrote:
> > > Signed-off-by: David Woodhouse
> > With this patch, as expected the modules_install aborted on failure. Is
> > there any way to capture the reason for the failure? In my case,
> > dropping the '-j ' option resolved the problem.

My mistake the failure was there.

> Hm, was there no output from sign-file when this happened? Remember that
> with a parallel make the error which stops the build might not be the
> last thing it printed. Can you show the full output?

/bin/sh: line 1: 22771 Segmentation fault (core dumped) scripts/sign-file "sha256" "pkcs11:manufacturer=piv_II;id=%01" ./signing_key.x509 /lib/modules/4.1.0-rc1-test+/kernel/net/ipv6/netfilter/ip6table_filter.ko
/home/zohar/src/kernel/linux-integrity/scripts/Makefile.modinst:35: recipe for target 'net/ipv6/netfilter/ip6table_filter.ko' failed
make[2]: *** [net/ipv6/netfilter/ip6table_filter.ko] Error 139
make[2]: *** Waiting for unfinished jobs....
/bin/sh: line 1: 22842 Segmentation fault (core dumped) scripts/sign-file "sha256" "pkcs11:manufacturer=piv_II;id=%01" ./signing_key.x509 /lib/modules/4.1.0-rc1-test+/kernel/net/netfilter/nf_nat.ko
/home/zohar/src/kernel/linux-integrity/scripts/Makefile.modinst:35: recipe for target 'net/netfilter/nf_nat.ko' failed
make[2]: *** [net/netfilter/nf_nat.ko] Error 139
/home/zohar/src/kernel/linux-integrity/Makefile:1123: recipe for target '_modinst_' failed
make[1]: *** [_modinst_] Error 2
make[1]: Leaving directory '/home/zohar/src/kernel/build/linux-test'
Makefile:146: recipe for target 'sub-make' failed
make: *** [sub-make] Error 2

> It's possible that there's a limit on the number of sessions you can
> have open to the hardware token, and we are exceeding it with a parallel
> build. I thought that pcscd was going to serialize the access and it
> should work properly though. I can certainly do 'make -j
> modules_install' with a Yubikey NEO here (although my test build only
> has about 20 modules).
>
> Any better ideas on how to specify the key passphrase/PIN? Just put it
> in a file in the top-level directory?

Define a kbuild command parameter?

Mimi