Confirmed that the same procedure also works on Bullseye.
$ sudo apt install build-essential flex bison fakeroot gpg2
$ sudo apt build-dep linux
$ unxz ~/Downloads/linux-5.12.tar.xz
$ gpg --verify ~/Downloads/linux-5.12.tar.sign
gpg: assuming signed data in '/home/matoken/Downloads/linux-5.12.tar'
gpg: Signature made Mon 26 Apr 2021 01:49:05 PM JST
gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <gregkh@linuxfoundation.org>" [unknown]
gpg: aka "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" [undefined]
gpg: aka "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
$ tar tvf ~/Downloads/linux-5.12.tar | lv
$ tar xf ~/Downloads/linux-5.12.tar
$ cd linux-5.12
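Because gpg reports the key as not certified, the fingerprint is the only thing tying the "Good signature" to the expected signer. The following is an added example, not part of the original post: it pins the fingerprint shown above and checks it against gpg's machine-readable status output. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post).
# Intended use, with the file names from the page:
#   gpg --status-fd 1 --verify ~/Downloads/linux-5.12.tar.sign 2>/dev/null \
#     | check_validsig "647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E"

# Succeeds only if the status stream on stdin has a VALIDSIG line whose
# primary-key fingerprint (last field) equals $1, and no BADSIG/ERRSIG line.
check_validsig() {
    # Normalise the pinned fingerprint: drop spaces, upper-case the hex.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 3 is the key that made the signature (may be a subkey);
            # the last field is the primary key fingerprint.
            if (toupper($NF) == want) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed sample of "gpg --status-fd 1 --verify" output for a good
# signature; the timestamp and algorithm numbers are illustrative.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2021-04-26 1619412545 0 4 0 1 10 00 647F28654894E3BD457199BE38DBBDC86092693E
EOF
}

# Constructed sample where the signature does not verify.
sample_status_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 38DBBDC86092693E Greg Kroah-Hartman <gregkh@linuxfoundation.org>
EOF
}
```

The pinned value should come from a source other than the download itself; the check fails closed if gpg emits no primary-key field.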
$ cp /boot/config-`uname -r` ./.config
$ make olddefconfig
$ make xconfig
$ make testconfig
The build goes looking for the certificate file and fails, so set CONFIG_SYSTEM_TRUSTED_KEYS in .config to "".
@@ -9373,7 +9375,7 @@ # CONFIG_MODULE_SIG_KEY="" CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem" +CONFIG_SYSTEM_TRUSTED_KEYS="" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set CONFIG_SECONDARY_TRUSTED_KEYRING=y CONFIG_SYSTEM_BLACKLIST_KEYRING=y
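Review bot: the changed line, CONFIG_SYSTEM_TRUSTED_KEYS="", drops debian/certs/debian-uefi-certs.pem from the built-in trusted keyring while CONFIG_SYSTEM_TRUSTED_KEYRING=y and CONFIG_SECONDARY_TRUSTED_KEYRING=y stay enabled, and nothing next to the change records that this is deliberate. Document it alongside the edit: the PEM path belongs to Debian's packaging tree and is not present in a kernel.org tarball, which is why the build cannot find it, and anything that relied on those Debian certificates being built in will not verify against this kernel. If built-in trust is still wanted, point the option at a local PEM file rather than the empty string.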
Using your current Debian kernel configuration as a starting point

Alternatively, you can use the configuration from a Debian-built kernel that you already have installed by copying the /boot/config-* file to .config and then running make oldconfig to only answer new questions.
If you do this, ensure that you modify the configuration to set:
CONFIG_SYSTEM_TRUSTED_KEYS = ""
otherwise the build may fail:
$ time make -j`nproc` bindeb-pkg
$ ls ../*5.12.0*
../linux-5.12.0_5.12.0-1_amd64.buildinfo ../linux-headers-5.12.0_5.12.0-1_amd64.deb ../linux-image-5.12.0_5.12.0-1_amd64.deb
../linux-5.12.0_5.12.0-1_amd64.changes ../linux-image-5.12.0-dbg_5.12.0-1_amd64.deb ../linux-libc-dev_5.12.0-1_amd64.deb
To add a local version prefix, specify LOCALVERSION.
$ time make -j`nproc` bindeb-pkg LOCALVERSION=-matoken
$ sudo apt install ../linux-image-5.12.0_5.12.0-1_amd64.deb ../linux-libc-dev_5.12.0-1_amd64.deb ../linux-headers-5.12.0_5.12.0-1_amd64.deb
In a Secure Boot environment, sign with the MOK before rebooting.
Sign the kernel
$ sudo sbsign --key ~root/MOK.priv --cert ~root/MOK.pem /boot/vmlinuz-5.12.0 --output vmlinuz-5.12.0
$ sudo mv ./vmlinuz-5.12.0 /boot/vmlinuz-5.12.0
Also sign the dkms modules (if any)
$ find /lib/modules/5.12.0/updates/dkms/ -type f -print0 | xargs -0 -n1 sudo /usr/lib/linux-kbuild-5.10/scripts/sign-file sha256 ~root/MOK.priv ~root/MOK.der
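Before rebooting it is worth confirming that no module under the dkms directory was missed by the signing loop. The following is an added example, not part of the original post: it lists modules that lack the trailer sign-file appends to a signed module. It checks only that a signature is present, not that it is valid for the enrolled MOK; the function names are constructed, and it assumes uncompressed *.ko files.

```sh
#!/bin/sh
# Added example (not from the original post).
# Intended use, with the path from the page:
#   list_unsigned_modules /lib/modules/5.12.0/updates/dkms/

# A signed module ends with this magic string followed by a newline.
MODSIG_MAGIC='~Module signature appended~'

# Succeeds if file $1 ends with the module signature trailer.
has_modsig_trailer() {
    # Trailer = 27-character magic + newline = 28 bytes. NUL bytes are
    # mapped to '.' so the shell can hold the tail in a variable without
    # changing its length; $(...) strips the final newline.
    tail_bytes=$(tail -c 28 "$1" | tr '\000' '.')
    [ "$tail_bytes" = "$MODSIG_MAGIC" ]
}

# Prints every *.ko under directory $1 that has no signature trailer.
list_unsigned_modules() {
    find "$1" -type f -name '*.ko' | while IFS= read -r f; do
        has_modsig_trailer "$f" || printf '%s\n' "$f"
    done
}
```

An empty result means every module carries a signature trailer; whether the kernel accepts it still depends on the key being enrolled.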
Debug symbol packages such as linux-image-5.12.8-dbg_5.12.8-2_amd64.deb take a very long time to generate. If you do not use them, you will want to disable them.
Set CONFIG_DEBUG_INFO in .config to n.
$ grep ^CONFIG_DEBUG_INFO= ./.config
CONFIG_DEBUG_INFO=n
Building in this state does not generate the dbg package.
$ time make -j`nproc` bindeb-pkg
$ ls ../*5.12.9*
../linux-5.12.9_5.12.9-3_amd64.buildinfo ../linux-headers-5.12.9_5.12.9-3_amd64.deb ../linux-libc-dev_5.12.9-3_amd64.deb
../linux-5.12.9_5.12.9-3_amd64.changes ../linux-image-5.12.9_5.12.9-3_amd64.deb
$ make olddefconfig
:
/bin/sh: 1: flex: not found
make[1]: *** [scripts/Makefile.host:9: scripts/kconfig/lexer.lex.c] エラー 127
make: *** [Makefile:602: olddefconfig] エラー 2
$ sudo apt install flex
$ make olddefconfig
LEX scripts/kconfig/lexer.lex.c
YACC scripts/kconfig/parser.tab.[ch]
/bin/sh: 1: bison: not found
make[1]: *** [scripts/Makefile.host:17: scripts/kconfig/parser.tab.h] エラー 127
make: *** [Makefile:602: olddefconfig] エラー 2
$ sudo apt install bison
$ make testconfig
/usr/bin/python3: No module named pytest
make[1]: *** [scripts/kconfig/Makefile:96: testconfig] エラー 1
make: *** [Makefile:602: testconfig] エラー 2
$ sudo apt install python3-pytest
$ time make -j`nproc` bindeb-pkg
SYNC include/config/auto.conf.cmd
UPD include/config/kernel.release
sh ./scripts/package/mkdebian
dpkg-buildpackage -r"fakeroot -u" -a$(cat debian/arch) -b -nc -uc
dpkg-buildpackage: info: source package linux-5.12.4
dpkg-buildpackage: info: source version 5.12.4-1
dpkg-buildpackage: info: source distribution bullseye
dpkg-buildpackage: info: source changed by matoken <matoken@yoga-260.matoken.org>
dpkg-buildpackage: info: host architecture amd64
dpkg-source --before-build .
dpkg-checkbuilddeps: error: Unmet build dependencies: bc rsync libelf-dev:native libssl-dev:native
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] エラー 3
make: *** [Makefile:1579: bindeb-pkg] エラー 2
$ sudo apt install bc rsync libelf-dev:native libssl-dev:native
$ time make -j`nproc` bindeb-pkg
:
BTF: .tmp_vmlinux.btf: pahole (pahole) is not available
Failed to generate BTF for vmlinux
Try to disable CONFIG_DEBUG_INFO_BTF
make[3]: *** [Makefile:1199: vmlinux] エラー 1
make[2]: *** [debian/rules:7: build-arch] エラー 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] エラー 2
make: *** [Makefile:1579: bindeb-pkg] エラー 2
$ sudo apt install dwarves
$ sudo sbsign --key /root/MOK.priv --cert /root/MOK.pem /boot/vmlinuz-5.12.4 --output vmlinuz-5.12.4
sudo: sbsign: コマンドが見つかりません
$ sudo apt install sbsigntool