• Bug#1105164: linux-image-6.1.0-35-amd64: watchdog kernel module load er

    From Salvatore Bonaccorso@21:1/5 to Robert Shearman on Mon May 12 22:40:01 2025
    XPost: linux.debian.devel.release, linux.debian.maint.boot, linux.debian.kernel

    Control: severity -1 serious

    Hi Robert,

    On Mon, May 12, 2025 at 04:38:19PM +0100, Robert Shearman wrote:
    > Package: src:linux
    > Version: 6.1.137-1
    > Severity: important
    > X-Debbugs-Cc: rob@graphiant.com
    >
    > rob@graph-dev-bookworm:~$ sudo modprobe watchdog
    > modprobe: ERROR: could not insert 'watchdog': Bad message
    >
    > Using extract-module-sig.pl from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/extract-module-sig.pl
    > shows there is no signature present for the watchdog kernel object
    > file:
    >
    > $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko
    > Read 91616 bytes from module file
    > Found magic number at 91616
    > Found PKCS#7/CMS encapsulation
    >
    > Compared to 6.1.0-34-amd64 version:
    >
    > $ ~/Downloads/extract-module-sig.pl -s /lib/modules/6.1.0-34-amd64/kernel/drivers/watchdog/watchdog.ko
    > Read 92027 bytes from module file
    > Found magic number at 92027
    > Found PKCS#7/CMS encapsulation
    > Found 411 bytes of signature [3082019706092a864886f70d010702a0]
    ...

    So indeed there was likely a temporary problem when doing the signing
    of the modules for linux-signed-amd64. There is the watchdog module
    and w83977f_wdt one which have zero size signature:

    ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/watchdog.ko.sig
    ./linux-signed-amd64-6.1.137+1/debian/signatures/linux-image-6.1.0-35-amd64-unsigned/lib/modules/6.1.0-35-amd64/kernel/drivers/watchdog/w83977f_wdt.ko.sig

    I checked as well linux-signed-i386 and linux-signed-arm64 but there I
    found none with a problem.

    Ansgar, assuming at this point we cannot do something anymore for the
    point release.

    Cyril, Adam, so skip the kernel update for the upcoming point release?

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Salvatore Bonaccorso on Mon May 12 23:10:01 2025
    XPost: linux.debian.devel.release, linux.debian.maint.boot, linux.debian.kernel

    The alternative would be given that the "only" two modules affected
    are watchdog and w83977f_wdt to proceed as planned with the point
    release (testing, Cyril?) and make a nearby src:linux DSA release
    including further security fixes.

    6.14.7, 6.12.29 and 6.1.139 are currently being reviewed upstream, in particular including the ITS variant of the "Training Solo" issue
    (side note, to be effective the fixes will need as well an
    intel-microcode update, cf. #1105172).

    Regards,
    Salvatore

  • From Jonathan Wiltshire@21:1/5 to Salvatore Bonaccorso on Mon May 12 23:30:01 2025
    XPost: linux.debian.devel.release, linux.debian.maint.boot, linux.debian.kernel

    Hola,

    We discussed briefly just now and decided that:

    - as it's "just" amd64 watchdog and w83977f_wdt modules, and
    - a kernel DSA is imminent anyway, and
    - deferring the point release and skipping the kernel are both major
    upheavals,

    we intend to continue as planned and include a warning in the announcement
    on release, that affected users should disable their watchdogs or not
    reboot until an updated kernel is released very soon after the point
    release will be.

    If there are other issues we have not considered please speak up urgently.

    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1


  • From Cyril Brulebois@21:1/5 to All on Tue May 13 00:00:01 2025
    XPost: linux.debian.devel.release, linux.debian.maint.boot, linux.debian.kernel

    Hi,

    Jonathan Wiltshire <jmw@debian.org> (2025-05-12):
    > We discussed briefly just now and decided that:
    >
    > - as it's "just" amd64 watchdog and w83977f_wdt modules, and

    It's been a while since I last toyed with watchdogs (and those needed
    explicit actions to be enabled anyway), but I'd expect those not to be
    shipped or used within d-i, so probable ACK on the installer front.

    A quick look through Contents-udeb-* through a reconfigured apt-file
    seems to suggest they're not shipped in any udeb. Definitive ACK then.

    > - a kernel DSA is imminent anyway, and
    > - deferring the point release and skipping the kernel are both major
    > upheavals,
    >
    > we intend to continue as planned and include a warning in the
    > announcement on release, that affected users should disable their
    > watchdogs or not reboot until an updated kernel is released very soon
    > after the point release will be.
    >
    > If there are other issues we have not considered please speak up
    > urgently.

    Unless you tell me otherwise I'll stick to testing then uploading d-i
    with the ABI bumped to 35. (And it can still be rejected from pu-NEW
    anyway?)


    Cheers,
    --
    Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant

  • From Salvatore Bonaccorso@21:1/5 to Salvatore Bonaccorso on Sat May 17 09:00:01 2025
    XPost: linux.debian.devel.release, linux.debian.maint.boot

    Hi

    [not yet trimming the CC list to give a short update]

    After a short double-checking with Ansgar, the check might be
    included in https://salsa.debian.org/ftp-team/code-signing/-/blob/master/secure-boot-code-sign.py?ref_type=heads#L180
    in the sign_kmod function. And similarly in sign_efi function as well
    in https://salsa.debian.org/ftp-team/code-signing/-/blob/master/secure-boot-code-sign.py?ref_type=heads#L200

    Regards,
    Salvatore
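
    The signature check discussed in this thread, as an added example that is not part of the original messages or of the Debian code-signing scripts: it parses the trailer the kernel appends to a signed module (`struct module_signature` followed by the magic string) and flags modules whose signature length is zero, as reported for watchdog.ko. The function names and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct

MAGIC = b"~Module signature appended~\n"   # marker that ends a signed module
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature, 12 bytes
PKEY_ID_PKCS7 = 2                          # id_type for PKCS#7/CMS signatures

def inspect_module(data: bytes) -> tuple[str, int]:
    """Return (status, sig_len) for the raw bytes of a .ko file."""
    if not data.endswith(MAGIC):
        return ("unsigned", 0)
    body = data[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return ("malformed", 0)
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = \
        TRAILER.unpack(body[-TRAILER.size:])
    payload_end = len(body) - TRAILER.size
    if sig_len > payload_end:
        return ("malformed", sig_len)
    if sig_len == 0:
        return ("empty-signature", 0)      # trailer present, no signature data
    sig = body[payload_end - sig_len:payload_end]
    if id_type != PKEY_ID_PKCS7 or sig[0] != 0x30:   # DER SEQUENCE expected
        return ("malformed", sig_len)
    return ("signed", sig_len)

def audit_modules(root: str) -> list[tuple[str, str]]:
    """List every .ko under root that does not carry a usable signature."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".ko"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                status, _ = inspect_module(fh.read())
            if status != "signed":
                findings.append((os.path.relpath(path, root), status))
    return sorted(findings)

def build_module(elf: bytes, sig: bytes) -> bytes:
    """Constructed test input: ELF stand-in + signature + trailer + magic."""
    return elf + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC

# Constructed sample: the 16 bytes quoted in the report, zero-padded to 411 bytes.
SAMPLE_SIG = bytes.fromhex("3082019706092a864886f70d010702a0").ljust(411, b"\0")

if __name__ == "__main__":
    print(inspect_module(build_module(b"\x7fELF" + bytes(64), b"")))
```

    Running `audit_modules` over an unpacked package tree before upload reports any module whose trailer is present but whose signature is empty.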

  • From Salvatore Bonaccorso@21:1/5 to All on Sat May 17 21:50:01 2025
    Hi,

    On Sat, May 17, 2025 at 09:13:48PM +0300, Romualdas Mincevičius wrote:
    > Hello.
    >
    > Reporting that this bug affects my bookworm amd64 system after the latest 12.11 point release. The only difference is I am trying to load w83627hf_wdt module. The error message is the same:
    >
    > modprobe: ERROR: could not insert 'w83627hf_wdt': Bad message

    Yes, this is explained in the known issues of today's 12.11
    announcement:

    https://lists.debian.org/debian-announce/2025/msg00002.html

    it will be resolved with a linux which we can expect soon due to other
    reasons.

    Regards,
    Salvatore
