Ubuntu 16.04, make install leads to ssl error

Question

Ubuntu 16.04, make install leads to ssl error

hickeroar opened this issue 8 years ago · comments

root@geekbook:/home/ryan/Development/hid-apple-patched# export LINUX_HEADER_DIR=/usr/src/linux-headers-4.4.0-22-generic/

root@geekbook:/home/ryan/Development/hid-apple-patched# make
make -C /usr/src/linux-headers-4.4.0-22-generic/ M=/home/ryan/Development/hid-apple-patched modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-22-generic'
  Building modules, stage 2.
  MODPOST 1 modules
make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-22-generic'

root@geekbook:/home/ryan/Development/hid-apple-patched# make install
make -C /usr/src/linux-headers-4.4.0-22-generic/ M=/home/ryan/Development/hid-apple-patched modules_install
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-22-generic'
  INSTALL /home/ryan/Development/hid-apple-patched/hid-apple.ko
At main.c:222:
- SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178
sign-file: certs/signing_key.pem: No such file or directory
  DEPMOD  4.4.0-22-generic
make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-22-generic'

root@geekbook:/home/ryan/Development/hid-apple-patched#

Anything obviously wrong with what I'm doing here?

Jan Meznik · Answer 1 · Tue May 10 2016 15:19:07 GMT+0800 (China Standard Time)

The new Ubuntu version uses the Linux signed kernel modules. When you compile a module, it will thus sign it with your keypair.

Maybe this can be turned off, but maybe you can just create a keypair and try again?
ssh-keygen -t rsa

Zakhar Semenov · Answer 2 · Wed May 11 2016 19:04:11 GMT+0800 (China Standard Time)

I'm new to this signed thing, so if someone practically resolve this issue, please make a post or PR for it. Thank you.

Ryan Vennell · Answer 3 · Wed May 11 2016 20:12:57 GMT+0800 (China Standard Time)

I already have ssh keys generated. This seems to be looking for a signing certificate, and not a ssh key pair. I've attempted to generate a certificate, but I seem to be doing something wrong. The certificate is generated and "should" be working, but it doesn't seem to have any effect. I'm probably screwing something up.

Aleksandr Dubinsky · Answer 4 · Tue May 17 2016 00:41:12 GMT+0800 (China Standard Time)

I installed on Ubuntu 16.04 using dkms (see here: #18) without problems.

Zakhar Semenov · Answer 5 · Tue May 17 2016 00:48:04 GMT+0800 (China Standard Time)

@hickeroar did dkms approach work for you?

Aleksandr Dubinsky · Answer 6 · Tue May 24 2016 11:04:31 GMT+0800 (China Standard Time)

I found out a couple things:

MacBooks don't support secureboot (AFAIK), and module signing is a non-issue except, I guess, for PC users of the apple keyboard. This is why my MBP wasn't affected on Ubuntu. (It's possible another distribution might demand module signing even without secure boot enabled.)
Signing your own modules is a pain. See: http://askubuntu.com/a/773852/463546 and: http://us.download.nvidia.com/XFree86/Linux-x86/361.42/README/installdriver.html#modulesigning
Signing modules has to be a pain, because the whole point of it is so that a remote attacker who's rooted your machine can't install a malicious kernel module. Therefore, the process involves things like rebooting the machine and typing passwords into the bootloader. I don't actually know what an attacker is able to do in kernel mode that he can't already do as root in Linux, so this whole module signing thing may be a waste of time for most users. (On Windows, anti-virus programs live in kernel space and can protect themselves from rogue superusers, but not from other kernel modules. Perhaps the same is sometimes true on Linux?)

There are 3 quick solutions:

The secure method: Generate temporary keys to sign the module, import the public key with mokutil (which requires confirming the action during a reboot to prove that the user has physical control over the machine), and delete the private key when you're done.
The (slightly) insecure method 1: Disable secure boot
The (slightly) less insecure method 2: Disable module signature verification with sudo mokutil --disable-validation and a reboot (ignore the "Failed to request" error).

