Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
sys-kernel/gentoo-kernel with signing fails to build
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 107

PostPosted: Wed Nov 06, 2024 6:24 pm    Post subject: sys-kernel/gentoo-kernel with signing fails to build Reply with quote

I am trying to build signed sys-kernel/gentoo-kernel with secureboot and modules-sign flags and it fails.

The last 300 lines of the build log; https://bpa.st/TFVPW

Probably the key part
Code:
# SIGN    /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
  scripts/sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159
sign-file: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem
make[3]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/work/linux-6.6/scripts/Makefile.modinst:121: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko] Error 1


/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem cointains my cert + encrypted key.

make.conf contains
Code:
SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt"
MODULES_SIGN_KEY="mypath/file.key"
MODULES_SIGN_CERT="mypath/file.crt"


As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are ok, I have already signed UKI, grub, etc. with them. There have been no problems so far.

The command that generated my key
Code:
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my name" -keyout file.key -out file.crt -days 9999 -sha256


At the beginning of building the package before the kernel was build, I was asked to enter the password twice. There was no error, because in case of an error the installation stops. So something must be wrong with my configuration, but what?


Last edited by nxe9 on Wed Nov 06, 2024 8:42 pm; edited 1 time in total
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5084
Location: Bavaria

PostPosted: Wed Nov 06, 2024 7:50 pm    Post subject: Reply with quote

Look to this post: https://forums.gentoo.org/viewtopic-p-8822788.html#8822788 ;-)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 107

PostPosted: Wed Nov 06, 2024 8:48 pm    Post subject: Reply with quote

@pietinger: Thanks but I still don't fully understand what's wrong.

The command generating the error is, in short
Code:
sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 <kernel-module>.ko


The pem file
Code:
/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem

contains
Code:
----BEGIN CERTIFICATE----
...
----END CERTIFICATE---
----BEGIN ENCRYPTED PRIVATE KEY-----
...
----END ENCRYPTED PRIVATE KEY-----

and this file is a union of my files .key and .crt that I defined in make.conf.

The kernel config contains out of the box:
Code:
-*- Cryptographic API  --->
    Certificates for signature checking  --->
        (sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem) File name or PKCS#11 URI of module signing key


So it seems ok, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how to configure it?

EDIT:
Code:
oepnssl x509 -noout -text -in /usr/src/linux/certs/signing_key.x509

shows me "Issuer: CN=Build time autogenerated kernel key" but is /usr/src/linux/ the right path? If yes, signing_key.x509 is probably wrong in this case, right?
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5084
Location: Bavaria

PostPosted: Thu Nov 07, 2024 9:36 am    Post subject: Reply with quote

nxe9 wrote:
[...] So it seems ok, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how to configure it?
[...]
If yes, signing_key.x509 is probably wrong in this case, right?

I am sorry, I know all these signing stuff only when doing a manually configuration - I cannot help with these automatic routines ... maybe @Nowa (or any other user with experience for this) jumps in ?!
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 426
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 1:31 pm    Post subject: Reply with quote

Quote:
As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are ok, I have already signed UKI, grub, etc. with them. There have been no problems so far.


That sounds like: https://bugs.gentoo.org/935733

FEATURES=pid-sandbox interferes with the passphrase prompt, you can disable that feature as a workaround.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 107

PostPosted: Thu Nov 07, 2024 2:31 pm    Post subject: Reply with quote

@Nowa: No, it must be something different. My make.conf contains FEATURES="-pid-sandbox" and it solves the prompt related issues. I can enter the password before building the kernel.

Now, I created a test textfile x.txt

Code:
/usr/src/linux/scripts/sign-file sha512 path/myfile.key /usr/src/linux/certs/signing_key.x509 x.txt

Same error.

Code:
/usr/src/linux/scripts/sign-file sha512 path/myfile.key path/myfile.crt x.txt

Same error.

Code:
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159


No prompt is shown here. Immediately an error. What is going on?
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 426
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 3:11 pm    Post subject: Reply with quote

Hmm, if you use openssl directly to sign something, does this work? If not then there is some more general problem in your openssl and the askpass.

Note though, openssl does not do pin caching so when you do get this working again then you'll have to enter the same pin about a hundred times every time the kernel compiles. You can avoid this by setting your pin with the KBUILD_SIGN_PIN variable, but this only works for the modules, not for the secureboot signature.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 107

PostPosted: Thu Nov 07, 2024 3:25 pm    Post subject: Reply with quote

@Nowa;
Code:
sbsign --key=path/myfile.key --cert=path/myfile.crt testfile --output testfile.signed

works without problem, there is a pass phrase prompt.

UKI signing through dracut (gentoo-kernel -> installkernel) works without problem with pass phrase prompt.

Grub signing with secureboot flag FEATURES="-pid-sandbox" works without problem.

The only problem I have so far is the one in this post.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 426
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 3:33 pm    Post subject: Reply with quote

Is KBUILD_SIGN_PIN maybe set in the environment? That could explain why it skips asking for the pin and immediately returns with 'wrong pin'.

The other possibility is that the key type is wrong, the kernel is a bit more constrained in terms of what is supported. There is a x509.keygen file in the certs directory of the kernel sources that is supposed to be used for generating a new module signing key, it should set all the required options: https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 107

PostPosted: Thu Nov 07, 2024 3:57 pm    Post subject: Reply with quote

Should KBUILD_SIGN_PIN be a environment variable?

"printenv" doesn't show me KBUILD_SIGN_PIN. "printenv KBUILD_SIGN_PIN" returns empty, so it is probably not set.

Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?

Sorry, I haven't read your link thoroughly yet. I'll do it later tonight.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 426
Location: Nijmegen

PostPosted: Thu Nov 07, 2024 4:22 pm    Post subject: Reply with quote

nxe9 wrote:
Should KBUILD_SIGN_PIN be a environment variable?


You can use it to pass the pin, but it should not be required.

Quote:
Does that mean I have to generate my own x509 file and put it in the cert as signing_key.x509?.


No, but you can use the keygen file as config to generate a key pair that automatically conforms to the kernels requirements, this is just a way to eliminate that your key is somehow the problem. Otherwise there maybe is some bug in the kernels sign-file.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum