Hi! I have sbctl installed in various Gentoo systems, not all of which have keys generated, probably most notably containers. In these containers, kernels are built and installed as part of a normal Gentoo upgrade process with various external kernel modules. Of course, containers have no need for their own secureboot keys, but sbctl's kernel install hook tries to sign the kernels anyway, which results in the upgrade process eventually exiting in error:
dracut: *** Creating image file '/usr/src/linux-5.15.85-gentoo-dist/arch/x86/boot/initrd' ***
dracut: dracut: using auto-determined compression method 'gzip'
dracut: *** Creating initramfs image file '/usr/src/linux-5.15.85-gentoo-dist/arch/x86/boot/initrd' done ***
[ ok ]
* Installing the kernel via installkernel ...
couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
[ !! ]
* ERROR: sys-fs/zfs-kmod-2.1.7::gentoo failed (postinst phase):
* Installing the kernel failed
*
* Call stack:
* ebuild.sh, line 136: Called pkg_postinst
* environment, line 3031: Called dist-kernel_reinstall_initramfs '/usr/src/linux' '5.15.83-gentoo-dist-hardened'
* environment, line 1331: Called dist-kernel_install_kernel '5.15.83-gentoo-dist-hardened' '/usr/src/linux/arch/x86/boot/bzImage' '/usr/src/linux/System.map'
* environment, line 1310: Called die
* The specific snippet of code:
* eend ${?} || die -n "Installing the kernel failed"
*
* If you need support, post the output of `emerge --info '=sys-fs/zfs-kmod-2.1.7::gentoo'`,
* the complete build log and the output of `emerge -pqv '=sys-fs/zfs-kmod-2.1.7::gentoo'`.
* The complete build log is located at '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/temp/environment'.
* Working directory: '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/empty'
* S: '/var/tmp/portage/sys-fs/zfs-kmod-2.1.7/work/zfs-kmod-2.1.7'
* FAILED postinst: 1
Would it be possible for the hook to do nothing if the keys do not exist, maybe with a big warning that signing is not happening because the keys don't exist?
ajakk added a commit to ajakk/sbctl that referenced this issue Jan 10, 2023
It's expected that signing doesn't work without having previously
generated keys, so don't try to sign when keys don't exist.
Closes: Foxboron#187
Signed-off-by: John Helmert III <ajak@gentoo.org>
ajakk added a commit to ajakk/sbctl that referenced this issue Jan 21, 2024
It's expected that signing doesn't work without having previously
generated keys, so don't try to sign when keys don't exist.
Closes: Foxboron#187
Signed-off-by: John Helmert III <ajak@gentoo.org>
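One way a kernel install hook could implement the behaviour requested in this issue, as an added example that is not sbctl's own hook and not the code from the referenced commits. The `db.key` file name, the `KEYDIR` and `SIGN_CMD` variables, the function names, and the choice to fail when only half of the key pair is present are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not sbctl's hook. KEYDIR defaults to the directory seen
# in the error message of the report; db.key as the private-key file name and
# the SIGN_CMD override are assumptions.
KEYDIR="${KEYDIR:-/usr/share/secureboot/keys}"

# signing_state: prints "ready", "absent" or "partial" for the db signing pair.
signing_state() {
    cert="$KEYDIR/db/db.pem"
    key="$KEYDIR/db/db.key"
    if [ -r "$cert" ] && [ -r "$key" ]; then
        echo ready
    elif [ ! -e "$cert" ] && [ ! -e "$key" ]; then
        echo absent
    else
        echo partial
    fi
}

# maybe_sign IMAGE: returns 0 when the image was signed or when signing was
# skipped because no keys were ever generated (container case); returns
# non-zero when signing fails or the key material is in a broken state.
maybe_sign() {
    image="$1"
    case "$(signing_state)" in
        ready)
            # Status of the signing command becomes the hook's status.
            "${SIGN_CMD:-sbctl}" sign "$image"
            ;;
        absent)
            echo "WARNING: no Secure Boot keys in $KEYDIR; $image is NOT signed" >&2
            return 0
            ;;
        partial)
            # A half-present or unreadable pair is not "no keys": fail loudly
            # so a host that should sign does not install an unsigned kernel.
            echo "ERROR: incomplete or unreadable key pair in $KEYDIR/db" >&2
            return 1
            ;;
    esac
}
```

Only the fully absent case is treated as a deliberate skip, so a machine whose keys were partially deleted or had their permissions changed still stops the install instead of quietly producing an unsigned kernel.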