> Dear debian kernel maintainers:
>
> I want to re-package debian kernel to support modules signing.
> Below is what I do:
>
> 1. get the debian kernel source via `apt-get source linux`, btw I'm
>    using the unstable version.
> 2. change debian/config/config file and modify these items:
>    CONFIG_MODULE_SIG_KEY="path/to/keypairfile"
>    CONFIG_MODULE_SIG=y
>    CONFIG_MODULE_SIG_FORCE=y
>    CONFIG_MODULE_SIG_ALL=y
>    CONFIG_MODULE_SIG_SHA256=y
>
>    the key file is generated manually following the kernel doc [1].
> 3. re-packaging the source via `dpkg-buildpackage -us -uc`
> 4. install the new generated kernel-image package.
>
> And here are the problems:
> 1. As what I get from the kernel doc [1], when `CONFIG_MODULE_SIG_KEY`
>    is not set, the build process will automatically generate a new key
>    pair for modules signing. But when I left this config item blank,
>    no key was generated, and I don't know why.
>
> 2. I've specified the `CONFIG_MODULE_SIG_ALL=y` and according to the
>    doc [1], the modules will be automatically signed while `make
>    modules_install`, and that doesn't happen either. So I have to
>    manually sign the modules.
>
> I really want the answer about these two problems. Any help would be
> very appreciated.

I've had this problem in the past. There are 2 issues.

First of all, as far as I can see and test, _SIG_KEY should not be
actually empty, but fixed to this value:

    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

That's what will get autogenerated.

Then, make sure that building the debugging symbols is disabled so that
dh_strip doesn't run, otherwise it will remove the signatures from the
modules as well as the symbols.

There is also a patch to work around the issue without disabling the -dbg
packages. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852715

-- 
Kind regards,
Luca Boccassi
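
An added example, not part of the original thread: a way to check, after the package build, whether modules still carry the appended signature trailer that stripping removes. The function names `module_is_signed` and `list_unsigned` are hypothetical, and the script assumes uncompressed `.ko` files.

```shell
#!/bin/sh
# Added example (not from the thread): detect kernel modules that lost
# their appended signature, for instance after a strip step in packaging.
#
# The kernel's module signing appends the signature data and then a fixed
# 28-byte marker, "~Module signature appended~\n", as the last bytes of
# the file. The marker shows a signature trailer is present; it does not
# prove the signature verifies against the key the kernel trusts.

# Hex form of the marker, so binary tails can be compared safely.
SIG_MAGIC_HEX=$(printf '~Module signature appended~\n' | od -An -tx1 | tr -d ' \n')

# module_is_signed FILE
# Returns 0 if FILE ends with the marker, 1 if not, 2 if FILE is missing.
module_is_signed() {
    [ -f "$1" ] || return 2
    tail_hex=$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$tail_hex" = "$SIG_MAGIC_HEX" ]
}

# list_unsigned DIR
# Prints, in sorted order, every *.ko under DIR that lacks the marker.
list_unsigned() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        module_is_signed "$ko" || printf '%s\n' "$ko"
    done
}

# Stand-alone use: pass the module tree to scan, for example the
# lib/modules directory inside the unpacked kernel-image package.
if [ "$#" -gt 0 ]; then
    unsigned=$(list_unsigned "$1")
    if [ -n "$unsigned" ]; then
        printf 'Modules without a signature trailer:\n%s\n' "$unsigned"
        exit 1
    fi
    printf 'All .ko files under %s carry a signature trailer.\n' "$1"
fi
```

With `CONFIG_MODULE_SIG_FORCE=y`, any module this reports would be refused at load time, so running it against the built package before installation catches the dh_strip problem early.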