Bug 936402 - sys-kernel/gentoo-kernel fail to build with modules-sign
Summary: sys-kernel/gentoo-kernel fail to build with modules-sign
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Eclasses
Hardware: All Linux
Importance: Normal normal
Assignee: Distribution Kernel Project
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-07-20 14:17 UTC by REVOL V.
Modified: 2024-07-21 15:14 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge log (emerge.log.zst, 69.23 KB, text/plain), 2024-07-20 15:43 UTC, REVOL V.
emerge log (emerge.log.zst, 69.23 KB, application/zstd), 2024-07-20 15:45 UTC, REVOL V.
emerge --info (emerge.info, 20.65 KB, text/plain), 2024-07-20 15:45 UTC, REVOL V.
emerge -pqv (emerge.pqv, 719 bytes, text/plain), 2024-07-20 15:46 UTC, REVOL V.

Description REVOL V. 2024-07-20 14:17:45 UTC
My make.conf has the following variable defined

SECUREBOOT_SIGN_KEY="/var/lib/portage/home/clefs/db.key"
SECUREBOOT_SIGN_CERT="/var/lib/portage/home/clefs/db.crt"
MODULES_SIGN_KEY="/var/lib/portage/home/clefs/signing_key.priv"
MODULES_SIGN_HASH="sha512"
MODULES_SIGN_CERT="/var/lib/portage/home/clefs/signing_key.x509"

All of those files exist.

Reproducible: Always
Someone more knowledgeable than me (monkfish on the gentoo IRC) said the following:
"you have "modules-sign" enabled. the supporting eclass is supposed to generate a signing key for you. it's probably not being generated correctly for some reason."

"indeed, towards the top of your log, there is evidence of a bash command substitution processing junk data: kernel-build.eclass: line 138: warning: command substitution: ignored null byte in input"

"and the applicable code is: MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)""

"it should be reported."

"to recap, bash command substitutions can only process textual data correctly, and it's clearly expected that a textual key is being processed at that point. for a NUL byte to be in the file suggests something went seriously wrong."
Comment 1 REVOL V. 2024-07-20 15:43:18 UTC
Created attachment 898037 [details]
emerge log
Comment 2 REVOL V. 2024-07-20 15:45:02 UTC
Created attachment 898038 [details]
emerge log
Comment 3 REVOL V. 2024-07-20 15:45:39 UTC
Created attachment 898039 [details]
emerge --info
Comment 4 REVOL V. 2024-07-20 15:46:04 UTC
Created attachment 898040 [details]
emerge -pqv
Comment 5 Nowa Ammerlaan gentoo-dev 2024-07-20 17:02:09 UTC
Please verify that all keys you are using here are in PEM format.
Comment 6 Nowa Ammerlaan gentoo-dev 2024-07-20 17:13:00 UTC
Your failure is here:

# cmd_gen_order certs/modules.order
  {  :; } > certs/modules.order
# CERT    certs/x509_certificate_list
  certs/extract-cert "" certs/x509_certificate_list
# CERT    certs/signing_key.x509
  certs/extract-cert "/tmp/portage/sys-kernel/gentoo-kernel-6.9.10/temp/kernel_key.pem" certs/signing_key.x509
At main.c:164:
- SSL error:0480006C:PEM routines::no start line: ../openssl-3.0.13/crypto/pem/pem_lib.c:763
extract-cert: /tmp/portage/sys-kernel/gentoo-kernel-6.9.10/temp/kernel_key.pem: Success
make[4]: *** [/tmp/portage/sys-kernel/gentoo-kernel-6.9.10/work/linux-6.9/certs/Makefile:74: certs/signing_key.x509] Error 1
make[3]: *** [/tmp/portage/sys-kernel/gentoo-kernel-6.9.10/work/linux-6.9/scripts/Makefile.build:485: certs] Error 2


"no start line" is what you could see if the key is DER format. Additionally your MODULES_SIGN_CERT has the .x509 suffix, which is usually used for DER format certificates. Both sbsign and the kernel build system require PEM format keys.

The easy way to check is with "file", for example:
# file /root/kernel_key.der
/root/kernel_key.der: Certificate, Version=3 
# file /root/kernel_key.pem
/root/kernel_key.pem: OpenSSH private key (no password) 

The other way to check is with "cat", PEM format keys are readable plain text, DER format keys are not.

To convert your key between formats use openssl:
openssl x509 -in /my/key.der -inform der -out /my/key.pem -outform pem
Comment 7 REVOL V. 2024-07-20 18:01:57 UTC
Thank you.

As you suspected, they weren't in the PEM format.
Comment 8 Nowa Ammerlaan gentoo-dev 2024-07-20 18:07:00 UTC
Great! 

I'm looking into adjusting the eclasses a bit so it will fail earlier if the key is not in the proper format, and with a more helpful error message.
Comment 9 Larry the Git Cow gentoo-dev 2024-07-21 13:31:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b804fa3f3ec62aabeada773b15ca408e73735d6

commit 1b804fa3f3ec62aabeada773b15ca408e73735d6
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2024-07-20 18:59:04 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2024-07-21 13:29:45 +0000

    kernel-build.eclass: check and fail early if key or cert in DER format
    
    Bug: https://bugs.gentoo.org/936402
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 eclass/kernel-build.eclass | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6642547cd274ab4edd7d34b71674d1aa04a2d74

commit f6642547cd274ab4edd7d34b71674d1aa04a2d74
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2024-07-20 18:10:37 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2024-07-21 13:29:44 +0000

    secureboot.eclass: check and fail early if key or cert in DER format
    
    Bug: https://bugs.gentoo.org/936402
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 eclass/secureboot.eclass | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
Comment 10 poncho 2024-07-21 15:08:27 UTC
As also mentioned in the pull request on github, those commits to kernel-build.eclass result in the following error:

Could not open file or uri for loading private key from 
40E706E72C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../openssl-3.0.13/crypto/store/store_register.c:237:scheme=file
40E706E72C7F0000:error:80000002:system library:file_open:No such file or directory:../openssl-3.0.13/providers/implementations/storemgmt/file_store.c:267:calling stat()

Reverting the commit fixes the issue. I don't use kernel or module signing. 

emerge --ignore-default-opts --info sys-kernel/gentoo-kernel
Portage 3.0.65 (python 3.12.3-final-0, default/linux/amd64/23.0/desktop/gnome/systemd, gcc-13, glibc-2.39-r6, 6.9.10-gentoo-dist x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-6.9.10-gentoo-dist-x86_64-Intel-R-_Core-TM-_i7-9700K_CPU_@_3.60GHz-with-glibc2.39
KiB Mem:    32773812 total,   2521700 free
KiB Swap:   33554428 total,  33554428 free
Head commit of repository gnome-next: 2fe2ca6677ec1e5a17130cbcf9248adca8532377

Head commit of repository steam-overlay: fc142da83eb4eb440c787e9f1befe5945b09f485

Timestamp of repository gentoo: Sun, 21 Jul 2024 14:34:04 +0000
Head commit of repository gentoo: 0ee1badc48f522dc677af576f47f6889881b959c

Head commit of repository poncho: 83e72a89a1d6daaa44290a262cd2a6d93b17c7dc

Head commit of repository torbrowser: 927ea3e63d842fdb50cadc5b9bfcc5c5edc8629e

sh bash 5.2_p26-r6
ld GNU ld (Gentoo 2.42 p3) 2.42.0
app-misc/pax-utils:        1.3.7::gentoo
app-shells/bash:           5.2_p26-r6::gentoo
dev-build/autoconf:        2.13-r8::gentoo, 2.71-r7::gentoo
dev-build/automake:        1.16.5-r2::gentoo
dev-build/cmake:           3.28.5::gentoo
dev-build/libtool:         2.4.7-r4::gentoo
dev-build/make:            4.4.1-r1::gentoo
dev-build/meson:           1.4.1::gentoo
dev-lang/perl:             5.38.2-r3::gentoo
dev-lang/python:           3.11.9-r1::gentoo, 3.12.3-r1::gentoo
dev-lang/rust:             1.77.1::gentoo
sys-apps/baselayout:       2.15::gentoo
sys-apps/sandbox:          2.38::gentoo
sys-apps/systemd:          256.2::gentoo
sys-devel/binutils:        2.42-r1::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/clang:           17.0.6::gentoo
sys-devel/gcc:             13.3.1_p20240614::gentoo
sys-devel/gcc-config:      2.11::gentoo
sys-devel/lld:             17.0.6::gentoo
sys-devel/llvm:            17.0.6::gentoo
sys-kernel/linux-headers:  6.6-r1::gentoo (virtual/os-headers)
sys-libs/glibc:            2.39-r6::gentoo
Repositories:

gnome-next
    location: /var/db/repos/gnome-next
    sync-type: git
    sync-uri: https://github.com/MeisterP/gnome-overlay.git
    sync-user: poncho
    masters: gentoo
    priority: 50
    volatile: True

steam-overlay
    location: /var/db/repos/steam
    sync-type: git
    sync-uri: https://github.com/anyc/steam-overlay.git
    masters: gentoo
    priority: 50
    volatile: True

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/repo/sync/gentoo.git
    sync-user: poncho
    priority: 1000
    volatile: True
    sync-git-verify-commit-signature: true

poncho
    location: /var/db/repos/poncho
    sync-type: git
    sync-uri: https://github.com/MeisterP/poncho-overlay.git
    sync-user: poncho
    masters: gentoo
    priority: 1050
    volatile: True

torbrowser
    location: /var/db/repos/torbrowser
    sync-type: git
    sync-uri: https://github.com/MeisterP/torbrowser-overlay.git
    sync-user: poncho
    masters: gentoo
    priority: 1050
    volatile: True

Binary Repositories:

binhost
    priority: 9999
    sync-uri: https://mirror.init7.net/gentoo/releases/amd64/binpackages/23.0/x86-64-v3

Installed sets: @fonts, @kernels, @latex, @python-modules, @virtualbox
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA FraunhoferFDK NVIDIA-CUDA PUEL-11"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/thumbnailers/ffmpegthumbnailer.thumbnailer"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --ask --jobs=8 --load-average=9 --verbose"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync merge-wait mount-sandbox multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="https://mirror.init7.net/gentoo/ 	http://distfiles.gentoo.org"
INSTALL_MASK=" /etc/init.d /etc/conf.d"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs"
LEX="flex"
LINGUAS="en en_US"
MAKEOPTS="-j8 -l9"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
RUSTFLAGS="-C target-cpu=native -C opt-level=2"
SHELL="/bin/bash"
USE="X a52 aac acl acpi aften alsa amd64 argyllcms bluetooth bzip2 cairo cdda cdio cdr cet colord crypt cryptsetup css cuda cups dav1d dbus device-mapper dist-kernel dri drm dts dvd dvdr encode evo exif fdk ffmpeg flac fontconfig gdbm gif gnome gnome-keyring gnome-online-accounts gnome-shell gstreamer gtk gui harfbuzz heif iconv icu id3tag introspection ipv6 jpeg keyring kf6compat kms lame lcms libass libnotify libplacebo libproxy libtirpc mad mng mp3 mp4 mpeg multilib nautilus ncurses networkmanager nls nss nvenc nvidia ogg opengl openmp opus pam pango pcre pdf pipewire png policykit postscript ppds pulseaudio raw readline rtmp sdl seccomp sndfile sound speex spell ssl startup-notification svg sysprof systemd test-rust theora tiff tracker truetype udev udisks unicode upower usb v4l vaapi vorbis vpx vulkan wavpack webp x264 x265 xattr xcb xft xml xmp xps xv xvid zlib" ABI_X86="64" ADA_TARGET="gcc_12" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 ntrip navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en en_US" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-2" 
POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_12" PYTHON_TARGETS="python3_12" RUBY_TARGETS="ruby31 ruby32" SANE_BACKENDS="hp" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, LC_ALL, LD, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, SIZE, STRINGS, STRIP, YACC, YFLAGS

=================================================================
                        Package Settings
=================================================================

sys-kernel/gentoo-kernel-6.9.6::gentoo was built with the following:
USE="initramfs strip -debug -generic-uki -hardened -modules-compress -modules-sign -savedconfig -secureboot -test" ABI_X86="(64)"
FEATURES="userfetch binpkg-logs strict unmerge-logs config-protect-if-modified preserve-libs merge-sync userpriv qa-unresolved-soname-deps buildpkg-live fixlafiles multilib-strict assume-digests usersync unmerge-orphans binpkg-dostrip ipc-sandbox network-sandbox mount-sandbox usersandbox pkgdir-index-trusted distlocks pid-sandbox news merge-wait parallel-fetch ebuild-locks xattr sfperms unknown-features-warn binpkg-docompress parallel-install sandbox protect-owned"


sys-kernel/gentoo-kernel-6.9.7::gentoo was built with the following:
USE="initramfs strip -debug -generic-uki -hardened -modules-compress -modules-sign -savedconfig -secureboot -test" ABI_X86="(64)"
FEATURES="assume-digests usersync binpkg-dostrip mount-sandbox fixlafiles preserve-libs parallel-fetch ipc-sandbox binpkg-docompress unmerge-logs merge-wait xattr usersandbox userfetch network-sandbox unmerge-orphans qa-unresolved-soname-deps strict multilib-strict pkgdir-index-trusted userpriv sandbox unknown-features-warn parallel-install ebuild-locks merge-sync sfperms buildpkg-live config-protect-if-modified protect-owned news binpkg-logs distlocks pid-sandbox"


sys-kernel/gentoo-kernel-6.9.8::gentoo was built with the following:
USE="initramfs strip -debug -generic-uki -hardened -modules-compress -modules-sign -savedconfig -secureboot -test" ABI_X86="(64)"
FEATURES="binpkg-logs unknown-features-warn userpriv multilib-strict distlocks sfperms protect-owned network-sandbox xattr binpkg-dostrip binpkg-docompress parallel-fetch strict unmerge-logs userfetch config-protect-if-modified mount-sandbox pid-sandbox usersync news buildpkg-live preserve-libs ebuild-locks qa-unresolved-soname-deps fixlafiles merge-sync sandbox merge-wait assume-digests pkgdir-index-trusted usersandbox unmerge-orphans ipc-sandbox parallel-install"


sys-kernel/gentoo-kernel-6.9.9::gentoo was built with the following:
USE="initramfs strip -debug -generic-uki -hardened -modules-compress -modules-sign -savedconfig -secureboot -test" ABI_X86="(64)"


sys-kernel/gentoo-kernel-6.9.10::gentoo was built with the following:
USE="initramfs strip -debug -generic-uki -hardened -modules-compress -modules-sign -savedconfig -secureboot -test" ABI_X86="(64)"
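The two failure modes in this thread, a DER-encoded key silently mangled by `$(cat ...)` (Comment 6) and a format check that ran even when signing was disabled (Comment 10), can both be caught by a small pre-flight routine. The script below is an added example, not code from kernel-build.eclass or secureboot.eclass: `pem_check` classifies a file as PEM (text with a `-----BEGIN` line), binary/DER (contains NUL bytes or lacks the envelope) or missing, and `check_signing_material` only invokes it when signing is enabled. Function names, the `enabled` flag standing in for the USE condition, and the sample files are all assumptions; the sample "keys" are constructed text and bytes, not real key material.

```shell
#!/bin/bash
# Added example, not code from kernel-build.eclass or secureboot.eclass.
# pem_check classifies a key/cert file the way the eclass needs it to be:
# PEM (text, starts with "-----BEGIN"), not DER (binary, contains NUL bytes,
# which bash's $(cat ...) silently drops as "ignored null byte in input").
# check_signing_material only runs that check when signing is enabled, so
# a disabled build is never asked to validate an empty path.
# All function and variable names here are assumptions.

# Exit status: 0 = looks like PEM, 1 = looks like DER/binary or not PEM,
# 2 = file missing or unreadable.
pem_check() {
    local f=$1 total stripped
    [ -n "$f" ] && [ -r "$f" ] || return 2
    # Compare byte counts with and without NUL bytes: any difference means
    # the file is binary, which is what a DER-encoded key or cert looks like.
    total=$(wc -c < "$f")
    stripped=$(tr -d '\000' < "$f" | wc -c)
    [ "$((total))" -eq "$((stripped))" ] || return 1
    # PEM always carries a textual envelope; OpenSSL's "no start line"
    # error is exactly the absence of this line.
    grep -q '^-----BEGIN ' "$f" || return 1
    return 0
}

# $1: 1 if signing is enabled (stands in for the USE flag condition),
# $2: private key path, $3: certificate path.
check_signing_material() {
    local enabled=$1 key=$2 cert=$3 f rc
    if [ "$enabled" != 1 ]; then
        # Comment 10's failure came from checking an empty path when
        # signing was off; the guard belongs here, before any file access.
        echo "signing disabled, nothing to validate"
        return 0
    fi
    for f in "$key" "$cert"; do
        rc=0
        pem_check "$f" || rc=$?
        case $rc in
            0) ;;
            1) echo "error: '$f' is not a PEM file (DER or other binary data);" \
                    "convert it to PEM with openssl before building" >&2
               return 1 ;;
            *) echo "error: '$f' is missing or unreadable" >&2
               return 1 ;;
        esac
    done
    echo "key and certificate are PEM, continuing"
    return 0
}

# Constructed sample files (not real keys or certificates): the PEM ones
# contain only the textual envelope, the DER one a few ASN.1-looking bytes
# including a NUL.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
    'MIIBconstructedSampleNotARealKey=' \
    '-----END PRIVATE KEY-----' > "$SAMPLE_DIR/signing_key.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIICconstructedSampleNotARealCert=' \
    '-----END CERTIFICATE-----' > "$SAMPLE_DIR/signing_key.crt"
printf '\060\202\001\052\002\001\000\002\201' > "$SAMPLE_DIR/signing_key.der"

# Demonstration: the accepted case, the rejected DER case, and the
# disabled case that must not touch any file.
check_signing_material 1 "$SAMPLE_DIR/signing_key.pem" "$SAMPLE_DIR/signing_key.crt"
check_signing_material 1 "$SAMPLE_DIR/signing_key.der" "$SAMPLE_DIR/signing_key.crt" || true
check_signing_material 0 "" ""
```

The NUL-byte test is deliberately done with `wc` and `tr` rather than by reading the file into a shell variable, because a command substitution is precisely the place where the bytes get lost; the `-----BEGIN` test then catches text files that are still not PEM (a bare base64 dump, for instance). In a real build the `enabled` argument would come from the signing USE flag, which is the conditional the follow-up commit adds.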
Comment 11 Larry the Git Cow gentoo-dev 2024-07-21 15:14:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46f7840350a04cbe47a1e6902baca0d638f85e6d

commit 46f7840350a04cbe47a1e6902baca0d638f85e6d
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2024-07-21 15:12:55 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2024-07-21 15:14:15 +0000

    kernel-build.eclass: add missing modules-sign conditional to cert/key check
    
    Bug: https://bugs.gentoo.org/936402
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 eclass/kernel-build.eclass | 46 ++++++++++++++++++++++++----------------------
 1 file changed, 24 insertions(+), 22 deletions(-)