scripts/Makefile.modinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
From: Mikhail Malyshev <mike.malyshev@gmail.com>
When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
module signing fails because the private key path uses $(srctree)
while the public key path uses $(objtree). Since signing keys are
generated in the build directory during kernel compilation, both
paths should use $(objtree) for consistency.
This causes SSL errors like:
SSL error:02001002:system library:fopen:No such file or directory
sign-file: /kernel-src/certs/signing_key.pem
The issue occurs because:
- sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
- cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
But both keys are generated in $(objtree) during the build.
This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
external modules") which fixed the scripts path and public key path,
but missed the private key path inconsistency.
Fixes out-of-tree module signing for configurations with separate
source and build directories (e.g., O=/kernel-out).
Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
---
scripts/Makefile.modinst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 1628198f3e830..9ba45e5b32b18 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -100,7 +100,7 @@ endif
# Don't stop modules_install even if we can't sign external modules.
#
ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
-sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
+sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
else
sig-key := $(CONFIG_MODULE_SIG_KEY)
endif
--
2.43.0
On Wed, 15 Oct 2025 16:34:52 +0000, mike.malyshev@gmail.com wrote:
> When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
> module signing fails because the private key path uses $(srctree)
> while the public key path uses $(objtree). Since signing keys are
> generated in the build directory during kernel compilation, both
> paths should use $(objtree) for consistency.
>
> This causes SSL errors like:
> SSL error:02001002:system library:fopen:No such file or directory
> sign-file: /kernel-src/certs/signing_key.pem
>
> [...]
Applied to kbuild-next, thanks!
[1/1] kbuild: Use objtree for module signing key path
commit: d30ea149386168d3b1a3fb213523ca6512c07e9f
Please note that commit hashes might change in case of issues with
kbuild-next branch.
Best regards,
--
Nicolas
On Wed, Oct 15, 2025 at 04:34:52PM +0000, mike.malyshev@gmail.com wrote:
> From: Mikhail Malyshev <mike.malyshev@gmail.com>
>
> When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
> module signing fails because the private key path uses $(srctree)
> while the public key path uses $(objtree). Since signing keys are
> generated in the build directory during kernel compilation, both
> paths should use $(objtree) for consistency.
>
> This causes SSL errors like:
> SSL error:02001002:system library:fopen:No such file or directory
> sign-file: /kernel-src/certs/signing_key.pem
>
> The issue occurs because:
> - sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
> - cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
>
> But both keys are generated in $(objtree) during the build.
>
> This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
> external modules") which fixed the scripts path and public key path,
> but missed the private key path inconsistency.
>
> Fixes out-of-tree module signing for configurations with separate
> source and build directories (e.g., O=/kernel-out).
>
> Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Seems reasonable to me but I have not tested to verify.
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
> ---
> scripts/Makefile.modinst | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
> index 1628198f3e830..9ba45e5b32b18 100644
> --- a/scripts/Makefile.modinst
> +++ b/scripts/Makefile.modinst
> @@ -100,7 +100,7 @@ endif
> # Don't stop modules_install even if we can't sign external modules.
> #
> ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
> -sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
> +sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
> else
> sig-key := $(CONFIG_MODULE_SIG_KEY)
> endif
> --
> 2.43.0
>
On Wed, Oct 15, 2025 at 04:34:52PM +0000, mike.malyshev@gmail.com wrote:
> From: Mikhail Malyshev <mike.malyshev@gmail.com>
>
> When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
> module signing fails because the private key path uses $(srctree)
> while the public key path uses $(objtree). Since signing keys are
> generated in the build directory during kernel compilation, both
> paths should use $(objtree) for consistency.
>
> This causes SSL errors like:
> SSL error:02001002:system library:fopen:No such file or directory
> sign-file: /kernel-src/certs/signing_key.pem
>
> The issue occurs because:
> - sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
> - cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
>
> But both keys are generated in $(objtree) during the build.
>
> This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
> external modules") which fixed the scripts path and public key path,
> but missed the private key path inconsistency.
>
> Fixes out-of-tree module signing for configurations with separate
> source and build directories (e.g., O=/kernel-out).
>
> Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
> ---
> scripts/Makefile.modinst | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks!
Tested-by: Nicolas Schier <nsc@kernel.org>
I am going to wait a few days for possible tags and other feedback.
--
Nicolas
© 2016 - 2025 Red Hat, Inc.