First beforehand: I have been using USE=modules-sign for over a year and have also set 'MODULES_SIGN_KEY' properly to a self-generated .pem file. Something changed in the last few days in the handling of module signing, I guess somewhere in the responsible eclass file.

I have been using the package 'sys-kernel/gentoo-kernel' for about a year to generate my kernel, with config files stored at /etc/portage/savedconfig/sys-kernel. I'm also using two packages with 3rd-party kernel modules:

* media-video/v4l2loopback
* app-laptop/tuxedo-drivers

Both worked until last week. Now I get the following error message (e.g.):

 * Checking for suitable kernel configuration options ... [ ok ]
 * USE=modules-sign requires additional configuration, please see the
 * kernel[1] documentation and the linux-mod-r1 eclass[2] user variables.
 * [1] https://www.kernel.org/doc/html/v6.10/admin-guide/module-signing.html
 * [2] https://devmanual.gentoo.org/eclass-reference/linux-mod-r1.eclass/index.html
 * ERROR: media-video/v4l2loopback-0.13.1::gentoo failed (setup phase):
 *   USE=modules-sign is set but the private key '/var/tmp/portage/sys-kernel/gentoo-kernel-6.10.6/temp/kernel_key.pem' was not found
 *
 * Call stack:
 *   ebuild.sh, line 136: Called pkg_setup
 *   v4l2loopback-0.13.1.ebuild, line 29: Called linux-mod-r1_pkg_setup
 *   linux-mod-r1.eclass, line 348: Called _modules_prepare_sign
 *   linux-mod-r1.eclass, line 751: Called _modules_sign_die 'the private key '/var/tmp/portage/sys-kernel/gentoo-kernel-6.10.6/temp/kernel_key.pem' was not found'
 *   linux-mod-r1.eclass, line 724: Called die
 * The specific snippet of code:
 *   die "USE=modules-sign is set but ${*}"
 *
 * If you need support, post the output of `emerge --info '=media-video/v4l2loopback-0.13.1::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-video/v4l2loopback-0.13.1::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/media-video/v4l2loopback-0.13.1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-video/v4l2loopback-0.13.1/temp/die.env'.
 * Working directory: '/var/tmp/portage/media-video/v4l2loopback-0.13.1/empty'
 * S: '/var/tmp/portage/media-video/v4l2loopback-0.13.1/work/v4l2loopback-0.13.1'

As you see, the build system tries to find my kernel-signing file in the temporary build folder of the kernel, which was deleted during cleanup. Looking into the (new) saved config file also shows that 'CONFIG_MODULE_SIG_KEY' is set to the temporary path mentioned in the error above. In older config files 'CONFIG_MODULE_SIG_KEY' is set to the path set with 'MODULES_SIGN_KEY' in make.conf.

Reproducible: Always

Steps to Reproduce:
1. set MODULES_SIGN_KEY=/etc/keys/my_kernel_key.pem
2. emerge -q1 sys-kernel/gentoo-kernel
3. emerge -q1 media-video/v4l2loopback
4. emerge -q1 app-laptop/tuxedo-drivers

Actual Results:
 * Package: media-video/v4l2loopback-0.13.1:0
 * Repository: gentoo
 * Maintainer: titanofold@gentoo.org
 * USE: abi_x86_64 amd64 dist-kernel elibc_glibc kernel_linux modules-compress modules-sign strip
 * FEATURES: ccache network-sandbox preserve-libs sandbox userpriv usersandbox
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *   /usr/src/linux
 * Found sources for kernel version:
 *   6.10.6-x86_64
 * Checking for suitable kernel configuration options ... [ ok ]
 * USE=modules-sign requires additional configuration, please see the
 * kernel[1] documentation and the linux-mod-r1 eclass[2] user variables.
 * [1] https://www.kernel.org/doc/html/v6.10/admin-guide/module-signing.html
 * [2] https://devmanual.gentoo.org/eclass-reference/linux-mod-r1.eclass/index.html
 * ERROR: media-video/v4l2loopback-0.13.1::gentoo failed (setup phase):
 *   USE=modules-sign is set but the private key '/var/tmp/portage/sys-kernel/gentoo-kernel-6.10.6/temp/kernel_key.pem' was not found

Expected Results:
The package finds and uses the *.pem file set via 'MODULES_SIGN_KEY'.

Portage 3.0.65 (python 3.12.3-final-0, default/linux/amd64/23.0/desktop/gnome/systemd, gcc-13, glibc-2.39-r6, 6.10.6-x86_64 x86_64)
=================================================================
System uname: Linux-6.10.6-x86_64-x86_64-AMD_Ryzen_7_8845HS_w-_Radeon_780M_Graphics-with-glibc2.39
Timestamp of repository gentoo: Sat, 24 Aug 2024 13:18:56 +0000
I guess we broke this somehow in e290c3c78b7acb59393f46d1d15175d6dbfc77da.
This looks like it is somehow not getting the key from the environment and using instead the value of the key as set by the kernel config. Could you please share the environment for this package: /var/tmp/portage/media-video/v4l2loopback-0.13.1/temp/die.env
Created attachment 901127: v4l2loopback.env

/var/tmp/portage/media-video/v4l2loopback-0.13.1/temp/die.env
> Something changed the last days in handling with module signing. I guess
> somewhere in the responsible eclass file.

The eclass hasn't changed anything with modules signing since it was introduced (and the last unrelated commit was done a month ago). And if MODULES_SIGN_KEY is non-empty, it never checks the kernel's config:

    if [[ -z ${MODULES_SIGN_KEY} ]]; then
        : "$(linux_chkconfig_string MODULE_SIG_KEY)"
        MODULES_SIGN_KEY=${_//\"}
        [[ -n ${MODULES_SIGN_KEY} ]] ||
            _modules_sign_die "CONFIG_MODULE_SIG_KEY is not set in the kernel"
    fi

That would imply that it is actually empty, and then (as shown in the env file) the eclass read the config and set it to that value. So there must be something wrong somewhere in your configs. Maybe something resets the value, a typo, I wouldn't know.

I cannot reproduce from a quick try anyhow:

    $ MODULES_SIGN_KEY=/etc/keys/signing_key.pem USE=modules-sign emerge xpadneo
    <snip>
     * Signing modules ...
     * Running /tmp/portage/games-util/xpadneo-9999/temp/linux-mod-r1_sign-file sha1 /etc/keys/signing_key.pem
    <snip>

Albeit I didn't test with a dist-kernel, but I don't see how e290c3c78b7acb59393f46d1d15175d6dbfc77da or anything else could affect the eclass when MODULES_SIGN_KEY takes priority over the config.
> Looking into the (new) saved config file shows also, 'CONFIG_MODULE_SIG_KEY'
> is set to the temporary path mentioned in the error above. In older config
> files 'CONFIG_MODULE_SIG_KEY' is set the path set with 'MODULES_SIGN_KEY' in
> make.conf

This new behaviour you are seeing has been around since December; it was introduced in 3e0c89e3b299928215dd505467e49f13f8bbbbd3 to work around a problem where the compile phase has insufficient permissions to read keys owned by the root user.
(In reply to Mirko Guenther from comment #3)
> Created attachment 901127
> v4l2loopback.env
>
> /var/tmp/portage/media-video/v4l2loopback-0.13.1/temp/die.env

The value for MODULES_SIGN_CERT also looks suspicious to me. Please verify that the correct settings are still present in make.conf.
I had a closer look into it. I set 'MODULES_SIGN_KEY' via a config file in '/etc/portage/env'; both 3rd-party kernel module packages were not mentioned in /etc/portage/package.env.

I guess in former days the eclass used the path in the kernel config file for these packages and didn't overwrite the setting with the value determined for 'MODULES_SIGN_KEY'.

Guess we can close the report, since the error is on my side.
(In reply to Mirko Guenther from comment #7)
> Guess in former days the eclass used the path in the kernel config file for these
> packages and didn't overwrite the setting with the value determined for
> 'MODULES_SIGN_KEY'

The eclass only ever had one implementation that never changed since its introduction, so there's nothing different in the older days. But I see what happened and what sam meant now. It happened to work before because you had the right path set in the savedconfig (aka it didn't need the env var to work), but changes caused it to get overwritten *there*, which sounds undesirable. So the issue here isn't MODULES_SIGN_KEY not being respected, it just exposed a different issue.
Could ask whether we want to support MODULES_SIGN_KEY not being set and relying on savedconfig, but I'll leave this open until it's further considered esp. given it does break existing usage.
(In reply to Ionen Wolkens from comment #8)
> So the issue here isn't MODULES_SIGN_KEY not being respected, it just
> exposed a different issue.

There is nothing we can really do about this. kernel-build.eclass sets CONFIG_MODULE_SIG_KEY to a temporary file that contains the MODULES_SIGN_KEY and the MODULES_SIGN_CERT. It does so because the kernel build system expects that config switch to point to one file that contains both the private and public PEM key, whereas the way we have implemented this in portage allows users to have the MODULES_SIGN_KEY and the MODULES_SIGN_CERT in different files. Relying on the kernel's CONFIG_MODULE_SIG_KEY is therefore fundamentally unreliable (at least when using dist kernels).

We could, after compiling and installing, sed the CONFIG_MODULE_SIG_KEY in kernel-build.eclass to point to the 'real' MODULES_SIGN_KEY, but that will not help users who have the MODULES_SIGN_KEY and MODULES_SIGN_CERT in separate files. For this reason, all the documentation for sys-kernel/gentoo-kernel(-bin)[modules-sign] explicitly instructs to set MODULES_SIGN_KEY and MODULES_SIGN_CERT in make.conf and not in package.env. That is why I closed this as invalid.
Feel free to close it again if you think overwriting savedconfig (that otherwise worked it seems) is right, just didn't want it to be closed over "your configs were wrong" rather than "we don't support this"
(In reply to Andrew Nowa Ammerlaan from comment #10)
> We could, after compiling and
> installing, sed the CONFIG_MODULE_SIG_KEY in kernel-build.eclass to point to
> the 'real' MODULES_SIGN_KEY, but that will not help users who have the
> MODULES_SIGN_KEY and MODULES_SIGN_CERT in separate files.

It will also not help for gentoo-kernel-bin, as the .config will then contain the path to the key as it is in the docker image, which also will not exist on the users' systems.

(In reply to Ionen Wolkens from comment #11)
> Feel free to close it again if you think overwriting savedconfig (that
> otherwise worked it seems) is right, just didn't want it to be closed over
> "your configs were wrong" rather than "we don't support this"

It only overwrites the savedconfig value if MODULES_SIGN_KEY is set in the dist kernel environment. If MODULES_SIGN_KEY is not set, then the kernel build system generates a key and the value for CONFIG_MODULE_SIG_KEY will be "certs/signing_key.pem", which will then be an existing key that linux-mod-r1.eclass can pick up.

As I understand it, Mirko's issue is caused by MODULES_SIGN_KEY being in the package.env for sys-kernel/gentoo-kernel, but not in the package.env for media-video/v4l2loopback. We support either not setting MODULES_SIGN_{KEY,CERT} at all (and using the key the kernel generates), or setting it globally for all packages. I don't think we can realistically support setting this for the dist kernel but not for the third-party modules (though the other way around should be fine).
(In reply to Andrew Nowa Ammerlaan from comment #12)
> As I understand it, Mirko's issue is caused by MODULES_SIGN_KEY being in
> the package.env for sys-kernel/gentoo-kernel, but not in the package.env for
> media-video/v4l2loopback.

Is it? If it's *set* on gentoo-kernel, shouldn't the .config be using that path? The modules were reading from the .config. I mean:

    echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
        >> "${WORKDIR}/modules-sign-key.config"

Why is it a temporary path then? My understanding was that it's not set at all, and then it merged modules-sign-key.config with the temporary path, overwriting the current path the user set in savedconfig.
(not that this changes that setting USE=modules-sign without setting MODULES_SIGN_KEY is questionable, so..)
(In reply to Ionen Wolkens from comment #13)
> (In reply to Andrew Nowa Ammerlaan from comment #12)
> > As I understand it, Mirko's issue is caused by MODULES_SIGN_KEY being in
> > the package.env for sys-kernel/gentoo-kernel, but not in the package.env for
> > media-video/v4l2loopback.
> Is it? If it's *set* on gentoo-kernel, shouldn't the .config be using that
> path?

No, because the MODULES_SIGN_KEY may or may not contain the MODULES_SIGN_CERT. And the MODULES_SIGN_KEY may or may not be readable by the portage user. The temporary file works around both issues.

> I mean:
>     echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
>         >> "${WORKDIR}/modules-sign-key.config"

This is only executed if MODULES_SIGN_KEY points to a readable file or is a pkcs11 URI. Note that the temporary file will not exist if MODULES_SIGN_{KEY,CERT} is not set, and therefore merging the modules-sign-key.config will do nothing.

> Why is it a temporary path then?

Because src_compile is not executed as root (and you usually want your keys to be only readable by root), and because we need to concat the key and certificate into one file. See lines 617 to 639 and 134 to 163.

> My understanding was that it's not set at
> all, and then it merged modules-sign-key.config with the temporary path
> overwriting the current path the user set in savedconfig.
In hindsight, this code would have been less confusing if we hadn't re-used the MODULES_SIGN_KEY variable and re-assigned it on line 630. I might address that the next time I'm touching this eclass.
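As an added illustration (not code from the Gentoo eclasses or from anyone in this thread): a small POSIX sh model of the two steps Andrew describes, the kernel build recording a concatenated temp key in the config and the module build resolving MODULES_SIGN_KEY with a fallback to CONFIG_MODULE_SIG_KEY. Function names, file names and the placeholder key contents are my own, and the model only handles the readable-file case (no pkcs11 URI, no relative config path).

```shell
#!/bin/sh
# Added example, not Gentoo eclass code: models why a key set only for the
# kernel build leaves third-party modules with a dangling temporary path.
set -eu

# Model of kernel-build.eclass: if the key is a readable file, concatenate
# key + cert into one temp PEM (the kernel wants both in one file) and record
# THAT temp path as CONFIG_MODULE_SIG_KEY in the config that gets saved.
# The real eclass takes the values from MODULES_SIGN_KEY/MODULES_SIGN_CERT.
kernel_build_record_key() {   # $1 config  $2 key  $3 cert ("" = none)  $4 tmpdir
    config=$1 key=$2 cert=$3 tmpdir=$4
    if [ -n "$key" ] && [ -r "$key" ]; then
        cat "$key" "${cert:-/dev/null}" > "$tmpdir/kernel_key.pem"
        grep -v '^CONFIG_MODULE_SIG_KEY=' "$config" > "$config.new" || true
        printf 'CONFIG_MODULE_SIG_KEY="%s"\n' "$tmpdir/kernel_key.pem" >> "$config.new"
        mv "$config.new" "$config"
    fi
}

# Model of linux-mod-r1.eclass _modules_prepare_sign: a non-empty key setting
# wins; only if it is empty does the eclass read CONFIG_MODULE_SIG_KEY.
# Prints the resolved path; returns 1 where the eclass would die.
resolve_module_sign_key() {   # $1 config  $2 MODULES_SIGN_KEY value ("" = unset)
    config=$1 key=$2
    if [ -z "$key" ]; then
        key=$(sed -n 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "$config")
        [ -n "$key" ] || { echo "CONFIG_MODULE_SIG_KEY is not set in the kernel" >&2; return 1; }
    fi
    printf '%s\n' "$key"
    [ -e "$key" ] || { echo "private key '$key' was not found" >&2; return 1; }
}

# The sequence from the report: kernel built with the key set, portage's build
# dir cleaned, then a module built with the same key ("global") or without it
# ("kernel-only", i.e. package.env covered the kernel but not the module).
# Returns 0 when the module build would find a key, 1 when it would die.
scenario() {   # $1 = global | kernel-only
    ws=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$ws/my_kernel_key.pem"
    # savedconfig as it looked before: the user's own key path
    printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_KEY="%s"\n' "$ws/my_kernel_key.pem" > "$ws/savedconfig"
    mkdir "$ws/portage-tmp"
    kernel_build_record_key "$ws/savedconfig" "$ws/my_kernel_key.pem" "" "$ws/portage-tmp"
    rm -rf "$ws/portage-tmp"     # emerge removes the kernel's build dir after install
    modkey=""
    if [ "$1" = global ]; then modkey=$ws/my_kernel_key.pem; fi
    rc=0
    resolve_module_sign_key "$ws/savedconfig" "$modkey" >/dev/null 2>&1 || rc=$?
    rm -rf "$ws"
    return $rc
}

scenario global && echo "global MODULES_SIGN_KEY: module build finds the key"
scenario kernel-only || echo "key set only for the kernel build: fails like the report"
```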
I see, looking closer I did miss that the logic for that was behind the CONTENTS variable. Well, mismatching the variable between ebuilds is certainly more on the odd side, so I think I can safely re-close. Thanks for explaining.