Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
sys-kernel/gentoo-kernel with signing fails to build
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Wed Nov 06, 2024 6:24 pm    Post subject: sys-kernel/gentoo-kernel with signing fails to build Reply with quote

I am trying to build signed sys-kernel/gentoo-kernel with secureboot and modules-sign flags and it fails.

The last 300 lines of the build log; https://bpa.st/TFVPW

Probably the key part
Code:
# SIGN    /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
  scripts/sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159
sign-file: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem
make[3]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/work/linux-6.6/scripts/Makefile.modinst:121: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko] Error 1


/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem cointains my cert + encrypted key.

make.conf contains
Code:
SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt"
MODULES_SIGN_KEY="mypath/file.key"
MODULES_SIGN_CERT="mypath/file.crt"


As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are ok, I have already signed UKI, grub, etc. with them. There have been no problems so far.

The command that generated my key
Code:
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my name" -keyout file.key -out file.crt -days 9999 -sha256


At the beginning of building the package before the kernel was build, I was asked to enter the password twice. There was no error, because in case of an error the installation stops. So something must be wrong with my configuration, but what?


Last edited by nxe9 on Wed Nov 06, 2024 8:42 pm; edited 1 time in total
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5136
Location: Bavaria

PostPosted: Wed Nov 06, 2024 7:50 pm    Post subject: Reply with quote

Look to this post: https://forums.gentoo.org/viewtopic-p-8822788.html#8822788 ;-)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Wed Nov 06, 2024 8:48 pm    Post subject: Reply with quote

@pietinger: Thanks but I still don't fully understand what's wrong.

The command generating the error is, in short
Code:
sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 <kernel-module>.ko


The pem file
Code:
/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem

contains
Code:
----BEGIN CERTIFICATE----
...
----END CERTIFICATE---
----BEGIN ENCRYPTED PRIVATE KEY-----
...
----END ENCRYPTED PRIVATE KEY-----

and this file is a union of my files .key and .crt that I defined in make.conf.

The kernel config contains out of the box:
Code:
-*- Cryptographic API  --->
    Certificates for signature checking  --->
        (sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem) File name or PKCS#11 URI of module signing key


So it seems ok, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how to configure it?

EDIT:
Code:
oepnssl x509 -noout -text -in /usr/src/linux/certs/signing_key.x509

shows me "Issuer: CN=Build time autogenerated kernel key" but is /usr/src/linux/ the right path? If yes, signing_key.x509 is probably wrong in this case, right?
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5136
Location: Bavaria

PostPosted: Thu Nov 07, 2024 9:36 am    Post subject: Reply with quote

nxe9 wrote:
[...] So it seems ok, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how to configure it?
[...]
If yes, signing_key.x509 is probably wrong in this case, right?

I am sorry, I know all these signing stuff only when doing a manually configuration - I cannot help with these automatic routines ... maybe @Nowa (or any other user with experience for this) jumps in ?!
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 431
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 1:31 pm    Post subject: Reply with quote

Quote:
As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are ok, I have already signed UKI, grub, etc. with them. There have been no problems so far.


That sounds like: https://bugs.gentoo.org/935733

FEATURES=pid-sandbox interferes with the passphrase prompt, you can disable that feature as a workaround.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Thu Nov 07, 2024 2:31 pm    Post subject: Reply with quote

@Nowa: No, it must be something different. My make.conf contains FEATURES="-pid-sandbox" and it solves the prompt related issues. I can enter the password before building the kernel.

Now, I created a test textfile x.txt

Code:
/usr/src/linux/scripts/sign-file sha512 path/myfile.key /usr/src/linux/certs/signing_key.x509 x.txt

Same error.

Code:
/usr/src/linux/scripts/sign-file sha512 path/myfile.key path/myfile.crt x.txt

Same error.

Code:
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159


No prompt is shown here. Immediately an error. What is going on?
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 431
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 3:11 pm    Post subject: Reply with quote

Hmm, if you use openssl directly to sign something, does this work? If not then there is some more general problem in your openssl and the askpass.

Note though, openssl does not do pin caching so when you do get this working again then you'll have to enter the same pin about a hundred times every time the kernel compiles. You can avoid this by setting your pin with the KBUILD_SIGN_PIN variable, but this only works for the modules, not for the secureboot signature.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Thu Nov 07, 2024 3:25 pm    Post subject: Reply with quote

@Nowa;
Code:
sbsign --key=path/myfile.key --cert=path/myfile.crt testfile --output testfile.signed

works without problem, there is a pass phrase prompt.

