Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

sys-kernel/gentoo-kernel with signing fails to build
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 104
PostPosted: Wed Nov 06, 2024 6:24 pm    Post subject: sys-kernel/gentoo-kernel with signing fails to build Reply with quote
I am trying to build signed sys-kernel/gentoo-kernel with secureboot and modules-sign flags and it fails.

The last 300 lines of the build log; https://bpa.st/TFVPW

Probably the key part
Code:
# SIGN    /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
  scripts/sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko
At main.c:171:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password read: ../openssl-3.3.2/crypto/pem/pem_pkey.c:159
sign-file: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem
make[3]: *** [/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/work/linux-6.6/scripts/Makefile.modinst:121: /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/image/lib/modules/6.6.58-gentoo-dist/kernel/arch/x86/events/amd/power.ko] Error 1


/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem cointains my cert + encrypted key.

make.conf contains
Code:
SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt"
MODULES_SIGN_KEY="mypath/file.key"
MODULES_SIGN_CERT="mypath/file.crt"


As you can see, openssl tries to sign the kernel module and has some problem reading the password. Why? My key and cert files are ok, I have already signed UKI, grub, etc. with them. There have been no problems so far.

The command that generated my key
Code:
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my name" -keyout file.key -out file.crt -days 9999 -sha256


At the beginning of building the package before the kernel was build, I was asked to enter the password twice. There was no error, because in case of an error the installation stops. So something must be wrong with my configuration, but what?

Last edited by nxe9 on Wed Nov 06, 2024 8:42 pm; edited 1 time in total
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5080
Location: Bavaria
PostPosted: Wed Nov 06, 2024 7:50 pm    Post subject: Reply with quote
Look to this post: https://forums.gentoo.org/viewtopic-p-8822788.html#8822788 ;-)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
nxe9
Tux's lil' helper
Tux's lil' helper


Joined: 05 Jun 2021
Posts: 104
PostPosted: Wed Nov 06, 2024 8:48 pm    Post subject: Reply with quote
@pietinger: Thanks but I still don't fully understand what's wrong.

The command generating the error is, in short
Code:
sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem" certs/signing_key.x509 <kernel-module>.ko


The pem file
Code:
/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem

contains
Code:
----BEGIN CERTIFICATE----
...
----END CERTIFICATE---
----BEGIN ENCRYPTED PRIVATE KEY-----
...
----END ENCRYPTED PRIVATE KEY-----

and this file is a union of my files .key and .crt that I defined in make.conf.

The kernel config contains out of the box:
Code:
-*- Cryptographic API  --->
    Certificates for signature checking  --->
        (sign-file sha512 "/var/tmp/portage/sys-kernel/gentoo-kernel-6.6.58-r1/temp/kernel_key.pem) File name or PKCS#11 URI of module signing key


So it seems ok, but what about "certs/signing_key.x509"? Shouldn't my certificate be used here? If so, how to configure it?

EDIT:
Code:
oepnssl x509 -noout -text -in /usr/src/linux/certs/signing_key.x509

shows me "Issuer: CN=Build time autogenerated kernel key" but is /usr/src/linux/ the right path? If yes, signing_key.x509 is probably wrong in this case, right?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy