On Tue, 6 Feb 2018, hykw...@sina.com wrote:

On Mon, 5 Feb 2018, hykw...@sina.com wrote:
I got the following message when I built the Linux kernel 4.15:

fatal error: openssl/bio.h: No such file or directory

I found this header file is required by the file "scripts/extract-cert.c"

So, which kernel option should I uncheck in order to fix this issue?
That's because OpenSSL is not available in LFS.

OR

Do we have to install OpenSSL when we build LFS? In this article 
(https://kernelnewbies.org/KernelBuild), it mentions libssl-dev (or 
openssl-devel or libopenssl-devel) is required to build the kernel source.

Here is my LFS Version: 20180202-systemd
--
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
It looks like a module signing issue.  Look for the following when building
your kernel:
Enable loadable module support  --->
   [ ] Module signature verification
If there's a * that's probably your problem.  From the kernel's help:
"Note that this option adds the OpenSSL development packages as a
kernel build dependency so that the signing tool can use its crypto
library."
Regards,
Ryan

Actually, I want to build a new kernel with my old kernel config (for the 
kernel 4.9) and here is my procedure:

1. Extract Linux source codes
2. switch to the source code folder and type "make mrproper"
3. copy the old configure file to the folder: cp /sources/config-4.9 .config
4. type "make oldconfig" and apply default value for all new options
5. type "make menuconfig" and check the value of the "Module signature 
verification". Also, I make sure it is OFF.
6. type "make" to build the codes.

I used Linux kernel 4.14.17, 4.15 and 4.15.1 source codes and followed the 
above procedures. However, I could build the kernel 4.14.17 successfully only. I 
got the same error message for kernel 4.15 and 4.15.1.

So, any other options should I unselect for kernel 4.15?

OK. I believe I've figured this out.

I spent quite a bit of time researching this today, mostly to satisfy my
own curiosity, but also to determine whether or not OpenSSL would
actually need to be built in LFS in order to satisfy the changes from
Linux 4.14 to Linux 4.15.

After going through the various kernel options from both the 4.14 and
4.15 kernels, here's what I discovered:

The underlying kernel option that's giving the error

"fatal error: openssl/bio.h: No such file or directory"

is traced to the kernel symbol
SYSTEM_TRUSTED_KEYRING which is located at:

-*- Cryptographic API  --->
      Certificates for signature checking  --->
         -*- Provide system-wide ring of trusted keys

In a stock Linux-4.14.7, "Provide system-wide ring of trusted keys"
cannot actually be seen, because it doesn't satisfy all the criteria to
make it visible.

A search for the kernel symbol SYSTEM_TRUSTED_KEYRING
shows me the following:
[...]
Selected by: SYSTEM_DATA_VERIFICATION [=n] || [...]

and a search for the symbol SYSTEM_DATA_VERIFICATION
shows me the following:
[...]
Selected by: MODULE_SIG [=n] && MODULES [=y]

So, unless a user wants to sign his modules ( i.e.
[*] Enable loadable module support  --->
      [*]   Module signature verification ) then

SYSTEM_DATA_VERIFICATION will never be set, and therefore neither will
SYSTEM_TRUSTED_KEYRING, and without SYSTEM_TRUSTED_KEYRING set, there's
no build error.

Next I searched for the symbol SYSTEM_DATA_VERIFICATION in the
Linux-4.15 kernel and saw this:
[...]
Selected by: MODULE_SIG [=n] && MODULES [=y] ||
                  CFG80211_REQUIRE_SIGNED_REGDB [=y] [...]

OK.  A new symbol.  I couldn't find it at first, but after doing a
General setup  --->
   [*] Configure standard kernel features (expert users)

I could see it under:

[*] Networking support  --->
   -*-   Wireless  --->
      [*]   cfg80211 certification onus
            [*]   require regdb signature (NEW)

What's weird is that even though "cfg80211 certification onus" is not
enabled in a stock Linux 4.15 kernel, the sub-option
"require regdb signature" does indeed appear to be enabled,
and that can be verified by searching for the kernel module
SYSTEM_DATA_VERIFICATION and it clearly shows:

"Selected by: [...] CFG80211_REQUIRE_SIGNED_REGDB [=y] [...]"

when really, it shouldn't be enabled, as its "parent option" is not
enabled!  I would have assumed that any disabled kernel option would
automatically disable all options beneath it.

Therefore, because CFG80211_REQUIRE_SIGNED_REGDB is set, so will
SYSTEM_DATA_VERIFICATION and then SYSTEM_TRUSTED_KEYRING is set,
resulting in a build error.

Anyway, based on my tests, the only way that I could build Linux 4.15
without using OpenSSL was to enable "cfg80211 certification onus" AND
disable "require regdb signature."  However, according to the help
section, doing the former is not recommended:

"You should disable this option unless you are both capable and willing
to ensure your system will remain regulatory compliant with the features
available under this option."

There might be some features of the kernel that you may not require.
For instance, I don't need the "Wireless" stuff in the kernel
so I'm OK to build the kernel without OpenSSL, but as Bruce said, it
might just be easier to put OpenSSL in the LFS book and be done with it!

Incidentally if anyone's interested, here's an interesting discussion
about this very topic:

https://patchwork.kernel.org/patch/10172165/

Regards,

Ryan

--
Ryan Marsaw
rmar...@personainternet.com
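
The select chain traced in the message above can be checked against a `.config` before starting a build. This is an added example, not part of the original thread: the function names are hypothetical, the two sample fragments are constructed, and `CONFIG_CFG80211_CERTIFICATION_ONUS` is the symbol name assumed for the "cfg80211 certification onus" prompt.

```shell
#!/bin/sh
# Select chain traced in the thread:
#   MODULE_SIG or CFG80211_REQUIRE_SIGNED_REGDB -> SYSTEM_DATA_VERIFICATION
#   -> SYSTEM_TRUSTED_KEYRING -> scripts/extract-cert.c (openssl/bio.h)

# is_set FILE SYMBOL: succeeds when FILE contains CONFIG_<SYMBOL>=y.
is_set() { grep -q "^CONFIG_$2=y\$" "$1"; }

# openssl_selectors FILE: print each selector from the thread that is =y.
openssl_selectors() {
    for sym in MODULE_SIG CFG80211_REQUIRE_SIGNED_REGDB; do
        if is_set "$1" "$sym"; then printf '%s\n' "$sym"; fi
    done
}

# needs_openssl FILE: succeeds when the trusted keyring is enabled.
needs_openssl() { is_set "$1" SYSTEM_TRUSTED_KEYRING; }

# explain FILE: one-line verdict for a human reader.
explain() {
    if needs_openssl "$1"; then
        echo "OpenSSL headers needed; selected via: $(openssl_selectors "$1" | paste -s -d ' ' -)"
    else
        echo "SYSTEM_TRUSTED_KEYRING is off; no OpenSSL dependency from this chain"
    fi
}

# Constructed fragments (not real configs): the 4.15 result and the workaround.
sample_415_oldconfig() {
    cat <<'EOF'
# CONFIG_MODULE_SIG is not set
# CONFIG_CFG80211_CERTIFICATION_ONUS is not set
CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
EOF
}
sample_415_workaround() {
    cat <<'EOF'
# CONFIG_MODULE_SIG is not set
CONFIG_CFG80211_CERTIFICATION_ONUS=y
# CONFIG_CFG80211_REQUIRE_SIGNED_REGDB is not set
# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
EOF
}

# Stand-alone use: check the given file, or ./.config when present.
cfg=${1:-.config}
if [ -f "$cfg" ]; then explain "$cfg"; fi
```

Run it from the kernel source directory after `make oldconfig` to see whether the build will need the OpenSSL headers.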