Unverified Commit af61da28 authored Oct 15, 2025 by Mikhail Malyshev Committed by Nicolas Schier Nov 08, 2025

kbuild: Use objtree for module signing key path



When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
module signing fails because the private key path uses $(srctree)
while the public key path uses $(objtree). Since signing keys are
generated in the build directory during kernel compilation, both
paths should use $(objtree) for consistency.

This causes SSL errors like:
  SSL error:02001002:system library:fopen:No such file or directory
  sign-file: /kernel-src/certs/signing_key.pem

The issue occurs because:
- sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
- cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)

But both keys are generated in $(objtree) during the build.

This complements commit 25ff08aa ("kbuild: Fix signing issue for
external modules") which fixed the scripts path and public key path,
but missed the private key path inconsistency.

Fixes out-of-tree module signing for configurations with separate
source and build directories (e.g., O=/kernel-out).

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251015163452.3754286-1-mike.malyshev@gmail.com


Signed-off-by: Nicolas Schier <nsc@kernel.org>

parent d599f571

scripts/Makefile.modinst

+1 −1

Original line number	Diff line number	Diff line
		@@ -100,7 +100,7 @@ endif
		# Don't stop modules_install even if we can't sign external modules.
		#
		ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
		sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
		sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
		else
		sig-key := $(CONFIG_MODULE_SIG_KEY)
		endif