Ken Moffat wrote:
On Tue, Feb 06, 2018 at 07:06:22PM -0500, Ryan Marsaw wrote:
On Tue, 6 Feb 2018, hykw...@sina.com wrote:

On Mon, 5 Feb 2018, hykw...@sina.com wrote:
I got the following message when I built the Linux kernel 4.15:

fatal error: openssl/bio.h: No such file or directory
[...]
OK. I believe I've figured this out.

I spent quite a bit of time researching this today, mostly to satisfy my
own curiosity, but also to determine whether or not OpenSSL would
actually need to be built in LFS in order to satisfy the changes from
Linux 4.14 to Linux 4.15.

After going through the various kernel options from both the 4.14 and
4.15 kernels, here's what I discovered:

The underlying kernel option that's giving the error

"fatal error: openssl/bio.h: No such file or directory"

is traced to the kernel symbol
SYSTEM_TRUSTED_KEYRING which is located at:

-*- Cryptographic API  --->
       Certificates for signature checking  --->
          -*- Provide system-wide ring of trusted keys

In a stock Linux-4.14.7, "Provide system-wide ring of trusted keys"
cannot actually be seen, because it doesn't satisfy all the criteria to
make it visible.

A search for the kernel symbol SYSTEM_TRUSTED_KEYRING
shows me the following:
[...]
Selected by: SYSTEM_DATA_VERIFICATION [=n] || [...]

and a search for the symbol SYSTEM_DATA_VERIFICATION
shows me the following:
[...]
Selected by: MODULE_SIG [=n] && MODULES [=y]

So, unless a user wants to sign his modules ( i.e.
[*] Enable loadable module support  --->
       [*]   Module signature verification ) then

SYSTEM_DATA_VERIFICATION will never be set, and therefore neither will
SYSTEM_TRUSTED_KEYRING, and without SYSTEM_TRUSTED_KEYRING set, there's
no build error.

Next I searched for the symbol SYSTEM_DATA_VERIFICATION in the
Linux-4.15 kernel and saw this:
[...]
Selected by: MODULE_SIG [=n] && MODULES [=y] ||
                   CFG80211_REQUIRE_SIGNED_REGDB [=y] [...]

OK.  A new symbol.  I couldn't find it at first, but after doing a
General setup  --->
    [*] Configure standard kernel features (expert users)

I could see it under:

[*] Networking support  --->
    -*-   Wireless  --->
       [*]   cfg80211 certification onus
             [*]   require regdb signature (NEW)

What's weird is that even though "cfg80211 certification onus" is not
enabled in a stock Linux 4.15 kernel, the sub-option
"require regdb signature" does indeed appear to be enabled,
and that can be verified by searching for the kernel module
SYSTEM_DATA_VERIFICATION and it clearly shows:

"Selected by: [...] CFG80211_REQUIRE_SIGNED_REGDB [=y] [...]"

when really, it shouldn't be enabled, as its "parent option" is not
enabled!  I would have assumed that any disabled kernel option would
automatically disable all options beneath it.

Therefore, because CFG80211_REQUIRE_SIGNED_REGDB is set, so will
SYSTEM_DATA_VERIFICATION and then SYSTEM_TRUSTED_KEYRING is set,
resulting in a build error.

Anyway, based on my tests, the only way that I could build Linux 4.15
without using OpenSSL was to enable "cfg80211 certification onus" AND
disable "require regdb signature."  However, according to the help
section, doing the former is not recommended:

"You should disable this option unless you are both capable and willing
to ensure your system will remain regulatory compliant with the features
available under this option."

There might be some features of the kernel that you may not require.
For instance, I don't need the "Wireless" stuff in the kernel
so I'm OK to build the kernel without OpenSSL, but as Bruce said, it
might just be easier to put OpenSSL in the LFS book and be done with it!

Incidentally if anyone's interested, here's an interesting discussion
about this very topic:

https://patchwork.kernel.org/patch/10172165/

Regards,

Ryan

Thanks for the investigation - on one of my machines the first
kernel I built in chroot (before any of BLFS) was 4.15.0-rc4 on 22nd
December, so the dependency seems to have sneaked in after that (to fix
wireless regulatory problems, according to that link).

Bad news for those of us with machines which do not have wireless
connections :-(

I do build openssl before I boot, but adding it seems like a
sledgehammer to crack a kernel config problem.

I agree.  I read the link above and the patch was rejected, but I also found:

https://cateee.net/lkddb/web-lkddb/CFG80211_CERTIFICATION_ONUS.html

It says:

"You should disable this option unless you are both capable and willing to ensure your system will remain regulatory compliant with the features available under this option. "


I think it should be disabled for LFS users and it is disabled by default.

The "option" CFG80211_REQUIRE_SIGNED_REGDB seems to be the problem.

Turning it off is difficult.  It requires enabling CONFIG_EXPERT:

General setup  --->
 Configure standard kernel features (expert users)

But that also says: "Only use this if you really know what you are doing."

It also turns on a lot of options we do not want, e.g. Kernel debugging which we can't otherwise turn off.

The only options I can see for us are to either:

sed -e '/regdb signature/{N;s/y/CFG80211_CERTIFICATION_ONUS/}' \
    -i net/wireless/Kconfig

before menuconfig OR

sed -e '/REQUIRE_SIGNED_REGDB/s/y/n/' \
    -i .config

after menuconfig


Not tested.


  -- Bruce
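
An added example, not part of any of the posts above: a shell check that reads a kernel .config and reports which of the selectors named in this thread have switched on SYSTEM_TRUSTED_KEYRING. The function names are hypothetical and the sample .config is constructed to match the 4.15 state Ryan describes.

```shell
#!/bin/sh
# Added example (not from the thread): find which symbols named in the
# thread make a kernel .config require the OpenSSL headers at build time.

# Print y, m or n for CONFIG_<symbol> ($2) in the .config file ($1).
# A disabled symbol appears as "# CONFIG_X is not set" or not at all.
kconfig_state() {
    val=$(sed -n "s/^CONFIG_$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Print the enabled selectors of SYSTEM_DATA_VERIFICATION that the thread
# names (the "[...]" entries elided in the thread are not checked).
openssl_selectors() {
    out=
    if [ "$(kconfig_state "$1" MODULES)" = y ] &&
       [ "$(kconfig_state "$1" MODULE_SIG)" = y ]; then
        out=MODULE_SIG
    fi
    if [ "$(kconfig_state "$1" CFG80211_REQUIRE_SIGNED_REGDB)" = y ]; then
        out="${out:+$out }CFG80211_REQUIRE_SIGNED_REGDB"
    fi
    printf '%s\n' "$out"
}

# Succeed when SYSTEM_TRUSTED_KEYRING is set; the thread traces the
# openssl/bio.h build error to this symbol.
needs_openssl() {
    [ "$(kconfig_state "$1" SYSTEM_TRUSTED_KEYRING)" = y ]
}

# Constructed sample: the 4.15 state described in the thread.
sample_config() {
    cat > "$1" <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
CONFIG_CFG80211=y
# CONFIG_CFG80211_CERTIFICATION_ONUS is not set
CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
EOF
}

cfg=$(mktemp)
sample_config "$cfg"
if needs_openssl "$cfg"; then
    echo "OpenSSL headers needed; selected by: $(openssl_selectors "$cfg")"
fi
rm -f "$cfg"
```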