And 2 longer-term solutions:

Create a DKMS script that automates solution 1.
Somehow get this module into Ubuntu repos and have Canonical sign it.
Find Linus in an alleyway and beat him until he concedes that the process for including patches in the kernel is deeply flawed and doesn't scale.

Zakhar Semenov · Answer 7 · Wed Jun 01 2016 20:35:36 GMT+0800 (China Standard Time)

Thank you @almson, useful overview of solutions. Considering the alleyway, who has any experience of pushing patches to upstream in cases when the accountable maintainer doesn't response for patch offered?

Samir Alajmovic · Answer 8 · Wed Jun 22 2016 04:40:17 GMT+0800 (China Standard Time)

Like to add that installation via .sh worked for me and the dkms solution didn't. I'm running Ubuntu 16.04.

$ uname -a

Linux mac-name 4.4.0-24-generic #43-Ubuntu SMP Wed Jun 8 19:27:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Zakhar Semenov · Answer 9 · Wed Jun 22 2016 13:35:31 GMT+0800 (China Standard Time)

Interesting, so both ways work and don't work in some cases.

Samir Alajmovic · Answer 10 · Wed Jun 22 2016 13:57:07 GMT+0800 (China Standard Time)

I did attempt the dkms solution at first so might been a mix or something? When it was running in the console, I saw the .sh solution added 2 rows to hid-apple.conf file, does dkms work the same?

Zakhar Semenov · Answer 11 · Wed Jun 22 2016 15:12:03 GMT+0800 (China Standard Time)

@samiralajmovic no, dkms does not, you should add it manually according to your desires. That's probably why you didn't succeed with dkms-way installation.

adityaputatunda · Answer 12 · Mon Mar 13 2017 14:55:52 GMT+0800 (China Standard Time)

Hello @JanmanX
I tried to save a new key. But I don't know how to proceed with my issue. Please look here. https://github.com/patjak/bcwc_pcie/issues/70 comment. Can you please help me with the issue?

Zakhar Semenov · Answer 13 · Sun Jun 11 2017 21:28:47 GMT+0800 (China Standard Time)

DKMS installation way is considered as recommended now in Ubuntu, this this issue is not relevant anymore. I'm closing it, but free to add anything if you want.

ChristianEspinoza · Answer 14 · Wed Apr 25 2018 17:51:33 GMT+0800 (China Standard Time)

Maybe would be good to refer that DKMS is the prefered way for Ubuntu in the documentation.

Zakhar Semenov · Answer 15 · Sun May 13 2018 18:15:19 GMT+0800 (China Standard Time)

@chespinoza, installation via DKMS is already marked as recommended way in README.md, what documentation do you mean?

Eugene Pakhomov · Answer 16 · Wed Mar 20 2019 16:17:33 GMT+0800 (China Standard Time)

@free5lot So is the signing supposed to be not required if I install the module via DKMS? Because I did just that (although I've changed some code) and none of the swaps work and dmesg gives me PKCS#7 signature not signed with a trusted key.

Eugene Pakhomov · Answer 17 · Wed Mar 20 2019 16:48:03 GMT+0800 (China Standard Time)

Please excuse the noise - Secure Boot is disabled on my system, and yet I see that error. Must be something wrong with my particular setup, but I have no idea what.

♡քօֆɛɨɖօռ⇝ ♡ · Answer 18 · Sun Jun 14 2020 22:26:09 GMT+0800 (China Standard Time)

ssl error

Check old driver and unload it.
rmmod r8168
Build the module and install
At main.c:160:

SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:69
SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:76
sign-file: certs/signing_key.pem: No such file or directory
Warning: modules_install: missing 'System.map' file. Skipping depmod.
DEPMOD 5.4.0-37-generic
load module r8168
Updating initramfs. Please wait.
update-initramfs: Generating /boot/initrd.img-5.4.0-37-generic
Completed.