Hello everyone,
I am trying to debug an issue in a kernel driver (see this bug); I'm in contact with the kernel driver maintainer and as part of the debugging I need to figure out if this issue only occurs on a Debian kernel (and Arch! but the driver maintainer says he has no issues in Fedora) or also in vanilla, and that's why I'm trying to compile one. I run with secure boot enabled, so I need to sign modules and kernel. This is what I've done so far:
In my system I have already enrolled in MOK the dkms signing key found in /var/lib/dkms, which dkms uses every day to sign e.g. the virtualbox module, so I'd like to use this one to sign my custom kernel and modules.
Initially I thought I could skip compiling my own kernel, so I downloaded the deb for a vanilla kernel compiled by toeirei at this address. The kernel in principle is for Bookworm and I'm on Sid, but I figured a kernel is a kernel, so I gave it a go. Of course this particular kernel is not signed, so I had to sign it. I converted my dkms mok.pub der key into pem format using
Code:
openssl x509 -in mok.pub -inform DER -outform PEM -out mok.pem
and then I extracted the deb package, signed the kernel, and repacked the deb as explained here. After reboot, the newly signed kernel actually loaded (so I guess the signing process with the dkms key worked) and the system started, although with all sorts of issues. For starters, the laptop's touchpad wasn't working, and I had to navigate with the keyboard. In hindsight, I signed the kernel, but most likely all the related modules weren't signed and possibly didn't load, so I decided to compile my own kernel after all.
I downloaded the tarball from the kernel website, copied the debian kernel configuration file present in /boot and then ran
Code:
make oldconfig
to adjust the last couple of parameters. In following tries, I've also copied the signing key from /var/lib/dkms to the certs folder of the kernel source, so in the following code lines you'll see it from there (but I still get an error). In particular, related to the signing of modules and stuff, in the kernel config I have this set:
Code:
#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/mok.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="certs/mok.pem"
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
CONFIG_SECONDARY_TRUSTED_KEYRING=y
# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
# CONFIG_SYSTEM_REVOCATION_LIST is not set
# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set
# end of Certificates for signature checking
In my mind with this I've given the config file the key to use to sign modules and to add to the trusted keys. After a
Code:
make clean
I compiled the kernel with
Code:
make bindeb-pkg LOCALVERSION=-iacchi
The kernel compiles fine for the most part, but when it gets to signing the modules it just compiled I get this error:
Code:
INSTALL debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko
STRIP debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko
SIGN debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko
At main.c:170:
- SSL error:1E08010C:DECODER routines::unsupported: ../crypto/encode_decode/decoder_lib.c:102
sign-file: certs/mok.pem
make[6]: *** [scripts/Makefile.modinst:121: debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko] Errore 1
make[6]: *** Eliminazione del file «debian/linux-image-6.10.4-iacchi/lib/modules/6.10.4-iacchi/kernel/arch/x86/events/amd/power.ko»
make[5]: *** [Makefile:1842: modules_install] Errore 2
(I'm sorry some of the error text is in Italian; "Eliminazione del file" means "deleting file", and of course "Errore" is "Error"). This is where I'm stuck. I've tried to google "SSL error:1E08010C:DECODER routines::unsupported: ../crypto/encode_decode/decoder_lib.c" but I haven't found anything relevant to my problem; mostly either non-kernel related issues or people who actually forgot to specify a signing key. I've tried to change the pem key with the der key, but that doesn't work either. Is there anyone here who can help me?
Statistics: Posted by iacchi — 2024-08-14 08:44 — Replies 4 — Views 88
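Added example, not part of the original post: the kernel's module-signing documentation describes CONFIG_MODULE_SIG_KEY as a file holding both a private key and its X.509 certificate in PEM form, whereas the certs/mok.pem in the post was produced from mok.pub alone. The sketch below classifies a candidate file by its PEM blocks and builds a combined one. The function names are hypothetical, and the path /var/lib/dkms/mok.key with a PEM-encoded key inside is an assumption based on dkms defaults.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.
# Checks what a file offered as CONFIG_MODULE_SIG_KEY actually contains.

# classify_sig_key FILE
# Prints: ok         private key and certificate, both PEM
#         cert-only  certificate only (enough for CONFIG_SYSTEM_TRUSTED_KEYS,
#                    not for signing)
#         key-only   private key without its certificate
#         not-pem    no PEM block found (for example a DER file)
classify_sig_key() {
    has_key=no
    has_cert=no
    grep -Eq -- '^-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----$' "$1" \
        && has_key=yes
    grep -q -- '^-----BEGIN CERTIFICATE-----$' "$1" && has_cert=yes
    case "$has_key/$has_cert" in
        yes/yes) echo ok ;;
        no/yes)  echo cert-only ;;
        yes/no)  echo key-only ;;
        *)       echo not-pem ;;
    esac
}

# build_sig_key KEY_PEM CERT_DER OUT
# Writes the PEM private key followed by the certificate (converted from DER)
# to OUT. umask 077 keeps the result owner-readable only, because it now
# holds the MOK-enrolled private key.
build_sig_key() {
    (
        umask 077
        cat "$1" > "$3" &&
        openssl x509 -in "$2" -inform DER -outform PEM >> "$3"
    )
}

# Typical use, run as root from the kernel source tree (paths are assumptions):
#   build_sig_key /var/lib/dkms/mok.key /var/lib/dkms/mok.pub certs/mok-signing.pem
#   classify_sig_key certs/mok-signing.pem    # expected: ok
#   classify_sig_key certs/mok.pem            # the file from the post: cert-only
```

The combined file contains the private key that the firmware trusts through MOK, so it should be deleted from the source tree after the build and kept out of any package or backup that leaves the machine.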