SSL error in installing kernel module

[sid7954]

When I try installing the kernel module using "sudo make modules_install", i get the following SSL error. I am not sure which kernel dependencies to install to get rid of this error.

make -C /lib/modules/uname -r/build M=pwd modules_install
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-36-generic'
INSTALL /workspace/siddhant/simple-pt/simple-pt.ko
At main.c:222:
SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178
sign-file: certs/signing_key.pem: No such file or directory
INSTALL /workspace/siddhant/simple-pt/test-ftrace.ko
At main.c:222:
SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178
sign-file: certs/signing_key.pem: No such file or directory
DEPMOD 4.4.0-36-generic
make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-36-generic'

[andikleen]

Looks like certificates are missing. I don't know the package name.

…

On Tue, May 09, 2017 at 08:59:40AM -0700, sid7954 wrote: When I try installing the kernel module using "sudo make modules_install", i get the following SSL error. I am not sure which kernel dependencies to install to get rid of this error. make -C /lib/modules/uname -r/build M=pwd modules_install make[1]: Entering directory '/usr/src/linux-headers-4.4.0-36-generic' INSTALL /workspace/siddhant/simple-pt/simple-pt.ko At main.c:222: • SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175 • SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178 sign-file: certs/signing_key.pem: No such file or directory DEPMOD 4.4.0-36-generic make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-36-generic' — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.*

[bastoica]

Hi Andi,

Thanks for replying. We thought so, but couldn't figure out the right package...

We also suspect it has to do with the current kernel version. Which kernel are you using? We're on 4.4.0-36-generic .

Thanks,
-Bogdan.

[andikleen]

Try installing ca-certificates

[sid7954]

In Ubuntu 16.04.2, the kernel module needs to be validated by a public-private key pair. Another way to go about this is to disable Secure Boot from UEFI console settings. This error did not arise in previous kernel versions. More can be read from free5lot/hid-apple-patched#23 (comment)

[andikleen]

I don't think secure build will affect the build process. It may affect your ability to load the module later.

[sid7954]

Yes, secure build does not affecting the build, but the SSL errors I am getting are not fatal and the build proceeds nonetheless. Validating the kernel module helps me to load it successfully.

[bastoica]

Basically, since Ubuntu kernel 4.4.0.20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel configuration is enabled which prevents loading unsigned third party kernel modules when UEFI Secure Boot is turned on. There are 3 options to get around this (as explained in the link above):

1. Option 1 (secure): sign the module using a public/private key pair (see this reference);
2. Option 2 (less secure): disable module signature verification via sudo mokutil --disable-validation and a reboot (ignore "Failed to request" errors);
3. Option 3 (even less secure): turn off secure boot altogether

-Bogdan.

[HSYAndone]

基本上，由于Ubuntu内核4.4.0.20启用了EFI_SECURE_BOOT_SIG_ENFORCE内核配置，这可防止在打开UEFI安全启动时加载未签名的第三方内核模块。有3个选项可以解决这个问题（如上面的链接所述）：

1. 选项1（安全）：使用公钥/私钥对对模块进行签名（参见此参考）;
2. 选项2（安全性较低）：通过sudo mokutil --disable-validation重启禁用模块签名验证（忽略“请求失败”错误）;
3. 选项3（更不安全）：完全关闭安全启动

-Bogdan。

Why did I do what you said but failed?

[HSYAndone]

Basically, since Ubuntu kernel 4.4.0.20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel configuration is enabled which prevents loading unsigned third party kernel modules when UEFI Secure Boot is turned on. There are 3 options to get around this (as explained in the link above):

1. Option 1 (secure): sign the module using a public/private key pair (see this reference);
2. Option 2 (less secure): disable module signature verification via sudo mokutil --disable-validation and a reboot (ignore "Failed to request" errors);
3. Option 3 (even less secure): turn off secure boot altogether

-Bogdan.

I have turned off the secure boot but still can not 'make modules_install ' successfully

[jiqianxu]

Basically, since Ubuntu kernel 4.4.0.20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel configuration is enabled which prevents loading unsigned third party kernel modules when UEFI Secure Boot is turned on. There are 3 options to get around this (as explained in the link above):

1. Option 1 (secure): sign the module using a public/private key pair (see this reference);
2. Option 2 (less secure): disable module signature verification via sudo mokutil --disable-validation and a reboot (ignore "Failed to request" errors);
3. Option 3 (even less secure): turn off secure boot altogether

-Bogdan.

I have turned off the secure boot but still can not 'make modules_install ' successfully

hi，do you resolve this problem now？

[poseidon-j]

i have issue
Check old driver and unload it.
rmmod r8168
Build the module and install
At main.c:160:

• SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:69
• SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:76
  sign-file: certs/signing_key.pem: No such file or directory
  Warning: modules_install: missing 'System.map' file. Skipping depmod.
  DEPMOD 5.4.0-37-generic
  load module r8168
  Updating initramfs. Please wait.
  update-initramfs: Generating /boot/initrd.img-5.4.0-37-generic
  Completed.

[moose09876]

@poseidon-j - I'm seeing the same error. Did you get this resolved? Guessing you're trying to install the 8152 driver?

[strugglehonor]

@poseidon-j @moose09876 I have the same error,too. Anything updated?

[alexpop]

You are missing a signing key to sign the module: sign-file: certs/signing_key.pem: No such file or directory

Create the key like this:

cd /lib/modules/$(uname -r)/build/certs

sudo tee x509.genkey > /dev/null << 'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

sudo openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

[sunshinerxu]

You are missing a signing key to sign the module: sign-file: certs/signing_key.pem: No such file or directory

Create the key like this:

cd /lib/modules/$(uname -r)/build/certs

sudo tee x509.genkey > /dev/null << 'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

sudo openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

Solved by this mean.

[li-kiao]

Solved by this mean.
thanks,I sloved it by this mean in openEuler22.03LTS.