View previous topic :: View next topic |
Author |
Message |
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Wed Nov 06, 2024 6:24 pm Post subject: sys-kernel/gentoo-kernel with signing fails to build |
|
|
I am trying to build signed sys-kernel/gentoo-kernel with secureboot and modules-sign flags and it fails.
The last 300 lines of the build log; https://bpa.st/TFVPW
Probably the key part
Code: | # SIGN /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
scripts/sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159
sign-file: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem
make[3]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/work/linux-6.6/scripts/Makefile.modinst:121: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko] Error 1 |
/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem cointains my cert + encrypted key.
make.conf contains
Code: | SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt"
MODULES_SIGN_KEY="mypath/file.key"
MODULES_SIGN_CERT="mypath/file.crt" |
As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are ok, I have already signed UKI, grub, etc. with them. There have been no problems so far.
The command that generated my key
Code: | openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my name" -keyout file.key -out file.crt -days 9999 -sha256 |
At the beginning of building the package before the kernel was build, I was asked to enter the password twice. There was no error, because in case of an error the installation stops. So something must be wrong with my configuration, but what?
Last edited by nxe9 on Wed Nov 06, 2024 8:42 pm; edited 1 time in total |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5121 Location: Bavaria
|
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Wed Nov 06, 2024 8:48 pm Post subject: |
|
|
@pietinger: Thanks but I still don't fully understand what's wrong.
The command generating the error is, in short
Code: | sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 <kernel-module>.ko |
The pem file
Code: | /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem |
contains
Code: | ----BEGIN CERTIFICATE----
...
----END CERTIFICATE---
----BEGIN ENCRYPTED PRIVATE KEY-----
...
----END ENCRYPTED PRIVATE KEY-----
|
and this file is a union of my files .key and .crt that I defined in make.conf.
The kernel config contains out of the box:
Code: | -*- Cryptographic API --->
Certificates for signature checking --->
(sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem) File name or PKCS#11 URI of module signing key |
So it seems ok, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how to configure it?
EDIT:
Code: | oepnssl x509 -noout -text -in /usr/src/linux/certs/signing_key.x509 |
shows me "Issuer: CN=Build time autogenerated kernel key" but is /usr/src/linux/ the right path? If yes, signing_key.x509 is probably wrong in this case, right? |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5121 Location: Bavaria
|
Posted: Thu Nov 07, 2024 9:36 am Post subject: |
|
|
nxe9 wrote: | [...] So it seems ok, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how to configure it?
[...]
If yes, signing_key.x509 is probably wrong in this case, right? |
I am sorry, I know all these signing stuff only when doing a manually configuration - I cannot help with these automatic routines ... maybe @Nowa (or any other user with experience for this) jumps in ?! _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
Nowa Developer
Joined: 25 Jun 2014 Posts: 429 Location: Nijmegen
|
Posted: Thu Nov 07, 2024 1:31 pm Post subject: |
|
|
Quote: | As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are ok, I have already signed UKI, grub, etc. with them. There have been no problems so far. |
That sounds like: https://bugs.gentoo.org/935733
FEATURES=pid-sandbox interferes with the passphrase prompt, you can disable that feature as a workaround. _________________ OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Thu Nov 07, 2024 2:31 pm Post subject: |
|
|
@Nowa: No, it must be something different. My make.conf contains FEATURES="-pid-sandbox" and it solves the prompt related issues. I can enter the password before building the kernel.
Now, I created a test textfile x.txt
Code: | /usr/src/linux/scripts/sign-file sha512 path/myfile.key /usr/src/linux/certs/signing_key.x509 x.txt |
Same error.
Code: | /usr/src/linux/scripts/sign-file sha512 path/myfile.key path/myfile.crt x.txt |
Same error.
Code: | At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159 |
No prompt is shown here. Immediately an error. What is going on? |
|
Back to top |
|
|
Nowa Developer
Joined: 25 Jun 2014 Posts: 429 Location: Nijmegen
|
Posted: Thu Nov 07, 2024 3:11 pm Post subject: |
|
|
Hmm, if you use openssl directly to sign something, does this work? If not then there is some more general problem in your openssl and the askpass.
Note though, openssl does not do pin caching so when you do get this working again then you'll have to enter the same pin about a hundred times every time the kernel compiles. You can avoid this by setting your pin with the KBUILD_SIGN_PIN variable, but this only works for the modules, not for the secureboot signature. _________________ OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Thu Nov 07, 2024 3:25 pm Post subject: |
|
|
@Nowa;
Code: | sbsign --key=path/myfile.key --cert=path/myfile.crt testfile --output testfile.signed |
works without problem, there is a pass phrase prompt.
