nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 107
Posted: Wed Nov 06, 2024 6:24 pm Post subject: sys-kernel/gentoo-kernel with signing fails to build

I am trying to build a signed sys-kernel/gentoo-kernel with the secureboot and modules-sign flags, and it fails.
The last 300 lines of the build log: https://bpa.st/TFVPW
Probably the key part:
Code:
# SIGN /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
scripts/sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159
sign-file: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem
make[3]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/work/linux-6.6/scripts/Makefile.modinst:121: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko] Error 1
/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem contains my cert + encrypted key.
make.conf contains:
Code:
SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt"
MODULES_SIGN_KEY="mypath/file.key"
MODULES_SIGN_CERT="mypath/file.crt"
As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are OK; I have already signed UKI, grub, etc. with them. There have been no problems so far.
The command that generated my key:
Code:
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my name" -keyout file.key -out file.crt -days 9999 -sha256
At the beginning of building the package, before the kernel was built, I was asked to enter the password twice. There was no error, because in case of an error the installation stops. So something must be wrong with my configuration, but what?
Last edited by nxe9 on Wed Nov 06, 2024 8:42 pm; edited 1 time in total
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5084 Location: Bavaria
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 107
Posted: Wed Nov 06, 2024 8:48 pm Post subject:

@pietinger: Thanks, but I still don't fully understand what's wrong.
The command generating the error is, in short:
Code:
sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 <kernel-module>.ko
The pem file
Code:
/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem
contains
Code:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
and this file is a union of my files .key and .crt that I defined in make.conf.
The kernel config contains out of the box:
Code:
-*- Cryptographic API --->
Certificates for signature checking --->
(sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem) File name or PKCS#11 URI of module signing key
So it seems OK, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how do I configure it?
EDIT:
Code:
openssl x509 -noout -text -in /usr/src/linux/certs/signing_key.x509
shows me "Issuer: CN=Build time autogenerated kernel key", but is /usr/src/linux/ the right path? If yes, signing_key.x509 is probably wrong in this case, right?
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5084 Location: Bavaria
Posted: Thu Nov 07, 2024 9:36 am Post subject:

nxe9 wrote:
[...] So it seems OK, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how do I configure it?
[...]
If yes, signing_key.x509 is probably wrong in this case, right?
I am sorry, I know all this signing stuff only when doing a manual configuration - I cannot help with these automatic routines ... maybe @Nowa (or any other user with experience in this) jumps in?!
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Nowa Developer
Joined: 25 Jun 2014 Posts: 426 Location: Nijmegen
Posted: Thu Nov 07, 2024 1:31 pm Post subject:

Quote:
As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are OK; I have already signed UKI, grub, etc. with them. There have been no problems so far.
That sounds like: https://bugs.gentoo.org/935733
FEATURES=pid-sandbox interferes with the passphrase prompt; you can disable that feature as a workaround.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 107
Posted: Thu Nov 07, 2024 2:31 pm Post subject:

@Nowa: No, it must be something different. My make.conf contains FEATURES="-pid-sandbox", and that solves the prompt-related issues. I can enter the password before building the kernel.
Now, I created a test text file x.txt.
Code:
/usr/src/linux/scripts/sign-file sha512 path/myfile.key /usr/src/linux/certs/signing_key.x509 x.txt
Same error.
Code:
/usr/src/linux/scripts/sign-file sha512 path/myfile.key path/myfile.crt x.txt
Same error.
Code:
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159
No prompt is shown here. Immediately an error. What is going on?
Nowa Developer
Joined: 25 Jun 2014 Posts: 426 Location: Nijmegen
Posted: Thu Nov 07, 2024 3:11 pm Post subject:

Hmm, if you use openssl directly to sign something, does this work? If not, then there is some more general problem in your openssl and the askpass.
Note though, openssl does not do pin caching, so when you do get this working again you'll have to enter the same pin about a hundred times every time the kernel compiles. You can avoid this by setting your pin with the KBUILD_SIGN_PIN variable, but this only works for the modules, not for the secureboot signature.
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 107
Posted: Thu Nov 07, 2024 3:25 pm Post subject:

@Nowa:
Code:
sbsign --key=path/myfile.key --cert=path/myfile.crt testfile --output testfile.signed
works without problem; there is a pass phrase prompt.
UKI signing through dracut (gentoo-kernel -> installkernel) works without problem, with a pass phrase prompt.
Grub signing with the secureboot flag and FEATURES="-pid-sandbox" works without problem.
The only problem I have so far is the one in this post.
Nowa Developer
Joined: 25 Jun 2014 Posts: 426 Location: Nijmegen
Posted: Thu Nov 07, 2024 3:33 pm Post subject:

Is KBUILD_SIGN_PIN maybe set in the environment? That could explain why it skips asking for the pin and immediately returns with 'wrong pin'.
The other possibility is that the key type is wrong; the kernel is a bit more constrained in terms of what is supported. There is an x509.keygen file in the certs directory of the kernel sources that is supposed to be used for generating a new module signing key; it should set all the required options: https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
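Two questions run through this thread: whether the concatenated kernel_key.pem (certificate followed by encrypted key, as nxe9 describes it) and the separate .key/.crt files are well-formed PEM, and whether the private key is encrypted and therefore needs a passphrase source. Both can be checked offline before a kernel build. The inspector below is an added example for this thread, not code from the kernel, from Gentoo or from any poster; it uses only the Python standard library, the sample PEM files are constructed with a placeholder DER body rather than real keys, and the `pin_available` flag stands in for whether KBUILD_SIGN_PIN is exported at build time. The "encrypted key" finding reflects how the kernel's scripts/sign-file obtains a passphrase: its OpenSSL password callback hands back the value of KBUILD_SIGN_PIN and fails when that variable is unset, and it has no interactive prompt of its own.

```python
"""PEM inspector for the inputs of the kernel's scripts/sign-file.

Added illustration for this thread (not kernel, Gentoo or forum-poster code).
It needs only the standard library: it checks PEM framing, block labels,
base64 validity and whether the private key is encrypted.
"""
import base64
import binascii
import re

# RFC 7468 framing: exactly five dashes and matching BEGIN/END labels.
PEM_BLOCK = re.compile(
    r"^-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<inner>.*?)^-----END (?P=label)-----",
    re.DOTALL | re.MULTILINE,
)
GOOD_DELIM = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")
ANY_DELIM = re.compile(r"^-+(BEGIN|END) [A-Z0-9 ]+-+$")

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
                      "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return one dict per well-formed block: label, headers, encrypted, der.

    `der` is None when the base64 body does not decode.  PKCS#8 encryption is
    signalled by the ENCRYPTED PRIVATE KEY label; legacy OpenSSL encryption by
    a "Proc-Type: 4,ENCRYPTED" header inside an RSA/EC PRIVATE KEY block.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        headers, body, in_headers = {}, [], True
        for line in m.group("inner").splitlines():
            line = line.strip()
            # Header lines (Proc-Type, DEK-Info) contain ':'; base64 never does.
            if in_headers and ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
                continue
            in_headers = False  # a blank line or the first base64 line ends the headers
            if line:
                body.append(line)
        try:
            der = base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            der = None
        label = m.group("label")
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or headers.get("Proc-Type", "").endswith("ENCRYPTED"))
        blocks.append({"label": label, "headers": headers,
                       "encrypted": encrypted, "der": der})
    return blocks


def delimiter_problems(text):
    """Delimiter-looking lines that are not exactly five dashes on each side."""
    return [ln.strip() for ln in text.splitlines()
            if ANY_DELIM.match(ln.strip()) and not GOOD_DELIM.match(ln.strip())]


def check_sign_file_inputs(key_text, cert_text, pin_available):
    """Findings for `sign-file <hash> <key> <cert> <module>`.

    sign-file reads the private key from its key argument and the certificate
    from its x509 argument; one combined PEM file may serve as both.
    `pin_available` says whether KBUILD_SIGN_PIN would be exported at build time.
    """
    findings = []
    for name, text in (("key", key_text), ("cert", cert_text)):
        findings += [f"{name}: malformed PEM delimiter {bad!r}"
                     for bad in delimiter_problems(text)]
    keys = [b for b in parse_pem(key_text) if b["label"] in PRIVATE_KEY_LABELS]
    certs = [b for b in parse_pem(cert_text) if b["label"] == "CERTIFICATE"]
    if not keys:
        findings.append("key: no private key block found")
    if not certs:
        findings.append("cert: no CERTIFICATE block found")
    for b in keys + certs:
        if b["der"] is None:
            findings.append(f"{b['label']}: body is not valid base64")
        elif not b["der"].startswith(b"\x30"):
            findings.append(f"{b['label']}: decoded body is not a DER SEQUENCE")
    if keys and keys[0]["encrypted"] and not pin_available:
        findings.append("key: encrypted; sign-file takes the passphrase only from KBUILD_SIGN_PIN")
    return findings


def _pem(label, der, headers=None):
    """Build a PEM block; used only to construct the samples below."""
    hdr = "".join(f"{k}: {v}\n" for k, v in (headers or {}).items())
    if hdr:
        hdr += "\n"  # RFC 1421 blank line between headers and base64
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


# Constructed samples: the DER body is a placeholder SEQUENCE { INTEGER 0 }, not a real key.
FAKE_DER = bytes.fromhex("3003020100")
SAMPLE_CERT = _pem("CERTIFICATE", FAKE_DER)
SAMPLE_PKCS8_ENC_KEY = _pem("ENCRYPTED PRIVATE KEY", FAKE_DER)
SAMPLE_LEGACY_ENC_KEY = _pem("RSA PRIVATE KEY", FAKE_DER,
                             {"Proc-Type": "4,ENCRYPTED",
                              "DEK-Info": "AES-256-CBC,00112233445566778899AABBCCDDEEFF"})
SAMPLE_PLAIN_KEY = _pem("PRIVATE KEY", FAKE_DER)
# Layout of the combined kernel_key.pem described in the thread: certificate, then key.
SAMPLE_COMBINED = SAMPLE_CERT + SAMPLE_PKCS8_ENC_KEY
# Constructed malformed file: delimiters with too few dashes.
SAMPLE_SLOPPY = "----BEGIN CERTIFICATE----\nMAMCAQA=\n----END CERTIFICATE---\n"

if __name__ == "__main__":
    for finding in check_sign_file_inputs(SAMPLE_COMBINED, SAMPLE_COMBINED, pin_available=False):
        print(finding)
```

Run as a script it reports the one finding a combined cert+encrypted-key file produces when KBUILD_SIGN_PIN is absent; point `check_sign_file_inputs` at the contents of your real .key/.crt (or the combined kernel_key.pem for both arguments) to get the same checks on your own inputs. The delimiter check exists because a block whose BEGIN/END lines are not exactly five dashes is silently skipped by OpenSSL's PEM reader, which then reports a missing key rather than a framing error.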
nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 107
Posted: Thu Nov 07, 2024 3:57 pm Post subject:

Should KBUILD_SIGN_PIN be an environment variable?
"printenv" doesn't show me KBUILD_SIGN_PIN. "printenv KBUILD_SIGN_PIN" returns empty, so it is probably not set.
Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?
Sorry, I haven't read your link thoroughly yet. I'll do it later tonight.
Nowa Developer
Joined: 25 Jun 2014 Posts: 426 Location: Nijmegen
Posted: Thu Nov 07, 2024 4:22 pm Post subject:

nxe9 wrote:
Should KBUILD_SIGN_PIN be an environment variable?
You can use it to pass the pin, but it should not be required.
Quote:
Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?
No, but you can use the keygen file as config to generate a key pair that automatically conforms to the kernel's requirements; this is just a way to eliminate the possibility that your key is somehow the problem. Otherwise there may be some bug in the kernel's sign-file.