On Mon, 2017-02-13 at 02:51 +0000, 慕 冬亮 wrote: > On Sun, 2017-02-12 at 17:14 +0000, Ben Hutchings wrote: > > On Sun, 2017-02-12 at 05:43 +0000, 慕 冬亮 wrote: > > > Hi all, > > > > > > > > > when I want to compile the master branch of linux kernel in Debian > > > Stretch, there is one error in the following. It seems to be > > > problem > > > of Debian, not the upstream > > > > > > > > > $ make > > > CHK include/config/kernel.release > > > CHK include/generated/uapi/linux/version.h > > > CHK include/generated/utsrelease.h > > > CHK include/generated/bounds.h > > > CHK include/generated/timeconst.h > > > CHK include/generated/asm-offsets.h > > > CALL scripts/checksyscalls.sh > > > CHK include/generated/compile.h > > > make[1]: *** No rule to make target 'debian/certs/benh@debian.org.c > > > ert.pem', needed by 'certs/x509_certificate_list'. Stop. > > > Makefile:988: recipe for target 'certs' failed > > > make: *** [certs] Error 2 > > > > You have started with the config file for our official kernel binary > > packages, for which the modules get signed. You will not be signing > > modules with our signing key, so you need to change the configuration > > accordingly. > > > > Yes, I directly used the old config file copied from /boot/config- > 4.9.0-1-amd64(linux-image-4.9.0-1-amd64 package). > > You mean I need to disable "CONFIG_MODULE_SIG" configuration in "Enable > loadable module support"? No, but you do need to clear CONFIG_SYSTEM_TRUSTED_KEYS. > And why does Debian kernel team enable such one configuration by > default? For security or what? Yes, this can be a useful security feature. Ben. > > The config files provided in linux-source-4.9 have the module signing > > configuration changed to be suitable for custom kernel builds. > > > > Ben. > > -- Ben Hutchings For every complex problem there is a solution that is simple, neat, and wrong.
Attachment:
signature.asc
Description: This is a digitally signed message part