Ubuntu
linux package

In Ubuntu 17.04 : after reboot getting message in console like Unable to open file: /etc/keys/x509_ima.der (-2)

Bug #1656908 reported by bugproxy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Medium
Tim Gardner
Yakkety
Fix Released
Undecided
Tim Gardner
Zesty
Fix Released
Medium
Tim Gardner

Bug Description

Installed Ubuntu17.04 as PowerVM/KVM or NV , after installation every reboot getting message in console

Unable to open file: /etc/keys/x509_ima.der (-2)

LOG:

Booting Linux via __start() @ 0x000000000a6c0000 ...
 -> smp_release_cpus()
spinning_secondaries = 7
 <- smp_release_cpus()
[ 0.663066] Unable to open file: /etc/keys/x509_ima.der (-2)[ 0.663129] Unable to open file: /etc/keys/x509_evm.der (-2)
[ 0.792300] sd 0:0:1:0: [sda] Assuming drive cache: write through

Ubuntu Zesty Zapus (development branch) ubuntu hvc0

ubuntu login:

Maybe this was introduced by https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1643652 ? Will mirror this over to Launchpad for Canonical to review...

bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-150596 severity-medium targetmilestone-inin1704
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → linux (Ubuntu)
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2017-01-17 03:23 EDT-------
*** Bug 150629 has been marked as a duplicate of this bug. ***

Revision history for this message
Tim Gardner (timg-tpi) wrote :

That is likely a correct assesment, I assume correctly functioning IMA requires some user space packages ? Especially one that will create /etc/keys/x509_ima.der and /etc/keys/x509_evm.der

Revision history for this message
Manoj Iyer (manjo) wrote :

I would assume that the keys are generated by the emvctl package. This would require evmctl tools packaged in Ubuntu. Could you please confirm that this package might be a likely candidate that we might want to carry in Ubuntu? https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/

Changed in linux (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → Steve Langasek (vorlon)
importance: Undecided → High
importance: High → Wishlist
Revision history for this message
Steve Langasek (vorlon) wrote :

This bug is not fixed by packaging the IMA tools, which would still not be configured/enabled by default. The bug here is that an error message is presented on the console, by default, about an optional feature that has not been enabled. That's a kernel bug.

Changed in linux (Ubuntu):
assignee: Steve Langasek (vorlon) → Canonical Kernel Team (canonical-kernel-team)
importance: Wishlist → Medium
Revision history for this message
Tim Gardner (timg-tpi) wrote :

This seems like a legitimate warning and not really a bug.

Changed in linux (Ubuntu):
assignee: Canonical Kernel Team (canonical-kernel-team) → nobody
status: New → Won't Fix
Revision history for this message
Breno Leitão (breno-leitao) wrote :

Unfortunately this message does not seem as a warning, but, as an error.

Revision history for this message
Tim Gardner (timg-tpi) wrote :

https://lists.ubuntu.com/archives/kernel-team/2017-February/082526.html

Changed in linux (Ubuntu Yakkety):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Zesty):
assignee: nobody → Tim Gardner (timg-tpi)
status: Won't Fix → Fix Committed
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-yakkety
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.10.0-9.11

---------------
linux (4.10.0-9.11) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1666214

  * linux: disable CONFIG_PCIEPORTBUS in the kernel (LP: #1665404)
    - [Config] CONFIG_PCIEPORTBUS=n for ppc64el

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * Ubuntu 17.04: "Oops: Exception in kernel mode, sig: 5 [#1]" seen during
    fadump over ssh on Alpine machine. (LP: #1655241)
    - SAUCE: powerpc/fadump: set an upper limit for boot memory size

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * Miscellaneous Ubuntu changes
    - SAUCE: (noup) Update spl to 0.6.5.9-1, zfs to 0.6.5.9-2
    - [Config] CONFIG_SCSI_HISI_SAS=m on arm64
    - d-i: Add hisi_sas_v2_hw to scsi-modules
    - d-i: Add hns_enet_drv to nic-modules
    - d-i: Add supporting modules for hns_enet_drv to nic-modules
    - rebase to v4.10

  [ Upstream Kernel Changes ]

  * rebase to v4.10

 -- Tim Gardner <email address hidden> Wed, 15 Feb 2017 11:18:07 -0700

Changed in linux (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (6.0 KiB)

This bug was fixed in the package linux - 4.8.0-40.43

---------------
linux (4.8.0-40.43) yakkety; urgency=low

  * linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)

  [ Andy Whitcroft ]
  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues
    - blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
    drive (LP: #1662673)
    - percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
    - [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
    - CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in compla...

Read more...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Breno Leitão (breno-leitao)
tags: added: verification-done-yakkety
removed: verification-needed-yakkety
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.