Public bug reported:
[ SRU Justification ]

[ Impact ]

Chen-Yu Tsai took over ownership of wireless-regdb from Seth Forshee
a few years ago, which changed the signing key of future
wireless-regdb releases.

All generic Ubuntu kernels that *don't* use CRDA have the config
option CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y which requires the
wireless-regdb signing key to be present in the kernel so it can
validate the db signature. Thus, a commit (and follow-up fix) was
added to all upstream stable kernels to add the new key:

    fb768d3b13ff ("wifi: cfg80211: Add my certificate")
    3c2a8ebe3fe6 ("wifi: cfg80211: fix certs build to not depend on file order")

This config option is also set for bionic 4.15, but these patches
were not backported, so it can't validate the db. This prevents
the db from being read, and a new regulatory domain cannot be set.
Additionally, when the cfg80211 module is loaded, it prints this:

    [ 191.029155] cfg80211: Loading compiled-in X.509 certificates for regulatory database
    [ 191.031124] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
    [ 191.031594] PKCS#7 signature not signed with a trusted key
    [ 191.033142] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid

When the above patches are applied to the kernel, the db file can be
validated and the domain can be set. The dmesg log no longer shows
the error message:

    [ 3.638756] cfg80211: Loading compiled-in X.509 certificates for regulatory database
    [ 3.639242] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
    [ 3.639348] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'

It should be noted that these patches were included in upstream stable
update v4.14.335 and v4.19.304, so they have been validated for similar
kernels already.

This only affects bionic because later kernels have the patches, and
earlier releases use CRDA to get the key instead of the kernel internals.

[ Test Plan ]

Steps to reproduce:

On a bionic system running generic 4.15:

1. Make sure cfg80211 module is present and wireless-regdb is installed:
    $ sudo apt install linux-modules-extra-$(uname -r) wireless-regdb iw
2. If the module is not loaded automatically, load it:
    $ sudo modprobe cfg80211
3. Observe the error message printed in dmesg. For additional
confirmation, you can also try (and fail) to set the domain:
    $ sudo iw reg get # returns 00 domain
    $ sudo iw reg set US
    $ sudo iw reg get # still returns 00, failed to change to US

To test the fix, you can run these same steps, but the error message
should not be present and the `iw` commands should successfully
change the domain.

[ Where problems could occur ]

There is a low regression risk because these patches only add a new cert
key, and do not remove the existing sforshee key. Since regdb
domain setting operations may not have worked before this fix, it will
change system behaviour by allowing domains to be set, and the dmesg
log will differ.
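
The dmesg check from step 3 of the test plan can be scripted. The following is an added example, not part of the original report or of any Ubuntu tooling: it classifies a dmesg text by the messages quoted above and lists which regulatory-db certs the kernel loaded. The function and variable names are illustrative, and the sample logs are the two excerpts from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): classify cfg80211 regulatory-db
# signature checks from dmesg text. Function names are illustrative.

MARKER='Loading compiled-in X.509 certificates for regulatory database'
FAILURE='PKCS#7 signature not signed with a trusted key|regulatory\.db is malformed or signature is missing/invalid'

# Print the owner names of the certs cfg80211 loaded for the regulatory db.
# Cert lines are counted only after the marker line, with or without the
# "cfg80211:" prefix (the patched-kernel log in the report has none).
regdb_certs() {
    printf '%s\n' "$1" | awk -v q="'" -v marker="$MARKER" '
        index($0, marker) { seen = 1; next }
        seen && /Loaded X\.509 cert / {
            name = $0
            sub(".*Loaded X.509 cert " q, "", name)  # strip up to the opening quote
            sub(/:.*/, "", name)                     # strip serial and closing quote
            print name
        }'
}

# Print not-loaded, signature-rejected or no-signature-error for a dmesg text.
regdb_status() {
    if ! printf '%s\n' "$1" | grep -qF "$MARKER"; then
        echo not-loaded
    elif printf '%s\n' "$1" | grep -qE "$FAILURE"; then
        echo signature-rejected
    else
        echo no-signature-error
    fi
}

# Sample input: the two dmesg excerpts quoted in the report.
BEFORE_LOG="[ 191.029155] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 191.031124] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 191.031594] PKCS#7 signature not signed with a trusted key
[ 191.033142] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid"
AFTER_LOG="[ 3.638756] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 3.639242] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 3.639348] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'"

echo "unpatched: $(regdb_status "$BEFORE_LOG") (certs: $(regdb_certs "$BEFORE_LOG" | tr '\n' ' '))"
echo "patched:   $(regdb_status "$AFTER_LOG") (certs: $(regdb_certs "$AFTER_LOG" | tr '\n' ' '))"
# On a live system: regdb_status "$(dmesg)"
```

A `no-signature-error` result only means the rejection messages are absent; the `iw reg set` / `iw reg get` steps remain the functional confirmation.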
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: wireless-regdb (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: wireless-regdb (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: wireless-regdb (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
- Bionic generic kernel is missing current wireless-regdb maintainer
- (Chen-Yu Tsai) key
-
[ SRU Justification ]
[ Impact ]
Chen-Yu Tsai took over ownership of wireless-regdb from Seth Forshee
a few years ago, which changed the signing key of future
wireless-regdb releases.
All generic Ubuntu kernels that *don't* use CRDA have the config
option CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y which requires the
wireless-regdb signing key to be present in the kernel so it can
validate the db signature. Thus, a commit (and follow-up fix) was
added to all upstream stable kernels to add the new key:
fb768d3b13ff ("wifi: cfg80211: Add my certificate")
3c2a8ebe3fe6 ("wifi: cfg80211: fix certs build to not depend on file order")
This config option is also set for bionic 4.15, but these patches
were not backported, so it can't validate the db. This prevents
the db from being read, and a new regulatory domain cannot be set.
Additionally, when the cfg80211 module is loaded, it prints this:
[ 191.029155] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 191.031124] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 191.031594] PKCS#7 signature not signed with a trusted key
[ 191.033142] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
When the above patches are applied to the kernel, db file can be
validated and the domain can be set. The dmesg log no longer shows
the error message:
[ 3.638756] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 3.639242] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 3.639348] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
It should be noted that these patches were included in upstream stable
update v4.14.335 and v4.19.304, so they have been validated for similar
kernels already.
This only affects bionic because later kernels have the patches, and
earlier releases use CRDA to get the key instead of the kernel internals.
[ Test Plan ]
Steps to reproduce:
-
+
On a bionic system running generic 4.15:
- 1. Make sure cfg80211 module is present and wireless-regdb is installed:
- $ sudo apt install linux-modules-extra-$(uname -r) wireless-regdb iw
- 2. If the module is not loaded automatically, load it:
- $ sudo modprobe cfg80211
- 3. Observe the error message printed in dmesg. For additional
- confirmation, you can also try (and fail) to set the domain:
- $ sudo iw reg get # returns 00 domain
- $ sudo iw reg set US
- $ sudo iw reg get # still returns 00, failed to change to US
+ 1. Make sure cfg80211 module is present and wireless-regdb is installed:
+ $ sudo apt install linux-modules-extra-$(uname -r) wireless-regdb iw
+ 2. If the module is not loaded automatically, load it:
+ $ sudo modprobe cfg80211
+ 3. Observe the error message printed in dmesg. For additional
+ confirmation, you can also try (and fail) to set the domain:
+ $ sudo iw reg get # returns 00 domain
+ $ sudo iw reg set US
+ $ sudo iw reg get # still returns 00, failed to change to US
To test the fix, you can run these same steps, but the error message
should not be present and the `iw` commands should successfully
change the domain.
[ Where problems could occur ]
There is a low regression risk because these patches only add a new cert
key, and do not remove the existing sforshee key. Since regdb
domain setting operations may not have worked before this fix, it will
change system behaviour by allowing domains to be set, and the dmesg
log will differ.
https://bugs.launchpad.net/bugs/2140602
Title:
Bionic generic kernel is missing current wireless-regdb maintainer
(Chen-Yu Tsai) key
Status in linux package in Ubuntu:
New
Status in wireless-regdb package in Ubuntu:
New
Status in linux source package in Bionic:
New
Status in wireless-regdb source package in Bionic:
New