UKI signing through dracut (gentoo-kernel -> installkernel) works without problem with pass phrase prompt.
Grub signing with secureboot flag FEATURES="-pid-sandbox" works without problem.
The only problem I have so far is the one in this post. |
|
Back to top |
|
|
Nowa Developer
Joined: 25 Jun 2014 Posts: 429 Location: Nijmegen
|
Posted: Thu Nov 07, 2024 3:33 pm Post subject: |
|
|
Is KBUILD_SIGN_PIN maybe set in the environment? That could explain why it skips asking for the pin and immediately returns with 'wrong pin'.
The other possibility is that the key type is wrong, the kernel is a bit more constrained in terms of what is supported. There is a x509.keygen file in the certs directory of the kernel sources that is supposed to be used for generating a new module signing key, it should set all the required options: https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html _________________ OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Thu Nov 07, 2024 3:57 pm Post subject: |
|
|
Should KBUILD_SIGN_PIN be a environment variable?
"printenv" doesn't show me KBUILD_SIGN_PIN. "printenv KBUILD_SIGN_PIN" returns empty, so it is probably not set.
Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?
Sorry, I haven't read your link thoroughly yet. I'll do it later tonight. |
|
Back to top |
|
|
Nowa Developer
Joined: 25 Jun 2014 Posts: 429 Location: Nijmegen
|
Posted: Thu Nov 07, 2024 4:22 pm Post subject: |
|
|
nxe9 wrote: | Should KBUILD_SIGN_PIN be a environment variable? |
You can use it to pass the pin, but it should not be required.
Quote: | Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?. |
No, but you can use the keygen file as config to generate a key pair that automatically conforms to the kernels requirements, this is just a way to eliminate that your key is somehow the problem. Otherwise there maybe is some bug in the kernels sign-file. _________________ OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Fri Nov 08, 2024 12:03 am Post subject: |
|
|
@Nowa: OK, if I understand correctly I need to generate my keys based on a genkey file (-config option in openssl) which is a key generation configuration file provided with linux sources.
Gentoo handbook tells me "x509.genkey is located at /usr/src/linux/certs/x509.genkey.". But /usr/src/linux/certs contains only Kconfig, Makefile, signing_key.pem, signing_key.x509. x509.genkey is missing on my system. eselect kernel list points to "linux-6.6.58-gentoo-dist". I have also non-dist sources on my system and there is /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey.
In short, distribution kernel gentoo-kernel doesn't provide genkey file. Why? It sounds like a bug for me. I cannot generate the correct key because I do not have the genkey file. It's true that I can get this genkey file in another way, but this is just a workaround.
EDIT: I generated my key pair based based on default_x509.genkey and the command in your link. The files are different compared to my previous ones with the same password. I am building the kernel now with my new keys and let you know if it was successful. |
|
Back to top |
|
|
Nowa Developer
Joined: 25 Jun 2014 Posts: 429 Location: Nijmegen
|
Posted: Fri Nov 08, 2024 12:41 am Post subject: |
|
|
nxe9 wrote: |
In short, distribution kernel gentoo-kernel doesn't provide genkey file. Why? It sounds like a bug for me. I cannot generate the correct key because I do not have the genkey file. It's true that I can get this genkey file in another way, but this is just a workaround. |
Yeah this is not ideal, I'll write a little fix for the eclass tomorrow _________________ OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Fri Nov 08, 2024 1:34 am Post subject: |
|
|
New try and exactly the same error.
My new openssl command
Code: | openssl req -new -x509 -sha256 -keyout myfile.key -out myfile.crt -days 9999 -utf8 -batch -subj "/CN=myname" -config /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey |
The file
Code: | /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem |
contains my newly generated key and certificate, so it appears to be correct again.
I invoked the openssl command without the -nodes parameter, which gives me an encrypted key. Does module signing support an encrypted key at all? Tomorrow I will try unencrypted with the nodes option.
@Child_of_Sun_24: From what I understand, you sign the kernel and modules without using UKI, so what does this process look like for you? Maybe you can help here? |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Fri Nov 08, 2024 2:02 am Post subject: |
|
|
Some interesting things when trying to sign a test file using the sign-file script.
Code: | openssl req -new -x509 -sha256 -keyout x.key -out x.crt -days 9999 -utf8 -batch -subj "/CN=myname" -config /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey |
generates encrypted x.key.
Code: | openssl req -new -x509 -sha256 -keyout y.key -out y.crt -days 9999 -utf8 -batch -subj "/CN=myname" -config /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey -nodes |
generates unencrypted y.key.
Case 1: It works
Code: | /usr/src/linux/scripts/sign-file sha512 y.key y.crt testfile |
Case 2: It doesn't work. Error like in the thread.
