
SecureBoot + RHEL9.4 + ESET Server security for Linux: Unable to sign module or OS cannot boot


Go to solution Solved by ttact,


Environment:

  • ESET Server security for Linux version 10.2.41.0
  • RHEL version 9.4
  • SecureBoot: enabled

Problems:

  1. A compilation error occurs in the execution of script /opt/eset/efs/lib/install_scripts/sign_modules.sh.
  2. After upgrading RHEL from 9.3 to 9.4 in an environment with ESET installed, the OS froze while booting.
    (Update: This phenomenon was not reproduced.)

Is there any way to address these issues?

Details of the problem 1 (Compile Error):

The steps to reproduce the problem are as follows:

  1. Install RHEL 9.4 from DVD .iso image (In “base environment”, select “Minimal install”).
  2. '$ subscription-manager register ....'
  3. '$ dnf -y upgrade'
  4. Install Server security for Linux ('$ ./efs.x86_64.bin')
  5. reboot
  6. '$ /opt/eset/efs/lib/install_scripts/sign_modules.sh'

The error message output is as follows:

Private & public key has not been given via arguments. Do you want to provide them? (recommended to provide already enrolled keys) [y/n] n
Do you want to generate new keys? [y/n] y
New keys have been generated.

Compiling kernel module in /lib/modules/5.14.0-427.16.1.el9_4.x86_64
In file included from ./include/linux/linkage.h:7,
                 from ./include/linux/kernel.h:8,
                 from ./include/linux/list.h:9,
                 from ./include/linux/key.h:14,
                 from ./include/linux/cred.h:13,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp.h:24,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c: In function ‘ertp_dev_init’:
./include/linux/export.h:17:22: error: passing argument 1 of ‘class_create’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   17 | #define THIS_MODULE (&__this_module)
      |                     ~^~~~~~~~~~~~~~~
      |                      |
      |                      struct module *
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:46: note: in expansion of macro ‘THIS_MODULE’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                              ^~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:54: note: expected ‘const char *’ but argument is of type ‘struct module *’
  230 | struct class * __must_check class_create(const char *name);
      |                                          ~~~~~~~~~~~~^~~~
In file included from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:33: error: too many arguments to function ‘class_create’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                 ^~~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:29: note: declared here
  230 | struct class * __must_check class_create(const char *name);
      |                             ^~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:299: /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.o] Error 1
make[2]: *** [scripts/Makefile.build:585: /var/opt/eset/efs/eventd/eset_rtp] Error 2
make[1]: *** [Makefile:1934: /var/opt/eset/efs/eventd] Error 2
make: *** [Makefile:35: modules] Error 2
At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: crypto/bio/bss_file.c:75
sign-file: /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_rtp.ko: No such file or directory
Kernel module /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_rtp.ko cannot be signed. Please check if /tmp/tmp.O3fugJ7lHP/efs_mok.priv and /tmp/tmp.O3fugJ7lHP/efs_mok.der are valid keys.

Details of the problem 2 (froze while booting):

The steps to reproduce the problem are as follows:

  1. Install RHEL 9.3 from DVD .iso image (In “base environment”, select “Minimal install”).
  2. '$ subscription-manager register ....'
  3. Install Server security for Linux ('$ ./efs.x86_64.bin')
  4. reboot
  5. '$ /opt/eset/efs/lib/install_scripts/sign_modules.sh'
  6. reboot
  7. Enroll MOK
  8. reboot
  9. '$ dnf -y upgrade'
  10. reboot

The last message displayed at OS startup was as follows:

 

 

Edited by ttact

  • Administrators

Please raise a support ticket as further logs will be needed for investigation.


We have the same problem. The workaround is to stay on kernel version 9.3 to be able to sign modules.
RHEL and RockyLinux impacted.

Quote

ESET Server Security Error: Cannot open file /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_rtp.ko: No such file or directory
ESET Server Security Error: Cannot open file /lib/modules/5.14.0-427.16.1.el9_4.x86_64/eset/efs/eset_wap.ko: No such file or directory

/opt/eset/efs/lib/install_scripts/check_start.sh
In file included from ./include/linux/linkage.h:7,
                 from ./include/linux/kernel.h:8,
                 from ./include/linux/list.h:9,
                 from ./include/linux/key.h:14,
                 from ./include/linux/cred.h:13,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp.h:24,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c: In function ‘ertp_dev_init’:
./include/linux/export.h:17:22: error: passing argument 1 of ‘class_create’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   17 | #define THIS_MODULE (&__this_module)
      |                     ~^~~~~~~~~~~~~~~
      |                      |
      |                      struct module *
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:46: note: in expansion of macro ‘THIS_MODULE’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                              ^~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:54: note: expected ‘const char *’ but argument is of type ‘struct module *’
  230 | struct class * __must_check class_create(const char *name);
      |                                          ~~~~~~~~~~~~^~~~
In file included from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:21:
/var/opt/eset/efs/eventd/eset_rtp/ertp.h:90:33: error: too many arguments to function ‘class_create’
   90 | #define ertp_class_create(name) class_create(THIS_MODULE, name)
      |                                 ^~~~~~~~~~~~
/var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:459:16: note: in expansion of macro ‘ertp_class_create’
  459 |   ertp_class = ertp_class_create(ESET_RTP);
      |                ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.c:30:
./include/linux/device/class.h:230:29: note: declared here
  230 | struct class * __must_check class_create(const char *name);
      |                             ^~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:299: /var/opt/eset/efs/eventd/eset_rtp/ertp_dev.o] Error 1
make[2]: *** [scripts/Makefile.build:585: /var/opt/eset/efs/eventd/eset_rtp] Error 2
make[1]: *** [Makefile:1934: /var/opt/eset/efs/eventd] Error 2
make: *** [Makefile:35: modules] Error 2
In file included from ./include/linux/linkage.h:7,
                 from ./include/linux/fs.h:5,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_path.h:24,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_connect_data.h:25,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:23:
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c: In function ‘ewap_dev_init’:
./include/linux/export.h:17:22: error: passing argument 1 of ‘class_create’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   17 | #define THIS_MODULE (&__this_module)
      |                     ~^~~~~~~~~~~~~~~
      |                      |
      |                      struct module *
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:63:46: note: in expansion of macro ‘THIS_MODULE’
   63 | #define ewap_class_create(name) class_create(THIS_MODULE, name)
      |                                              ^~~~~~~~~~~
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:181:23: note: in expansion of macro ‘ewap_class_create’
  181 |   ewap_device_class = ewap_class_create(EWAP_DEVICE_NAME);
      |                       ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from ./include/linux/dma-mapping.h:8,
                 from ./include/linux/skbuff.h:31,
                 from ./include/net/net_namespace.h:43,
                 from ./include/linux/netdevice.h:38,
                 from ./include/net/sock.h:46,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_connect_data.h:28,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:23:
./include/linux/device/class.h:230:54: note: expected ‘const char *’ but argument is of type ‘struct module *’
  230 | struct class * __must_check class_create(const char *name);
      |                                          ~~~~~~~~~~~~^~~~
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:63:33: error: too many arguments to function ‘class_create’
   63 | #define ewap_class_create(name) class_create(THIS_MODULE, name)
      |                                 ^~~~~~~~~~~~
/var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:181:23: note: in expansion of macro ‘ewap_class_create’
  181 |   ewap_device_class = ewap_class_create(EWAP_DEVICE_NAME);
      |                       ^~~~~~~~~~~~~~~~~
In file included from ./include/linux/device.h:31,
                 from ./include/linux/dma-mapping.h:8,
                 from ./include/linux/skbuff.h:31,
                 from ./include/net/net_namespace.h:43,
                 from ./include/linux/netdevice.h:38,
                 from ./include/net/sock.h:46,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_connect_data.h:28,
                 from /var/opt/eset/efs/ewap/eset_wap/ewap_dev.c:23:
./include/linux/device/class.h:230:29: note: declared here
  230 | struct class * __must_check class_create(const char *name);
      |                             ^~~~~~~~~~~~
cc1: some warnings being treated as errors
make[3]: *** [scripts/Makefile.build:299: /var/opt/eset/efs/ewap/eset_wap/ewap_dev.o] Error 1
make[2]: *** [scripts/Makefile.build:585: /var/opt/eset/efs/ewap/eset_wap] Error 2
make[1]: *** [Makefile:1934: /var/opt/eset/efs/ewap] Error 2
make: *** [Makefile:31: modules] Error 2
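A pre-reboot check for the situation reported above, where sign-file points at the keys although the modules were never built for the new kernel. This is an added example, not ESET tooling or code from any poster; the module paths come from the error messages in this thread, while `MODULES_ROOT`, `module_state`, `explain` and `check_kernel` are names assumed here.

```shell
#!/bin/sh
# Added example (not ESET tooling). Module names and the eset/efs directory
# come from the error messages in this thread; MODULES_ROOT is an assumed
# override so the check can be pointed at a test tree.
MODULES_ROOT="${MODULES_ROOT:-/lib/modules}"
SIG_MAGIC='~Module signature appended~'

# module_state FILE -> prints missing | unsigned | signed
module_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    # A signed module ends with the magic string plus a newline (28 bytes).
    if tail -c 28 "$1" | grep -aqF -- "$SIG_MAGIC"; then
        echo signed
    else
        echo unsigned
    fi
}

# explain STATE -> what the state means for the next troubleshooting step
explain() {
    case $1 in
        missing)  echo "not built for this kernel; read the compiler output, not the key paths" ;;
        unsigned) echo "built but no signature appended; re-run the signing step" ;;
        signed)   echo "signature appended; the signing key must still be enrolled as a MOK" ;;
    esac
}

# check_kernel KVER -> one report line per module; returns 0 only if all are signed
check_kernel() {
    kver=$1
    rc=0
    for mod in eset_rtp eset_wap; do
        state=$(module_state "$MODULES_ROOT/$kver/eset/efs/$mod.ko")
        echo "$kver $mod: $state ($(explain "$state"))"
        [ "$state" = signed ] || rc=1
    done
    return "$rc"
}

# Usage: sh check_modules.sh 5.14.0-427.16.1.el9_4.x86_64 [more kernel versions]
status=0
for k in "$@"; do
    check_kernel "$k" || status=1
done
[ $# -eq 0 ] || exit "$status"
```

Run it for each installed kernel version after `dnf -y upgrade` and before rebooting; a `missing` result corresponds to the `class_create` build failure shown in the logs, not to a key problem.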

@Joseph Guay

I have also tried building with 9.3 and then upgrading to 9.4. If I do so, the real-time scan function will not work.


This topic is now closed to further replies.