[PATCH AUTOSEL 6.18-6.1] kbuild: Use objtree for module signing key path

[Sasha Levin <sashal@kernel.org>]

From: Mikhail Malyshev <mike.malyshev@gmail.com>

[ Upstream commit af61da281f52aba0c5b090bafb3a31c5739850ff ]

When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
module signing fails because the private key path uses $(srctree)
while the public key path uses $(objtree). Since signing keys are
generated in the build directory during kernel compilation, both
paths should use $(objtree) for consistency.

This causes SSL errors like:
  SSL error:02001002:system library:fopen:No such file or directory
  sign-file: /kernel-src/certs/signing_key.pem

The issue occurs because:
- sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
- cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)

But both keys are generated in $(objtree) during the build.

This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
external modules") which fixed the scripts path and public key path,
but missed the private key path inconsistency.

Fixes out-of-tree module signing for configurations with separate
source and build directories (e.g., O=/kernel-out).

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251015163452.3754286-1-mike.malyshev@gmail.com
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Now I have the complete picture. All stable trees that contain commit
13b25489b6f8 (v6.13+) have the incomplete fix and need this patch. Let
me finalize my analysis:

## Complete Analysis

### 1. COMMIT MESSAGE ANALYSIS

The commit message is clear and well-documented:
- **Subject**: "kbuild: Use objtree for module signing key path" -
  clearly states what it does
- **Body**: Explains the problem with detailed error messages and root
  cause analysis
- **References**: Explicitly mentions commit 25ff08aa43e37 as the
  incomplete fix it complements
- **No Cc: stable@vger.kernel.org tag** - the maintainer did not
  explicitly request stable backport
- **No Fixes: tag** - However, logically this fixes the same issue as
  25ff08aa43e37, which has `Fixes: 13b25489b6f8`
- **Has Reviewed-by and Tested-by tags** from Nicolas Schier and Nathan
  Chancellor

### 2. CODE CHANGE ANALYSIS

The change is a **single character change** (literally changing one
word):

```makefile
# Before:
sig-key := $(if $(wildcard
$(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)

# After:
sig-key := $(if $(wildcard
$(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
```

**Technical mechanism of the bug:**
1. When building out-of-tree modules with `CONFIG_MODULE_SIG_FORCE=y`
   and separate source/build directories (e.g., `O=/kernel-out`):
   - `$(srctree)` points to the source tree (e.g., `/kernel-src`)
   - `$(objtree)` points to the build tree (e.g., `/kernel-out`)

2. Module signing keys are **generated during kernel compilation** and
   stored in `$(objtree)/certs/`:
   - Private key: `$(objtree)/certs/signing_key.pem`
   - Public key: `$(objtree)/certs/signing_key.x509`

3. After commit 25ff08aa43e37, `cmd_sign` correctly uses
   `$(objtree)/certs/signing_key.x509` for the public key, but `sig-key`
   still uses `$(srctree)/certs/signing_key.pem` for the private key.

4. This creates an **inconsistency**: The `sign-file` tool is called
   with:
   - Private key: `/kernel-src/certs/signing_key.pem` (WRONG - file
     doesn't exist there)
   - Public key: `/kernel-out/certs/signing_key.x509` (CORRECT)

5. Result: `fopen()` fails with "No such file or directory" when trying
   to open the private key.

**Why the fix is correct:**
- Both signing keys are generated in `$(objtree)`, so both paths should
  reference `$(objtree)`
- The fix is logically consistent with what commit 25ff08aa43e37 did for
  the other paths
- The conditional `$(if $(wildcard
  $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)` only adds the prefix if the
  key path is not absolute, which is correct behavior

### 3. CLASSIFICATION

- **Type**: Bug fix (not a feature)
- **Category**: Build system fix
- **Severity**: Causes complete failure of out-of-tree module signing
  with CONFIG_MODULE_SIG_FORCE=y
- **Security relevance**: Low (doesn't fix a security vulnerability per
  se, but affects security feature - module signing)
- **Exception category**: Build fix - these are explicitly allowed in
  stable

