* Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set
@ 2021-10-13  9:34 Karolina Drobnik
  2021-10-13  9:37 ` [Outreachy kernel] " Julia Lawall
  2021-10-13 10:53 ` Mike Rapoport
  0 siblings, 2 replies; 6+ messages in thread
From: Karolina Drobnik @ 2021-10-13  9:34 UTC (permalink / raw)
  To: outreachy-kernel


Hi everyone,

I tried to compile a kernel using my system config file (Debian 11, 
5.10.0-9-amd64). Unfortunately, when I run `sudo make modules_install 
install`, I got this:

```
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: 
../crypto/bio/bss_file.c:69
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: 
../crypto/bio/bss_file.c:76
sign-file: : No such file or directory
```

After a bit of research, I found out that the solution is to comment out
the `CONFIG_SYSTEM_TRUSTED_KEYS` flag. Mine was set to
"debian/certs/debian-uefi-certs.pem", a file that's clearly absent from the
kernel tree.

I’m not quite sure if this is the right way of going about it. Is it fine 
to leave this one out when I'm working on a kernel or not?

Bonus question: What happens if TRUSTED_KEYS is commented out? Will the 
*.pem file be generated automatically or does it turn the module signing 
off?


Many thanks,
Karolina


* Re: [Outreachy kernel] Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set
  2021-10-13  9:34 Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set Karolina Drobnik
@ 2021-10-13  9:37 ` Julia Lawall
  2021-10-13 19:57   ` Matthew Wilcox
  2021-10-13 10:53 ` Mike Rapoport
  1 sibling, 1 reply; 6+ messages in thread
From: Julia Lawall @ 2021-10-13  9:37 UTC (permalink / raw)
  To: Karolina Drobnik; +Cc: outreachy-kernel

On Wed, 13 Oct 2021, Karolina Drobnik wrote:

> Hi everyone,
>
> I tried to compile a kernel using my system config file (Debian 11,
> 5.10.0-9-amd64). Unfortunately, when I run `sudo make modules_install
> install`, I got this:
>
> ```
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory:
> ../crypto/bio/bss_file.c:69
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> ../crypto/bio/bss_file.c:76
> sign-file: : No such file or directory
> ```
>
> After a bit of a research, I found out that the solution is to comment out
> the `CONFIG_SYSTEM_TRUSTED_KEYS` flag. Mine was set to
> "debian/certs/debian-uefi-certs.pem", a file that’s clearly absent from the
> kernel tree.
>
> I’m not quite sure if this is the right way of going about it. Is it fine to
> leave this one out when I'm working on a kernel or not?
>
> Bonus question: What happens if TRUSTED_KEYS is commented out? Will the
> *.pem file be generated automatically or does it turn the module signing
> off?

I often receive complaints about this file, and I have just replaced
"debian/certs/debian-uefi-certs.pem" by "", rather than removing the
configuration option.  No other changes to the configuration inherited
from my debian installation.

julia

>
>
> Many thanks,
> Karolina
>


* Re: [Outreachy kernel] Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set
  2021-10-13  9:34 Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set Karolina Drobnik
  2021-10-13  9:37 ` [Outreachy kernel] " Julia Lawall
@ 2021-10-13 10:53 ` Mike Rapoport
  2021-10-13 11:53   ` Karolina Drobnik
  1 sibling, 1 reply; 6+ messages in thread
From: Mike Rapoport @ 2021-10-13 10:53 UTC (permalink / raw)
  To: Karolina Drobnik; +Cc: outreachy-kernel

Hi,

On Wed, Oct 13, 2021 at 02:34:42AM -0700, Karolina Drobnik wrote:
> Hi everyone,
> 
> I tried to compile a kernel using my system config file (Debian 11,
> 5.10.0-9-amd64). Unfortunately, when I run `sudo make modules_install install`,
> I got this:
> 
> ```
> At main.c:160:
> - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/
> bio/bss_file.c:69
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/
> bss_file.c:76
> sign-file: : No such file or directory
> ```
> 
> After a bit of a research, I found out that the solution is to comment out the
> `CONFIG_SYSTEM_TRUSTED_KEYS` flag. Mine was set to "debian/certs/
> debian-uefi-certs.pem", a file that’s clearly absent from the kernel tree.
> 
> I’m not quite sure if this is the right way of going about it. Is it fine to
> leave this one out when I'm working on a kernel or not?

It should be fine unless you work on key management and some other security
features that require this option.
 
> Bonus question: What happens if TRUSTED_KEYS is commented out? Will the *.pem
> file be generated automatically or does it turn the module signing off?

My understanding is that for module signing the key will be autogenerated
regardless of the value of SYSTEM_TRUSTED_KEYS and the modules will be
signed with the autogenerated key.

> Many thanks,
> Karolina

-- 
Sincerely yours,
Mike.



* Re: [Outreachy kernel] Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set
  2021-10-13 10:53 ` Mike Rapoport
@ 2021-10-13 11:53   ` Karolina Drobnik
  0 siblings, 0 replies; 6+ messages in thread
From: Karolina Drobnik @ 2021-10-13 11:53 UTC (permalink / raw)
  To: outreachy-kernel


Hi,

Thank you both for your swift responses.

> I have just replaced "debian/certs/debian-uefi-certs.pem" by "", rather
> than removing the configuration option.

Ok, will do the same, thanks.

> It should be fine unless you work on key management and some other
> security features that require this option.

Thanks for confirming this, will keep that one in mind.

> My understanding is that for module signing the key will be
> autogenerated regardless of the value of SYSTEM_TRUSTED_KEYS

That's what I was thinking as well, not sure why it complained when this
flag was set to something else.
I'm glad I don't need to worry about it and can leave it empty for now.


Karolina


* Re: [Outreachy kernel] Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set
  2021-10-13  9:37 ` [Outreachy kernel] " Julia Lawall
@ 2021-10-13 19:57   ` Matthew Wilcox
  2021-10-15 15:06     ` Karolina Drobnik
  0 siblings, 1 reply; 6+ messages in thread
From: Matthew Wilcox @ 2021-10-13 19:57 UTC (permalink / raw)
  To: Julia Lawall; +Cc: Karolina Drobnik, outreachy-kernel

On Wed, Oct 13, 2021 at 11:37:51AM +0200, Julia Lawall wrote:
> > After a bit of a research, I found out that the solution is to comment out
> > the `CONFIG_SYSTEM_TRUSTED_KEYS` flag. Mine was set to
> > "debian/certs/debian-uefi-certs.pem", a file that’s clearly absent from the
> > kernel tree.
> >
> > I’m not quite sure if this is the right way of going about it. Is it fine to
> > leave this one out when I'm working on a kernel or not?
> >
> > Bonus question: What happens if TRUSTED_KEYS is commented out? Will the
> > *.pem file be generated automatically or does it turn the module signing
> > off?
> 
> I often receive complaints about this file, and I have just replaced
> "debian/certs/debian-uefi-certs.pem" by "", rather than removing the
> configuration option.  No other changes to the configuration inherited
> from my debian installation.

I think if you have a Machine Owner Key set up, this will cause
problems.  My config has:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="../MOK.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
# CONFIG_SYSTEM_REVOCATION_LIST is not set
# end of Certificates for signature checking

and then I also have a small patch to sign the kernel automatically
with my MOK (rather than manually going through the instructions on
the Debian wiki every time):

commit ca7cc4e6f41d
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date:   Fri Apr 30 08:54:45 2021 -0400

    builddeb: Support signing kernels with a Machine Owner Key
    
    If the config file specifies a signing key, use it to sign
    the kernel so that machines with SecureBoot enabled can boot.
    See https://wiki.debian.org/SecureBoot
    
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>

diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 91a502bb97e8..4fa6ff2b5cac 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -147,7 +147,15 @@ else
 	cp System.map "$tmpdir/boot/System.map-$version"
 	cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
 fi
-cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
+
+vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
+if is_enabled CONFIG_MODULE_SIG; then
+	cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
+	key=${cert%pem}priv
+	sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
+else
+	cp "$vmlinux" "$tmpdir/$installed_image_path"
+fi
 
 if is_enabled CONFIG_OF_EARLY_FLATTREE; then
 	# Only some architectures with OF support have this target
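Review bot: the `key=${cert%pem}priv` derivation only holds for a layout like the `../MOK.pem` in the config above, yet the branch is entered whenever CONFIG_MODULE_SIG is on. With the default `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` (the autogenerated key, which keeps key and certificate in one PEM) or a `pkcs11:` URI, `$key` names a file that does not exist and `sbsign` fails, so under builddeb's `set -e` the package build aborts instead of falling back to the unsigned copy. Suggest gating on the private key actually being present, e.g. `if is_enabled CONFIG_MODULE_SIG && [ -f "$key" ]; then` (computing `cert`/`key` first), quoting `"$key"` and `"$cert"`, and failing with a clear message if `sbsign` is not installed, since it is not otherwise a build dependency.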




* Re: [Outreachy kernel] Can’t install kernel when CONFIG_SYSTEM_TRUSTED_KEYS is set
  2021-10-13 19:57   ` Matthew Wilcox
@ 2021-10-15 15:06     ` Karolina Drobnik
  0 siblings, 0 replies; 6+ messages in thread
From: Karolina Drobnik @ 2021-10-15 15:06 UTC (permalink / raw)
  To: Matthew Wilcox; +Cc: outreachy-kernel, Julia Lawall

On Wed, 2021-10-13 at 20:57 +0100, Matthew Wilcox wrote:
> On Wed, Oct 13, 2021 at 11:37:51AM +0200, Julia Lawall wrote:
> > I often receive complaints about this file, and I have just
> > replaced "debian/certs/debian-uefi-certs.pem" by "", rather than
> > removing the configuration option.  No other changes to the
> > configuration inherited from my debian installation.
> 
> I think if you have a Machine Owner Key set up, this will cause
> problems.

Hmm, I don't have SecureBoot enabled and no MOKs set up. Still, I'll
save your config/patch for future reference; it's very useful.
Thanks for sharing it.


Karolina
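A pre-build check for the two key-related options the thread turns on, as an added example that is not code from the thread or from the kernel tree: it rejects a `CONFIG_SYSTEM_TRUSTED_KEYS` that names a missing file (the Debian-inherited value), accepts `""` (Julia's fix), and accepts the autogenerated default for `CONFIG_MODULE_SIG_KEY` while requiring any other key such as a MOK to exist. It assumes relative key paths resolve against the source tree passed as the second argument.

```shell
#!/bin/sh
# Added example, not code from the thread: check a kernel .config for the
# key-file problem discussed above before running modules_install.
# Assumed: relative key paths resolve against the source tree ($2).

# Print the quoted value of a CONFIG_ option, nothing if it is unset/commented.
kcfg_value() {
    sed -n "s/^$2=\"\(.*\)\"$/\1/p" "$1"
}

# Resolve a config path: absolute as-is, relative against the source tree.
resolve() {
    case $2 in /*) echo "$2" ;; *) echo "$1/$2" ;; esac
}

# Return 0 when the key options will not make sign-file fail; print why otherwise.
check_signing_config() {
    cfg=$1; srctree=$2
    trusted=$(kcfg_value "$cfg" CONFIG_SYSTEM_TRUSTED_KEYS)
    sigkey=$(kcfg_value "$cfg" CONFIG_MODULE_SIG_KEY)

    # A non-empty CONFIG_SYSTEM_TRUSTED_KEYS must name an existing PEM file;
    # "" (Julia's fix) is valid.
    if [ -n "$trusted" ] && [ ! -f "$(resolve "$srctree" "$trusted")" ]; then
        echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$trusted\": file not found"
        return 1
    fi
    # The default certs/signing_key.pem is generated at build time and a
    # pkcs11: URI is not a file; any other key (e.g. ../MOK.pem) must exist.
    case $sigkey in
        ""|certs/signing_key.pem|pkcs11:*) ;;
        *) if [ ! -f "$(resolve "$srctree" "$sigkey")" ]; then
               echo "CONFIG_MODULE_SIG_KEY=\"$sigkey\": file not found"
               return 1
           fi ;;
    esac
    return 0
}

# Constructed sample configs: Debian's inherited value versus the "" fix.
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"\n' > "$d/bad.config"
    printf 'CONFIG_SYSTEM_TRUSTED_KEYS=""\nCONFIG_MODULE_SIG_KEY="certs/signing_key.pem"\n' > "$d/good.config"
    check_signing_config "$d/bad.config" "$d" || echo "bad.config rejected (expected)"
    check_signing_config "$d/good.config" "$d" && echo "good.config accepted (expected)"
    rm -rf "$d"
}
demo
```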