[Bug 1194943] New: cert related kernel build breakages in 5.17 merge window

newer
[Bug 1195353] include 9p in...

older
[Bug 1198878] New: Realtek...

bugzilla_noreply＠suse.com

20 Jan 2022 20 Jan '22

10:18

https://bugzilla.suse.com/show_bug.cgi?id=1194943 Bug ID: 1194943 Summary: cert related kernel build breakages in 5.17 merge window Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: mkubecek@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- The upcoming 5.17-rc1 breaks build in two different ways: 1. When building locally with "osc build" (i.e. signing key is not provided), the build fails with error like

...

certs/extract-cert certs/signing_key.x509 Usage: extract-cert <source> <dest> make[2]: *** [/home/mike/work/git/kernel-upstream/certs/Makefile:78: certs/signing_key.x509] Error 2 make[1]: *** [/home/mike/work/git/kernel-upstream/Makefile:1831: certs] Error 2 make[1]: Leaving directory '/srv/ram/kobj' make: *** [Makefile:219: __sub-make] Error 2

After mainline commit b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"), make executes extract-cert with only one argument due to an unquoted empty string. (Easier way to reproduce this is to run sequence-patch.sh, change CONFIG_MODULE_SIG_KEY to an empty string like our kernel-*.spec do and run "make all" or "make certs"). As the trick with empty CONFIG_MODULE_SIG_KEY (used since bug 1187167) is recommended by (upstream) Documentation/kbuild/reproducible-builds.rst, I also reported this to upstream in https://lore.kernel.org/all/20220120094606.2skuyb26yjlnu66q@lion.mk-sys.cz/ 2. When building in OBS, builds after mainline commit e06a61a89ccd ("certs: use if_changed to re-generate the key when the key type is changed") fail in a different way:

...

[ 42s] make[1]: *** Deleting file 'certs/signing_key.pem' [ 42s] GENKEY certs/signing_key.pem [ 42s] Generating a RSA private key [ 42s] ..........................................................+++++ [ 42s] ..................+++++ [ 42s] writing new private key to 'certs/signing_key.pem' [ 42s] ----- [ 42s] unable to find 'distinguished_name' in config [ 42s] problems making Certificate Request [ 42s] 140680883695552:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:273:group=req name=distinguished_name [ 42s] make[1]: *** [../certs/Makefile:57: certs/signing_key.pem] Error 1 [ 42s] make: *** [../Makefile:1845: certs] Error 2 [ 42s] make: *** Waiting for unfinished jobs....

IIUC the problem here is that after rewriting the rule for signing_key.pem to if_changed based version, the rule is always invoked first time as there is no "previous command line" so that the trick introduced in kernel-source commit 6eb6cd2106c2 for bug 983634 (providing our key/certificate under default name and touching certs/x509.genkey to prevent regenerating it no longer works. (The empty certs/x509.genkey is empty created by touch is not valid for openssl.) This can be observed in home:mkubecek:rc0 OBS project at the moment. It can be also reproduced locally with "osc build" by adding a key/certificate file as _projectcert.crt to the directory generated by tar-up.sh (e.g a randomly generated one from a simple "make all" build of expanded tree). I'm not sure if I understand the reason why we do this correctly. Does it still make sense to enforce using the default key/certificate file path when a key/certificate is supplied if we replace CONFIG_MODULE_SIG_KEY with empty string for builds where a key/certificate is not supplied? -- You are receiving this mail because: You are the assignee for the bug.

Attachments:

attachment.htm (text/html — 5.8 KB)

Show replies by date

bugzilla_noreply＠suse.com

20 Jan 20 Jan

10:22

New subject: [Bug 1194943] cert related kernel build breakages in 5.17 merge window

https://bugzilla.suse.com/show_bug.cgi?id=1194943 https://bugzilla.suse.com/show_bug.cgi?id=1194943#c1 Michal Kube��ek changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jlee@suse.com, | |msuchanek@suse.com, | |tiwai@suse.com --- Comment #1 from Michal Kube��ek --- Adding people involved in related bugs 1187167 and 983634 to Cc. -- You are receiving this mail because: You are the assignee for the bug.

bugzilla_noreply＠suse.com

19:17

New subject: [Bug 1194943] cert related kernel build breakages in 5.17 merge window

https://bugzilla.suse.com/show_bug.cgi?id=1194943 https://bugzilla.suse.com/show_bug.cgi?id=1194943#c2 --- Comment #2 from Michal Suchanek --- Thanks for the analysis. Commit 68b36f0c70b30a1a88a68a9367acac72accb2861 in packaging changes to using non-default patch for the certificate. The code for adding the certificate is ancient so it may be trying to workaround some problem with Linux before 3.0. It seems to work for 4.12 and 5.3 - no dots from generating key appear in build log. -- You are receiving this mail because: You are the assignee for the bug.

bugzilla_noreply＠suse.com

19:38

New subject: [Bug 1194943] cert related kernel build breakages in 5.17 merge window

https://bugzilla.suse.com/show_bug.cgi?id=1194943 https://bugzilla.suse.com/show_bug.cgi?id=1194943#c3 Michal Kube��ek changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #3 from Michal Kube��ek --- (In reply to Michal Suchanek from comment #2)

...

Thanks for the analysis.

Commit 68b36f0c70b30a1a88a68a9367acac72accb2861 in packaging changes to using non-default patch for the certificate. The code for adding the certificate is ancient so it may be trying to workaround some problem with Linux before 3.0.

It seems to work for 4.12 and 5.3 - no dots from generating key appear in build log.

It also works with current mainline (mainline commit 2c271fe77d52) in home:mkubecek:rc0 OBS project. As for issue 1, it should be addressed by this patch: http://lore.kernel.org/all/20220120192205.525103-2-masahiroy@kernel.org I'm going to test it later today. -- You are receiving this mail because: You are the assignee for the bug.

bugzilla_noreply＠suse.com

30 Mar 30 Mar