Code: | /usr/src/linux/scripts/sign-file sha512 x.key x.crt testfile |
Case 3: It doesn't work. Error: x509: certificate routines::key values mistmatch:...
Code: | /usr/src/linux/scripts/sign-file sha512 y.key /usr/src/linux/certs/signing_key.x509 testfile |
Conslusion: My kernel signing has two problems. First of all, there is a problem with reading the encrypted key. The second problem is the certificate parameter. My certificate should be there. Perhaps it will be replaced with mine during building. I don't know I will test it later with unencrypted key. So if I set an unencrypted key in make.conf, I will probably get an error like in case 3 or the build will succeed if the certificate is replaced with mine..
This is all strange. Here's a question for people who sign kernels and modules. How do you do it? Because for now everything indicates that the gentoo-kernel package is bugged with the signing. |
|
Back to top |
|
|
Nowa Developer
Joined: 25 Jun 2014 Posts: 429 Location: Nijmegen
|
Posted: Fri Nov 08, 2024 8:53 am Post subject: |
|
|
Quote: | My certificate should be there. Perhaps it will be replaced with mine during building. |
It will, the kernel build system converts the input key to DER format and puts that at certs/signing_key.x509. If you change your key without changing that certificate file then there will indeed be a mismatch
Quote: | This is all strange. Here's a question for people who sign kernels and modules. How do you do it? Because for now everything indicates that the gentoo-kernel package is bugged with the signing. |
I generated my key exactly as specified on the kernel's signing facility documentation page (i.e. without a passphrase), this works fine (that is why I asked you to do so as well, this is the configuration that I know should work).
I very much doubt this is a Gentoo dist-kernel bug, have you tried using this key with any of the kernel source packages? I suspect you'll run into the same problem. It seems to me that this is either a bug in the kernels sign-file utility or the case of a key with a passphrase is simply not supported upstream. _________________ OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5121 Location: Bavaria
|
Posted: Fri Nov 08, 2024 11:25 am Post subject: |
|
|
Nowa wrote: | [...] or the case of a key with a passphrase is simply not supported upstream. |
As far as I understand it, the kernel understands keys with a passphrase as long as it is set:
https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
@nxe9,
if you use keys WITH a passphrase you must set the environment variable KBUILD_SIGN_PIN. See more in Documentation/kbuild/kbuild.rst
Quote: | KBUILD_SIGN_PIN
---------------
This variable allows a passphrase or PIN to be passed to the sign-file
utility when signing kernel modules, if the private key requires such. |
and also in scripts/sign-file.c ->
Code: | key_pass = getenv("KBUILD_SIGN_PIN"); |
_________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Fri Nov 08, 2024 2:16 pm Post subject: |
|
|
Build with key without password ran without error. So the certificate is replaced correctly. Nice! Thank you.
Regarding KBUILD_SIGN_PIN, do I understand correctly that I should save my password in this variable? It's a bit ugly for me to store the password on the system in a regular variable. This approach with the option to enter it manually when signing components is much more elegant for me. So if this is the only approach to signing kernel modules, I will probably stay with UKI. |
|
Back to top |
|
|
Nowa Developer
Joined: 25 Jun 2014 Posts: 429 Location: Nijmegen
|
Posted: Fri Nov 08, 2024 2:22 pm Post subject: |
|
|
nxe9 wrote: | This approach with the option to enter it manually when signing components is much more elegant for me. So if this is the only approach to signing kernel modules, I will probably stay with UKI. |
Note that you'll have to enter it for every single module, and there's a lot of them.
Something that just occurred to me is that modules-install respects MAKEOPTS and that therefore openssl will be requesting the passphrase for multiple different modules simultaneously. Perhaps this is the cause of your problem, it might work with MAKEOPTS="-j1 -l1" but this will of course be slow. _________________ OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22694
|
Posted: Fri Nov 08, 2024 2:52 pm Post subject: |
|
|
nxe9 wrote: | Regarding KBUILD_SIGN_PIN, do I understand correctly that I should save my password in this variable? It's a bit ugly for me to store the password on the system in a regular variable. | Why is this ugly? You could use a wrapper script for emerge that prompts you for the password once, records it in that environment variable, then runs regular emerge. This would avoid storing the password on the system long term, and allow you to type it only once per emerge of the affected kernel. You could choose not to use this wrapper when you are not merging the kernel. |
|
Back to top |
|
|
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 116
|
Posted: Tue Nov 12, 2024 1:53 am Post subject: |
|
|
@Hu: Thanks. That makes sense.
Currently, I will stick to UKI, because it seems to be the easiest in the context of signing. However, thank you for your help, because the most important thing is that I understood the cause of the problem. |
|
Back to top |
|
|
|