42

In Ubuntu 20.04 LTS, I was compiling kernel 5.11.11 after adding a new system call. I also get this with later Ubuntu versions and kernels. During the execution of the make command I got this error:

make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make: *** [Makefile:1809: certs] Error 2

If someone can help I would really appreciate it. Thank you.

Daniel T
Shehryar Ahmed

3 Answers

71

In your kernel configuration file you will find this line:

CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"

Change it to this:

CONFIG_SYSTEM_TRUSTED_KEYS=""

Depending on your source structure you might be able to do it via command line. Examples:

scripts/config --disable SYSTEM_TRUSTED_KEYS

or

scripts/config --set-str SYSTEM_TRUSTED_KEYS ""

EDIT: Another key has been added to the default Canonical kernel configuration since this answer was posted:

CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"

So, it also needs to be dealt with for user kernel compiles to complete:

scripts/config --disable SYSTEM_REVOCATION_KEYS

See also git based mainline kernel compile notes.

Doug Smythies
  • Thank you so much – Shehryar Ahmed Apr 06 '21 at 16:13
  • you can edit it through the menuconfig by running "make menuconfig" – yehudahs Jun 08 '21 at 13:42
  • Do you mind explaining a bit why you need to do this, like why do you think the canonical cert was in there to begin with and why it's ok to just remove it? – Shanteva Aug 05 '21 at 12:46
  • @Shanteva : If one does not do it, then the kernel will not compile, as per the question. I assume it was added for additional kernel security. I do not know your requirements, so can not comment if it is ok to remove it for you or if you need to provide some other trusted key. For me, and I assume some others, it is fine to remove it. Note that it has been there for a long time, but Canonical just started using it. – Doug Smythies Aug 05 '21 at 14:06
  • I mean why as in, .config explicitly says not to edit it, so why is that value set to begin with, and what would be the "proper" way of giving the build system what it wants with that value – Shanteva Aug 05 '21 at 20:36
  • I don't really expect you to answer, but I think this is a pretty obvious question to ask – Shanteva Aug 05 '21 at 20:37
  • @Shanteva : the second and third way of my answer are official ways, as is the way in the comments using menuconfig. Myself, I rarely use menuconfig. – Doug Smythies Aug 06 '21 at 06:30
  • @DougSmythies maybe it is worth to add that the same steps are needed for CONFIG_SYSTEM_REVOCATION_KEYS. At least while compiling Kernel version 5.13. So scripts/config --disable CONFIG_SYSTEM_REVOCATION_KEYS – garlix Jan 14 '22 at 16:07
  • @garlix : Agreed. Answer edited. – Doug Smythies Jan 14 '22 at 16:49
  • @yehudahs Where in the menuconfig is this found? – Daniel W. Feb 01 '22 at 20:17
  • @Shanteva Nobody has answered WHY these values are set as they are yet, really. It's for building the Ubuntu signed kernels. BIOS boot? Don't need signed kernels. EFI? Don't need signed kernels. EFI with secure boot? The boot loader (grub), kernel, and modules, must be signed. The Ubuntu kernel source's debian/ directory does include those .pem files. – hwertz Oct 09 '23 at 03:58
8

Well, I just generated a self-signed x509 certificate with a common name as my name, put the key and certificate in the same file and pointed both lines to the file. Compiles perfectly and security should be intact. I assume it's used to sign kernel binary and you can whitelist your certificate in a secure boot to allow your kernel to boot.

openssl req -x509 -newkey rsa:4096 -keyout certs/mycert.pem -out certs/mycert.pem -nodes -days 3650

CONFIG_MODULE_SIG_KEY="certs/mycert.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="certs/mycert.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
Error404
  • this is the way to go – vincenzopalazzo Feb 10 '22 at 00:16
  • trying this caused problem for me, check this kernel doc for more details https://www.kernel.org/doc/Documentation/admin-guide/module-signing.rst, this post helped me to fix the issue https://github.com/andikleen/simple-pt/issues/8 – Arun Kp Jul 28 '22 at 02:28
5

Just executed the following two commands after running "make menuconfig"

scripts/config --disable SYSTEM_TRUSTED_KEYS
scripts/config --disable SYSTEM_REVOCATION_KEYS

While the "make" command is running, if any certificate related question arises, then simply hit Enter. That's it.
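
Added example, not part of any answer above and not code from the kernel tree: a pre-build check that reads a .config and reports whether CONFIG_SYSTEM_TRUSTED_KEYS or CONFIG_SYSTEM_REVOCATION_KEYS names a PEM file that is absent from the source tree, which is the condition behind the "No rule to make target" error in the question. The function name check_cert_paths and its two arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# check_cert_paths <path-to-.config> <kernel-source-dir>   (hypothetical helper)
# Prints one line per option whose certificate file is missing.
# Returns 1 if any file is missing, 0 otherwise.
check_cert_paths() {
    config=$1
    srctree=$2
    status=0
    for opt in SYSTEM_TRUSTED_KEYS SYSTEM_REVOCATION_KEYS; do
        # Extract the quoted string value; use the last assignment
        # if the option appears more than once in the file.
        value=$(sed -n "s/^CONFIG_${opt}=\"\(.*\)\"\$/\1/p" "$config" | tail -n 1)
        # Option absent, "is not set", or "": no file is needed.
        [ -z "$value" ] && continue
        # Relative paths are checked against the source directory.
        case $value in
            /*) path=$value ;;
            *)  path=$srctree/$value ;;
        esac
        if [ ! -f "$path" ]; then
            echo "CONFIG_${opt}: missing $value"
            status=1
        fi
    done
    return $status
}

# Typical call from the top of the kernel source tree:
#   check_cert_paths .config .
```

Each reported option has to be given a real PEM file or cleared with scripts/config, as the answers describe, before running make.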