| Summary: | sys-apps/kmod - add LibreSSL support | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Stefan Strogin <steils> |
| Component: | Current packages | Assignee: | udev maintainers <udev-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ao, base-system, cloos, libressl, mhkbst |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://github.com/gentoo/gentoo/pull/11146 | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 561854 | | |
| Attachments: | 0001-libkmod-signature-use-PKCS7-for-LibreSSL-or-older-Op.patch | | |
Description
Stefan Strogin
So kmod now uses cryptographic message syntax (CMS) that was removed from LibreSSL. I'm not sure what can be done in this case, I'll try to investigate.

kmod-26 explicitly checks for >=openssl-1.1.0 in its configure file so unless upstream adds libressl support we cannot do much here.

Created attachment 565446
0001-libkmod-signature-use-PKCS7-for-LibreSSL-or-older-Op.patch
Alright, here is the tale.
The Linux kernel uses either PKCS-7 or CMS when signing modules (scripts/sign-file.c). They are very similar standards, but CMS is not supported by LibreSSL.
As far as I can see, there are no differences between the standards that affect module signing. The fields used are the same.
In sign-file.c:

    #if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10000000L || defined(OPENSSL_NO_CMS)

then PKCS-7 is used, otherwise CMS.
Yet modinfo uses only CMS with no alternative.
I have made a patch for using PKCS-7 with LibreSSL or an older OpenSSL version. In fact CMS is not needed, PKCS-7 format has all the same fields that are used when a module is signed using CMS, but PKCS-7 is better supported. For example, now I can sign a module using OpenSSL-1.1.1 and CMS and read its signing information with modinfo and PKCS-7, and otherwise.
I will send the patch upstream, and I would appreciate it if someone here could review it as well.
Also please don't apply it before receiving feedback from LKML.
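
The interoperability described in the comment above can be checked on a module file without linking OpenSSL or LibreSSL. The following is an added example, not code from kmod, the kernel or the attached patch: it locates the appended signature using the kernel's trailer layout and tests for the signedData OID, which is the same in PKCS#7 and CMS. The function names and the SAMPLE bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define SIG_MAGIC "~Module signature appended~\n"
#define PKEY_ID_PKCS7 2
/* Trailer that sits between the signature blob and the magic string. */
struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
    uint8_t sig_len[4];                      /* big-endian blob length */
};
/* DER of OID 1.2.840.113549.1.7.2 (signedData), the same in PKCS#7 and CMS. */
static const uint8_t SIGNED_DATA_OID[] =
    { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 };
/* Constructed sample: fake ELF bytes, truncated ContentInfo, trailer, magic. */
static const uint8_t SAMPLE[] = "\x7f" "ELF"
    "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x00"
    "\0\0\x02\0\0\0\0\0" "\0\0\0\x0f" SIG_MAGIC;

/* Find the signature blob; 0 on success, -1 unsigned, -2 unusable trailer. */
int find_module_sig(const uint8_t *buf, size_t len, const uint8_t **sig, size_t *n)
{
    const size_t mlen = sizeof(SIG_MAGIC) - 1;
    struct module_signature ms;
    if (len < mlen + sizeof(ms) || memcmp(buf + len - mlen, SIG_MAGIC, mlen))
        return -1;
    len -= mlen + sizeof(ms);                /* len is now the trailer offset */
    memcpy(&ms, buf + len, sizeof(ms));
    *n = (size_t)ms.sig_len[0] << 24 | (size_t)ms.sig_len[1] << 16 |
         (size_t)ms.sig_len[2] << 8 | ms.sig_len[3];
    if (ms.id_type != PKEY_ID_PKCS7 || *n == 0 || *n > len)
        return -2;
    *sig = buf + len - *n;
    return 0;
}

/* 1 if the module carries a blob starting SEQUENCE { OID signedData ... }. */
int module_has_signed_data(const uint8_t *buf, size_t len)
{
    const uint8_t *sig;
    size_t n, off = 2;                       /* tag + short-form length byte */
    if (find_module_sig(buf, len, &sig, &n) || n < 2 || sig[0] != 0x30)
        return 0;
    if (sig[1] & 0x80)                       /* long form: extra length bytes */
        off += sig[1] & 0x7f;
    return off <= n && n - off >= sizeof(SIGNED_DATA_OID) &&
           !memcmp(sig + off, SIGNED_DATA_OID, sizeof(SIGNED_DATA_OID));
}

int main(void) { return !module_has_signed_data(SAMPLE, sizeof(SAMPLE) - 1); }
```

The check covers only the outer ContentInfo; it does not compare the fields inside SignedData.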
With the above patch and the --nodeps option, sys-apps/kmod-26 installs appropriately on my amd64 system.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=1676e6c83dc843ddccbfae6424b9cf0a454ea6fa

    commit 1676e6c83dc843ddccbfae6424b9cf0a454ea6fa
    Author: Stefan Strogin <stefan.strogin@gmail.com>
    AuthorDate: 2019-02-24 01:43:38 +0000
    Commit: Stefan Strogin <stefan.strogin@gmail.com>
    CommitDate: 2019-02-24 01:44:05 +0000

    sys-apps/kmod: add package from gentoo.git; patch for LibreSSL

    Bug: https://bugs.gentoo.org/677960
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>

    sys-apps/kmod/Manifest | 1 +
    sys-apps/kmod/files/kmod-26-libressl.patch | 186 +++++++++++++++++++++++++++
    sys-apps/kmod/files/kmod-static-nodes-r1 | 18 +++
    sys-apps/kmod/kmod-26-r1.ebuild | 200 +++++++++++++++++++++++++++++
    sys-apps/kmod/metadata.xml | 16 +++
    5 files changed, 421 insertions(+)

(In reply to Lars Wendler (Polynomial-C) from comment #2)
> kmod-26 explicitly checks for >=openssl-1.1.0 in its configure file so
> unless upstream adds libressl support we cannot do much here.

Lars, upstream has accepted Stefan's patch. Would you mind if it were included as a backport until upstream releases a new version?
https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=628677e066198d8658d7edd5511a5bb27cd229f5

I have updated the PR, so now there is the upstream-accepted patch: https://github.com/gentoo/gentoo/pull/11146

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb2edfa0a5001ed4e3cdc406b6bcd9bb4fb1c6cb

    commit fb2edfa0a5001ed4e3cdc406b6bcd9bb4fb1c6cb
    Author: Stefan Strogin <steils@gentoo.org>
    AuthorDate: 2019-05-29 15:36:08 +0000
    Commit: Thomas Deutschmann <whissi@gentoo.org>
    CommitDate: 2019-06-10 13:34:47 +0000

    sys-apps/kmod: add patch and USE flag for LibreSSL support

    Closes: https://bugs.gentoo.org/677960
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Stefan Strogin <steils@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/11146
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

    sys-apps/kmod/files/kmod-26-libressl.patch | 143 +++++++++++++++++++++
    sys-apps/kmod/kmod-26-r1.ebuild | 200 +++++++++++++++++++++++++++++
    sys-apps/kmod/kmod-26.ebuild | 11 +-
    3 files changed, 352 insertions(+), 2 deletions(-)