SSL error when dkms-install on Fedora 36 #11

Closed
Pairman opened this issue Jul 29, 2022 · 7 comments

Pairman commented Jul 29, 2022

I came back after a long period and rebuilt this again. But this time I ran into a new issue.

[pairman@fedora ithc-linux]$ sudo make dkms-install
mkdir -p /usr/src/`sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`-`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
cp -r dkms.conf Makefile src /usr/src/`sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`-`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
dkms add `sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`/`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
Creating symlink /var/lib/dkms/ithc/0.1/source -> /usr/src/ithc-0.1
dkms build `sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`/`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
Sign command: /lib/modules/5.18.11-1.surface.fc36.x86_64/build/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub
Certificate or key are missing, generating self signed certificate for MOK...

Building module:
Cleaning build area...
make -j8 KERNELRELEASE=5.18.11-1.surface.fc36.x86_64 KDIR=/lib/modules/5.18.11-1.surface.fc36.x86_64/build...
Signing module /var/lib/dkms/ithc/0.1/build/build/ithc.ko
At main.c:160:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: crypto/bio/bss_file.c:75
sign-file: /var/lib/dkms/mok.key: No such file or directory
Cleaning build area...
dkms install `sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`/`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`

ithc.ko.xz:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.18.11-1.surface.fc36.x86_64/extra/
depmod....
sync
[pairman@fedora ithc-linux]$ 

Is there any way to fix it? surface-secureboot is already installed. Idk if this causes modprobe errors.

Pairman closed this as completed Jul 31, 2022

@surli812

@Pairman did you figure out a fix?

Contributor

StollD commented Aug 17, 2022

The fix is to install openssl. The error comes from DKMS not being able to generate a certificate for automatic secureboot signing. If you don't have secureboot enabled, the error won't have any impact.

surli812 commented Aug 18, 2022

You're right, that did fix the issue. After doing dkms-uninstall, then installing openssl, then doing dkms-install, there is no SSL error. However, when I do sudo modprobe ithc, it gives me the error:

modprobe: ERROR: could not insert 'ithc': Key was rejected by service

I'm currently secure booting and can confirm that I have the keys for both Fedora and linux-surface when I do mokutil --list-enrolled. For reference, here was the output when I did dkms-install the second time:

mkdir -p /usr/src/`sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`-`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
cp -r dkms.conf Makefile src /usr/src/`sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`-`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
dkms add `sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`/`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
Creating symlink /var/lib/dkms/ithc/0.1/source -> /usr/src/ithc-0.1
dkms build `sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`/`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`
Sign command: /lib/modules/5.18.16-1.surface.fc36.x86_64/build/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub
Certificate or key are missing, generating self signed certificate for MOK...

Building module:
Cleaning build area...
make -j8 KERNELRELEASE=5.18.16-1.surface.fc36.x86_64 KDIR=/lib/modules/5.18.16-1.surface.fc36.x86_64/build...
Signing module /var/lib/dkms/ithc/0.1/build/build/ithc.ko
Cleaning build area...
dkms install `sed -n '/^PACKAGE_NAME="\(.*\)"$/s//\1/p' dkms.conf`/`sed -n '/^PACKAGE_VERSION="\(.*\)"$/s//\1/p' dkms.conf`

ithc.ko.xz:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.18.16-1.surface.fc36.x86_64/extra/
depmod....
sync

Contributor

StollD commented Aug 18, 2022

The module is automatically signed but the cert is not automatically enrolled. Run sudo mokutil --import /var/lib/dkms/mok.pub to do that.
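
The two failure states seen in this thread (module left unsigned because the certificate could not be generated; module signed but the DKMS certificate not enrolled) can be told apart from three command outputs. This is an added example, not part of the thread or the ithc-linux project; the matched `mokutil` output strings and the signer name in the demo are assumptions.

```bash
#!/bin/sh
# Added example: classify why a DKMS-built module may be refused at load.
# Inputs are the raw outputs of three commands:
#   $1  mokutil --sb-state
#   $2  modinfo -F signer <module>      (empty when the module is unsigned)
#   $3  mokutil --test-key <cert>
# The matched strings are assumptions about mokutil's wording.
diagnose() {
  case $1 in
    *"SecureBoot enabled"*) ;;
    *) echo secureboot-off; return 0 ;;  # per the thread: no impact
  esac
  [ -n "$2" ] || { echo unsigned; return 0; }  # sign-file failed at build
  case $3 in
    *"is already enrolled"*) echo ok ;;
    *) echo not-enrolled ;;              # signed, but key not trusted yet
  esac
}

# advice VERDICT CERT -> next step, taken from the fixes given in the thread
advice() {
  case $1 in
    unsigned)     echo "install openssl, then dkms-uninstall and dkms-install" ;;
    not-enrolled) echo "sudo mokutil --import $2, reboot, enroll at the MOK screen" ;;
    *)            echo "nothing to do" ;;
  esac
}

# Live check on a real system: check_module ithc /var/lib/dkms/mok.pub
check_module() {
  command -v mokutil >/dev/null 2>&1 && command -v modinfo >/dev/null 2>&1 ||
    { echo "mokutil/modinfo not available" >&2; return 2; }
  verdict=$(diagnose "$(mokutil --sb-state 2>/dev/null)" \
    "$(modinfo -F signer "$1" 2>/dev/null)" \
    "$(mokutil --test-key "$2" 2>/dev/null)")
  echo "$1: $verdict: $(advice "$verdict" "$2")"
}

# Constructed inputs modelling the "Key was rejected by service" report;
# the signer name is made up for the demo.
demo=$(diagnose "SecureBoot enabled" "DKMS module signing key" \
  "/var/lib/dkms/mok.pub is not enrolled")
echo "thread case: $demo: $(advice "$demo" /var/lib/dkms/mok.pub)"
```

Once the certificate is enrolled, any module signed with /var/lib/dkms/mok.key loads under Secure Boot, so that key file should stay readable by root only.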

Author

Pairman commented Aug 18, 2022

Installing openssl solves the ssl problem. However, I didn't know StollD's module signing method before. I signed my modules via #6 (comment)

surli812 commented Aug 22, 2022

@StollD that worked for me, thanks!! To clarify for anybody else that lands here, the full steps I did (for SP8 running Fedora 36) were:

  1. dnf install openssl
  2. git clone this ithc-linux repo
  3. in the project root, sudo make dkms-install
  4. enroll the cert: sudo mokutil --import /var/lib/dkms/mok.pub
  5. reboot, and at the MOK blue screen enroll the key using the password surface
  6. modify the file /etc/default/grub and add the line GRUB_CMDLINE_LINUX_DEFAULT="ithc.hid=1 intremap=nosid"
    (if GRUB_CMDLINE_LINUX_DEFAULT is already defined in that file, just add the hid and intremap flags to the existing declaration)
  7. update the boot config: sudo grub2-mkconfig -o /boot/grub2/grub.cfg
  8. reboot

By now, single touch should be working. But for the SP8 if we want multi-touch we need the "dft" changes in the iptsd repo (which haven't been released yet), so I followed the github actions script to build and install a new rpm:

  1. uninstall iptsd if you have it installed
  2. git clone the linux-surface/iptsd repo
  3. go into the project root folder
  4. git checkout the dft branch
  5. update repos: dnf distro-sync
  6. install build deps: dnf install rpmdevtools rpm-sign rpkg python3-setuptools 'dnf-command(builddep)'
  7. install package deps: dnf builddep *.spec
  8. make new folder for the rpm: mkdir rpm
  9. build the rpm: rpkg local --outdir $PWD/rpm
  10. install the new rpm: sudo dnf install rpm/x86_64/iptsd-0.5.1-1.fc36.x86_64.rpm
  11. reboot, and multi-touch should be working

Contributor

StollD commented Aug 22, 2022

> 4. git checkout the dft branch

The dft branch has been merged into master for some time, so that is what you should use, since further development and bugfixes will not end up in the dft branch.

You can also download built packages from github actions directly. (e.g. https://github.com/linux-surface/iptsd/actions/runs/2895236821)

ITHC is also running in HID mode by default now, so that doesn't need to be added to the kernel command line.
