[BUILD] Unable to sign drivers on Ubuntu 22.04 LTS desktop

[BUILD] Unable to sign drivers on Ubuntu 22.04 LTS desktop

[Mirsad Goran Todorovac]

Hi Bagas,

I seem to have run into a dead end with this.

OpenSSL 3.0.2 refuses to cooperate, despite enabling legacy ciphers:

   BTF [M] net/nsh/nsh.ko
   BTF [M] net/hsr/hsr.ko
make -f ./Makefile ARCH=x86     KERNELRELEASE=6.3.0+ intdeb-pkg
sh ./scripts/package/builddeb
   INSTALL 
debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
   SIGN 
debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
At main.c:170:
- SSL error:1E08010C:DECODER routines::unsupported: 
../crypto/encode_decode/decoder_lib.c:101
sign-file: ./
make[6]: *** [scripts/Makefile.modinst:87: 
debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko] 
Error 1
make[6]: *** Deleting file 
'debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko'
make[5]: *** [Makefile:1955: modules_install] Error 2
make[4]: *** [scripts/Makefile.package:150: intdeb-pkg] Error 2
make[3]: *** [Makefile:1657: intdeb-pkg] Error 2
make[2]: *** [debian/rules:16: binary-arch] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit 
status 2
make[1]: *** [scripts/Makefile.package:139: bindeb-pkg] Error 2
make: *** [Makefile:1657: bindeb-pkg] Error 2

I have tried to enable NEXT crypto mode:

% sudo update-crypto-policies --set NEXT

and rebooted, but no use.

Google also doesn't give a clue.
I have been able to compile kernels on Ubuntu 22.04 LTS on my laptop 
just about a year ago.

Thank you.

Mirsad

Re: [BUILD] [FOUND WORKAROUND] Unable to sign drivers on Ubuntu 22.04 LTS desktop

[Mirsad Goran Todorovac]

On 4.5.2023. 19:02, Mirsad Goran Todorovac wrote:
> Hi Bagas,
> 
> I seem to have run into a dead end with this.
> 
> OpenSSL 3.0.2 refuses to cooperate, despite enabling legacy ciphers:
> 
>    BTF [M] net/nsh/nsh.ko
>    BTF [M] net/hsr/hsr.ko
> make -f ./Makefile ARCH=x86     KERNELRELEASE=6.3.0+ intdeb-pkg
> sh ./scripts/package/builddeb
>    INSTALL debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
>    SIGN debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
> At main.c:170:
> - SSL error:1E08010C:DECODER routines::unsupported: ../crypto/encode_decode/decoder_lib.c:101
> sign-file: ./
> make[6]: *** [scripts/Makefile.modinst:87: debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko] Error 1
> make[6]: *** Deleting file 'debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko'
> make[5]: *** [Makefile:1955: modules_install] Error 2
> make[4]: *** [scripts/Makefile.package:150: intdeb-pkg] Error 2
> make[3]: *** [Makefile:1657: intdeb-pkg] Error 2
> make[2]: *** [debian/rules:16: binary-arch] Error 2
> dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
> make[1]: *** [scripts/Makefile.package:139: bindeb-pkg] Error 2
> make: *** [Makefile:1657: bindeb-pkg] Error 2
> 
> I have tried to enable NEXT crypto mode:
> 
> % sudo update-crypto-policies --set NEXT
> 
> and rebooted, but no use.
> 
> Google also doesn't give a clue.
> I have been able to compile kernels on Ubuntu 22.04 LTS on my laptop just about a year ago.

Hi all,

There was no success in building 6.3+ with the Ubuntu generic config, but it has succeeded
with the config derived from Debian one.

Still, it would be interesting to find what is preventing the Ubuntu config from signing the
kernel modules. Up to that point the build process is fine.

