Gentoo Forums :: Networking & Security
[SOLVED] Dist Kernel fails to build with own signing key
fireking04 (n00b)
Posted: Tue Dec 26, 2023 8:42 am    Post subject: [SOLVED] Dist Kernel fails to build with own signing key

I am currently building sys-kernel/gentoo-kernel version 6.1.67-gentoo and enabled module signing as stated in /etc/kernel/config.d/001-kernel-module-signing.config

Code:

CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="/usr/src/linux/certs/kernel_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y


I created my own signing key using the instructions here: https://www.kernel.org/doc/html/v4.18/admin-guide/module-signing.html but changed the hash algorithm to sha512. I also made sure my /etc/portage/make.conf contains the following:

Code:

USE="secureboot modules-sign system-llvm bluetooth gnome-shell cups grub dist-kernel X vpx screencast -gnome-online-accounts"

# Module signing
MODULES_SIGN_KEY="certs/kernel_key.pem"
MODULES_SIGN_CERT="certs/kernel_key.pem"
MODULES_SIGN_HASH="sha512"


It builds fine when I let the build system generate its own signing key using the default CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" but generates an error code 2 when I change the key file. Reading the logs, I'm still not sure what the problem is, given that I just did exactly what the Gentoo secure boot documentation and Linux kernel admin guide said. I also tried the absolute path /usr/src/linux/certs/kernel_key.pem but it also didn't work.

I think I'll need the absolute path option later on so I can recompile the kernel with the key stored on a flash drive, but the build fails :(

Any idea what had gone wrong?

Here is some information about the build:

emerge --info '=sys-kernel/gentoo-kernel-6.1.67::gentoo'
Code:

Portage 3.0.57 (python 3.11.7-final-0, default/linux/amd64/17.1/desktop/gnome, gcc-13, glibc-2.37-r7, 6.1.67-gentoo-dist x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-6.1.67-gentoo-dist-x86_64-Intel-R-_Core-TM-_i7-9750H_CPU_@_2.60GHz-with-glibc2.37
KiB Mem:    16212312 total,  10530992 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Mon, 25 Dec 2023 04:30:01 +0000
Head commit of repository gentoo: 6cad605bfeb1596ecb0bfd5f60cc64a496a2c74e
Timestamp of repository steam-overlay: Sat, 23 Dec 2023 18:17:41 +0000
Head commit of repository steam-overlay: 26a33e53dad30deb9a82e962be39ab280a55720d

sh bash 5.1_p16-r6
ld GNU ld (Gentoo 2.41 p2) 2.41.0
app-misc/pax-utils:        1.3.5::gentoo
app-shells/bash:           5.1_p16-r6::gentoo
dev-lang/perl:             5.38.2-r1::gentoo
dev-lang/python:           3.11.7::gentoo, 3.12.1::gentoo
dev-lang/rust-bin:         1.71.1::gentoo
dev-util/cmake:            3.27.7::gentoo
dev-util/meson:            1.2.3::gentoo
sys-apps/baselayout:       2.14-r1::gentoo
sys-apps/openrc:           0.48::gentoo
sys-apps/sandbox:          2.38::gentoo
sys-devel/autoconf:        2.13-r7::gentoo, 2.71-r6::gentoo
sys-devel/automake:        1.16.5-r1::gentoo
sys-devel/binutils:        2.41-r2::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/clang:           16.0.6::gentoo
sys-devel/gcc:             13.2.1_p20230826::gentoo
sys-devel/gcc-config:      2.11::gentoo
sys-devel/libtool:         2.4.7-r1::gentoo
sys-devel/lld:             16.0.6::gentoo
sys-devel/llvm:            15.0.7-r3::gentoo, 16.0.6::gentoo
sys-devel/make:            4.4.1-r1::gentoo
sys-kernel/linux-headers:  6.1::gentoo (virtual/os-headers)
sys-libs/glibc:            2.37-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-extra-opts:
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-max-age: 3
    sync-rsync-verify-metamanifest: yes

steam-overlay
    location: /var/db/repos/steam-overlay
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/steam-overlay.git
    masters: gentoo
    volatile: False

Binary Repositories:

gentoobinhost
    priority: 1
    sync-uri: https://gentoo.osuosl.org/releases/amd64/binpackages/17.1/x86-64

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE @BINARY-REDISTRIBUTABLE @FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LEX="flex"
MAKEOPTS="-j8 -l8"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/zsh"
USE="X a52 aac acl acpi alsa amd64 bluetooth branding bzip2 cairo cdda cdr cli colord crypt cups dbus dist-kernel dri dts dvd dvdr eds elogind encode evo exif flac fortran gdbm gif gnome gnome-keyring gnome-shell gpm grub gstreamer gtk gui iconv icu introspection ipv6 jpeg keyring lcms libnotify libtirpc mad mng modules-sign mp3 mp4 mpeg multilib nautilus ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio qt5 readline screencast sdl seccomp secureboot sound spell split-usr ssl startup-notification svg sysprof system-llvm test-rust tiff tracker truetype udev udisks unicode upower usb vorbis vpx vulkan wayland wxwidgets x264 xattr xcb xft xml xv xvid zlib" ABI_X86="64" ADA_TARGET="gnat_2021" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 f16c fma3 pclmul popcnt rdrand sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 ntrip navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-1" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_11" RUBY_TARGETS="ruby31" VIDEO_CARDS="intel nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS

=================================================================
                        Package Settings
=================================================================

sys-kernel/gentoo-kernel-6.1.67::gentoo was built with the following:
USE="initramfs strip -debug -hardened -savedconfig -test" ABI_X86="(64)"
FEATURES="merge-sync xattr preserve-libs unmerge-logs unknown-features-warn assume-digests ipc-sandbox sfperms pid-sandbox distlocks qa-unresolved-soname-deps fixlafiles strict binpkg-logs parallel-fetch sandbox unmerge-orphans usersandbox config-protect-if-modified binpkg-dostrip news userfetch network-sandbox protect-owned userpriv pkgdir-index-trusted binpkg-multi-instance buildpkg-live ebuild-locks multilib-strict usersync binpkg-docompress"


Complete build log at https://gist.github.com/karlfroldan/857173e4b3ce7d83bfd3469a83cbe712


Last edited by fireking04 on Thu Dec 28, 2023 4:51 pm; edited 1 time in total
sunox (Tux's lil' helper)
Posted: Tue Dec 26, 2023 4:19 pm

MODULES_SIGN_KEY has to point to a file that contains both the private key and the certificate. So it should look like this:

Code:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


To do this I just did:

Code:
cat key.key crt.crt > combined.pem


and provided the absolute path to combined.pem as MODULES_SIGN_KEY.

The documentation you link to gives this command for generating the keypair:

Code:
openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
   -config x509.genkey -outform PEM -out kernel_key.pem \
   -keyout kernel_key.pem


I guess by giving the same pathname for public and private key-out it makes this superfile that I created by hand. Interesting, didn't know that. Anyway, if you give two different filenames here it won't be in the format it wants: you'll just be providing the signing key (or the certificate).
fireking04 (n00b)
Posted: Wed Dec 27, 2023 3:16 pm

As you've mentioned, doing cat private.key public.crt > combined.pem is essentially the same as the output of the openssl command in the kernel documentation. It somehow didn't work. Tried this also, but the build still fails at the exact same point.
Hu (Moderator)
Posted: Wed Dec 27, 2023 3:49 pm

As I read that output, this is not related to signing at all. It is some vague failure around building a module ordering list. If you switch back to the relative path, does the build work again, or is it now broken regardless of inputs?
sunox (Tux's lil' helper)
Posted: Wed Dec 27, 2023 7:23 pm

Code:
make[3]: *** No rule to make target 'certs/kernel_key.pem', needed by 'certs/signing_key.x509'.  Stop.


I get this exact error if I supply CONFIG_MODULE_SIG_KEY a path that doesn't exist.
fireking04 (n00b)
Posted: Thu Dec 28, 2023 4:43 am

Okay.

I found a hint. I got the same error as @sunox when I supply a relative path. The key is in `/usr/src/linux/certs/kernel_key.pem` and I set `CONFIG_MODULE_SIG_KEY=certs/kernel_key.pem`.

I moved the key somewhere to `/certs/kernel_key.pem` and set `CONFIG_MODULE_SIG_KEY=/certs/kernel_key.pem` and also updated `/etc/portage/make.conf` to this directory. I got a different error instead:

Code:

  x86_64-pc-linux-gnu-gcc -Wp,-MMD,certs/.system_keyring.o.d -nostdinc -I/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/arch/x86/include -I./arch/x86/include/generated -I/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/include -I./include -I/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/include/uapi -I./include/generated/uapi -include /var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/include/linux/compiler-version.h -include /var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/include/linux/kconfig.h -include /var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/include/linux/compiler_types.h -D__KERNEL__ -fmacro-prefix-map=/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/= -Wall -Wundef -Werror=strict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -fshort-wchar -fno-PIE -Werror=implicit-function-declaration -Werror=implicit-int -Werror=return-type -Wno-format-security -std=gnu11 -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -fcf-protection=none -m64 -falign-jumps=1 -falign-loops=1 -mno-80387 -mno-fp-ret-in-387 -mpreferred-stack-boundary=3 -mskip-rax-setup -mtune=generic -mno-red-zone -mcmodel=kernel -Wno-sign-compare -fno-asynchronous-unwind-tables -mindirect-branch=thunk-extern -mindirect-branch-register -mindirect-branch-cs-prefix -mfunction-return=thunk-extern -fno-jump-tables -mharden-sls=all -fno-delete-null-pointer-checks -Wno-frame-address -Wno-format-truncation -Wno-format-overflow -Wno-address-of-packed-member -O2 -fno-allow-store-data-races -Wframe-larger-than=2048 -fstack-protector -Wno-main -Wno-unused-but-set-variable -Wno-unused-const-variable -Wno-dangling-pointer -ftrivial-auto-var-init=zero -fno-stack-clash-protection -pg -mrecord-mcount -mfentry -DCC_USING_FENTRY -Wdeclaration-after-statement -Wvla -Wno-pointer-sign -Wcast-function-type -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict -Wno-maybe-uninitialized -Wno-array-bounds -Wno-alloc-size-larger-than -Wimplicit-fallthrough=5 -fno-strict-overflow -fno-stack-check -fconserve-stack -Werror=date-time -Werror=incompatible-pointer-types -Werror=designated-init -Wno-packed-not-aligned -I /var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/certs -I ./certs    -DKBUILD_MODFILE='"certs/system_keyring"' -DKBUILD_BASENAME='"system_keyring"' -DKBUILD_MODNAME='"system_keyring"' -D__KBUILD_MODNAME=kmod_system_keyring -c -o certs/system_keyring.o /var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/certs/system_keyring.c   ; ./tools/objtool/objtool --hacks=jump_label --hacks=noinstr --orc --retpoline --rethunk --sls --static-call --uaccess   certs/system_keyring.o
  /var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/scripts/check-local-export certs/system_keyring.o
   { echo ; echo 'certs/system_keyring.o: $(wildcard ./tools/objtool/objtool)' ; } >> certs/.system_keyring.o.cmd
  x86_64-pc-linux-gnu-gcc -Wp,-MMD,certs/.extract-cert.d -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu11 -Wdeclaration-after-statement  -march=native -O2 -pipe     -I ./certs  -Wl,-O1 -Wl,--as-needed -o certs/extract-cert /var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/certs/extract-cert.c   -lcrypto
  certs/extract-cert "" certs/x509_certificate_list
  certs/extract-cert "/certs/kernel_key.pem" certs/signing_key.x509
At main.c:149:
- SSL error:FFFFFFFF8000000D:system library::Permission denied: ../openssl-3.0.11/crypto/bio/bss_file.c:67
- SSL error:10080002:BIO routines::system lib: ../openssl-3.0.11/crypto/bio/bss_file.c:77
extract-cert: /certs/kernel_key.pem: Permission denied
make[3]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/certs/Makefile:74: certs/signing_key.x509] Error 1
make[2]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/scripts/Makefile.build:500: certs] Error 2
make[1]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/linux-6.1/Makefile:2015: .] Error 2
make: *** [Makefile:238: __sub-make] Error 2


Not sure why it's permission denied here since my `/certs/kernel_key.pem` has `600` permissions for root. I checked `/var/tmp/portage/sys-kernel/gentoo-kernel-6.1.67/work/build/certs/{x509_certificate_list,blacklist_hash_list}`. Both files are empty. No docs say that you need to modify them manually so I'm not sure if the problem lies here.

I need to investigate further to see why this is. I tried to manually execute the command
Code:

certs/extract-cert "/certs/kernel_key.pem" certs/signing_key.x509

and it didn't give any Permission denied error so I am not sure why it fails during kernel build.
sunox (Tux's lil' helper)
Posted: Thu Dec 28, 2023 5:23 am

x509_certificates_list is empty for me too so no need to worry about that.

Is your kernel_key.pem in "/certs"? As in a directory called certs in the root directory? That's what CONFIG_MODULE_SIG_KEY says at the moment.

If kernel_key.pem is in /usr/src/linux/certs then MODULE_SIG_KEY has to say "certs/kernel_key.pem". I would just give the absolute path to wherever your .pem is until you get things working: /usr/src/linux/certs/kernel_key.pem, or whatever it may be. I was worried about my keys being overwritten by leaving them in the kernel source so I had them stored elsewhere, but that probably doesn't matter.
fireking04 (n00b)
Posted: Thu Dec 28, 2023 5:29 am

Yes. It's in the `/certs` directory from root, and I set the absolute path in both the kernel config and portage make.conf. I was having permission problems so I tried chmod 660. So far, there are no build errors (I know this isn't ideal but I don't know why 600 isn't being accepted). I do plan on saving the keys on a flash drive instead of the root directory but I'm just testing building with signed modules for now.

I'll see if the kernel boots with my own signing key if the build is successful. Thanks.
sunox (Tux's lil' helper)
Posted: Thu Dec 28, 2023 5:46 am

600 is what I use on the keys as well. Maybe someone more knowledgeable about permissions can be better help.
fireking04 (n00b)
Posted: Thu Dec 28, 2023 6:04 am    Post subject: [SOLVED] Distribution Kernel fails to build with my own sign

So I managed to build the distribution kernel. Just need to set the absolute path of the key in both kernel config and portage make.conf as @sunox suggested. Checking dmesg output, it's also properly signed with my own keys.

Only problem is that I needed to set the keys with 660 permission. Not sure why.

Anyways, thanks @sunox for your help. I can start working on secure boot now :D
sunox (Tux's lil' helper)
Posted: Thu Dec 28, 2023 6:19 am

Cool congrats :) I just set up secure boot myself and found the guide really helpful:

https://wiki.gentoo.org/wiki/Secure_Boot

This one too for extra context:

https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot

Good luck!
Hu (Moderator)
Posted: Thu Dec 28, 2023 4:17 pm

fireking04: please note that this forum does not use Markdown. It uses BBcode, which is documented in the sidebar of the post composition window. Similarly, @user has no specific meaning. It does not refer to someone by profile. It does not advise the system to draw their attention to the thread. (It may still be useful for letting readers infer that you meant a username, when the name itself is not obviously a username.)
sunox wrote:
Code:
make[3]: *** No rule to make target 'certs/kernel_key.pem', needed by 'certs/signing_key.x509'.  Stop.
I get this exact error if I supply CONFIG_MODULE_SIG_KEY a path that doesn't exist.
I see now that I missed that error in the gist, due to the lack of the literal string error: in that line, and how much extra output was generated after it. Generating a log with -j1, or calling attention to the specific lines of interest, can help readers find the right spot.

The output from Make is not definitive, but I see nothing in the build log indicating the current working directory. I also see nothing in the Gentoo eclass that I believe is used for this that would switch from the default, so the current working directory would be the default for the src_compile phase - which is not /usr/src/linux, so a relative path of certs/signing_key.x509 will not refer to /usr/src/linux/certs/signing_key.x509.
fireking04 wrote:
I moved the key somewhere to `/certs/kernel_key.pem` and set `CONFIG_MODULE_SIG_KEY=/certs/kernel_key.pem` and also updated `/etc/portage/make.conf` to this directory.
What did you change in /etc/portage/make.conf here?
fireking04 wrote:
I got a different error instead:
Code:
  certs/extract-cert "/certs/kernel_key.pem" certs/signing_key.x509
At main.c:149:
- SSL error:FFFFFFFF8000000D:system library::Permission denied: ../openssl-3.0.11/crypto/bio/bss_file.c:67
- SSL error:10080002:BIO routines::system lib: ../openssl-3.0.11/crypto/bio/bss_file.c:77
extract-cert: /certs/kernel_key.pem: Permission denied
Not sure why it's permission denied here since my `/certs/kernel_key.pem` has `600` permissions for root.
That looks expected, since the permissions only allow root to read and write the file. Unless overridden, Portage builds everything as the Linux user portage, not root.
fireking04 wrote:
I tried to manually execute the command
Code:
certs/extract-cert "/certs/kernel_key.pem" certs/signing_key.x509
and it didn't give any Permission denied error so I am not sure why it fails during kernel build.
Did you su down to portage before running this?
sunox wrote:
I was worried about my keys being overwritten by leaving them in the kernel source so I had them stored elsewhere, but that probably doesn't matter.
Portage's emerge --depclean will only delete files it created. Leaving any source files in the kernel source tree is bad practice, but the keys will not be lost unless you manually rm -r the containing directory.

fireking04: if you want to mark a topic as solved, you need to edit the opening post and adjust its subject line. Posting a reply with [SOLVED] is not particularly visible. I finished writing this post before noticing you had done so.
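The three things this thread ends up checking by hand (the one-file private-key-plus-certificate PEM sunox describes, and the relative path and portage-user readability Hu points out) as an added pre-flight script; it is not code from the thread, from Gentoo or from the kernel tree. It assumes GNU coreutils stat/id, that Portage compiles as the user portage, and considers only that user's primary group; the PEM it writes for the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Pre-flight check for the file named by MODULES_SIGN_KEY / CONFIG_MODULE_SIG_KEY
# before emerging sys-kernel/gentoo-kernel. Added example, not from the thread,
# Gentoo or the kernel tree. It covers the failure modes seen above: a relative
# path (the build's cwd is not /usr/src/linux), a PEM missing the key or the
# certificate, and a file the Portage build user cannot read (root-only 600).
# Assumes GNU coreutils stat/id; considers only the build user's primary group.

# Does one octal permission digit include the read bit (4)?
has_read_bit() {
    case "$1" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# usage: check_sign_key /absolute/path/key.pem [build_user]
# build_user defaults to "portage", the user Portage compiles as. Returns 0 only
# when every check passes; each failure prints one FAIL line.
check_sign_key() {
    key="$1"
    build_user="${2:-portage}"
    rc=0
    case "$key" in
        /*) ;;
        *)  echo "FAIL: '$key' is relative; make resolves it under the build dir"
            rc=1 ;;
    esac
    if [ ! -f "$key" ]; then
        echo "FAIL: '$key' does not exist"
        return 1
    fi

    # certs/Makefile feeds this one file to extract-cert (needs the certificate)
    # and sign-file uses it for the private key, so both PEM blocks are required.
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "FAIL: $key has no PRIVATE KEY block"; rc=1; }
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$key" \
        || { echo "FAIL: $key has no CERTIFICATE block"; rc=1; }

    # Readability for the build user, compared by numeric id: owner with u+r,
    # primary group with g+r, or world-readable.
    owner_uid=$(stat -c %u "$key")
    owner_gid=$(stat -c %g "$key")
    mode=$(printf '%03d' "$(stat -c %a "$key")" | tail -c 3)   # drop suid/sgid/sticky
    build_uid=$(id -u "$build_user" 2>/dev/null || echo -1)
    build_gid=$(id -g "$build_user" 2>/dev/null || echo -1)
    if [ "$owner_uid" = "$build_uid" ] && has_read_bit "$(printf '%s' "$mode" | cut -c1)"; then
        :
    elif [ "$owner_gid" = "$build_gid" ] && has_read_bit "$(printf '%s' "$mode" | cut -c2)"; then
        :
    elif has_read_bit "$(printf '%s' "$mode" | cut -c3)"; then
        :
    else
        echo "FAIL: $key (uid $owner_uid, mode $mode) is not readable by '$build_user'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key is usable as MODULES_SIGN_KEY by '$build_user'"
    return "$rc"
}

# Constructed placeholder with the layout sunox describes: private key, then
# certificate, in one file. Not a real key; the base64 bodies are dummy text.
write_constructed_pem() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=' \
        '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' > "$1"
}

# Stand-alone: check the key named on the command line, or demo on a constructed
# mode-600 file owned by the current user (a real check would pass "portage").
if [ $# -gt 0 ]; then
    check_sign_key "$@"
else
    demo=$(mktemp) && write_constructed_pem "$demo" && chmod 600 "$demo"
    check_sign_key "$demo" "$(id -un)"
    rm -f "$demo"
fi
```

Run it as `sh check_sign_key.sh /path/to/kernel_key.pem` on the host that will do the emerge; a root-owned 600 file reports FAIL for portage, which is the error this thread hit.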
sunox (Tux's lil' helper)
Posted: Thu Dec 28, 2023 7:45 pm

Thanks for sharing, all makes sense now.
fireking04 (n00b)
Posted: Fri Dec 29, 2023 3:04 am

Hu wrote:
fireking04: please note that this forum does not use Markdown. It uses BBcode, which is documented in the sidebar of the post composition window. Similarly, @user has no specific meaning. It does not refer to someone by profile. It does not advise the system to draw their attention to the thread. (It may still be useful for letting readers infer that you meant a username, when the name itself is not obviously a username.)
Thanks for the advice. Will keep that in mind. That was originally my intention in using @user.

Hu wrote:
Did you su down to portage before running this?
No. I did not. I guess I should've. I didn't know this before. Thanks! Does this mean keys should be owned by portage user? https://wiki.gentoo.org/wiki/Signed_kernel_module_support only shows user $ in the openssl key generation command.
jazkie (n00b)
Posted: Mon Apr 08, 2024 9:34 am

Randomly stumbled upon this, posting in case someone else does too.

The correct way to use pre-generated module signing key with dist-kernel is to remove CONFIG_MODULE_SIG_KEY altogether from /etc/kernel/config.d/*, then add MODULES_SIGN_KEY in make.conf.

During sys-kernel/gentoo-kernel compilation, portage will merge configs from /etc/kernel/config.d _AFTER_ secureboot.config, which is generated by portage from variables in make.conf. If you configure the key in /etc/kernel/config.d, it will override the configuration generated by portage. Same goes for other CONFIG_MODULE_SIG variables, such as HASH.

You can observe this with
Code:
grep -i "redundant by fragment" /var/tmp/portage/sys-kernel/gentoo-kernel-<version>/temp/build.log
during build.