System and Network configuration • Re: Help with compiling a signed vanilla kernel

Hello,
Ok, so, here's what happens when I run that command:

Code:

root@hactar:/home/iacopo/Downloads/linux-6.10.4# scripts/sign-file "sha256"  "certs/mok.pem" certs/signing_key.x509  debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko
At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
sign-file: debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko
The error is quite different from before, but I'm not quite sure what to make of it, given the difference. For reference, inside crypto there is no bio folder at all.
The error above is generated because file debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko is not there.
The config file (which, again, is mostly Debian's) is here: https://forums.debian.net/app.php/paste ... view&s=115
Ok.
[..]
if I try to run the command with mok.key and mok.pem as key and certificate, the result is the same:

Code:

# scripts/sign-file "sha256"  "certs/mok.key" certs/mok.pem  debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko
At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
sign-file: debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko
I suspect that the PEM signing key is not in the format expected by the building process of the kernel.

I tried to replicate your issue and I solved it using the following instructions:
  • Download vanilla upstream source code for Linux kernel 6.10.4:

    Code:

    $ wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.10.4.tar.xz
    $ tar xf linux-6.10.4.tar.xz
    $ cd linux-6.10.4
  • Copy your kernel's .config file from the previous post into the root directory of the kernel source (linux-6.10.4):
    • note: the key used to sign the kernel binary and the kernel modules is expected to be named certs/mok.pem in the certs/ directory, according to the kernel config parameter CONFIG_MODULE_SIG_KEY="certs/mok.pem" in your .config file

    Code:

    $ grep MODULE_SIG .config
    CONFIG_MODULE_SIG_FORMAT=y
    CONFIG_MODULE_SIG=y
    # CONFIG_MODULE_SIG_FORCE is not set
    CONFIG_MODULE_SIG_ALL=y
    # CONFIG_MODULE_SIG_SHA1 is not set
    CONFIG_MODULE_SIG_SHA256=y
    # CONFIG_MODULE_SIG_SHA384 is not set
    # CONFIG_MODULE_SIG_SHA512 is not set
    # CONFIG_MODULE_SIG_SHA3_256 is not set
    # CONFIG_MODULE_SIG_SHA3_384 is not set
    # CONFIG_MODULE_SIG_SHA3_512 is not set
    CONFIG_MODULE_SIG_HASH="sha256"
    CONFIG_MODULE_SIG_KEY="certs/mok.pem"
    CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
  • Create the key in PEM format (in the ./certs/ directory) to sign the kernel binaries and modules:

    Code:

    $ cd certs
    $ openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 -config default_x509.genkey -outform PEM -out kernel_key.pem -keyout kernel_key.pem
    $ cp kernel_key.pem mok.pem
    $ cd ..
  • Create the machine owner key (MOK) for UEFI secure boot converting the kernel signing key from PEM to DER format:

    Code:

    $ export KERNEL_CERTS_DIR="$PWD/certs"
    $ su -l --whitelist-environment=KERNEL_CERTS_DIR
    # MOK_KEY_DIR=/var/lib/shim-signed/mok
    # mkdir -p $MOK_KEY_DIR
    # cd $MOK_KEY_DIR
    # $KERNEL_CERTS_DIR/extract-cert  $KERNEL_CERTS_DIR/mok.pem  $MOK_KEY_DIR/mok.der
    # ls -la
    total 12
    drwxr-xr-x 2 root root 4096 Aug 17 11:31 .
    drwxr-xr-x 3 root root 4096 Aug 14 15:29 ..
    -rw-r--r-- 1 root root 1324 Aug 17 11:31 mok.der
    # exit
  • Build the kernel (note: the bindeb-pkg rule is in ./scripts/Makefile.package at line 119/120):
    • notes:
      • the ccache program speeds up repetitive builds (see the ccache package)
      • the --no-pre-clean option avoids deleting built binaries from previous kernel builds

    Code:

    $ script build.log
    $ time DPKG="--no-pre-clean" make CC="ccache gcc" bindeb-pkg LOCALVERSION=-iacchi
    $ exit
  • Load the machine owner key (MOK) into the UEFI firmware (note: add MOK keys to the UEFI NVRAM wisely, to prevent its "pollution"):

    Code:

    $ export MOK_KEY_DIR=/var/lib/shim-signed/mok
    $ su -l --whitelist-environment=MOK_KEY_DIR
    # mokutil --import $MOK_KEY_DIR/mok.der
    # exit
  • Sign the kernel image in the built Debian package (note: the modules are signed, but the kernel bzImage is not) and rebuild the kernel deb package:

    Code:

    $ cd ..
    $ dpkg-deb -R linux-image-6.10.4-iacchi_6.10.4-3_amd64.deb extracted-files/
    $ sbsign  --key linux-6.10.4/certs/mok.pem   --cert linux-6.10.4/certs/mok.pem   ./extracted-files/boot/vmlinuz-6.10.4-iacchi   --output ./extracted-files/boot/vmlinuz-6.10.4-iacchi-signed
    $ ls extracted-files/boot/ -la
    total 25468
    drwxr-xr-x 2 aki aki    4096 Aug 17 19:11 .
    drwxr-xr-x 7 aki aki    4096 Aug 17 19:10 ..
    -rw-r--r-- 1 aki aki 6465637 Aug 17 11:32 System.map-6.10.4-iacchi
    -rw-r--r-- 1 aki aki  276454 Aug 17 11:32 config-6.10.4-iacchi
    -rw-r--r-- 1 aki aki 9658880 Aug 17 11:32 vmlinuz-6.10.4-iacchi
    -rw-r--r-- 1 aki aki 9661248 Aug 17 19:11 vmlinuz-6.10.4-iacchi-signed
    $ sbverify --cert linux-6.10.4/certs/mok.pem extracted-files/boot/vmlinuz-6.10.4-iacchi-signed
    Signature verification OK
    $ mv extracted-files/boot/vmlinuz-6.10.4-iacchi-signed   extracted-files/boot/vmlinuz-6.10.4-iacchi
    $ ls extracted-files/boot/ -la
    total 16032
    drwxr-xr-x 2 aki aki    4096 Aug 17 20:31 .
    drwxr-xr-x 7 aki aki    4096 Aug 17 20:18 ..
    -rw-r--r-- 1 aki aki 6465637 Aug 17 11:32 System.map-6.10.4-iacchi
    -rw-r--r-- 1 aki aki  276454 Aug 17 11:32 config-6.10.4-iacchi
    -rw-r--r-- 1 aki aki 9661248 Aug 17 20:18 vmlinuz-6.10.4-iacchi
    $ dpkg-deb -b extracted-files/ linux-image-6.10.4-iacchi_6.10.4-3_amd64-signed.deb
  • Install the deb package containing the signed kernel
Hope this helps.

--
[1] The Linux Kernel - Kernel module signing facility
[2] Debian Wiki - Secure Boot - Machine Owner Key
[3] https://www.kernel.org/doc/Documentatio ... igning.rst
[4] https://nickdesaulniers.github.io/blog/ ... th-ccache/
[5] https://paldan.altervista.org/signed-li ... 6894531250

Statistics: Posted by Aki — 2024-08-17 21:26
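The misleading "No such file" SSL error in the thread comes from OpenSSL's BIO layer inside sign-file failing to open one of the paths given on the command line, here the power.ko that had not been built. Once a module is actually present, what sign-file appends to it is the layout described in Documentation/admin-guide/module-signing.rst: the detached PKCS#7 blob, a 12-byte struct module_signature, and the marker string "~Module signature appended~\n". The Python below is an added example, not code from the forum post or from the kernel tree: it lays out that trailer and inspects it with the same checks the kernel's mod_check_sig() applies, so you can tell an unsigned .ko from a signed one without loading it. The sample module bytes and the DER-looking blob are constructed stand-ins, and the leading-0x30 check on the blob is this script's own sanity check, not a kernel rule.

```python
"""Inspect the trailer that scripts/sign-file appends to a kernel module.

Added example, not part of the forum post or the kernel tree.  Layout of a
signed module (Documentation/admin-guide/module-signing.rst):

    [ELF module][PKCS#7 DER blob][struct module_signature (12 bytes)][marker]

struct module_signature: algo, hash, id_type, signer_len, key_id_len,
3 pad bytes, then sig_len as a big-endian u32.  For the PKCS#7 id_type that
sign-file emits, algo/hash/signer_len/key_id_len are all zero and the signer
identity lives inside the DER blob.
"""
import struct
import sys

MODULE_SIG_STRING = b"~Module signature appended~\n"   # 28-byte marker, last bytes of a signed .ko
PKEY_ID_PKCS7 = 2                                      # id_type written by sign-file
SIG_STRUCT = struct.Struct(">BBBBB3xI")                # algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len


def append_pkcs7_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Build a signed image in sign-file's layout: blob, module_signature struct, marker."""
    info = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + info + MODULE_SIG_STRING


def check_module(data: bytes) -> dict:
    """Classify a .ko image, applying the checks the kernel's mod_check_sig() applies.

    Returns 'signed' (marker present), 'valid' (trailer well formed), 'sig_len',
    'payload_len' and an 'error' string naming the first failed check.
    """
    result = {"signed": False, "valid": False, "sig_len": 0, "payload_len": len(data), "error": ""}
    if not data.endswith(MODULE_SIG_STRING):
        result["error"] = "no module signature marker (module is unsigned)"
        return result
    result["signed"] = True
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) <= SIG_STRUCT.size:                    # kernel: modlen <= sizeof(*ms) -> -EBADMSG
        result["error"] = "file too short to hold a module_signature struct"
        return result
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    body = body[:-SIG_STRUCT.size]
    result["sig_len"] = sig_len
    if id_type != PKEY_ID_PKCS7:                        # kernel: -ENOPKG
        result["error"] = f"unsupported id_type {id_type}"
        return result
    if algo or hsh or signer_len or key_id_len:         # kernel: -EBADMSG
        result["error"] = "PKCS#7 trailer must have zero algo/hash/signer_len/key_id_len"
        return result
    if sig_len == 0 or sig_len >= len(body):            # kernel: sig_len >= modlen - sizeof(*ms) -> -EBADMSG
        result["error"] = "sig_len inconsistent with file size"
        return result
    pkcs7 = body[-sig_len:]
    if pkcs7[:1] != b"\x30":                            # this script's own sanity check: DER SEQUENCE tag
        result["error"] = "signature blob does not start with a DER SEQUENCE"
        return result
    result["valid"] = True
    result["payload_len"] = len(body) - sig_len
    return result


def split_signed_module(data: bytes):
    """Return (payload, pkcs7_der) for a well-formed signed module, else raise ValueError."""
    info = check_module(data)
    if not info["valid"]:
        raise ValueError(info["error"])
    payload = data[:info["payload_len"]]
    pkcs7 = data[info["payload_len"]:info["payload_len"] + info["sig_len"]]
    return payload, pkcs7


# Constructed stand-ins (not a real module or signature): a fake ELF header
# padded to 64 bytes, and a 260-byte blob that merely looks like DER.
SAMPLE_MODULE = b"\x7fELF" + bytes(60)
SAMPLE_PKCS7 = b"\x30\x82\x01\x00" + b"A" * 256


def main(argv):
    if len(argv) > 1:                                   # real use: python3 check_ko_sig.py power.ko
        with open(argv[1], "rb") as f:
            data = f.read()
    else:                                               # demo on the constructed sample
        data = append_pkcs7_signature(SAMPLE_MODULE, SAMPLE_PKCS7)
    info = check_module(data)
    for key, value in info.items():
        print(f"{key}: {value}")
    return 0 if info["valid"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real module after sign-file has succeeded; `modinfo -F sig_key power.ko` is the kernel-side equivalent, and an empty answer there, like `signed: False` here, means the module will be refused by a kernel that enforces module signatures (CONFIG_MODULE_SIG_FORCE, or lockdown under Secure Boot). The two pieces returned by split_signed_module can be checked against the signing certificate with OpenSSL; because sign-file leaves the signer certificate out of the blob, it has to be supplied to the verifier, e.g. `openssl cms -verify -binary -inform DER -in sig.der -content payload.ko -certfile certs/mok.pem -CAfile certs/mok.pem`.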