On Fri, Dec 08, 2023 at 11:14:35AM +0000, Tom Cook wrote:
> I'm trying to build a signed .deb kernel package of
> https://github.com/torvalds/linux/tree/v6.6. I've copied
> certs/default_x509.genkey to certs/x509.genkey. The .config is the
> one from Ubuntu 23.10's default kernel with all new options accepted
> at their default and CONFIG_SYSTEM_TRUSTED_KEYS="" and
> CONFIG_SYSTEM_REVOCATION_KEYS="".
>
> This builds the kernel and modules, signs the modules, compresses the
> modules and then attempts to sign the modules again. That fails,
> because the .ko module files are now .ko.zst files and the file it's
> trying to sign isn't there. Full failure is pasted below.
>
> Unsetting CONFIG_MODULE_COMPRESS_ZSTD is a workaround (ie disable
> module compression).
>

Seriously? Unrelated option becomes a workaround?

> Is there a way to build a .deb of a signed kernel with compressed modules?
>
> Thanks for any help,
> Tom
>
> INSTALL debian/linux-libc-dev/usr/include
> SIGN debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/amd/amd-uncore.ko
> SIGN debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/intel/intel-cstate.ko
> At main.c:298:
> - SSL error:FFFFFFFF80000002:system library::No such file or
> directory: ../crypto/bio/bss_file.c:67

The above means that you don't have a valid certificate/keypair set in
CONFIG_MODULE_SIG_KEY. If you keep the option value on
`certs/signing_key.pem` (which is the default), the key should be
automatically generated (with your observation, only if
`certs/x509.genkey` doesn't already exist).

After building the kernel with `make all`, you should check if the
certificate pointed to by CONFIG_MODULE_SIG_KEY is present or not. If it
isn't the case, you have to generate the certificate yourself. For more
information, see Documentation/admin-guide/module.signing.rst in the
kernel sources.

Thanks.

-- 
An old man doll... just what I always wanted! - Clara
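The check suggested in the reply above, written out as an added example that is not part of the original thread or of the kernel tree. The function names are hypothetical. It assumes a relative CONFIG_MODULE_SIG_KEY value is resolved against the tree directory you pass in, and that the key file is a PEM file holding both the private key and its X.509 certificate, as the kernel's module signing documentation describes.

```shell
#!/bin/sh
# Added example: report whether the module signing key named in a kernel
# .config is actually usable, before the SIGN step fails at install time.

# Print the value of CONFIG_MODULE_SIG_KEY from a .config file, quotes stripped.
sig_key_value() {
    sed -n 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# check_sig_key <tree>
# Prints one status word; returns 0 only when the key looks usable.
check_sig_key() {
    tree=$1
    cfg="$tree/.config"
    [ -f "$cfg" ] || { echo "no-config"; return 2; }

    key=$(sig_key_value "$cfg")
    [ -n "$key" ] || { echo "unset"; return 2; }

    case $key in
        pkcs11:*) echo "pkcs11"; return 0 ;;  # token-backed key, no file to inspect
        /*)       path=$key ;;                # absolute path used as given
        *)        path="$tree/$key" ;;        # assumption: relative to the tree
    esac

    # This is the case behind the "No such file or directory" SSL error.
    [ -f "$path" ] || { echo "missing"; return 1; }

    # The PEM file must carry both halves: private key and certificate.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$path" \
        || { echo "no-private-key"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$path" \
        || { echo "no-certificate"; return 1; }

    echo "ok"
}

# Stand-alone use: sh check_sig_key.sh /path/to/linux
if [ "$#" -gt 0 ]; then
    check_sig_key "$1"
fi
```

A result of `missing` after `make all` is the situation the reply describes, where the key has to be generated by hand.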