
Compiling kernel gives error: No rule to make target 'debian/certs/debian-uefi-certs.pem'

I am following this tutorial: https://www.cyberciti.biz/tips/compiling-linux-kernel-26.html

    CC      kernel/jump_label.o
    CC      kernel/iomem.o
    CC      kernel/rseq.o
    AR      kernel/built-in.a
    CC      certs/system_keyring.o
    make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
    make: *** [Makefile:1851: certs] Error 2

3 Answers


  1. This seems to be the way to go with the current version:

    https://unix.stackexchange.com/a/649484/301245

    There are many, many config flags now, and the signing system must stay operational for the build to work. Easiest is to copy debian/ and debian.master/ into the source tree of the kernel to be built, then it works without additional changes.
    Well, almost: It can happen that references to key files still exist. The keys section in the .conf file should look like this:

    #
    # Certificates for signature checking
    #
    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
    CONFIG_SYSTEM_TRUSTED_KEYRING=y
    CONFIG_SYSTEM_TRUSTED_KEYS=""
    CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
    CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
    CONFIG_SECONDARY_TRUSTED_KEYRING=y
    CONFIG_SYSTEM_BLACKLIST_KEYRING=y
    CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
    CONFIG_SYSTEM_REVOCATION_LIST=y
    CONFIG_SYSTEM_REVOCATION_KEYS=""
    # end of Certificates for signature checking
    
  2. Instead of removing the kernel signature checking, I’ve just configured it correctly:

    #
    # Certificates for signature checking
    #
    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
    CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
    CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
    CONFIG_SYSTEM_TRUSTED_KEYRING=y
    CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
    CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
    CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
    CONFIG_SECONDARY_TRUSTED_KEYRING=y
    CONFIG_SYSTEM_BLACKLIST_KEYRING=y
    CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
    CONFIG_SYSTEM_REVOCATION_LIST=y
    CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
    # end of Certificates for signature checking
    

    To get there, I’ve just followed these steps:

    sudo mkdir -p /usr/local/src/debian
    sudo apt install linux-source
    sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
    sudo apt purge linux-source*
    

    …which:

    1. installs the Ubuntu Linux kernel sources
    2. copies the certificates into a dedicated non-package-managed directory
    3. removes any kernel sources package again

    This process can be repeated whenever an update is required (e.g. new certificates).

  3. Run ln -s /usr/src/linux-source-x.y.z/debian debian in the top level directory of the kernel source tree. Replace x.y.z with the appropriate kernel version.

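A pre-build check for the failure in the question, added here as an example and not taken from any of the answers: it reads the certificate options from a kernel config and reports every PEM file the build would fail to find. The function names `config_value` and `check_cert_paths` are hypothetical, and relative paths are assumed to be resolved against the source tree directory you pass in.

```shell
#!/bin/sh
# Added example: verify the certificate files named in a kernel config
# before starting a long build.

# Print the value of a quoted CONFIG_ option (last occurrence wins).
config_value() {  # $1 = config file, $2 = option name
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# CONFIG_MODULE_SIG_KEY is not checked: with its default value the build
# generates certs/signing_key.pem itself.
# Prints one line per problem; return status = number of problems found.
check_cert_paths() {  # $1 = config file, $2 = kernel source tree
    missing=0
    for opt in CONFIG_SYSTEM_TRUSTED_KEYS CONFIG_SYSTEM_REVOCATION_KEYS; do
        path=$(config_value "$1" "$opt")
        [ -n "$path" ] || continue      # empty string: nothing to embed
        case $path in
            /*) full=$path ;;           # absolute path, as in answer 2
            *)  full=$2/$path ;;        # assumption: relative to source tree
        esac
        if [ ! -r "$full" ]; then
            echo "$opt: $path not found (looked at $full)"
            missing=$((missing + 1))
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$full"; then
            echo "$opt: $full contains no PEM certificate"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone use: sh check-certs.sh <config file> <kernel source tree>
if [ "$#" -eq 2 ]; then
    check_cert_paths "$1" "$2"
fi
```

A non-zero exit status means at least one referenced certificate file is missing or is not PEM, which is the condition behind the `No rule to make target` error above.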