Message-ID: <ZXMGqjm1466fQ3g2@archie.me>
Date:   Fri, 8 Dec 2023 19:06:02 +0700
From:   Bagas Sanjaya <bagasdotme@...il.com>
To:     Tom Cook <tom.k.cook@...il.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux Kernel Build System <linux-kbuild@...r.kernel.org>,
        Linux Crypto API <linux-crypto@...r.kernel.org>
Cc:     Masahiro Yamada <masahiroy@...nel.org>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        Nick Terrell <terrelln@...com>
Subject: Re: Building signed debs

On Fri, Dec 08, 2023 at 11:14:35AM +0000, Tom Cook wrote:
> I'm trying to build a signed .deb kernel package of
> https://github.com/torvalds/linux/tree/v6.6.  I've copied
> certs/default_x509.genkey to certs/x509.genkey.  The .config is the
> one from Ubuntu 23.10's default kernel with all new options accepted
> at their default and CONFIG_SYSTEM_TRUSTED_KEYS="" and
> CONFIG_SYSTEM_REVOCATION_KEYS="".
> 
> This builds the kernel and modules, signs the modules, compresses the
> modules and then attempts to sign the modules again.  That fails,
> because the .ko module files are now .ko.zst files and the file it's
> trying to sign isn't there.  Full failure is pasted below.
> 
> Unsetting CONFIG_MODULE_COMPRESS_ZSTD is a workaround (ie disable
> module compression).
> 

Seriously? An unrelated option becomes a workaround?

> Is there a way to build a .deb of a signed kernel with compressed modules?
> 
> Thanks for any help,
> Tom
> 
>   INSTALL debian/linux-libc-dev/usr/include
>   SIGN    debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/amd/amd-uncore.ko
>   SIGN    debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/intel/intel-cstate.ko
> At main.c:298:
> - SSL error:FFFFFFFF80000002:system library::No such file or
> directory: ../crypto/bio/bss_file.c:67

The above means that you don't have a valid certificate/keypair set in
CONFIG_MODULE_SIG_KEY. If you keep the option value at `certs/signing_key.pem`
(which is the default), the key should be generated automatically
(judging from your observation, only if `certs/x509.genkey` doesn't already exist).
After building the kernel with `make all`, you should check whether the certificate
pointed to by CONFIG_MODULE_SIG_KEY is present. If it isn't, you have to
generate the certificate yourself. For more information, see
Documentation/admin-guide/module-signing.rst in the kernel sources.

Thanks.

-- 
An old man doll... just what I always wanted! - Clara
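Added here as an example, not code from the thread, the kernel tree or Debian packaging: a POSIX sh script that does the two checks the reply asks for after a build. It reads CONFIG_MODULE_SIG_KEY out of `.config` and tests that the key file exists, and it walks an installed modules tree and reports every module that does not end with the kernel's appended-signature marker. Because the build signs modules before compressing them (the order the original report describes), a compressed `.ko.zst`/`.ko.gz`/`.ko.xz` has to be decompressed before the marker can be seen; grepping the compressed bytes would report every module as unsigned. The marker string is the kernel's own MODULE_SIG_STRING from include/linux/module_signature.h; the function names, the fake "signature" bytes and the demo tree are constructed for this example and are not real modules or signatures.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel tree): audit a built modules
# tree for the appended module signature and check that the key named in
# CONFIG_MODULE_SIG_KEY exists. Only MODULE_SIG_STRING is the kernel's own value
# (include/linux/module_signature.h); every function name here is ours.

MODULE_SIG_STRING='~Module signature appended~'

# Stream a module's raw bytes, decompressing by suffix (CONFIG_MODULE_COMPRESS_*).
module_cat() {
    case "$1" in
        *.ko)     cat "$1" ;;
        *.ko.gz)  gzip -dc "$1" ;;
        *.ko.xz)  xz -dc "$1" ;;
        *.ko.zst) zstd -dcq "$1" ;;
        *) printf 'unknown module suffix: %s\n' "$1" >&2; return 2 ;;
    esac
}

# scripts/sign-file appends the PKCS#7 blob, a struct module_signature and then
# MODULE_SIG_STRING, so a signed module ends with that marker. Compression runs
# after signing, so the check must look at the decompressed image. Non-printable
# signature bytes are stripped before grep so it sees plain text.
module_is_signed() {
    module_cat "$1" | tail -c 64 | tr -cd '[:print:]' | grep -qF "$MODULE_SIG_STRING"
}

# Print every module under DIR (e.g. debian/linux-image/lib/modules/<ver>) that
# lacks the marker, one path per line.
list_unsigned() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.*' \) | sort |
    while IFS= read -r mod; do
        module_is_signed "$mod" || printf '%s\n' "$mod"
    done
}

count_unsigned() { list_unsigned "$1" | wc -l | tr -d ' '; }

# Value of CONFIG_MODULE_SIG_KEY in the given .config (empty if unset).
sig_key_path() {
    sed -n 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "$1"
}

# Does the configured signing key exist? Relative values (the default
# certs/signing_key.pem) are resolved against the tree passed as $1; an absolute
# path is used as-is; a pkcs11: URI has no file to check and is treated as present.
sig_key_present() {
    sk_key=$(sig_key_path "$1/.config")
    [ -n "$sk_key" ] || return 1
    case "$sk_key" in
        pkcs11:*) return 0 ;;
        /*)       [ -f "$sk_key" ] ;;
        *)        [ -f "$1/$sk_key" ] ;;
    esac
}

# Constructed demo tree (not real modules, not a real signature): one "signed"
# .ko, the same file gzip-compressed, one unsigned .ko and a minimal .config.
# Prints the directory it created.
demo_tree() {
    dt_dir=$(mktemp -d)
    mkdir -p "$dt_dir/kernel/drivers"
    printf '\177ELF fake module body\n' > "$dt_dir/kernel/drivers/signed.ko"
    # Stand-in for the PKCS#7 blob and struct module_signature, then the marker.
    printf 'not-a-real-pkcs7-blob\001\002\003' >> "$dt_dir/kernel/drivers/signed.ko"
    printf '%s\n' "$MODULE_SIG_STRING" >> "$dt_dir/kernel/drivers/signed.ko"
    gzip -c "$dt_dir/kernel/drivers/signed.ko" > "$dt_dir/kernel/drivers/signed.ko.gz"
    printf '\177ELF fake module body\n' > "$dt_dir/kernel/drivers/unsigned.ko"
    printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_KEY="certs/signing_key.pem"\n' \
        > "$dt_dir/.config"
    printf '%s\n' "$dt_dir"
}

# Usage against a real build, from the kernel source/build directory:
#   . ./modsig-audit.sh
#   sig_key_present . || echo "signing key missing"
#   list_unsigned debian/linux-image/lib/modules/6.6.0-local
```

Run `list_unsigned` on the `debian/linux-image/lib/modules/<version>` tree the deb build produces; an empty result means every module, compressed or not, carries the signature trailer. `zstd`, `xz` or `gzip` must be on PATH for the matching suffixes.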
