
SecureBoot + RHEL9.4 + ESET Server security for Linux: Unable to sign module or OS cannot boot



Environment:

  • ESET Server security for Linux version 10.2.41.0
  • RHEL version 9.4
  • SecureBoot: enabled

Problems:

  1. A compilation error occurs in the execution of script /opt/eset/efs/lib/install_scripts/sign_modules.sh.
  2. After upgrading RHEL from 9.3 to 9.4 in an environment with ESET installed, the OS froze while booting.
    (Update: This phenomenon was not reproduced.)

Is there any way to address these issues?

Details of the problem 1 (Compile Error):

The steps to reproduce the problem are as follows:

  1. Install RHEL 9.4 from DVD .iso image (In “base environment”, select “Minimal install”).
  2. '$ subscription-manager register ....'
  3. '$ dnf -y upgrade'
  4. Install Server security for Linux ('$ ./efs.x86_64.bin')
  5. reboot
  6. '$ /opt/eset/efs/lib/install_scripts/sign_modules.sh'

The error message output is as follows:

Private & public key has not been given via arguments. Do you want to provide them? (recommended to provide already enrolled keys) [y/n] n
Do you want to generate new keys? [y/n] y
....+.........+......+....+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+...+...+...+..+.........+...+.............+...+.................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.................+.......+........+.......+......+...+..+...+.........................+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.......+......+...+..+...+....+........+...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+......+.........+..........+......+...........+....+..................+...+.................+...+............+......+.+.....+.+.....+.......+.....+...+.........+...+.....................+.......+..+......+................+...+..+.+..+.......+.....+....+..+.............+..+....+..............+.+......+.....+..................+.........+.+......+.....+.+.....+....+..............+.........+...+.......+...........+..........+......+.....+..........+.....+...+.......+.....+.........+....+...+.....+.........+......+.......+............+......+..+.+..+....+.....................+...+..+...+......+...+.......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
New keys have been generated.

Compiling kernel module in /lib/modules/5.14.0-427.16.1.el9_4.x86_64
In file included from ./include/linux/linkage.h:7,
                 from ./include/linux/kernel.h:8,
                 from ./include/linux/list.h:9,
                 from ./include/linux/key.h:14,
                 from ./include/linux/cred.h:13,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp.h:24,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c: In function ‘ertp_dev_init’:
./include/linux/export.h:17:22: error: passing argument 1 of ‘class_create’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   17 | #define THIS_MODULE (&__this_module)
      |                     ~^~~~~~~~~~~~~~~
      |                      |
      |                      struct module *
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:46: note: in expansion of macro ‘THIS_MODULE’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                              ^~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:54: note: expected ‘const char *’ but argument is of type ‘struct module *’
  230 | struct class * __must_check class_create(const char *name);
      |                                          ~~~~~~~~~~~~^~~~
In file included from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:33: error: too many arguments to function ‘class_create’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                 ^~~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:29: note: declared here
  230 | struct class * __must_check class_create(const char *name);
      |                             ^~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:299: /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.o] Error 1
make[2]: *** [scripts/Makefile.build:585: /var/opt/eset/efs/eventd/eset_rtp] Error 2
make[1]: *** [Makefile:1934: /var/opt/eset/efs/eventd] Error 2
make: *** [Makefile:35: modules] Error 2
At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: crypto/bio/bss_file.c:75
sign-file: /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_rtp.ko: No such file or directory
Kernel module /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_rtp.ko cannot be signed. Please check if /tmp/tmp.O3fugJ7lHP/efs_mok.priv and /tmp/tmp.O3fugJ7lHP/efs_mok.der are valid keys.

Details of the problem 2 (froze while booting):

The steps to reproduce the problem are as follows:

  1. Install RHEL 9.3 from DVD .iso image (In “base environment”, select “Minimal install”).
  2. '$ subscription-manager register ....'
  3. Install Server security for Linux ('$ ./efs.x86_64.bin')
  4. reboot
  5. '$ /opt/eset/efs/lib/install_scripts/sign_modules.sh'
  6. reboot
  7. Enroll MOK
  8. reboot
  9. '$ dnf -y upgrade'
  10. reboot

The last message displayed at OS startup was as follows:

 

 

Edited by ttact

  • Administrators

Please raise a support ticket as further logs will be needed for investigation.


We have the same problem. The workaround is to stay on kernel version 9.3 to be able to sign modules.
RHEL and RockyLinux impacted.

Quote

ESET Server Security Error: Cannot open file /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_rtp.ko: No such file or directory
ESET Server Security Error: Cannot open file /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_wap.ko: No such file or directory

/opt/eset/efs/lib/install_scripts/check_start.sh
In file included from ./include/linux/linkage.h:7,
                 from ./include/linux/kernel.h:8,
                 from ./include/linux/list.h:9,
                 from ./include/linux/key.h:14,
                 from ./include/linux/cred.h:13,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp.h:24,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c: In function ‘ertp_dev_init’:
./include/linux/export.h:17:22: error: passing argument 1 of ‘class_create’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   17 | #define THIS_MODULE (&__this_module)
      |                     ~^~~~~~~~~~~~~~~
      |                      |
      |                      struct module *
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:46: note: in expansion of macro ‘THIS_MODULE’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                              ^~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:54: note: expected ‘const char *’ but argument is of type ‘struct module *’
  230 | struct class * __must_check class_create(const char *name);
      |                                          ~~~~~~~~~~~~^~~~
In file included from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:33: error: too many arguments to function ‘class_create’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                 ^~~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:29: note: declared here
  230 | struct class * __must_check class_create(const char *name);
      |                             ^~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:299: /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.o] Error 1
make[2]: *** [scripts/Makefile.build:585: /var/opt/eset/efs/eventd/eset_rtp] Error 2
make[1]: *** [Makefile:1934: /var/opt/eset/efs/eventd] Error 2
make: *** [Makefile:35: modules] Error 2
In file included from ./include/linux/linkage.h:7,
                 from ./include/linux/fs.h:5,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_path.h:24,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_connect_data.h:25,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:23:
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c: In function ‘ewap_dev_init’:
./include/linux/export.h:17:22: error: passing argument 1 of ‘class_create’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   17 | #define THIS_MODULE (&__this_module)
      |                     ~^~~~~~~~~~~~~~~
      |                      |
      |                      struct module *
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:63:46: note: in expansion of macro ‘THIS_MODULE’
   63 | #define ewap_class_create(name) class_create(THIS_MODULE, name)
      |                                              ^~~~~~~~~~~
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:181:23: note: in expansion of macro ‘ewap_class_create’
  181 |   ewap_device_class = ewap_class_create(EWAP_DEVICE_NAME);
      |                       ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from ./include/linux/dma-mapping.h:8,
                 from ./include/linux/skbuff.h:31,
                 from ./include/net/net_namespace.h:43,
                 from ./include/linux/netdevice.h:38,
                 from ./include/net/sock.h:46,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_connect_data.h:28,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:23:
./include/linux/device/class.h:230:54: note: expected ‘const char *’ but argument is of type ‘struct module *’
  230 | struct class * __must_check class_create(const char *name);
      |                                          ~~~~~~~~~~~~^~~~
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:63:33: error: too many arguments to function ‘class_create’
   63 | #define ewap_class_create(name) class_create(THIS_MODULE, name)
      |                                 ^~~~~~~~~~~~
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:181:23: note: in expansion of macro ‘ewap_class_create’
  181 |   ewap_device_class = ewap_class_create(EWAP_DEVICE_NAME);
      |                       ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from ./include/linux/dma-mapping.h:8,
                 from ./include/linux/skbuff.h:31,
                 from ./include/net/net_namespace.h:43,
                 from ./include/linux/netdevice.h:38,
                 from ./include/net/sock.h:46,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_connect_data.h:28,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:23:
./include/linux/device/class.h:230:29: note: declared here
  230 | struct class * __must_check class_create(const char *name);
      |                             ^~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:299: /var/opt/eset/efs/ewap/eset_wap/ewap_dev.o] Error 1
make[2]: *** [scripts/Makefile.build:585: /var/opt/eset/efs/ewap/eset_wap] Error 2
make[1]: *** [Makefile:1934: /var/opt/eset/efs/ewap] Error 2
make: *** [Makefile:31: modules] Error 2
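Added example, not part of the thread and not ESET or Red Hat code: both build logs above fail because the kernel header declares class_create() with one argument while the module source passes two. The shell script below compares the two counts so the mismatch can be caught before a module build is attempted; the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example (not ESET or Red Hat code). Function names are hypothetical.

# Print how many arguments class_create(...) has on the first matching line of
# FILE. The name must follow a non-identifier character, so "__class_create("
# and "ertp_class_create(" are not counted.
class_create_arity() {
    sed -n 's/.*[^_[:alnum:]]class_create(\([^)]*\)).*/\1/p' "$1" 2>/dev/null |
        head -n 1 | awk -F, '{ print NF }'
}

# Compare kernel header ($1) with module source ($2).
# Prints ok / mismatch / unknown and returns 0 / 1 / 2.
check_class_create() {
    want=$(class_create_arity "$1")
    have=$(class_create_arity "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then echo "unknown"; return 2; fi
    if [ "$want" = "$have" ]; then echo "ok"; return 0; fi
    echo "mismatch: header takes $want argument(s), source passes $have"
    return 1
}

# Constructed sample files. class_new.h and ertp.h each hold one line copied
# from the compiler output above; class_old.h is a constructed stand-in for a
# header whose class_create() still takes (owner, name).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'struct class * __must_check class_create(const char *name);' \
    > "$demo_dir/class_new.h"
printf '%s\n' '#define class_create(owner, name) __class_create(owner, name, &__key)' \
    > "$demo_dir/class_old.h"
printf '%s\n' '#define ertp_class_create(name) class_create(THIS_MODULE, name)' \
    > "$demo_dir/ertp.h"

check_class_create "$demo_dir/class_new.h" "$demo_dir/ertp.h" || true  # mismatch
check_class_create "$demo_dir/class_old.h" "$demo_dir/ertp.h" || true  # ok

# On a real host (assumption: kernel-devel headers are under the usual
# /lib/modules/<version>/build symlink):
#   check_class_create \
#     "/lib/modules/$(uname -r)/build/include/linux/device/class.h" \
#     /var/opt/eset/efs/eventd/eset_rtp/ertp.h
```

To vet a kernel before booting into it, replace `$(uname -r)` with the version of the newly installed kernel-devel package.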
