
I'm using CentOS 8.2 with Kernel (4.18.0-193.6.3.el8_2.x86_64) and I'm interested in compiling the Kernel version 5.7.

Really, I need to extract some libraries; for this reason I don't want to install it on my machine.

I was following these steps: https://www.cyberciti.biz/tips/compiling-linux-kernel-26.html

    sudo dnf upgrade -y
    wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.7.tar.xz
    unxz -v linux-5.7.tar.xz
    wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.7.tar.sign
    gpg --verify linux-5.7.tar.sign
    gpg --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E
    gpg --verify linux-5.7.tar.sign
    tar xvf linux-5.7.tar
    cp -v /boot/config-$(uname -r) .config
    sudo dnf group install "Development Tools"
    sudo dnf install ncurses-devel bison flex elfutils-libelf-devel openssl-devel
    make menuconfig
    make

But, here in make I got this:

      CC      kernel/pid_namespace.o
      CC      kernel/stop_machine.o
      CC      kernel/audit.o
      CC      kernel/auditfilter.o
      CC      kernel/auditsc.o
      CC      kernel/audit_watch.o
      CC      kernel/audit_fsnotify.o
      CC      kernel/audit_tree.o
      CC      kernel/hung_task.o
      CC      kernel/watchdog.o
      CC      kernel/watchdog_hld.o
      CC      kernel/seccomp.o
      CC      kernel/relay.o
      CC      kernel/utsname_sysctl.o
      CC      kernel/delayacct.o
      CC      kernel/taskstats.o
      CC      kernel/tsacct.o
      CC      kernel/tracepoint.o
      CC      kernel/irq_work.o
      CC      kernel/padata.o
      CC      kernel/crash_dump.o
      CC      kernel/jump_label.o
      CC      kernel/iomem.o
      CC      kernel/rseq.o
      AR      kernel/built-in.a
      CC      certs/system_keyring.o
    make[1]: *** No rule to make target 'certs/rhel.pem', needed by 'certs/x509_certificate_list'.  Stop.
    make: *** [Makefile:1729: certs] Error 2
    [joseluisbz@centos linux-5.7]$

How do I solve that?

1 Answer

The RHEL/CentOS kernel is built to be Secure Boot compatible, so it has been signed with Red Hat's private key. You aren't going to get it from Red Hat, so your options are to either create your own key+certificate for Secure Boot/kernel signing, or disable Secure Boot in your system.

The relevant kernel compilation options:

  • CONFIG_MODULE_SIG_KEY (under "Cryptographic API"): specifies the file to use for signing the kernel modules. Set to certs/rhel.pem on RHEL/CentOS kernels; if set to the "factory default" value certs/signing_key.pem, the kernel compilation process will auto-generate the key and certificate for you.
  • CONFIG_MODULE_SIG (under "Enable loadable module support"): enables kernel module signature verification
  • CONFIG_MODULE_SIG_FORCE: makes the kernel reject modules whose signature cannot be verified or that have no signature at all. Without this, Secure Boot would not be very effective.
  • CONFIG_MODULE_SIG_ALL: makes the kernel build process automatically sign all modules built along with the kernel.

You should read Documentation/admin-guide/module-signing.rst in the kernel source code package for more information on module signing. It includes instructions on configuring the key autogeneration process, and for generating your own long-term kernel signing key using OpenSSL. Also it tells you how to individually sign modules, in case you want to use some modules that are not included in the kernel package ("third-party modules").

If your system supports Secure Boot and you don't want to disable it, your next step should be adding the public part of the kernel signing key to either the Secure Boot db variable, or as the shim.efi bootloader's MOK key. But the simplest choice may be to disable Secure Boot for now, and first learn to compile and install a new kernel and its modules without Secure Boot complications. Once you have a kernel with signed modules that works without Secure Boot, you can start figuring out the best way to use Secure Boot with custom keys on your specific hardware.

Just before running make menuconfig, you probably should run make oldconfig to have the kernel configuration tool automatically check the configuration file you copied from the standard CentOS kernel version 4.18, and ask you how any new configuration options added between version 4.18 and the kernel version you're compiling should be set. (This will be a fairly long list of very technical questions, but typing a question mark at the prompt will display the help text for the configuration option it's asking about.)
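
A pre-build check for the failure shown in the question, as an added example that is not part of the original answer: it scans a copied .config for certificate options that name a file missing from the source tree. Besides CONFIG_MODULE_SIG_KEY from the answer it also checks CONFIG_SYSTEM_TRUSTED_KEYS, another kernel option that takes a PEM file path; the function name and the sample .config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# check_cert_paths CONFIG_FILE SRC_TREE
# Prints OPTION=path for each key/certificate option in CONFIG_FILE that names
# a file missing from SRC_TREE. Returns 1 if any is missing, else 0.
check_cert_paths() {
    _missing=$(
        grep -E '^CONFIG_(MODULE_SIG_KEY|SYSTEM_TRUSTED_KEYS)=' "$1" |
        while IFS= read -r _line; do
            _opt=${_line%%=*}
            _path=${_line#*=}
            _path=${_path#\"}
            _path=${_path%\"}
            # Empty value: nothing is requested from the tree.
            if [ -z "$_path" ]; then continue; fi
            # The build generates the default module signing key itself.
            if [ "$_opt" = CONFIG_MODULE_SIG_KEY ] &&
               [ "$_path" = certs/signing_key.pem ]; then continue; fi
            case $_path in
                pkcs11:*) continue ;;      # token URI, not a file
                /*) _file=$_path ;;        # absolute path
                *)  _file=$2/$_path ;;     # relative to the source tree
            esac
            if [ ! -f "$_file" ]; then printf '%s=%s\n' "$_opt" "$_path"; fi
        done
    )
    if [ -z "$_missing" ]; then return 0; fi
    printf '%s\n' "$_missing"
    return 1
}

# Demo on a constructed tree and .config (sample values, not a real CentOS file).
demo() {
    _tree=$(mktemp -d)
    mkdir -p "$_tree/certs"
    printf '%s\n' 'CONFIG_MODULE_SIG=y' \
        'CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"' \
        'CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"' > "$_tree/.config"
    check_cert_paths "$_tree/.config" "$_tree" ||
        echo "set each option above to a PEM file you actually have before running make"
    rm -rf "$_tree"
}
demo
```

Run it from the top of the kernel tree as `check_cert_paths .config .` after copying the distribution config and before `make`.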
