kernel install hook should do nothing if keys do not exist #187

Closed
ajakk opened this issue Jan 9, 2023 · 0 comments · Fixed by #188

Comments


ajakk commented Jan 9, 2023

Hi! I have sbctl installed in various Gentoo systems, not all of which have keys generated, probably most notably containers. In these containers, kernels are built and installed as part of a normal Gentoo upgrade process with various external kernel modules. Of course, containers have no need for their own secureboot keys, but sbctl's kernel install hook tries to sign the kernels anyway, which results in the upgrade process eventually exiting in error:

dracut: *** Creating image file '/usr/src/linux-5.15.85-gentoo-dist/arch/x86/boot/initrd' ***
dracut: dracut: using auto-determined compression method 'gzip'
dracut: *** Creating initramfs image file '/usr/src/linux-5.15.85-gentoo-dist/arch/x86/boot/initrd' done ***
 [ ok ]
 * Installing the kernel via installkernel ...
couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
 [ !! ]
 * ERROR: sys-fs/zfs-kmod-2.1.7::gentoo failed (postinst phase):
 *   Installing the kernel failed
 *
 * Call stack:
 *     ebuild.sh, line  136:  Called pkg_postinst
 *   environment, line 3031:  Called dist-kernel_reinstall_initramfs '/usr/src/linux' '5.15.83-gentoo-dist-hardened'
 *   environment, line 1331:  Called dist-kernel_install_kernel '5.15.83-gentoo-dist-hardened' '/usr/src/linux/arch/x86/boot/bzImage' '/usr/src/linux/System.map'
 *   environment, line 1310:  Called die
 * The specific snippet of code:
 *       eend ${?} || die -n "Installing the kernel failed"
 *
 * If you need support, post the output of `emerge --info '=sys-fs/zfs-kmod-2.1.7::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=sys-fs/zfs-kmod-2.1.7::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/temp/environment'.
 * Working directory: '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/empty'
 * S: '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/work/zfs-kmod-2.1.7'
 * FAILED postinst: 1

Would it be possible for the hook to do nothing if the keys do not exist, maybe with a big warning that signing is not happening because the keys don't exist?
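A defensive hook of the kind this report asks for, added here as an illustration and not sbctl's own hook code: it checks for the key material before attempting to sign and, when the keys are absent, prints a loud warning and exits successfully so installkernel does not fail the package. The key directory layout (db.pem as seen in the log, db.key alongside it) and the `sbctl sign` invocation are assumptions.

```shell
#!/bin/sh
# Added example, not sbctl's hook: skip signing when no keys exist.
# Assumed key layout: $SBCTL_KEYDIR/db/db.pem and db.key; assumed
# signing command: "sbctl sign <image>".

SBCTL_KEYDIR="${SBCTL_KEYDIR:-/usr/share/secureboot/keys}"

# sbctl_keys_present DIR: succeed only if both the db certificate and
# the db private key are readable under DIR.
sbctl_keys_present() {
    keydir="$1"
    [ -r "$keydir/db/db.pem" ] && [ -r "$keydir/db/db.key" ]
}

# sign_kernel_if_keyed IMAGE: sign IMAGE when keys exist; otherwise warn
# on stderr and return 0 so the kernel install continues unsigned.
sign_kernel_if_keyed() {
    kernel="$1"
    if ! sbctl_keys_present "$SBCTL_KEYDIR"; then
        printf 'WARNING: sbctl keys not found in %s; %s will NOT be signed\n' \
            "$SBCTL_KEYDIR" "$kernel" >&2
        return 0
    fi
    sbctl sign "$kernel"
}

# Example call, as an installkernel hook would make it:
# sign_kernel_if_keyed "/boot/vmlinuz-5.15.85-gentoo-dist"
```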

ajakk added a commit to ajakk/sbctl that referenced this issue Jan 10, 2023
It's expected that signing doesn't work without having previously
generated keys, so don't try to sign when keys don't exist.

Closes: Foxboron#187
Signed-off-by: John Helmert III <ajak@gentoo.org>
ajakk added a commit to ajakk/sbctl that referenced this issue Jan 21, 2024
It's expected that signing doesn't work without having previously
generated keys, so don't try to sign when keys don't exist.

Closes: Foxboron#187
Signed-off-by: John Helmert III <ajak@gentoo.org>