Re: Building signed debs
From: Bagas Sanjaya
Date: Fri Dec 08 2023 - 07:06:16 EST
On Fri, Dec 08, 2023 at 11:14:35AM +0000, Tom Cook wrote:
> I'm trying to build a signed .deb kernel package of
> https://github.com/torvalds/linux/tree/v6.6. I've copied
> certs/default_x509.genkey to certs/x509.genkey. The .config is the
> one from Ubuntu 23.10's default kernel with all new options accepted
> at their default and CONFIG_SYSTEM_TRUSTED_KEYS="" and
> CONFIG_SYSTEM_REVOCATION_KEYS="".
>
> This builds the kernel and modules, signs the modules, compresses the
> modules and then attempts to sign the modules again. That fails,
> because the .ko module files are now .ko.zst files and the file it's
> trying to sign isn't there. Full failure is pasted below.
>
> Unsetting CONFIG_MODULE_COMPRESS_ZSTD is a workaround (ie disable
> module compression).
>
Seriously? Unrelated option becomes a workaround?
> Is there a way to build a .deb of a signed kernel with compressed modules?
>
> Thanks for any help,
> Tom
>
> INSTALL debian/linux-libc-dev/usr/include
> SIGN debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/amd/amd-uncore.ko
> SIGN debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/intel/intel-cstate.ko
> At main.c:298:
> - SSL error:FFFFFFFF80000002:system library::No such file or
> directory: ../crypto/bio/bss_file.c:67
Above means that you don't have a valid certificate/keypair set in
CONFIG_MODULE_SIG_KEY. If you keep the option value on `certs/signing_key.pem`
(which is the default), the key should be automatically generated
(with your observation, only if `certs/x509.genkey` doesn't already exist).
After building the kernel with `make all`, you should check if the certificate
pointed in CONFIG_MODULE_SIG_KEY is present or not. If it isn't the case,
you have to generate the certificate yourself. For more information, see
Documentation/admin-guide/module.signing.rst in the kernel sources.
Thanks.
--
An old man doll... just what I always wanted! - Clara
Attachment:
signature.asc
Description: PGP signature