UKI signing through dracut (gentoo-kernel -> installkernel) works without problem with pass phrase prompt.

Grub signing with secureboot flag FEATURES="-pid-sandbox" works without problem.

The only problem I have so far is the one in this post.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 431
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 3:33 pm    Post subject: Reply with quote

Is KBUILD_SIGN_PIN maybe set in the environment? That could explain why it skips asking for the pin and immediately returns with 'wrong pin'.

The other possibility is that the key type is wrong, the kernel is a bit more constrained in terms of what is supported. There is a x509.keygen file in the certs directory of the kernel sources that is supposed to be used for generating a new module signing key, it should set all the required options: https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Thu Nov 07, 2024 3:57 pm    Post subject: Reply with quote

Should KBUILD_SIGN_PIN be a environment variable?

"printenv" doesn't show me KBUILD_SIGN_PIN. "printenv KBUILD_SIGN_PIN" returns empty, so it is probably not set.

Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?

Sorry, I haven't read your link thoroughly yet. I'll do it later tonight.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 431
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 4:22 pm    Post subject: Reply with quote

nxe9 wrote:
Should KBUILD_SIGN_PIN be a environment variable?


You can use it to pass the pin, but it should not be required.

Quote:
Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?.


No, but you can use the keygen file as config to generate a key pair that automatically conforms to the kernels requirements, this is just a way to eliminate that your key is somehow the problem. Otherwise there maybe is some bug in the kernels sign-file.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Fri Nov 08, 2024 12:03 am    Post subject: Reply with quote

@Nowa: OK, if I understand correctly I need to generate my keys based on a genkey file (-config option in openssl) which is a key generation configuration file provided with linux sources.

Gentoo handbook tells me "x509.genkey is located at /usr/src/linux/certs/x509.genkey.". But /usr/src/linux/certs contains only Kconfig, Makefile, signing_key.pem, signing_key.x509. x509.genkey is missing on my system. eselect kernel list points to "linux-6.6.58-gentoo-dist". I have also non-dist sources on my system and there is /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey.

In short, distribution kernel gentoo-kernel doesn't provide genkey file. Why? It sounds like a bug for me. I cannot generate the correct key because I do not have the genkey file. It's true that I can get this genkey file in another way, but this is just a workaround.

EDIT: I generated my key pair based based on default_x509.genkey and the command in your link. The files are different compared to my previous ones with the same password. I am building the kernel now with my new keys and let you know if it was successful.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 431
Location: Nijmegen

PostPosted: Fri Nov 08, 2024 12:41 am    Post subject: Reply with quote

nxe9 wrote:


In short, distribution kernel gentoo-kernel doesn't provide genkey file. Why? It sounds like a bug for me. I cannot generate the correct key because I do not have the genkey file. It's true that I can get this genkey file in another way, but this is just a workaround.


Yeah this is not ideal, I'll write a little fix for the eclass tomorrow
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Fri Nov 08, 2024 1:34 am    Post subject: Reply with quote

New try and exactly the same error.

My new openssl command
Code:
openssl req -new -x509 -sha256 -keyout myfile.key -out myfile.crt -days 9999 -utf8 -batch -subj "/CN=myname" -config /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey


The file
Code:
/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem

contains my newly generated key and certificate, so it appears to be correct again.

I invoked the openssl command without the -nodes parameter, which gives me an encrypted key. Does module signing support an encrypted key at all? Tomorrow I will try unencrypted with the nodes option.

@Child_of_Sun_24: From what I understand, you sign the kernel and modules without using UKI, so what does this process look like for you? Maybe you can help here?
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Fri Nov 08, 2024 2:02 am    Post subject: Reply with quote

Some interesting things when trying to sign a test file using the sign-file script.

Code:
openssl req -new -x509 -sha256 -keyout x.key -out x.crt -days 9999 -utf8 -batch -subj "/CN=myname" -config /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey

generates encrypted x.key.


Code:
openssl req -new -x509 -sha256 -keyout y.key -out y.crt -days 9999 -utf8 -batch -subj "/CN=myname" -config /usr/src/linux-6.6.52-gentoo/certs/default_x509.genkey -nodes

generates unencrypted y.key.


