Ask Your Question
0

Kernel build using mock error

asked 2016-03-10 01:25:20 -0500

seong gravatar image

Hi there. I'm building a kernel using mock. Kernel image building is ok. But the signing of the kernel image is always failed. The build log is as follows :

mkdir -p /builddir/build/BUILDROOT/kernel-4.1.6-201603081020.git470e0ce.onp.fc21.x86_64/boot

install -m 644 .config /builddir/build/BUILDROOT/kernel-4.1.6-201603081020.git470e0ce.onp.fc21.x86_64/boot/config-4.1.6-201603081020.git470e0ce.onp.fc21.x86_64

install -m 644 System.map /builddir/build/BUILDROOT/kernel-4.1.6-201603081020.git470e0ce.onp.fc21.x86_64/boot/System.map-4.1.6-201603081020.git470e0ce.onp.fc21.x86_64

dd if=/dev/zero of=/builddir/build/BUILDROOT/kernel-4.1.6-201603081020.git470e0ce.onp.fc21.x86_64/boot/initramfs-4.1.6-201603081020.git470e0ce.onp.fc21.x86_64.img 
bs=1M count=20

20+0 records in

20+0 records out

20971520 bytes (21 MB) copied, 0.00870134 s, 2.4 GB/s

'[' -f arch/x86_64/boot/zImage.stub ']'

'[' -x /usr/bin/pesign ']'

'[' x86_64 == x86_64 -o x86_64 == aarch64 ']'

'[' 0 -ge 7 -a -f /usr/bin/rpm-sign ']'

'[' -S /var/run/pesign/socket ']'

/usr/bin/pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o vmlinuz.signed -s

Could not initialize nss: The certificate/key database is in an old, unsupported format.


error: Bad exit status from /var/tmp/rpm-tmp.hSlPmH (%build)

 Bad exit status from /var/tmp/rpm-tmp.hSlPmH (%build)

My server is using Fedora21.

kernel.spec specifies 'BuildRequires' related pesign.

  • BuildRequires: pesign >= 0.10-4

How can I solve this problem ? Thanks in advance any comment.

edit retag flag offensive close merge delete

Comments

Could not initialize nss: The certificate/key database is in an old, unsupported format., maybe Fedora 21 is too old

sergiomb gravatar imagesergiomb ( 2016-03-10 08:37:00 -0500 )edit

Are you running the build as normal user? If so, you might have to add your user to /etc/pesign/users and run /usr/libexec/pesign/pesign-authorize-users as root

thomaswood gravatar imagethomaswood ( 2016-03-10 12:54:40 -0500 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2016-03-10 19:33:03 -0500

seong gravatar image

Let me summarize what I am doing for your reference and clarity.

[Purpose]
    - building kernel from kernel source  which includes the kernel.spec file.
    - This building is for the other target machine.
    - So, I have a build server which is named as buildserver.

[Tools and Environment]
 - On my buildserver, I am using mock for chroot(change root).
 - On buildserver, a building of kernel for buildserver itself is successful.
     - referencing [https://fedoraproject.org/wiki/Building_a_custom_kernel]
     - Building a kernel from both fedora source tree and source rpm is OK.
     - what I've done for this building is as follows:
           - yum install pesign-rh-test-certs
           - add username to /etc/pesign/users
           - systemctl start pesign <-- this is for below script running
           - /usr/libexec/pesign/pesign-authorize-users as root
           - systemctl stop pesign 

[Problem Description]
 - My final goal is to build a kernel for target machine which is also x86_64 architecture.
 - So I'm using 'mock' utility for building and creating of target filesystem image.
 - But when building the kernel, I got the error.(Could not initialize nss: ...)

[My Question]
1. Is there any way to disable kernel signing with pesign ? I think the signing is unnecessary if I don't use Secure Boot. I can edit kernel.spec and kernel configuration files like config.local. I've already test "editing of kernel.spec to '%global signmodules 0', which result another error. Actually I'm finding the solution like modifying kernel configuration file.

2. How can I do following in mock environment ?
           - yum install pesign-rh-test-certs
           - add username to /etc/pesign/users
           - systemctl start pesign <-- this is for below script running
           - /usr/libexec/pesign/pesign-authorize-users as root
           - systemctl stop pesign

regards seong.

edit flag offensive delete link more

Comments

Eventually, I'd like to disable kernel signing on building kernel. In my case, disabling CONFIG_MODULE_SIG option works for me. Thanks for people replying for my question. regards seong.

seong gravatar imageseong ( 2016-03-15 00:56:30 -0500 )edit
0

answered 2016-03-10 13:14:04 -0500

sergiomb gravatar image

updated 2016-03-11 07:35:43 -0500

I had wrote this http://www.serjux.com/build_kernel/bu... Looking for kernel.spec, I think, you may disable sign modules changing signmodules to 0

%global signmodules 0

Reply of 2016-03-11:

Signmodules is only need to UEFI bios boots or what whatever is his name, nss doesn't start, is expected since you won't sign kernel modules until you build your own CAcert, as is this signing code just work in Fedora hosts...

edit flag offensive delete link more

Question Tools

1 follower

Stats

Asked: 2016-03-10 01:20:21 -0500

Seen: 368 times

Last updated: Mar 11 '16