Arch Linux User Repository

0.75-2 adds examples for kernel alerts from urlwatch in /usr/share/arch-sign-modules/urlwatch

@waruiji - arch-sign-modules reduces building a custom kernel with signed out-of-tree modules to 3 commands:

abk -u kernel-name
abk -b kernel-name
abk -i kernel-name

• for zfs just make sure you have both zfs-dkms && zfs-utils installed

• README

• I think dkms nowadays signs out-of-tree modules automatically - I just prefer building my own kernel as the kernel address space will be randomized & harder to exploit.

@itoffshore - thanks for the suggestion. I rechecked and the dkms config looks fine.

❯ ls -l /etc/dkms
total 16
-rw-r--r-- 1 root root 2160 Dec 20 15:49 framework.conf
drwxr-xr-x 1 root root    0 Dec 20 15:49 framework.conf.d
-rw-r--r-- 1 root root  209 Jan 16 07:48 kernel-sign.conf
-rwxr-xr-x 1 root root  490 Jan 16 07:48 kernel-sign.sh
lrwxrwxrwx 1 root root   26 Jan 16 15:19 zfs.conf -> /etc/dkms/kernel-sign.conf

But if I understand correctly, just installing both zfs-dkms and arch-sign-modules is not enough if I don't have the keys that were used to sign the kernel?

If so, does this mean I need to maintain my own custom kernel with my own keys to get signing working?

@waruiji - you are probably missing a symlink for zfs.conf:

[stuart@endeavour ~/$ ls -l /etc/dkms

total 28
drwxr-xr-x 1 root root    0 Jul  1  2022 framework.conf.d
-rw-r--r-- 1 root root 2160 Dec 20 14:49 framework.conf
-rw-r--r-- 1 root root  209 Oct  6 19:28 kernel-sign.conf
-rwxr-xr-x 1 root root  490 Oct  6 19:28 kernel-sign.sh
lrwxrwxrwx 1 root root   26 May  4  2022 lkrg.conf -> /etc/dkms/kernel-sign.conf
lrwxrwxrwx 1 root root   26 May  4  2022 nvidia.conf -> /etc/dkms/kernel-sign.conf
lrwxrwxrwx 1 root root   26 Sep  2 23:54 zenpower3.conf -> /etc/dkms/kernel-sign.conf
lrwxrwxrwx 1 root root   26 May  4  2022 zfs.conf -> /etc/dkms/kernel-sign.conf

• the symlinks should have been created during installation based on the dirs in /var/lib/dkms
• I suspect you installed zfs-dkms / zfs-utils at the same time as the abk script (removing / installing it should create the zfs.conf symlink)
• I'll move the symlink creation from post-install into abk & run it on every build in the next abk version.

Could you please explain how to use the package? I ran the following commands:

pikaur -Syu arch-sign-modules
pikaur -Syu zfs-dkms

But still can't load the zfs module:

Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

0.75-2 adds examples for kernel alerts from urlwatch in /usr/share/arch-sign-modules/urlwatch

kernel 6.8 builds ok with zfs-dkms-2.2.4:

( 4/11) Install DKMS modules
==> dkms install --no-depmod lkrg/0.9.8 -k 6.8.9-hardened1-2-hardened
==> dkms install --no-depmod zfs/2.2.4 -k 6.8.9-hardened1-2-hardened
==> dkms install --no-depmod nvidia/550.78 -k 6.8.9-hardened1-2-hardened
==> depmod 6.8.9-hardened1-2-hardened

I needed to recompile the kernel as gcc-libs just changed to v14

thank you, i manually installed with "pacman -U" command.

@RashadGasimli - I just built installed & removed linux-zen so I think this is an issue with your environment:

[stuart@endeavour ~]$ sudo pacman -R linux-zen linux-zen-headers
checking dependencies...
:: dkms optionally requires linux-zen-headers: build modules against the ZEN kernel

Packages (2) linux-zen-6.8.9.zen1-1  linux-zen-headers-6.8.9.zen1-1

Total Removed Size:  268.60 MiB

:: Do you want to remove these packages? [Y/n] 
:: Running pre-transaction hooks...
(1/3) Performing snapper pre snapshots for the following configurations...
==> root: 22093
(2/3) Removing linux initcpios...
(3/3) Remove DKMS modules
==> dkms remove --no-depmod lkrg/0.9.8 -k 6.8.9-zen1-1-zen
==> dkms remove --no-depmod nvidia/550.76 -k 6.8.9-zen1-1-zen
==> depmod 6.8.9-zen1-1-zen
:: Processing package changes...
(1/2) removing linux-zen-headers                         [------------------------------] 100%
(2/2) removing linux-zen                                 [------------------------------] 100%

• These env vars are not being picked up
• PKGDEST probably not set in /etc/makepkg.conf

I think somethink is wrong in new update (0.7.3), because I can't install the built kernel:

abk -i linux-zen /usr/bin/abk: line 129: [: : integer expression expected ==> ERROR: Failed to parse PKGDEST from makepkg config find: ‘’: No such file or directory find: ‘’: No such file or directory ==> ERROR: No installable kernels found for: linux-zen

but i built the kernel with "abk -u linux-zen" command:

abk -u linux-zen ... ==> Tidying install... -> Removing libtool files... -> Purging unwanted files... -> Removing static library files... -> Compressing man and info pages... ==> Checking for packaging issues... ==> Creating package "linux-zen"... -> Generating .PKGINFO file... -> Generating .BUILDINFO file... -> Generating .MTREE file... -> Compressing package... ==> Starting package_linux-zen-headers()... ... -> Local Signing certs for out-of-tree modules... ==> Tidying install... -> Removing libtool files... -> Purging unwanted files... -> Removing static library files... -> Compressing man and info pages... ==> Checking for packaging issues... ==> WARNING: Package contains reference to $srcdir ... ==> Creating package "linux-zen-headers"... -> Generating .PKGINFO file... -> Generating .BUILDINFO file... -> Generating .MTREE file... -> Compressing package... ==> Leaving fakeroot environment. ==> Finished making: linux-zen 6.8.9.zen1-1 (Thu 02 May 2024 10:49:30 PM +04) ls: cannot access '/linux-zen6.8.9.zen1.log': No such file or directory ==> Build complete & logged to:

==> WARNING: Automated mode is skipping directory cleanup choice ==> Cleaning up: /home/rashadgasimli/makepkg...

real 41m28.351s user 389m16.917s sys 28m17.948s

@itoffshore yeah i tested with nvidia-open-dkms and it worked, thanks again!