Case 1: It works
Code:
/usr/src/linux/scripts/sign-file sha512 y.key y.crt testfile


Case 2: It doesn't work. Error like in the thread.
Code:
/usr/src/linux/scripts/sign-file sha512 x.key x.crt testfile


Case 3: It doesn't work. Error: x509: certificate routines::key values mistmatch:...
Code:
/usr/src/linux/scripts/sign-file sha512 y.key /usr/src/linux/certs/signing_key.x509 testfile


Conslusion: My kernel signing has two problems. First of all, there is a problem with reading the encrypted key. The second problem is the certificate parameter. My certificate should be there. Perhaps it will be replaced with mine during building. I don't know I will test it later with unencrypted key. So if I set an unencrypted key in make.conf, I will probably get an error like in case 3 or the build will succeed if the certificate is replaced with mine..

This is all strange. Here's a question for people who sign kernels and modules. How do you do it? Because for now everything indicates that the gentoo-kernel package is bugged with the signing.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 431
Location: Nijmegen

PostPosted: Fri Nov 08, 2024 8:53 am    Post subject: Reply with quote

Quote:
My certificate should be there. Perhaps it will be replaced with mine during building.


It will, the kernel build system converts the input key to DER format and puts that at certs/signing_key.x509. If you change your key without changing that certificate file then there will indeed be a mismatch

Quote:
This is all strange. Here's a question for people who sign kernels and modules. How do you do it? Because for now everything indicates that the gentoo-kernel package is bugged with the signing.


I generated my key exactly as specified on the kernel's signing facility documentation page (i.e. without a passphrase), this works fine (that is why I asked you to do so as well, this is the configuration that I know should work).

I very much doubt this is a Gentoo dist-kernel bug, have you tried using this key with any of the kernel source packages? I suspect you'll run into the same problem. It seems to me that this is either a bug in the kernels sign-file utility or the case of a key with a passphrase is simply not supported upstream.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5136
Location: Bavaria

PostPosted: Fri Nov 08, 2024 11:25 am    Post subject: Reply with quote

Nowa wrote:
[...] or the case of a key with a passphrase is simply not supported upstream.

As far as I understand it, the kernel understands keys with a passphrase as long as it is set:
https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html

@nxe9,

if you use keys WITH a passphrase you must set the environment variable KBUILD_SIGN_PIN. See more in Documentation/kbuild/kbuild.rst
Quote:
KBUILD_SIGN_PIN
---------------
This variable allows a passphrase or PIN to be passed to the sign-file
utility when signing kernel modules, if the private key requires such.

and also in scripts/sign-file.c ->
Code:
   key_pass = getenv("KBUILD_SIGN_PIN");

_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Fri Nov 08, 2024 2:16 pm    Post subject: Reply with quote

Build with key without password ran without error. So the certificate is replaced correctly. Nice! Thank you.

Regarding KBUILD_SIGN_PIN, do I understand correctly that I should save my password in this variable? It's a bit ugly for me to store the password on the system in a regular variable. This approach with the option to enter it manually when signing components is much more elegant for me. So if this is the only approach to signing kernel modules, I will probably stay with UKI.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 431
Location: Nijmegen

PostPosted: Fri Nov 08, 2024 2:22 pm    Post subject: Reply with quote

nxe9 wrote:
This approach with the option to enter it manually when signing components is much more elegant for me. So if this is the only approach to signing kernel modules, I will probably stay with UKI.


Note that you'll have to enter it for every single module, and there's a lot of them.

Something that just occurred to me is that modules-install respects MAKEOPTS and that therefore openssl will be requesting the passphrase for multiple different modules simultaneously. Perhaps this is the cause of your problem, it might work with MAKEOPTS="-j1 -l1" but this will of course be slow.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22705

PostPosted: Fri Nov 08, 2024 2:52 pm    Post subject: Reply with quote

nxe9 wrote:
Regarding KBUILD_SIGN_PIN, do I understand correctly that I should save my password in this variable? It's a bit ugly for me to store the password on the system in a regular variable.
Why is this ugly? You could use a wrapper script for emerge that prompts you for the password once, records it in that environment variable, then runs regular emerge. This would avoid storing the password on the system long term, and allow you to type it only once per emerge of the affected kernel. You could choose not to use this wrapper when you are not merging the kernel.
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 120

PostPosted: Tue Nov 12, 2024 1:53 am    Post subject: Reply with quote

@Hu: Thanks. That makes sense.

Currently, I will stick to UKI, because it seems to be the easiest in the context of signing. However, thank you for your help, because the most important thing is that I understood the cause of the problem.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum