Switch to using OBJ_obj2txt() to calculate and print the pkcs7
signature hash name. This eliminates the need to duplicate libcrypto
NID to name mapping, detect SM3 openssl compile-time support, and
enables using any hashes that openssl and kernel know about. For
example SHA3 are being added for v6.7 and with this patch are
automatically supported.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Link: https://lore.kernel.org/r/20231029010319.157390-1-dimitri.ledkov@canonical.com
Show distconfdir (where system configuration files are searched/to be
installed), sysconfdir (where user configuration files are searched),
module compressions, and module signatures supported.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Link: https://lore.kernel.org/r/468b3f572d3b84f25bb53ec8fcb15ed4871914d4.1689681454.git.msuchanek@suse.de
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
There is an ongoing effort to limit use of files outside of /usr (or
${prefix} in general). Currently all modprobe.d paths are hardcoded to
outside of $prefix. Teach kmod to load modprobe.d from ${prefix}/lib.
On some distributions /usr/lib and /lib are the same directory because
of a compatibility symlink, and it is possible to craft configuration
files with side effects that would behave differently when loaded twice.
However, the override semantic ensures that one 'overrides' the other,
and only one configuration file of the same name is loaded from any of
the search directories.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Link: https://lore.kernel.org/r/a290343ce32e2a3c25b134e4f27c13b26e06c9e0.1689681454.git.msuchanek@suse.de
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
Add liblzma_LIBS to LIBS to avoid the following build failure when
building with a static-only liblzma.a:
/home/autobuild/autobuild/instance-5/output-1/host/lib/gcc/xtensa-buildroot-linux-uclibc/11.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: libkmod/.libs/libkmod-internal.a(libkmod-file.o):(.text.xz_uncompress+0x10): undefined reference to `lzma_code'
For consistency, also update libzstd, zlib and libcrypto
Fixes:
- http://autobuild.buildroot.org/results/83a4a7ecc77f39639d3e5bc8554bd01a62a3ede0
References: https://github.com/kmod-project/kmod/pull/25
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
Replace the manual sed command, build rules and dist/clean for using
AC_CONFIG_FILES. It does the exact same thing, with an added bonus...
Currently we're missing version.py.in in the EXTRA_DIST. Thus a simple
"touch Makefile" should retrigger the regeneration of version.py. Which
would presumably fail, since the input file isn't in the distribution
tarball.
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
Instead of skipping tests if sysconfdir isn't /etc, just handle it
during the rootfs setup logic.
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Otherwise, an implicit function declaration is used, causing
a C99 compatibility issue.
Signed-off-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
I changed the style of the hackargs variable in autogen.sh to multiline
because said line was becoming a bit long with the new --with-zstd arg
added.
A previous version of this patch has been running on my two Arch Linux
installations (with an accompanying mkinitcpio patch) for several months
over many kernel updates without any issues.
Any additional testing and/or patch review would of course be appreciated.
Signed-off-by: Torge Matthies <openglfreak@googlemail.com>
In the previous build setup, libkmod.so would link to not just
libcrypto.so, but also libssl.so:
    $ readelf -d /lib/libkmod.so | grep NEEDED
     0x0000000000000001 (NEEDED) Shared library: [liblzma.so.5]
     0x0000000000000001 (NEEDED) Shared library: [libz.so.1]
     0x0000000000000001 (NEEDED) Shared library: [libssl.so.1.1]
     0x0000000000000001 (NEEDED) Shared library: [libcrypto.so.1.1]
     0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
We don't need any symbols from libssl, though. This patch ensures that
we pass 'libcrypto' to pkgconfig rather than 'openssl', getting only the
library that we need:
    $ readelf -d ./libkmod/.libs/libkmod.so.2.3.4 | grep NEEDED
     0x0000000000000001 (NEEDED) Shared library: [liblzma.so.5]
     0x0000000000000001 (NEEDED) Shared library: [libz.so.1]
     0x0000000000000001 (NEEDED) Shared library: [libcrypto.so.1.1]
     0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
The patch adds data fetching from the PKCS#7 certificate using
the openssl library (which is used by scripts/sign-file.c in the linux
kernel to sign modules).
In general the certificate can contain many signatures, but since
kmod (modinfo) supports only one signature at the moment, only the first
one is taken.
With the current sign-file.c, the certificate doesn't contain the signer
key's fingerprint, so "serial number" is used for the key id.
Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Not all the features (i.e. those available in --enable-* or --with-*)
are really relevant to the final user. Create a KMOD_FEATURES definition
in config.h containing these features.
Reviewed-by: Andreas Mohr <andim2@users.sf.net>
Now that we are able to build our own test modules, also allow to use
cached modules so a) kernel headers are not required and b) distro
maintainers are happy. It still needs a "--disable-test-modules" in
the configure since the default is enabled.
There are no license problems anymore since all modules come from our own
repository, we ship the sources and the modules can be easily rebuilt.
Drop-in replacement to libtool: http://dolt.freedesktop.org/. More
details: http://marc.info/?l=freedesktop-xorg&m=120791871615872&w=3
kmod is relatively fast to compile, so it doesn't matter much.
Nonetheless, less forks the better.
Compilation time using ./bootstrap-configure --disable-manpages and
make -j4:
libtool
    real 0m6.453s
    user 0m21.067s
    sys 0m0.773s
dolt
    real 0m4.792s
    user 0m15.920s
    sys 0m0.637s
Since we pass -std=gnu99 to the compiler __STDC_VERSION__ is defined to
199901. Even in this case we can use _Noreturn. Delegate the testing to
the configure phase with a compile test.
In future we want to stop using AC_PROG_CC_99 and start using the new
AC_PROG_CC from autoconf 2.70, which tries to choose the most recent
standard.
- There's no need for the various AC_PROG_CC* macros
- No need for AC_C_BIGENDIAN: the only place we care about endianness,
we use __BYTE_ORDER
- Organize calls to be in similar order as systemd
- Disable --disable-largefile. We already had possible bugs in the
index implementation if this were passed. It's now fixed, but it's
never tested. Disable it.
- Bump autoconf requirement to 2.64
Use _builtin_uaddll_overflow/_builtin_uaddl_overflow when available,
abstracting the type to use it with uint64_t.
Otherwise fallback to the implementation as added in 67466f2 ("Prevent
offset + size overflow.").
This also adds the tests for this new helper in the testsuite.
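
An added example, not code from kmod or from the commit above: an overflow-checked 64-bit addition that uses the compiler builtin when it is available and a portable fallback otherwise, applied to the offset + size bounds check the commit message refers to. All function names are hypothetical and the input is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Portable fallback: a + b wraps exactly when b > UINT64_MAX - a. */
static inline bool add_u64_portable(uint64_t a, uint64_t b, uint64_t *res)
{
	*res = a + b;               /* unsigned wrap-around is well defined */
	return UINT64_MAX - a < b;  /* true means the sum overflowed */
}

/* Uses the compiler builtin when present, otherwise the fallback above.
 * Assumption: unsigned long long is 64 bits wide (checked at compile time). */
static inline bool add_u64_checked(uint64_t a, uint64_t b, uint64_t *res)
{
#if defined(__clang__) || (defined(__GNUC__) && __GNUC__ >= 5)
	_Static_assert(sizeof(unsigned long long) == sizeof(uint64_t), "ull != 64 bit");
	unsigned long long tmp;
	bool overflow = __builtin_uaddll_overflow(a, b, &tmp);
	*res = tmp;
	return overflow;
#else
	return add_u64_portable(a, b, res);
#endif
}

/* Unchecked form: offset + size can wrap and still pass the comparison. */
static inline bool range_ok_naive(uint64_t offset, uint64_t size, uint64_t file_size)
{
	return offset + size <= file_size;
}

/* Checked form: reject the range as soon as the addition overflows. */
static inline bool range_ok_checked(uint64_t offset, uint64_t size, uint64_t file_size)
{
	uint64_t end;
	if (add_u64_checked(offset, size, &end))
		return false;
	return end <= file_size;
}

int main(void)
{
	/* Constructed input: a header field claiming an offset near 2^64. */
	uint64_t offset = UINT64_MAX - 1, size = 4, file_size = 4096;
	printf("naive=%d checked=%d\n", range_ok_naive(offset, size, file_size),
	       range_ok_checked(offset, size, file_size));
	return 0;
}
```
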
This reverts commit 27bcc9111b.
Let the distro decide about this flag. It's relatively recent and
doesn't work well with gcc 4.[678] making the testsuite fail.
The -fdiagnostics-color flag is only available on GCC >= 4.9, for
older versions this could raise an error in certain circumstances
(such as when using ccache). Instead, since -fdiagnostics-color=auto
by default in gcc-4.9, simply set the required environment variable
to the default one if it's undefined.
Based mostly on the systemd commit f44541bc by Michal Schmidt.
Older systems may not have the be32toh function defined. Check for this
and fall back to checking the endianness and calling bswap_32 directly
if needed. This works on both old and new systems.
[Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>:
address comments raised by Lucas De Marchi [1], update commit message]
[1] http://www.spinics.net/lists/linux-modules/msg01129.html
Add --enable-python configure switch so we build the python bindings. We
also pass version.py through SED_PROCESS macro, so the version is kept
in sync with kmod.
Acked-by: Andy Grover <agrover@redhat.com>
With -Wstrict-aliasing=2 we get the following warning:
    libkmod/libkmod-signature.c:124:20: note: in expansion of macro 'get_unaligned'
    sig_len = be32toh(get_unaligned(&modsig->sig_len));
However there's nothing wrong with it. modsig->sig_len is uint32_t and
get_unaligned in this case returns uint32_t. There's no strict aliasing
violation.