
Bug 922618

Summary: app-crypt/sbctl: fatal failure in installkernel hook if no keys are setup: couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
Product: Gentoo Linux
Reporter: Toralf Förster <toralf>
Component: Current packages
Assignee: John Helmert III <ajak>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, andrewammerlaan, mgorny, toralf
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/Foxboron/sbctl/issues/187
See Also: https://github.com/Foxboron/sbctl/pull/188
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 928332    
Bug Blocks:    
Attachments: emerge-info.txt
emerge-history.txt.xz
environment
etc.clang.tar.xz
etc.portage.tar.xz
logs.tar.xz
qlist-info.txt.xz
sys-kernel:gentoo-kernel-bin-6.6.13:20240121-112159.log.xz

Description Toralf Förster gentoo-dev 2024-01-21 13:29:21 UTC
too long lines were shrunk:

  x86_64-pc-linux-gnu-gcc  -Wl,-O1 -Wl,--as-needed -Wl,--defsym=__gentoo_check_ldflags__=0 -o scripts/mod/modpost scripts/mod/modpost.o scripts/mod/file2alias.o scripts/mod/sumversion.o   
make -f /var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/scripts/Makefile.build obj=. prepare
set -e; mkdir -p include/generated/; trap "rm -f include/generated/.tmp_timeconst.h" EXIT; { echo 300 | bc -q /var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/kernel/time/timeconst.bc; } > include/generated/.tmp_timeconst.h; if [ ! -r include/generated/timeconst.h ] || ! cmp -s in
# CC      kernel/bounds.s
  x86_64-pc-linux-gnu-gcc -Wp,-MMD,kernel/.bounds.s.d -nostdinc -I/var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/arch/x86/include -I./arch/x86/include/generated -I/var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/include -I./include -I/var/tmp/portage/sys-kerne
# CHKSHA1 /var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/include/linux/atomic/atomic-arch-fallback.h
  if ! command -v sha1sum >/dev/null; then echo "warning: cannot check the header due to sha1sum missing"; exit 0; fi; if [ "$(sed -n '$s:// ::p' /var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/include/linux/atomic/atomic-arch-fallback.h)" != "$(sed '$d' /var/tmp/portage/sys-kern
# CHKSHA1 /var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/include/linux/atomic/atomic-instrumented.h
  if ! command -v sha1sum >/dev/null; then echo "warning: cannot check the header due to sha1sum missing"; exit 0; fi; if [ "$(sed -n '$s:// ::p' /var/tmp/portage/sys-kernel/gentoo-kernel-bin-6.6.13/work/linux-6.6/include/linux/atomic/atomic-instrumented.h)" != "$(sed '$d' /var/tmp/portage/sys-kerne

  -------------------------------------------------------------------

  This is an unstable amd64 chroot image at a tinderbox (==build bot)
  name: 17.1_desktop_systemd-20240114-014506

  -------------------------------------------------------------------

gcc-config -l:
 [1] x86_64-pc-linux-gnu-10
 [2] x86_64-pc-linux-gnu-13 *
clang/llvm (if any):
clang version 17.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm/17/bin
Configuration file: /etc/clang/x86_64-pc-linux-gnu-clang.cfg
/usr/lib/llvm/17
17.0.6
Python 3.11.7
Available Rust versions:
  [1]   rust-bin-1.74.1
  [2]   rust-1.74.1 *
The following VMs are available for generation-2:
1)	Eclipse Temurin JDK 17.0.8.1_p1 [openjdk-bin-17]
*)	Eclipse Temurin JDK 21.0.1_p12 [openjdk-bin-21]
3)	Eclipse Temurin JDK 8.382_p05 [openjdk-bin-8]
Available Java Virtual Machines:
  [1]   openjdk-bin-8 
  [2]   openjdk-bin-17 
  [3]   openjdk-bin-21  system-vm

The Glorious Glasgow Haskell Compilation System, version 9.2.8
php cli (if any):
go version go1.21.6 linux/amd64

  HEAD of ::gentoo
commit d792b76d480273372ec593c8bdc0d17e5725fac2
Author: Repository mirror & CI <repomirrorci@gentoo.org>
Date:   Sun Jan 21 10:18:13 2024 +0000

    2024-01-21 10:18:13 UTC

emerge -qpvO sys-kernel/gentoo-kernel-bin
[ebuild   R   ] sys-kernel/gentoo-kernel-bin-6.6.13  USE="-generic-uki -initramfs -modules-compress -test"
Comment 1 Toralf Förster gentoo-dev 2024-01-21 13:29:21 UTC
Created attachment 882767
emerge-info.txt
Comment 2 Toralf Förster gentoo-dev 2024-01-21 13:29:23 UTC
Created attachment 882768
emerge-history.txt.xz
Comment 3 Toralf Förster gentoo-dev 2024-01-21 13:29:24 UTC
Created attachment 882769
environment
Comment 4 Toralf Förster gentoo-dev 2024-01-21 13:29:25 UTC
Created attachment 882770
etc.clang.tar.xz
Comment 5 Toralf Förster gentoo-dev 2024-01-21 13:29:26 UTC
Created attachment 882771
etc.portage.tar.xz
Comment 6 Toralf Förster gentoo-dev 2024-01-21 13:29:27 UTC
Created attachment 882772
logs.tar.xz
Comment 7 Toralf Förster gentoo-dev 2024-01-21 13:29:28 UTC
Created attachment 882773
qlist-info.txt.xz
Comment 8 Toralf Förster gentoo-dev 2024-01-21 13:29:30 UTC
Created attachment 882774
sys-kernel:gentoo-kernel-bin-6.6.13:20240121-112159.log.xz
Comment 9 Toralf Förster gentoo-dev 2024-01-21 13:30:00 UTC
likely due to the tinderbox setup - I do wonder if I shall ignore those errors or how to avoid them?
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-01-21 14:17:34 UTC
Looks like it's trying to sign something without having signing keys set up.
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-01-21 14:56:18 UTC
<+AndrewAmmerlaan> sbctl.install is installed by the sbctl package
<+AndrewAmmerlaan> I would expect it to fail if you don't setup sbctl first

CC-ing ajak@ (sbctl maintainer).

The way I see it we have two options:

1. Close as INVALID — i.e. if you install sbctl, you need to set it up.

2. Change sbctl's hook not to do anything if it ain't configured.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-21 23:37:31 UTC
> 2. Change sbctl's hook not to do anything if it ain't configured.

Indeed, there's an upstream bug/stalled PR:

https://github.com/Foxboron/sbctl/issues/187
https://github.com/Foxboron/sbctl/pull/188

In the meantime, I think it's reasonable to expect the user to generate the keys if they install sbctl. Maybe we could also remove the executable bits from the plugin, but that would break existing environments that require it.
Comment 13 Toralf Förster gentoo-dev 2024-02-06 15:42:12 UTC
same for 6.7.4 now
Comment 14 Andrew Ammerlaan gentoo-dev 2024-02-06 15:48:15 UTC
> same for 6.7.4 now

This has nothing to do with the (dist-)kernel, it will happen for every kernel version, both dist-kernel and custom built.

It's app-crypt/sbctl's plugin for sys-kernel/installkernel.
Comment 15 Larry the Git Cow gentoo-dev 2024-02-10 19:52:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eadcb62ab76f54a84f6a2bb41a8f4550c02938e

commit 6eadcb62ab76f54a84f6a2bb41a8f4550c02938e
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-02-10 19:49:50 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-10 19:51:51 +0000

    app-crypt/sbctl: patch to avoid install hook failure with no keys
    
    This patch gives us a nicer message rather than a hard failure when
    configuring a kernel with `installkernel[systemd]`:
    
      sbctl: Signing kernel /boot/3389a12916b765a75a36a1cf65c7ab53/6.6.13-gentoo-dist/linux
      Secureboot key directory doesn't exist, not signing!
    
    Bug: https://bugs.gentoo.org/922618
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 .../files/sbctl-0.13-no-installkernel-error.patch  | 27 +++++++++++++++
 app-crypt/sbctl/sbctl-0.13-r1.ebuild               | 40 ++++++++++++++++++++++
 2 files changed, 67 insertions(+)
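The behaviour discussed in Comment 11 (option 2, a hook that does nothing when sbctl is not configured) and implemented by the commit above (a notice instead of a hard failure), as an added example kernel-install plugin in POSIX sh. This is not sbctl's own plugin and not the Gentoo patch. It assumes the kernel-install plugin calling convention (COMMAND KERNEL_VERSION ENTRY_DIR KERNEL_IMAGE ...), a db key pair at <keydir>/db/db.pem and <keydir>/db/db.key under the directory named in the bug summary, and that `sbctl sign -s` is available on the host; the SBCTL_KEYDIR override and the function names are hypothetical.

```shell
#!/bin/sh
# Added example hook (not the sbctl project's own code): skip signing with a
# notice instead of failing when no Secure Boot keys have been generated yet.
#
# kernel-install invokes plugins as:
#   <plugin> COMMAND KERNEL_VERSION ENTRY_DIR KERNEL_IMAGE [INITRD...]
# SBCTL_KEYDIR is a hypothetical override; the default is the path from the bug.

SBCTL_KEYDIR="${SBCTL_KEYDIR:-/usr/share/secureboot/keys}"

# Returns 0 when a readable db signing key pair exists under "$1", 1 otherwise.
# Checking both halves avoids a later, uglier failure inside `sbctl sign`.
sbctl_keys_present() {
    keydir="$1"
    [ -d "$keydir" ] || return 1
    [ -r "$keydir/db/db.pem" ] || return 1
    [ -r "$keydir/db/db.key" ] || return 1
    return 0
}

# Hook entry point. A missing key directory is reported on stderr and treated
# as "nothing to do" (exit 0), so installkernel does not abort the kernel
# installation the way the unpatched 0.13 hook did.
sbctl_hook() {
    command="$1"; version="$2"; entrydir="$3"; image="$4"
    case "$command" in
        add) ;;
        *) return 0 ;;   # remove and other commands never need a signature
    esac

    if ! sbctl_keys_present "$SBCTL_KEYDIR"; then
        echo "sbctl: Secureboot key directory doesn't exist, not signing!" >&2
        return 0
    fi

    # With installkernel[systemd] the kernel lands at ENTRY_DIR/linux; fall
    # back to the image path kernel-install handed us otherwise.
    target="$entrydir/linux"
    [ -f "$target" ] || target="$image"

    echo "sbctl: Signing kernel $target"
    # -s (--save) records the file in sbctl's database so `sbctl sign-all`
    # re-signs it on later updates.
    sbctl sign -s "$target"
}

sbctl_hook "$@"
```

The trade-off is the one Comment 12 alludes to: silently not signing means a machine with Secure Boot enforced will be left with a kernel that does not boot, so the notice goes to stderr where it shows up in the emerge log, and anyone who wants the old hard failure can turn `return 0` into `return 1` after the notice.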
Comment 16 Larry the Git Cow gentoo-dev 2024-04-21 22:26:21 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eeaec30789bc4cffef26251adc8ac3d861a35d2b

commit eeaec30789bc4cffef26251adc8ac3d861a35d2b
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-04-21 22:13:17 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-04-21 22:26:07 +0000

    app-crypt/sbctl: drop 0.11, 0.12, 0.13
    
    Closes: https://bugs.gentoo.org/922618
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-crypt/sbctl/Manifest          |  6 ------
 app-crypt/sbctl/sbctl-0.11.ebuild | 38 --------------------------------------
 app-crypt/sbctl/sbctl-0.12.ebuild | 38 --------------------------------------
 app-crypt/sbctl/sbctl-0.13.ebuild | 38 --------------------------------------
 4 files changed, 120 deletions(-)