Attempting to compile kernel yields a certification error

Question

I'm currently attempting to follow Hardening Debian for the Desktop Using Grsecurity guide in order to install the 4.5.7 kernel with Grsecurity on my Kali Linux desktop.

I am following that list of instructions verbatim, except for the fact that I'm trying to use Grsecurity's test patch for the 4.5.7 kernel and I'm running Kali Linux instead of straight Debian.

Every time I attempt to compile the kernel, however, I get this error following the line "CC certs/system_keyring.o":

  CC      certs/system_keyring.o
make[2]: *** No rule to make target 'debian/certs/[email protected]', needed by 'certs/x509_certificate_list'.  Stop.
Makefile:951: recipe for target 'certs' failed
make[1]: *** [certs] Error 2
make[1]: Leaving directory '/home/jc/Downloads/linux-4.5.7'
debian/ruleset/targets/common.mk:295: recipe for target 'debian/stamp/build/kernel' failed
make: *** [debian/stamp/build/kernel] Error 2

I get this error, as I found out, for any kernel even if I apply no patches or modifications, so it has something to do with the tools I'm using to compile the kernel (apparently a system keychain of some sort). Can someone out there tell me how to fix my OS and compile my kernel?

P.S. Here is the output of cat /proc/version:

Linux version 4.6.0-kali1-amd64 ([email protected]) (gcc version 5.4.0 20160609 (Debian 5.4.0-4) ) #1 SMP Debian 4.6.2-2kali2 (2016-06-28)

Try commenting out the CONFIG_SYSTEM_TRUSTED_KEYS line from your .config ? — steve, Jul 03 '16 at 20:41
I am confused you say “except for the fact that I'm trying to use Grsecurity's test patch“, and you say “even if I apply no patches". I can not work you what problem you are describing. **Do you get the problem when following the instructions 100%, of is it only when applying the patch?** — ctrl-alt-delor, Jul 03 '16 at 20:56
Sorry for the confusion - I get the problem when compiling any kernel in any fashion. I am attempting to compile the kernel the same way as micah lee except for a few differences; but the problem exists whether or I not I try to include grsecurity. — John Doe, Jul 03 '16 at 20:59
@Steve, will that affect my final build? I'd rather fix the real problem with my current setup than attempt to remove any essential keys from my new kernel. — John Doe, Jul 03 '16 at 21:04

score 58 · Answer 1 · edited Jul 06 '16 at 01:59

58

I ran into this several years ago on a Debian build. In the .config file you copied from /boot find and comment out the lines CONFIG_SYSTEM_TRUSTED_KEY and CONFIG_MODULE_SIG_KEY.

During the build you can use your own cert or just use a random one time cert.

Found the above in this thread.

edited Jul 06 '16 at 01:59

slm

363,520
117
767
871

answered Jul 05 '16 at 21:40

agora

581
3
2

8

For me (4.8) it was CONFIG_SYSTEM_TRUSTED_KEYS – Pierre Jan 15 '17 at 11:31
8

Oneliner for a 4.19 config - `sed -ri '/CONFIG_SYSTEM_TRUSTED_KEYS/s/=.+/=""/g' .config` – Adam Baxter Mar 04 '19 at 06:50
3

For me (5.13) I also had to `CONFIG_SYSTEM_REVOCATION_KEYS=""` – vmemmap Dec 31 '21 at 12:05
Just to clarify further, what worked for me was commenting out all the three parameters mentioned within the reply and the comments and hit Enter to all the prompts – Phoenix87 Jan 10 '22 at 14:21

score 18 · Answer 2 · edited Apr 27 '21 at 14:51

18

You can change your config file .config

CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"

to

CONFIG_SYSTEM_TRUSTED_KEYS=""

edited Apr 27 '21 at 14:51

Archemar

31,183
18
69
104

answered Apr 26 '21 at 09:34

BitManipulator

181
1
2

This worked for me and super easy – clearlight Aug 20 '21 at 04:31
This is the correct (https://unix.stackexchange.com/questions/293642/attempting-to-compile-kernel-yields-a-certification-error) for my when compile a Kernel from (https://www.cyberciti.biz/tips/compiling-linux-kernel-26.html) – Indacochea Wachín Sep 13 '21 at 02:20
It can be scripted: `scripts/config -s CONFIG_MODULE_SIG_KEY ''` – pevik Oct 24 '22 at 15:15
This answer is the official, correct way https://wiki.debian.org/BuildADebianKernelPackage – Mads Y Feb 07 '23 at 09:15

score 8 · Answer 3 · edited May 20 '21 at 10:23

8

In the folder where the kernel source is, create a debian folder. Create a certs folder in it.
Create a file named debian-uefi-certs.pem with this content.

edited May 20 '21 at 10:23

tambre

105
4

answered May 20 '20 at 09:41

Stanislav Panayotov

89
1
1

By "create" do you mean "touch debian-uefi-certs.pem", or do you need to make a file with content? Any specific content? – llywrch May 20 '20 at 20:02
yep - touch debian-uefi-certs.pem – Stanislav Panayotov May 21 '20 at 13:27
4

This sounds potentially dangerous. – Infiltrator Mar 20 '21 at 11:51
4

Why should they use that particular contents for the file? The link does not seem to end up on an officially endorsed Debian site. – Kusalananda Mar 21 '21 at 17:47
@Kusalananda The updated site now does. – Trect Aug 08 '21 at 15:45

score 5 · Answer 4 · answered May 13 '21 at 07:00

5

Ran into this, install the source package through the package manager and move the debian and debian.master folders into the linux source where the makefile is located

$ sudo apt search linux-source
# don't worry about it not saying 'generic'

$ sudo apt install linux-source-<version>
$ cd /usr/src/linux-source-<version>
$ sudo tar xf linux-source-<version>.tar.gz
$ sudo mv debian linux-source-<version>/debian
$ sudo mv debian.master linux-source-<version>/debian.master

answered May 13 '21 at 07:00

Tyler Curtis Jowers

51
1
2

I did not need to extract an archive, and could just run `cp -r /usr/src/linux-source-5.19.0/debian.master .` and `cp -r /usr/src/linux-source-5.19.0/debian .` – Derkades Jan 18 '23 at 23:11

score 0 · Answer 5 · answered Oct 07 '21 at 02:02

0

For me, Centos 8, compile 4.19 kernel source. I disable these:

# CONFIG_TRUSTED_KEY
# CONFIG_SYSTEM_TRUSTED_KEYRING
# CONFIG_SYSTEM_TRUSTED_KEYS=""

Then I make. It will show some create new cert notice. Then you can continue compile.

answered Oct 07 '21 at 02:02

VictorV

101
1

Attempting to compile kernel yields a certification error

5 Answers5

Linked

Related