Instead of removing the kernel signature checking, I've just configured it correctly:
#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking
To get there, I've just followed these steps:
sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source*
...which:
- installs the Ubuntu Linux kernel sources
- copies the certificates into a dedicated non-package-managed directory
- removes any kernel sources package again
This process can be repeated whenever an update is required (e.g. new certificates).
Answer from Ancoron on Stack Overflow
This seems to be the way to go with the current version:
https://unix.stackexchange.com/a/649484/301245
There are many, many config flags now, and the signing system must stay operational for the build to work. Easiest is to copy debian/ and debian.master/ into the source tree of the kernel to be built, then it works without additional changes. Well, almost: It can happen that references to key files still exist. The keys section in the .conf file should look like this:
#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
# end of Certificates for signature checking
Need someone confirmation for the changes I did
[Bug 1201450] New: Cannot compile kernel, No rule to make target '.kernel_signing_key.pem', needed by 'certs/signing_key.x509' - openSUSE Kernel Bugs - openSUSE Mailing Lists
debian - Attempting to compile kernel yields a certification error - Unix & Linux Stack Exchange
Guidance to compile the linux kernel
In your kernel configuration file you will find this line:
CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
Change it to this:
CONFIG_SYSTEM_TRUSTED_KEYS=""
Depending on your source structure you might be able to do it via command line. Examples:
scripts/config --disable SYSTEM_TRUSTED_KEYS
or
scripts/config --set-str SYSTEM_TRUSTED_KEYS ""
EDIT: Another key has been added to the default Canonical kernel configuration since this answer was posted:
CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
So, it also needs to be dealt with for user kernel compiles to complete:
scripts/config --disable SYSTEM_REVOCATION_KEYS
See also git based mainline kernel compile notes.
Well, I just generated a self-signed x509 certificate with a common name as my name, put the key and certificate in the same file and pointed both lines to the file. Compiles perfectly and security should be intact. I assume it's used to sign kernel binary and you can whitelist your certificate in a secure boot to allow your kernel to boot.
openssl req -x509 -newkey rsa:4096 -keyout certs/mycert.pem -out certs/mycert.pem -nodes -days 3650
CONFIG_MODULE_SIG_KEY="certs/mycert.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="certs/mycert.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
I ran into this several years ago on a Debian build. In the .config file you copied from /boot, find and comment out the lines CONFIG_SYSTEM_TRUSTED_KEY and CONFIG_MODULE_SIG_KEY.
During the build you can use your own cert or just use a random one time cert.
Found the above in this thread.
You can change your config file .config
CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
to
CONFIG_SYSTEM_TRUSTED_KEYS=""
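A pre-build check for the options the answers above change, written as an added example (not code from any of the posts or from the kernel tree): it reads MODULE_SIG_KEY, SYSTEM_TRUSTED_KEYS and SYSTEM_REVOCATION_KEYS from a .config and reports any value that names a file the build will not find. The function names are hypothetical; it assumes file-based keys (no PKCS#11 URI) and that relative paths resolve against the source tree given as the second argument.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of the certificate options in a kernel
# .config. Function names are illustrative, not part of the kernel tree.
# Usage after sourcing: check_kernel_certs .config /path/to/kernel/source

# Print the value of a CONFIG_ option with quotes stripped (empty if unset).
config_value() {  # $1 = .config path, $2 = option name without CONFIG_
    sed -n 's/^CONFIG_'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Check one option; returns 0 if the build can use it, 1 otherwise.
check_cert_option() {  # $1 = .config, $2 = source tree, $3 = option name
    value=$(config_value "$1" "$3")
    if [ -z "$value" ]; then
        echo "ok      CONFIG_$3 is empty, no file needed"
        return 0
    fi
    # The default signing key is generated by the build when it is absent.
    if [ "$3" = MODULE_SIG_KEY ] && [ "$value" = certs/signing_key.pem ]; then
        echo "ok      CONFIG_$3 uses the autogenerated default"
        return 0
    fi
    # Any other value, including a stray y, is read as a file name.
    case $value in
        /*) path=$value ;;      # absolute path, used as is
        *)  path=$2/$value ;;   # assumption: relative to the source tree
    esac
    if [ ! -f "$path" ]; then
        echo "MISSING CONFIG_$3=\"$value\" -> $path"
        return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$path"; then
        echo "NOT PEM CONFIG_$3=\"$value\" has no certificate block"
        return 1
    fi
    echo "ok      CONFIG_$3=\"$value\""
}

# Check all three options; the return value is the number of failures.
check_kernel_certs() {  # $1 = .config, $2 = source tree
    failures=0
    for opt in MODULE_SIG_KEY SYSTEM_TRUSTED_KEYS SYSTEM_REVOCATION_KEYS; do
        check_cert_option "$1" "$2" "$opt" || failures=$((failures + 1))
    done
    return "$failures"
}
```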
Hi,
I am trying to recompile the Linux kernel and am facing some issues. Can y'all help me out, please?
My OS is Ubuntu 24.04 LTS. The kernel is 5.19.8 from here.
When I run make I used to get the following issue:
CC kernel/jump_label.o
CC kernel/iomem.o
CC kernel/rseq.o
AR kernel/built-in.a
CC certs/system_keyring.o
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
make: *** [Makefile:1851: certs] Error 2
I did as one of the users in this Stack Overflow post said:
scripts/config --disable SYSTEM_TRUSTED_KEYS
scripts/config --disable SYSTEM_REVOCATION_KEYS
Now when I run make I get the following issue, and I am not sure how I should go about solving it:
make[1]: *** No rule to make target 'y', needed by 'certs/x509_certificate_list'. Stop.
make: *** [Makefile:1847: certs] Error 2
Hi!
I tried to build the Linux kernel by typing this command:
make -j$(nproc) deb-pkg LOCALVERSION=-custom
but I got this error:
make[2]: *** [debian/rules:7 : build-arch] Erreur 2
dpkg-buildpackage: erreur: debian/rules binary subprocess returned exit status 2
I also got this message above:
make[4]: *** No rule to make target « debian/canonical-certs.pem », needed by « certs/x509_certificate_list ». Stop.
Could somebody help me, please?