> Dear debian kernel maintainers:
> 
> I want to re-package debian kernel to support modules signing.
> Below is what I do:
> 
> 1. get the debian kernel source via `apt-get source linux`, btw I'm
> using the unstable version.
> 2. change debian/config/config file and modify these items:
>     CONFIG_MODULE_SIG_KEY="path/to/keypairfile"
>     CONFIG_MODULE_SIG=y
>     CONFIG_MODULE_SIG_FORCE=y
>     CONFIG_MODULE_SIG_ALL=y
>     CONFIG_MODULE_SIG_SHA256=y
> 
>    the key file is generated manually following the kernel doc [1].
> 3. re-packaging the source via `dpkg-buildpackage -us -uc`
> 4. install the new generated kernel-image package.
> 
> And here is the problems:
> 1. As what I get from the kernel doc [1], when
> `CONFIG_MODULE_SIG_KEY`
> is not set, the build process will automatically generate a new key
> pair
> for modules signing. but when I left this config item to blank, no
> key
> was generated, and I don't know why.
> 
> 2. I've specified the `CONFIG_MODULE_SIG_ALL=y` and according to the
> doc
> [1], the modules will be automatically signed while `make
> modules_install`, and that doesn't happen either. so I have to
> manually
> sign the modules.
> 
> I really want the answer about this two problems. Any help would be
> very
> appreciated.

I've had this problem in the past. There are 2 issues.

First of all, as far as I can see and test, _SIG_KEY should not be
actually empty, but fixed to this value:

CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

That's what will get autogenerated.

Then, make sure that building the debugging symbols is disabled so that
dh_strip doesn't run, otherwise it will remove the signatures from the
modules as well as the symbols.
There is also a patch to workaround the issue without disabling the
-dbg packages. See:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852715

-- 
Kind regards,
Luca Boccassi

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to