From: Mikhail Malyshev mike.malyshev@gmail.com
[ Upstream commit af61da281f52aba0c5b090bafb3a31c5739850ff ]
When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y, module signing fails because the private key path uses $(srctree) while the public key path uses $(objtree). Since signing keys are generated in the build directory during kernel compilation, both paths should use $(objtree) for consistency.
This causes SSL errors like:

    SSL error:02001002:system library:fopen:No such file or directory
    sign-file: /kernel-src/certs/signing_key.pem

The issue occurs because:
- sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
- cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
But both keys are generated in $(objtree) during the build.
This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for external modules") which fixed the scripts path and public key path, but missed the private key path inconsistency.
Fixes out-of-tree module signing for configurations with separate source and build directories (e.g., O=/kernel-out).
Signed-off-by: Mikhail Malyshev mike.malyshev@gmail.com
Reviewed-by: Nathan Chancellor nathan@kernel.org
Tested-by: Nicolas Schier nsc@kernel.org
Link: https://patch.msgid.link/20251015163452.3754286-1-mike.malyshev@gmail.com
Signed-off-by: Nicolas Schier nsc@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
Now I have the complete picture. All stable trees that contain commit 13b25489b6f8 (v6.13+) have the incomplete fix and need this patch. Let me finalize my analysis:
## Complete Analysis
### 1. COMMIT MESSAGE ANALYSIS
The commit message is clear and well-documented:
- **Subject**: "kbuild: Use objtree for module signing key path" - clearly states what it does
- **Body**: Explains the problem with detailed error messages and root cause analysis
- **References**: Explicitly mentions commit 25ff08aa43e37 as the incomplete fix it complements
- **No Cc: stable@vger.kernel.org tag** - the maintainer did not explicitly request stable backport
- **No Fixes: tag** - However, logically this fixes the same issue as 25ff08aa43e37, which has `Fixes: 13b25489b6f8`
- **Has Reviewed-by and Tested-by tags** from Nicolas Schier and Nathan Chancellor
### 2. CODE CHANGE ANALYSIS
The change is a **single word change** (`srctree` becomes `objtree`):

```makefile
# Before:
sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)

# After:
sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
```
**Technical mechanism of the bug:**

1. When building out-of-tree modules with `CONFIG_MODULE_SIG_FORCE=y` and separate source/build directories (e.g., `O=/kernel-out`):
   - `$(srctree)` points to the source tree (e.g., `/kernel-src`)
   - `$(objtree)` points to the build tree (e.g., `/kernel-out`)
2. Module signing keys are **generated during kernel compilation** and stored in `$(objtree)/certs/`:
   - Private key: `$(objtree)/certs/signing_key.pem`
   - Public key: `$(objtree)/certs/signing_key.x509`
3. After commit 25ff08aa43e37, `cmd_sign` correctly uses `$(objtree)/certs/signing_key.x509` for the public key, but `sig-key` still uses `$(srctree)/certs/signing_key.pem` for the private key.
4. This creates an **inconsistency**: the `sign-file` tool is called with:
   - Private key: `/kernel-src/certs/signing_key.pem` (WRONG - file doesn't exist there)
   - Public key: `/kernel-out/certs/signing_key.x509` (CORRECT)
5. Result: `fopen()` fails with "No such file or directory" when trying to open the private key.

**Why the fix is correct:**
- Both signing keys are generated in `$(objtree)`, so both paths should reference `$(objtree)`
- The fix is logically consistent with what commit 25ff08aa43e37 did for the other paths
- The conditional `$(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)` only adds the prefix if the key path does not already exist relative to make's working directory (which is how an absolute or already-resolvable key path escapes the prefix), which is correct behavior
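To make the path resolution above concrete without a kernel build, here is an added shell model (it is not part of the patch or of the kernel's Makefiles). It emulates `$(if $(wildcard KEY),,PREFIX/)KEY` with an existence test relative to the current directory, lays out a constructed split build (`kernel-src`, `kernel-out`, and an external module directory `mymod` as make's working directory), and shows which private key path `sign-file` would be handed before (`OLD`, `$(srctree)` prefix) and after (`NEW`, `$(objtree)` prefix) the change. The function names `resolve_sig_key`, `key_usable` and `demo` and the directory names are assumptions made for this example. It also shows the caveat that the guard is an existence test, not an absolute-path test.

```shell
#!/bin/sh
# Added example, not part of the patch or of the kernel tree: a shell model of
# how scripts/Makefile.modinst picks the private key path (sig-key) before and
# after the change. Directory and function names are constructed for the demo.

# resolve_sig_key MODE KEY SRCTREE OBJTREE
#   MODE is OLD ($(srctree) prefix) or NEW ($(objtree) prefix).
#   Prints the path sign-file would be handed for the private key.
resolve_sig_key() {
    mode=$1 key=$2 srctree=$3 objtree=$4
    case "$key" in
        pkcs11:*) printf '%s\n' "$key"; return 0 ;;  # else branch of the ifeq: PKCS#11 URI used verbatim
    esac
    # $(wildcard KEY) expands to KEY only if it exists relative to make's
    # working directory (the external module directory, M=, since
    # 13b25489b6f8). It is an existence test, not an absolute-path test.
    if [ -e "$key" ]; then
        printf '%s\n' "$key"
    elif [ "$mode" = OLD ]; then
        printf '%s/%s\n' "$srctree" "$key"
    else
        printf '%s/%s\n' "$objtree" "$key"
    fi
}

# key_usable MODE KEY SRCTREE OBJTREE: succeeds when the resolved key exists,
# i.e. when sign-file's fopen() of the private key would succeed.
key_usable() {
    [ -e "$(resolve_sig_key "$@")" ]
}

# demo: lay out a constructed split build (O=) and show both resolutions.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/kernel-src/certs" "$tmp/kernel-out/certs" "$tmp/mymod"
    # The kernel build generates the key pair into the build tree only.
    : > "$tmp/kernel-out/certs/signing_key.pem"
    : > "$tmp/kernel-out/certs/signing_key.x509"
    (
        cd "$tmp/mymod" || exit 1   # make's cwd for M=$tmp/mymod
        for mode in OLD NEW; do
            p=$(resolve_sig_key "$mode" certs/signing_key.pem "$tmp/kernel-src" "$tmp/kernel-out")
            if key_usable "$mode" certs/signing_key.pem "$tmp/kernel-src" "$tmp/kernel-out"; then
                echo "$mode: $p (ok)"
            else
                echo "$mode: $p (sign-file would fail: No such file or directory)"
            fi
        done
        # Caveat: an absolute but missing key path is still prefixed, so the
        # error names a path under the build tree rather than the one configured.
        echo "NEW, missing absolute key: $(resolve_sig_key NEW /secure/keys/missing.pem "$tmp/kernel-src" "$tmp/kernel-out")"
    )
    rm -rf "$tmp"
}

demo
```

Run it as `sh model.sh`; the `OLD` line lands in `kernel-src/certs`, which the constructed build never populates, while the `NEW` line resolves into `kernel-out/certs` where the keys were written.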
### 3. CLASSIFICATION
- **Type**: Bug fix (not a feature)
- **Category**: Build system fix
- **Severity**: Causes complete failure of out-of-tree module signing with CONFIG_MODULE_SIG_FORCE=y
- **Security relevance**: Low (doesn't fix a security vulnerability per se, but affects a security feature - module signing)
- **Exception category**: Build fix - these are explicitly allowed in stable
### 4. SCOPE AND RISK ASSESSMENT
- **Lines changed**: 1 line (trivial)
- **Files touched**: 1 file (`scripts/Makefile.modinst`)
- **Complexity**: Extremely simple - just changing `srctree` to `objtree`
- **Subsystem**: kbuild (build system)
- **Risk level**: **VERY LOW**
  - Only affects out-of-tree module signing with separate source/build directories
  - Only affects configurations with `CONFIG_MODULE_SIG_FORCE=y` or `CONFIG_MODULE_SIG_ALL=y`
  - The change is logically correct and consistent with the rest of the code
  - Cannot break anything that was working before
### 5. USER IMPACT
- **Who is affected**:
  - Users building out-of-tree modules (e.g., NVIDIA drivers, VirtualBox, ZFS)
  - With separate source and build directories (`O=/path/to/build`)
  - With module signature enforcement enabled
- **Severity**: HIGH for affected users - module signing completely fails
- **User reports**: The commit message shows this was reported as a real user problem with specific error messages
- **Prevalence**: Common scenario for distribution builders and enterprise environments
### 6. STABILITY INDICATORS
- **Tested-by: Nicolas Schier** - the kbuild maintainer tested it
- **Reviewed-by: Nathan Chancellor** - well-known kernel developer reviewed it
- **Link to patch discussion**: Shows proper review process
- **Age in mainline**: This appears to be a recent commit (October 2025 in the patch date)
### 7. DEPENDENCY CHECK
**Critical finding**: This commit has a dependency:
- It requires commit **25ff08aa43e37** ("kbuild: Fix signing issue for external modules") to be present first
- 25ff08aa43e37 requires commit **13b25489b6f8** ("kbuild: change working directory to external module directory with M=")

**Affected stable versions**:
- v6.13.x: Has 13b25489b6f8 (the bug) and backported 25ff08aa43e37 (partial fix) → **NEEDS this patch**
- v6.14.x: Has both 13b25489b6f8 and 25ff08aa43e37 → **NEEDS this patch**
- v6.15.x: Has both → **NEEDS this patch**
- v6.16.x: Has both → **NEEDS this patch**
- v6.17.x: Has both → **NEEDS this patch**
- v6.6.x and older: Does NOT have 13b25489b6f8 → **Does NOT need this patch** (and would break if applied)

**Backport note**: This commit should ONLY be backported to stable trees that already have:
1. Commit 13b25489b6f8 (the original behavior change)
2. Commit 25ff08aa43e37 (the partial fix)
This means v6.13+ stable trees only.
### SUMMARY
This commit is an **excellent candidate for stable backport** to kernel versions v6.13+:
**Positive factors:**
1. ✅ Fixes a real bug that causes complete failure of module signing
2. ✅ Extremely small change (1 line, 1 word)
3. ✅ Zero risk of regression (only fixes broken behavior)
4. ✅ Properly reviewed and tested by kbuild maintainers
5. ✅ Complements an existing fix that was already backported to stable
6. ✅ Build fix category - explicitly allowed in stable rules
7. ✅ Clear, well-documented commit message
8. ✅ Affects users who follow best practices (separate build directory)

**Concerns:**
1. ⚠️ No explicit `Cc: stable@vger.kernel.org` tag (but the first fix also didn't have one and was still backported)
2. ⚠️ No explicit `Fixes:` tag (but logically fixes the same issue as 25ff08aa43e37)
3. ⚠️ Must only be applied to v6.13+ stable trees (where 13b25489b6f8 exists)
The commit passes all stable kernel criteria: it's obviously correct, fixes a real user-visible bug, is small and surgical, has no new features, and has been tested. The incomplete fix in stable trees is currently causing module signing to fail for users with separate source/build directories.
**YES**
scripts/Makefile.modinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst index 1628198f3e830..9ba45e5b32b18 100644 --- a/scripts/Makefile.modinst +++ b/scripts/Makefile.modinst @@ -100,7 +100,7 @@ endif # Don't stop modules_install even if we can't sign external modules. # ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),) -sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY) +sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY) else sig-key := $(CONFIG_MODULE_SIG_KEY) endif
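Review bot: the `$(wildcard $(CONFIG_MODULE_SIG_KEY))` guard on the changed line is an existence test relative to make's working directory, not an absolute-path test, so a CONFIG_MODULE_SIG_KEY that is absolute but missing at modules_install time is still prefixed with `$(objtree)/` and the resulting sign-file error names a path under the build tree rather than the one the user configured; consider adding a sentence to the comment block above the `ifeq` (next to "Don't stop modules_install even if we can't sign external modules.") stating that a relative key path is resolved against the build tree, matching where `cmd_sign` already takes the `.x509` half of the pair. The `pkcs11:` branch is correctly left as-is.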