From: Nicolas Schier <nsc@kernel.org>
To: mike.malyshev@gmail.com
Cc: Nathan Chancellor <nathan@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] kbuild: Use objtree for module signing key path
Date: Wed, 15 Oct 2025 21:08:35 +0200 [thread overview]
Message-ID: <aO_xM1PraLOLjD4h@levanger> (raw)
In-Reply-To: <20251015163452.3754286-1-mike.malyshev@gmail.com>
On Wed, Oct 15, 2025 at 04:34:52PM +0000, mike.malyshev@gmail.com wrote:
> From: Mikhail Malyshev <mike.malyshev@gmail.com>
>
> When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
> module signing fails because the private key path uses $(srctree)
> while the public key path uses $(objtree). Since signing keys are
> generated in the build directory during kernel compilation, both
> paths should use $(objtree) for consistency.
>
> This causes SSL errors like:
> SSL error:02001002:system library:fopen:No such file or directory
> sign-file: /kernel-src/certs/signing_key.pem
>
> The issue occurs because:
> - sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
> - cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
>
> But both keys are generated in $(objtree) during the build.
>
> This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
> external modules") which fixed the scripts path and public key path,
> but missed the private key path inconsistency.
>
> Fixes out-of-tree module signing for configurations with separate
> source and build directories (e.g., O=/kernel-out).
>
> Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
> ---
> scripts/Makefile.modinst | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks!
Tested-by: Nicolas Schier <nsc@kernel.org>
I am going to wait a few days for possible tags and other feedback.
--
Nicolas
next prev parent reply other threads:[~2025-10-15 19:22 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-15 16:34 [PATCH] kbuild: Use objtree for module signing key path mike.malyshev
2025-10-15 19:08 ` Nicolas Schier [this message]
2025-10-15 23:07 ` Nathan Chancellor
2025-10-22 21:20 ` Nicolas Schier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aO_xM1PraLOLjD4h@levanger \
--to=nsc@kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=mike.malyshev@gmail.com \
--cc=nathan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox