[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFSh4Uz4jMhR8jV2xjcDg4i05neJMsBewtgcxmG_csETzYdq3A@mail.gmail.com>
Date: Mon, 11 Dec 2023 10:24:14 +0000
From: Tom Cook <tom.k.cook@...il.com>
To: Bagas Sanjaya <bagasdotme@...il.com>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Kernel Build System <linux-kbuild@...r.kernel.org>,
Linux Crypto API <linux-crypto@...r.kernel.org>,
Masahiro Yamada <masahiroy@...nel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Nick Terrell <terrelln@...com>
Subject: Re: Building signed debs
On Fri, Dec 8, 2023 at 12:06 PM Bagas Sanjaya <bagasdotme@...il.com> wrote:
> On Fri, Dec 08, 2023 at 11:14:35AM +0000, Tom Cook wrote:
> > Unsetting CONFIG_MODULE_COMPRESS_ZSTD is a workaround (ie disable
> > module compression).
> >
>
> Seriously? Unrelated option becomes a workaround?
"Workaround" as in "With this options set, `make deb-pkg` crashes out with the
reported error, while with this option unset it produces a deb package
of a signed
kernel and modules." This looks like a defect in the build system to me and the
workaround allows me to build a package in the meantime.
> > Is there a way to build a .deb of a signed kernel with compressed modules?
> >
> > Thanks for any help,
> > Tom
> >
> > INSTALL debian/linux-libc-dev/usr/include
> > SIGN debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/amd/amd-uncore.ko
> > SIGN debian/linux-image/lib/modules/6.6.0-local/kernel/arch/x86/events/intel/intel-cstate.ko
> > At main.c:298:
> > - SSL error:FFFFFFFF80000002:system library::No such file or
> > directory: ../crypto/bio/bss_file.c:67
>
> Above means that you don't have a valid certificate/keypair set in
> CONFIG_MODULE_SIG_KEY. If you keep the option value on `certs/signing_key.pem`
> (which is the default), the key should be automatically generated
> (with your observation, only if `certs/x509.genkey` doesn't already exist).
> After building the kernel with `make all`, you should check if the certificate
> pointed in CONFIG_MODULE_SIG_KEY is present or not. If it isn't the case,
> you have to generate the certificate yourself. For more information, see
> Documentation/admin-guide/module.signing.rst in the kernel sources.
Sorry for being unclear - I'm not building with `make all`, I'm
building with `make deb-pkg`.
If I had to guess, I'd say the .deb depends on the uncompressed modules
rather than the dependency depending on whether module compression is turned
on or not, but it's only a guess.
Regards,
Tom
Powered by blists - more mailing lists