Best regards,
Mirsad

-- 
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union

Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu

Re: [BUILD] [FOUND WORKAROUND] Unable to sign drivers on Ubuntu 22.04 LTS desktop

[Bagas Sanjaya]

On 5/5/23 16:00, Mirsad Goran Todorovac wrote:
> Hi all,
> 
> There was no success in building 6.3+ with the Ubuntu generic config, but it has succeeded
> with the config derived from Debian one.
> 
> Still, it would be interesting to find what is preventing the Ubuntu config from signing the
> kernel modules. Up to that point the build process is fine.
> 

You will need to see Documentation/admin-guide/module-signing.rst.
Especially on "Generating signing keys", there are instructions on
generating your own signing key, because in most cases you don't
have access to signing keys from your distribution.

Anyway, when you have problems related to building kernel, always
Cc: linux-kbuild list.

Thanks.

-- 
An old man doll... just what I always wanted! - Clara

Re: [BUILD] Unable to sign drivers on Ubuntu 22.04 LTS desktop

[Bagas Sanjaya]

[-- Attachment #1: Type: text/plain, Size: 974 bytes --]

On Thu, May 04, 2023 at 07:02:57PM +0200, Mirsad Goran Todorovac wrote:
> Hi Bagas,
> 
> I seem to have run into a dead end with this.
> 
> OpenSSL 3.0.2 refuses to cooperate, despite enabling legacy ciphers:
> 
>   BTF [M] net/nsh/nsh.ko
>   BTF [M] net/hsr/hsr.ko
> make -f ./Makefile ARCH=x86     KERNELRELEASE=6.3.0+ intdeb-pkg
> sh ./scripts/package/builddeb
>   INSTALL debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
>   SIGN debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
> At main.c:170:
> - SSL error:1E08010C:DECODER routines::unsupported:
> ../crypto/encode_decode/decoder_lib.c:101

I didn't find any errors using self-compiled OpenSSL 3.1.0. I installed the
library to `/tmp/openssl` and specify
`KCFLAGS=-L/tmp/openssl/lib -I/tmp/openssl/include` when building bindeb-pkgs.
Am I missing something?

-- 
An old man doll... just what I always wanted! - Clara

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [BUILD] Unable to sign drivers on Ubuntu 22.04 LTS desktop

[Mirsad Goran Todorovac]

On 05. 05. 2023. 15:46, Bagas Sanjaya wrote:

> On Thu, May 04, 2023 at 07:02:57PM +0200, Mirsad Goran Todorovac wrote:
>> Hi Bagas,
>>
>> I seem to have run into a dead end with this.
>>
>> OpenSSL 3.0.2 refuses to cooperate, despite enabling legacy ciphers:
>>
>>    BTF [M] net/nsh/nsh.ko
>>    BTF [M] net/hsr/hsr.ko
>> make -f ./Makefile ARCH=x86     KERNELRELEASE=6.3.0+ intdeb-pkg
>> sh ./scripts/package/builddeb
>>    INSTALL debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
>>    SIGN debian/linux-image/lib/modules/6.3.0+/kernel/arch/x86/events/intel/intel-cstate.ko
>> At main.c:170:
>> - SSL error:1E08010C:DECODER routines::unsupported:
>> ../crypto/encode_decode/decoder_lib.c:101
> I didn't find any errors using self-compiled OpenSSL 3.1.0. I installed the
> library to `/tmp/openssl` and specify
> `KCFLAGS=-L/tmp/openssl/lib -I/tmp/openssl/include` when building bindeb-pkgs.
> Am I missing something?

Dear Mr. Bagas,

I have mistakenly deleted the

CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

to

CONFIG_MODULE_SIG_KEY=""

so I got these strange errors, which made me believe that OpenSSL 3.0.1 
disabled some encryptions and hashes.

I suspected it was the problem with the FIPS mode not installed in the 
stock Ubuntu 22.04 LTS library, but I have to admit before so many 
people that it was this stupid mistake which I found out by looking up 
Debian config.

IOW, false alarm.

Ubuntu config with FIPS mode OpenSSL 3.1.0 works, however, I have 
rebuilt with the default OpenSSL 3.0.1 and the error was bisected to the 
missing .PEM.

Best regards,
Mirsad