Re: make error in compiling kernel in Debian Stretch
On Mon, 2017-02-13 at 03:03 +0000, Ben Hutchings wrote:
> On Mon, 2017-02-13 at 02:51 +0000, 慕 冬亮 wrote:
> > On Sun, 2017-02-12 at 17:14 +0000, Ben Hutchings wrote:
> > > On Sun, 2017-02-12 at 05:43 +0000, 慕 冬亮 wrote:
> > > > Hi all,
> > > >
> > > >
> > > > when I want to compile the master branch of linux kernel in
> > > > Debian
> > > > Stretch, there is one error in the following. It seems to be
> > > > problem
> > > > of Debian, not the upstream
> > > >
> > > >
> > > > $ make
> > > > CHK include/config/kernel.release
> > > > CHK include/generated/uapi/linux/version.h
> > > > CHK include/generated/utsrelease.h
> > > > CHK include/generated/bounds.h
> > > > CHK include/generated/timeconst.h
> > > > CHK include/generated/asm-offsets.h
> > > > CALL scripts/checksyscalls.sh
> > > > CHK include/generated/compile.h
> > > > make[1]: *** No rule to make target 'debian/certs/benh@debian.o
> > > > rg.c
> > > > ert.pem', needed by 'certs/x509_certificate_list'. Stop.
> > > > Makefile:988: recipe for target 'certs' failed
> > > > make: *** [certs] Error 2
> > >
> > > You have started with the config file for our official kernel
> > > binary
> > > packages, for which the modules get signed. You will not be
> > > signing
> > > modules with our signing key, so you need to change the
> > > configuration
> > > accordingly.
> > >
> >
> > Yes, I directly used the old config file copied from /boot/config-
> > 4.9.0-1-amd64(linux-image-4.9.0-1-amd64 package).
> >
> > You mean I need to disable "CONFIG_MODULE_SIG" configuration in
> > "Enable
> > loadable module support"?
>
> No, but you do need to clear CONFIG_SYSTEM_TRUSTED_KEYS.
Just open .config file and clear content of
"CONFIG_SYSTEM_TRUSTED_KEYS", like
CONFIG_SYSTEM_TRUSTED_KEYS=""
It works now.
>
> > And why does Debian kernel team enable such one configuration by
> > default? For security or what?
>
> Yes, this can be a useful security feature.
>
> Ben.
>
> > > The config files provided in linux-source-4.9 have the module
> > > signing
> > > configuration changed to be suitable for custom kernel builds.
> > >
> > > Ben.
> > >
Reply to: