[HowTo] Repeat official building process
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
[HowTo] Repeat official building process
Hey guys, sorry if I am not the first one to raise the question, but I really need the answer. I did use search... If you could point me to the complete FAQ covering the topic I will be really glad to read it.
My question is how to repeat the full procedure of a Debian kernel rebuilding. I cannot actually get a working kernel/installer.
I did:
1) Rebuilt kernel from linux-6.1.37-1 sources, by running consecutively `cd linux-6.1.37/; fakeroot debian/rules source; fakeroot debian/rules binary-arch`. As a result I get a bunch of .deb packages, 3 of which are unsigned versions of amd64, cloud and RT.
2) I install those 3 unsigned kernels, apt sourced linux-signed-amd64.dsc package with its dependencies, to generate signed kernels, by running `debuild -us -uc`. As a result I get signed kernels and a couple dozen .udebs.
3) I use debian-installer sources and the .udebs from the previous step to get vmlinuz and initrd.gz compiled for installation CD. The ISO with these files is not bootable.
Some details of what I got. The unsigned kernel from step one works fine when installed. The signed kernel refuses to boot, it cannot find the root FS. The installer made from the .udebs refuses to see any network interfaces and disks on the machine during the installation process.
Repeating the 2nd and 3rd steps with unsigned kernels from the original Debian repo works fine for me, everything like a charm.
What and where do I do wrong?
- sunrat
- Administrator
- Posts: 6593
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 119 times
- Been thanked: 502 times
Re: [HowTo] Repeat official building process
As this is a support question and not an actual howto guide, moved to General Questions.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
Yes. I practically need to create full iso from the packages rebuilt with strace from the examined sources.
I am trying to create an installation iso with my custom kernel from scratch. Not to add another custom kernel to it but have my own installed right away. Also, rebuilding packages is kind of necessary in the organization I work at.
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
Yesterday I also used the next sequence `export DEB_BUILD_PROFILES='pkg.linux.nokerneldbg pkg.linux.nokerneldbginfo'; export MAKEFLAGS=-j$(nproc); dpkg-buildpackage -b -nc -uc` (found here https://kernel-team.pages.debian.net/ke ... tasks.html ). Unfortunately no luck: the rebuilt signed kernel still shows "mdadm: no device listed in conf file was found" on a system where a second ago a vanilla kernel worked fine.
-
- Debian Developer
- Posts: 463
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 88 times
Re: [HowTo] Repeat official building process
alix_frolov wrote: ↑2024-04-20 05:50
> Yes. I practically need to create full iso from the packages rebuilt with strace from the examined sources.
> I am trying to create an installation iso with my custom kernel from scratch. Not to add another custom kernel to it but have my own installed right away. Also, rebuilding packages is kind of necessary in the organization I work at.

Rebuilding everything is likely going to be somewhat tricky. Can you explain a bit more why you want to do this exactly so that we can think about what would be the most suitable solution?
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
lindi wrote: ↑2024-04-20 09:59
> alix_frolov wrote: ↑2024-04-20 05:50
> > Yes. I practically need to create full iso from the packages rebuilt with strace from the examined sources.
> > I am trying to create an installation iso with my custom kernel from scratch. Not to add another custom kernel to it but have my own installed right away. Also, rebuilding packages is kind of necessary in the organization I work at.
>
> Rebuilding everything is likely going to be somewhat tricky. Can you explain a bit more why you want to do this exactly so that we can think about what would be the most suitable solution?

I have already rebuilt everything we need. Alas, at the last moment I found out that package linux-signed-amd64 does not actually build kernels, rather uses kernels installed in the building container to rsync and sign precompiled modules from unsigned kernels (I had unsigned vanilla kernels installed, not my own, during my first attempts). So the only thing I suppose I have left is the kernel+installer.
I need this because the system from the ISO I am building requires to be rebuilt from the sources, which were approved by our security department officers. So I pretty much have no choice.
Last edited by alix_frolov on 2024-04-20 11:50, edited 2 times in total.
-
- Global Moderator
- Posts: 3082
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 76 times
- Been thanked: 417 times
Re: [HowTo] Repeat official building process
alix_frolov wrote: ↑2024-04-20 11:46
> [..] I need this because the system from the ISO I am building requires to be rebuilt from the sources, which were approved by our security department officers. [..]

May I ask you:
- why do your security officers require package rebuild?
- what other activities before/after the rebuild do security officers require to approve?
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
Aki wrote: ↑2024-04-20 12:01
> alix_frolov wrote: ↑2024-04-20 11:46
> > [..] I need this because the system from the ISO I am building requires to be rebuilt from the sources, which were approved by our security department officers. [..]
>
> May I ask you:
> - why do your security officers require package rebuild?
> - what other activities before/after the rebuild do security officers require to approve?

I have no idea, actually. Probably they have somehow scanned the source code for known vulnerabilities, and now ask to rebuild those .deb files to make sure they actually are built from the source code, and will check the building logs.
-
- Global Moderator
- Posts: 3082
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 76 times
- Been thanked: 417 times
Re: [HowTo] Repeat official building process
Hello,
alix_frolov wrote: ↑2024-04-20 12:08
> I have no idea, actually. Probably they have somehow scanned the source code for known vulnerabilities, and now ask to rebuild those .deb files to make sure they actually are built from the source code, and will check the building logs.

Evasive answer (I mean not necessarily by you, but from your security officers, at least).
Strange.
Rebuilding a source code makes sense only if someone doesn't trust the Debian build chain or, more probably, someone wants to modify something in the source code directly or indirectly (linking with modified libraries and shipping them).
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
No, definitely no secure boot, I have asked in advance. I said from the very beginning that I need to change the IMA options and several security options about emptying memory, nothing criminal as for me (if you need the exact list of options we are gonna change in the kernel config I can provide you with it).
I was thinking to use your source linux-signed-amd, with your keys. But if that is what concerns you (this option didn't occur in my head, makes sense), we probably may use our own CA to sign the kernel. It, probably, will take some more work but I understand your concerns now. Just I am gonna need a bit more pointers of how to replace the keys.
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
Aki wrote: ↑2024-04-20 12:14
> Hello,
> alix_frolov wrote: ↑2024-04-20 12:08
> > I have no idea, actually. Probably they have somehow scanned the source code for known vulnerabilities, and now ask to rebuild those .deb files to make sure they actually are built from the source code, and will check the building logs.
>
> Evasive answer (I mean not necessarily by you, but from your security officers, at least).
> Strange.
> Rebuilding a source code makes sense only if someone doesn't trust the Debian build chain or, more probably, someone wants to modify something in the source code directly or indirectly (linking with modified libraries and shipping them).

The matter isn't trust or absence of such to the Debian chain. And yes, you are right, the task is to have our own installation media, signed and rebuilt internally (which I clearly indicated at the initial question), with our own customizations. So we are 100% certain of what we install upon our infrastructure. Does it sound strange or against Debian community rules?
-
- Global Moderator
- Posts: 3082
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 76 times
- Been thanked: 417 times
Re: [HowTo] Repeat official building process
Hello,
alix_frolov wrote: ↑2024-04-20 15:36
> [..] the task is to have our own installation media, signed and rebuilt internally (which I clearly indicated at the initial question), with our own customizations. So we are 100% certain of what we install upon our infrastructure. [..] Does it sound strange [..]

Just some personal thoughts.
Your topic is about "Repeat official building process", but you are not simply repeating the building process of official Debian packages: you are modifying them.
The strange thing is not that you are asking for support to rebuild modified Debian packages (kernel packages, but maybe others too; you started asking to rebuild the entire contents of a Debian-ISO with a Debian-installer; we don't even know what architecture)
alix_frolov wrote: ↑2024-04-20 12:08
> I have no idea, actually. Probably they have somehow scanned the source code for known vulnerabilities, and now ask to rebuild those .deb files to make sure they actually are built from the source code, and will check the building logs.

It is strange that you have no idea what modifications are being made to the code you are rebuilding, and you don't know why they are required (apart from general security concerns).
In the end, it is strange that everything is requested/approved by some "security officers" and that they will evaluate rebuilt packages by checking the logs of the build process.
This lack of transparency seems a little suspicious to me.
As far as I know, Debian community rules are not infringed in this topic (so far), but if you are planning building a derivative (or something like that) check here [1].
--
[1] https://wiki.debian.org/Derivatives/Guidelines
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
Aki wrote: ↑2024-04-20 17:42
> Hello,
> alix_frolov wrote: ↑2024-04-20 15:36
> > [..] the task is to have our own installation media, signed and rebuilt internally (which I clearly indicated at the initial question), with our own customizations. So we are 100% certain of what we install upon our infrastructure. [..] Does it sound strange [..]
>
> Just some personal thoughts.
> Your topic is about "Repeat official building process", but you are not simply repeating the building process of official Debian packages: you are modifying them.
> The strange thing is not that you are asking for support to rebuild modified Debian packages (kernel packages, but maybe others too; you started asking to rebuild the entire contents of a Debian-ISO with a Debian-installer; we don't even know what architecture)
> alix_frolov wrote: ↑2024-04-20 12:08
> > I have no idea, actually. Probably they have somehow scanned the source code for known vulnerabilities, and now ask to rebuild those .deb files to make sure they actually are built from the source code, and will check the building logs.
>
> It is strange that you have no idea what modifications are being made to the code you are rebuilding, and you don't know why they are required (apart from general security concerns).
> In the end, it is strange that everything is requested/approved by some "security officers" and that they will evaluate rebuilt packages by checking the logs of the build process.
> This lack of transparency seems a little suspicious to me.
> As far as I know, Debian community rules are not infringed in this topic (so far), but if you are planning building a derivative (or something like that) check here [1].
> --
> [1] https://wiki.debian.org/Derivatives/Guidelines

Maybe I did not make myself clear, it was purely unintentional. Sorry for that.
I did not realise that we would have to modify the rebuilding process, because we could not use your signature for a kernel with a different config and all the secure boot concerns, which now is clear.
We did most of the job you mention in the Derivatives article (thank you btw for the link, I forgot about something there). The installer package we are not inclined to change too, so keep everything as close to vanilla version as possible. Branding is done by a preseed file mostly, necessary files altered and the logos removed from the iso, we use automated text installer anyway.
The source code was not changed, everything I use is from a frozen repo of Debian 12.1 (bookworm) + a few backports with closed vulnerabilities. The source codes underwent some testing, which, as I mentioned, I have no clue about, the job was done by an independent organisation and is mandatory. The changes introduced are only to kernel config file, which I add during building the unsigned kernel. The resulting package repo and building logs are also a subject for security expertise, in order to check that they are built from the source we had provided. I hope that clarifies why I have nothing to do with the security policies.
But back to my initial question.
Could you walk me through or point out the article about the process of signing kernel and building installer afterwards, if that is not too much to ask? What changes are necessary in signing process, probably, in linux-signed-amd64 for amd64 platforms? I do not expect much alterations there, probably just replace Debian keys, at least I hope it is so.
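Added example, not part of the thread and not Debian's tooling: one way a reviewer could check the claim in the post above, that a rebuilt kernel differs from the distribution kernel only in approved config options. The option names, both sample configs and the approved list are constructed for illustration; the thread does not list the real options.

```python
import re

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Return {option: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def audit_config(baseline_text, rebuilt_text, approved):
    """Compare a rebuilt config with the baseline and an approved change list.

    approved maps option -> value it must have in the rebuilt config.
    Returns (unapproved, missing):
      unapproved: (option, baseline value, rebuilt value) for every change
                  that is not approved or has the wrong value
      missing:    (option, wanted value, rebuilt value) for approved changes
                  that did not make it into the build
    An option absent from a file is treated as 'n' (bool/tristate view).
    """
    base = parse_kconfig(baseline_text)
    new = parse_kconfig(rebuilt_text)
    unapproved = []
    for opt in sorted(set(base) | set(new)):
        old_v, new_v = base.get(opt, "n"), new.get(opt, "n")
        if old_v != new_v and approved.get(opt) != new_v:
            unapproved.append((opt, old_v, new_v))
    missing = [(opt, want, new.get(opt, "n"))
               for opt, want in sorted(approved.items())
               if new.get(opt, "n") != want]
    return unapproved, missing


# Constructed sample: stands in for /boot/config-<abi> of the distribution kernel
BASELINE = """
CONFIG_IMA=y
# CONFIG_IMA_APPRAISE is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_BLK_DEV_MD=m
CONFIG_E1000E=m
"""
# Constructed sample: config of the rebuilt kernel, with one unintended change
REBUILT = """
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_BLK_DEV_MD is not set
CONFIG_E1000E=m
"""
# Constructed approval list (assumed; the real list is not in the thread)
APPROVED = {"CONFIG_IMA_APPRAISE": "y", "CONFIG_INIT_ON_FREE_DEFAULT_ON": "y"}

if __name__ == "__main__":
    unapproved, missing = audit_config(BASELINE, REBUILT, APPROVED)
    for opt, old, new in unapproved:
        print(f"UNAPPROVED {opt}: {old} -> {new}")
    for opt, want, got in missing:
        print(f"MISSING    {opt}: wanted {want}, build has {got}")
```

Running the same comparison on the config shipped inside the signed image package shows whether the signing step picked up the locally built kernel or a different one.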
- donald
- Debian Developer, Site Admin
- Posts: 1114
- Joined: 2021-03-30 20:08
- Has thanked: 189 times
- Been thanked: 248 times
Re: [HowTo] Repeat official building process
Sounds like you are doing a blend for a specific environment more than anything really suspicious, but I'm not an expert in the field.
You should read the kernel building section of the kernel manual which I think has the steps you need to accomplish your inquiry, chapter 4 specifically. https://kernel-team.pages.debian.net/ke ... n-building
Typo perfectionish.
"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
donald wrote: ↑2024-04-22 02:45
> Sounds like you are doing a blend for a specific environment more than anything really suspicious, but I'm not an expert in the field.
> You should read the kernel building section of the kernel manual which I think has the steps you need to accomplish your inquiry, chapter 4 specifically. https://kernel-team.pages.debian.net/ke ... n-building

Thank you. I did it already. And the custom kernel gets installed by preseed in the post-install section. But I would like to get rid of having 2 kernels on the ISO (first one installed by default during installation, and the other later), it does not seem pretty. And this way does not allow me to rebuild the installer, which is the crucial part of the entire idea of rebuilding everything. That is why I started the topic, I could not find information about it at all, and fruitlessly had been trying to rebuild the installer and the signed kernel with the src. packages provided in off.repo.
-
- Posts: 109
- Joined: 2024-04-16 18:30
- Been thanked: 8 times
Re: [HowTo] Repeat official building process
I actually found original source documentation for Linux 1.0 recently and it inspired me to start building my own kernels following the original instructions Linus gave for building it.
It's much easier building the regular kernel, and it's easy to manage alongside apt managing its own Debian kernels if your boot sector is big enough
in the original source documentation Linus was very sincere in emphasizing that building the kernel should be a simple process and that less was more
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
Linuxgaming1824 wrote: ↑2024-04-22 11:29
> I actually found original source documentation for Linux 1.0 recently and it inspired me to start building my own kernels following the original instructions Linus gave for building it.
> It's much easier building the regular kernel, and it's easy to manage alongside apt managing its own Debian kernels if your boot sector is big enough
> in the original source documentation Linus was very sincere in emphasizing that building the kernel should be a simple process and that less was more

Building own kernel, based on already tested base is better, if you don't want to spend ages looking for the right balance doing it from scratch.
The idea is to follow Debian building process as closely as possible, introducing only necessary alterations, exactly as it's said in the Derivatives link from above. That's much easier to maintain later, than having a vanilla kernel installed by the installer, and my custom kernel afterwards, then have ansible remove vanilla kernel. And repeating a Debian-like scenario of assembling ISO only seems like a natural way for most production scenarios, not looking for an easy way here, looking for less troublesome in consequences. But I cannot do it unless I get instructions of how to recreate process of signing up kernels (with my own keys) and rebuilding the installers from them, to get Debian based systems meeting the requirements I have.
-
- Posts: 12
- Joined: 2024-04-19 22:36
- Has thanked: 2 times
Re: [HowTo] Repeat official building process
@Aki @lindi
Sorry for bothering you, but it seems as if only you know for sure how to build correct unsigned kernels, sign them (not necessarily by Debian keys) creating correct udebs, and building functional vmlinuz and initrd based on the udebs. So as the result all those components function properly (the way it works with unsigned kernels from vanilla repo).
Could you share this information or is it not for disclosing? If the latter (I had Debian mailing list as a last resort), I will stop asking about debian-installer, and get to explore Debian-live. I hope all its components might be rebuilt.