On Tue, Feb 06, 2018 at 07:06:22PM -0500, Ryan Marsaw wrote:
> On Tue, 6 Feb 2018, [email protected] wrote:
> 
> > > On Mon, 5 Feb 2018, [email protected] wrote:
> > > > I got the following message when I built the Linux kernel 4.15:
> > > > 
> > > > fatal error: openssl/bio.h: No such file or directory
[...]
> OK. I believe I've figured this out.
> 
> I spent quite a bit of time researching this today, mostly to satisfy my
> own curiosity, but also to determine whether or not OpenSSL would
> actually need to be built in LFS in order to satisfy the changes from
> Linux 4.14 to Linux 4.15.
> 
> After going through the various kernel options from both the 4.14 and
> 4.15 kernels, here's what I discovered:
> 
> The underlying kernel option that's giving the error
> 
> "fatal error: openssl/bio.h: No such file or directory"
> 
> is traced to the kernel symbol
> SYSTEM_TRUSTED_KEYRING which is located at:
> 
> -*- Cryptographic API  --->
>       Certificates for signature checking  --->
>          -*- Provide system-wide ring of trusted keys
> 
> In a stock Linux-4.14.7, "Provide system-wide ring of trusted keys"
> cannot actually be seen, because it doesn't satisfy all the criteria to
> make it visible.
> 
> A search for the kernel symbol SYSTEM_TRUSTED_KEYRING
> shows me the following:
> [...]
> Selected by: SYSTEM_DATA_VERIFICATION [=n] || [...]
> 
> and a search for the symbol SYSTEM_DATA_VERIFICATION
> shows me the following:
> [...]
> Selected by: MODULE_SIG [=n] && MODULES [=y]
> 
> So, unless a user wants to sign his modules ( i.e.
> [*] Enable loadable module support  --->
>       [*]   Module signature verification ) then
> 
> SYSTEM_DATA_VERIFICATION will never be set, and therefore neither will
> SYSTEM_TRUSTED_KEYRING, and without SYSTEM_TRUSTED_KEYRING set, there's
> no build error.
> 
> Next I searched for the symbol SYSTEM_DATA_VERIFICATION in the
> Linux-4.15 kernel and saw this:
> [...]
> Selected by: MODULE_SIG [=n] && MODULES [=y] ||
>                   CFG80211_REQUIRE_SIGNED_REGDB [=y] [...]
> 
> OK.  A new symbol.  I couldn't find it at first, but after doing a
> General setup  --->
>    [*] Configure standard kernel features (expert users)
> 
> I could see it under:
> 
> [*] Networking support  --->
>    -*-   Wireless  --->
>       [*]   cfg80211 certification onus
>             [*]   require regdb signature (NEW)
> 
> What's weird is that even though "cfg80211 certification onus" is not
> enabled in a stock Linux 4.15 kernel, the sub-option
> "require regdb signature" does indeed appear to be enabled,
> and that can be verified by searching for the kernel module
> SYSTEM_DATA_VERIFICATION and it clearly shows:
> 
> "Selected by: [...] CFG80211_REQUIRE_SIGNED_REGDB [=y] [...]"
> 
> when really, it shouldn't be enabled, as its "parent option" is not
> enabled!  I would have assumed that any disabled kernel option would
> automatically disable all options beneath it.
> 
> Therefore, because CFG80211_REQUIRE_SIGNED_REGDB is set, so will
> SYSTEM_DATA_VERIFICATION and then SYSTEM_TRUSTED_KEYRING is set,
> resulting in a build error.
> 
> Anyway, based on my tests, the only way that I could build Linux 4.15
> without using OpenSSL was to enable "cfg80211 certification onus" AND
> disable "require regdb signature."  However, according to the help
> section, doing the former is not recommended:
> 
> "You should disable this option unless you are both capable and willing
> to ensure your system will remain regulatory compliant with the features
> available under this option."
> 
> There might be some features of the kernel that you may not require.
> For instance, I don't need the "Wireless" stuff in the kernel
> so I'm OK to build the kernel without OpenSSL, but as Bruce said, it
> might just be easier to put OpenSSL in the LFS book and be done with it!
> 
> Incidentally if anyone's interested, here's an interesting discussion
> about this very topic:
> 
> https://patchwork.kernel.org/patch/10172165/
> 
> Regards,
> 
> Ryan
> 
Thanks for the investigation - on one of my machines the first
kernel I built in chroot (before any of BLFS) was 4.15.0-rc4 on 22nd
December, so the dependency seems to have sneaked in after that (to fix
wireless regulatory problems, according to that link).

Bad news for those of us with machines which do not have wireless
connections :-(

I do build openssl before I boot, but adding it seems like a
sledgehammer to crack a kernel config problem.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
                                     - Unseen Academicals
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
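
The select chain traced in the message above can be checked against a kernel `.config` before building. This is an added example, not part of the original thread: the function names are hypothetical, the sample configs are constructed, and `CONFIG_CFG80211_CERTIFICATION_ONUS` is assumed to be the symbol behind "cfg80211 certification onus".

```shell
# is_set FILE SYMBOL: succeeds when CONFIG_SYMBOL=y is present in FILE.
is_set() { grep -q "^CONFIG_$2=y\$" "$1"; }

# needs_openssl FILE: prints "yes" when SYSTEM_TRUSTED_KEYRING is enabled.
needs_openssl() { if is_set "$1" SYSTEM_TRUSTED_KEYRING; then echo yes; else echo no; fi; }

# keyring_selectors FILE: prints the enabled selectors named in the thread, or
# "none". MODULE_SIG only counts with MODULES; elided "[...]" ones are skipped.
keyring_selectors() {
    found=""
    if is_set "$1" MODULE_SIG && is_set "$1" MODULES; then
        found="$found MODULE_SIG"
    fi
    if is_set "$1" CFG80211_REQUIRE_SIGNED_REGDB; then
        found="$found CFG80211_REQUIRE_SIGNED_REGDB"
    fi
    echo "${found:-none}" | sed 's/^ //'
}

# Constructed sample: the 4.15 default state the thread describes.
sample_415_default() {
    cat <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
# CONFIG_CFG80211_CERTIFICATION_ONUS is not set
CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
EOF
}

# Constructed sample: the workaround from the thread.
sample_workaround() {
    cat <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
CONFIG_CFG80211_CERTIFICATION_ONUS=y
# CONFIG_CFG80211_REQUIRE_SIGNED_REGDB is not set
EOF
}

tmp=$(mktemp -d)
sample_415_default > "$tmp/default.config"
sample_workaround > "$tmp/workaround.config"
for f in "$tmp"/*.config; do
    echo "${f##*/}: openssl=$(needs_openssl "$f") via $(keyring_selectors "$f")"
done
rm -rf "$tmp"
```

Pointing `needs_openssl` and `keyring_selectors` at a real `.config` shows whether module signing or the regdb signature option is what enables the trusted keyring.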