Re: Building signed debs

[Bagas Sanjaya]

On Fri, Dec 08, 2023 at 11:14:35AM +0000, Tom Cook wrote:
> I'm trying to build a signed .deb kernel package of
> https://github.com/torvalds/linux/tree/v6.6.  I've copied
> certs/default_x509.genkey to certs/x509.genkey.  The .config is the
> one from Ubuntu 23.10's default kernel with all new options accepted
> at their default and CONFIG_SYSTEM_TRUSTED_KEYS="" and
> CONFIG_SYSTEM_REVOCATION_KEYS="".
> 
> This builds the kernel and modules, signs the modules, compresses the
> modules and then attempts to sign the modules again.  That fails,
> because the .ko module files are now .ko.zst files and the file it's
> trying to sign isn't there.  Full failure is pasted below.
> 
> Unsetting CONFIG_MODULE_COMPRESS_ZSTD is a workaround (ie disable
> module compression).
> 

Seriously? Unrelated option becomes a workaround?

> Is there a way to build a .deb of a signed kernel with compressed modules?
> 
> Thanks for any help,
> Tom
> 
>   INSTALL debian/linux-libc-dev/usr/include
>   SIGN    debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/amd/amd-uncore.ko
>   SIGN    debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/intel/intel-cstate.ko
> At main.c:298:
> - SSL error:FFFFFFFF80000002:system library::No such file or
> directory: ../crypto/bio/bss_file.c:67

Above means that you don't have a valid certificate/keypair set in
CONFIG_MODULE_SIG_KEY. If you keep the option value on `certs/signing_key.pem`
(which is the default), the key should be automatically generated
(with your observation, only if `certs/x509.genkey` doesn't already exist).
After building the kernel with `make all`, you should check if the certificate
pointed in CONFIG_MODULE_SIG_KEY is present or not. If it isn't the case,
you have to generate the certificate yourself. For more information, see
Documentation/admin-guide/module.signing.rst in the kernel sources.

Thanks.

-- 
An old man doll... just what I always wanted! - Clara

Attachment: signature.asc
Description: PGP signature