### 4. SCOPE AND RISK ASSESSMENT

- **Lines changed**: 1 line (trivial)
- **Files touched**: 1 file (`scripts/Makefile.modinst`)
- **Complexity**: Extremely simple - just changing `srctree` to
  `objtree`
- **Subsystem**: kbuild (build system)
- **Risk level**: **VERY LOW**
  - Only affects out-of-tree module signing with separate source/build
    directories
  - Only affects configurations with `CONFIG_MODULE_SIG_FORCE=y` or
    `CONFIG_MODULE_SIG_ALL=y`
  - The change is logically correct and consistent with the rest of the
    code
  - Cannot break anything that was working before

### 5. USER IMPACT

- **Who is affected**:
  - Users building out-of-tree modules (e.g., NVIDIA drivers,
    VirtualBox, ZFS)
  - With separate source and build directories (`O=/path/to/build`)
  - With module signature enforcement enabled
- **Severity**: HIGH for affected users - module signing completely
  fails
- **User reports**: The commit message shows this was reported as a real
  user problem with specific error messages
- **Prevalence**: Common scenario for distribution builders and
  enterprise environments

### 6. STABILITY INDICATORS

- **Tested-by: Nicolas Schier** - the kbuild maintainer tested it
- **Reviewed-by: Nathan Chancellor** - well-known kernel developer
  reviewed it
- **Link to patch discussion**: Shows proper review process
- **Age in mainline**: This appears to be a recent commit (October 2025
  in the patch date)

### 7. DEPENDENCY CHECK

**Critical finding**: This commit has a dependency:
- It requires commit **25ff08aa43e37** ("kbuild: Fix signing issue for
  external modules") to be present first
- 25ff08aa43e37 requires commit **13b25489b6f8** ("kbuild: change
  working directory to external module directory with M=")

**Affected stable versions**:
- v6.13.x: Has 13b25489b6f8 (the bug) and backported 25ff08aa43e37
  (partial fix) → **NEEDS this patch**
- v6.14.x: Has both 13b25489b6f8 and 25ff08aa43e37 → **NEEDS this
  patch**
- v6.15.x: Has both → **NEEDS this patch**
- v6.16.x: Has both → **NEEDS this patch**
- v6.17.x: Has both → **NEEDS this patch**
- v6.6.x and older: Does NOT have 13b25489b6f8 → **Does NOT need this
  patch** (and would break if applied)

**Backport note**: This commit should ONLY be backported to stable trees
that already have:
1. Commit 13b25489b6f8 (the original behavior change)
2. Commit 25ff08aa43e37 (the partial fix)

This means v6.13+ stable trees only.

### SUMMARY

This commit is an **excellent candidate for stable backport** to kernel
versions v6.13+:

**Positive factors:**
1. ✅ Fixes a real bug that causes complete failure of module signing
2. ✅ Extremely small change (1 line, 1 word)
3. ✅ Zero risk of regression (only fixes broken behavior)
4. ✅ Properly reviewed and tested by kbuild maintainers
5. ✅ Complements an existing fix that was already backported to stable
6. ✅ Build fix category - explicitly allowed in stable rules
7. ✅ Clear, well-documented commit message
8. ✅ Affects users who follow best practices (separate build directory)

**Concerns:**
1. ⚠️ No explicit `Cc: stable@vger.kernel.org` tag (but the first fix
   also didn't have one and was still backported)
2. ⚠️ No explicit `Fixes:` tag (but logically fixes the same issue as
   25ff08aa43e37)
3. ⚠️ Must only be applied to v6.13+ stable trees (where 13b25489b6f8
   exists)

The commit passes all stable kernel criteria: it's obviously correct,
fixes a real user-visible bug, is small and surgical, has no new
features, and has been tested. The incomplete fix in stable trees is
currently causing module signing to fail for users with separate
source/build directories.

**YES**

 scripts/Makefile.modinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 1628198f3e830..9ba45e5b32b18 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -100,7 +100,7 @@ endif
 # Don't stop modules_install even if we can't sign external modules.
 #
 ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
-sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
+sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
 else
 sig-key := $(CONFIG_MODULE_SIG_KEY)
 endif
-- 
2.51.0