Building and installing an saref capable klips version for ubuntu precise
This guide documents the patching and packaging process of an official Ubuntu kernel, including custom patches for SAref support. The base kernel version is from Ubuntu Precise 12.04 LTS.
Prerequisites
apt-get install fakeroot build-essential crash kexec-tools makedumpfile kernel-wedge libncurses5 libncurses5-dev libelf-dev asciidoc binutils-dev git
For the kernel compilation:
apt-get build-dep --no-install-recommends linux-image-$(uname -r)
For the IPsec deb package:
apt-get install module-assistant
export BUILD_ROOT="/vol/kernel-ubuntu-saref/ubuntu-precise"
mkdir -p $BUILD_ROOT && cd $BUILD_ROOT
Only run this for the first time
git clone git://kernel.ubuntu.com/ubuntu/ubuntu-precise.git .
Otherwise just update the tree
git reset --hard
git clean -xdf
git checkout master
If building a SAref kernel only (no OCF)
git branch -D saref
or if building a SAref+OCF kernel
git branch -D saref+ocf
Note: if this is your first time preparing the tree (right after the git clone in the steps above), it is not necessary to run the git branch delete ("-D") command.
Especially for those new to git: if you do run it in that situation, it is normal to get an error message such as, respectively:
error: branch 'saref' not found.
error: branch 'saref+ocf' not found.
Regardless of whether you chose saref only or saref+ocf, continue with these git pull and fetch commands:
git pull
git fetch -t
Branch from the latest stable version published by Ubuntu (to see the available ones, look in debian.master/changelog) into a SAref branch.
The tag to branch from is usually the latest entry in debian.master/changelog that is not UNRELEASED. It must be of the form 3.2.0-XX.XX to be an official Ubuntu kernel.
If building a SAref kernel only (no OCF)
git checkout Ubuntu-3.2.0-33.52 -b saref
or if building a SAref+OCF kernel
git checkout Ubuntu-3.2.0-33.52 -b saref+ocf
Note: If building an Ubuntu kernel older than 3.2.0-36.56, use the “-pre-0c9f79be295c99ac7e4b569ca493d75fdcc19e4e” flavor of the patches which are also available on the HTTP server.
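Picking the tag by eye from debian.master/changelog is error-prone because the newest entry is often still UNRELEASED. The script below is an added example (it is not part of this page or of the Openswan project) that reads the changelog, skips UNRELEASED entries, refuses versions that are not of the official 3.2.0-XX.XX form, and prints the Ubuntu-3.2.0-XX.XX tag to pass to git checkout. The embedded changelog text is constructed sample data, not a real Ubuntu changelog.

```shell
#!/bin/sh
# Added example, not part of the Openswan wiki page: derive the tag to branch
# from (Ubuntu-3.2.0-XX.XX) from debian.master/changelog instead of reading it
# by hand. The newest changelog entry is often still UNRELEASED; we want the
# first one that is not, and it has to be an official 3.2.0-XX.XX version.

# Constructed sample of the top of a debian.master/changelog (not a real one).
SAMPLE_CHANGELOG='linux (3.2.0-34.53) UNRELEASED; urgency=low

  * work in progress

 -- Kernel Team <kernel@example.com>  Mon, 26 Nov 2012 10:00:00 +0000

linux (3.2.0-33.52) precise-proposed; urgency=low

  * release tracking bug

 -- Kernel Team <kernel@example.com>  Tue, 20 Nov 2012 09:00:00 +0000

linux (3.2.0-32.51) precise; urgency=low

  * an older release

 -- Kernel Team <kernel@example.com>  Mon, 05 Nov 2012 09:00:00 +0000'

# Read a changelog on stdin and print the version of the first entry whose
# distribution is not UNRELEASED. Entry headers look like:
#   linux (3.2.0-33.52) precise; urgency=low
latest_released_version() {
    awk '/^linux \(/ {
             dist = $3; sub(/;$/, "", dist)
             if (dist != "UNRELEASED") {
                 ver = $2; gsub(/[()]/, "", ver)
                 print ver; exit
             }
         }'
}

# True if VERSION is an official Ubuntu Precise kernel version (3.2.0-XX.XX),
# i.e. not something already carrying a local suffix such as saref1.
is_official_version() {
    printf '%s\n' "$1" | grep -Eq '^3\.2\.0-[0-9]+\.[0-9]+$'
}

# Git tag Ubuntu publishes for a given version.
tag_for_version() { printf 'Ubuntu-%s\n' "$1"; }

# Usage: saref_branch_tag debian.master/changelog  -> Ubuntu-3.2.0-33.52
saref_branch_tag() {
    ver=$(latest_released_version < "$1") || return 1
    [ -n "$ver" ] || { echo "$1: no released entry found" >&2; return 1; }
    is_official_version "$ver" ||
        { echo "$1: $ver is not an official 3.2.0-XX.XX version" >&2; return 1; }
    tag_for_version "$ver"
}

# Then: git checkout "$(saref_branch_tag debian.master/changelog)" -b saref
if [ -f debian.master/changelog ]; then
    saref_branch_tag debian.master/changelog
else
    printf '%s\n' "$SAMPLE_CHANGELOG" | latest_released_version
fi
```

Run it from $BUILD_ROOT; if the top entry is the only one and is UNRELEASED, or the version carries a suffix, it exits non-zero instead of handing git a tag that does not exist.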
cd /tmp/
wget https://download.openswan.org/openswan/patches/3.2.0/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch
wget https://download.openswan.org/openswan/patches/3.2.0/0002-SAREF-implement-IP_IPSEC_BINDREF.patch
The above 2 patches should be included in OpenSwan 2.6.39 and later.
Apply first patch
cd $BUILD_ROOT
patch -p1 < /tmp/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch
Commit changes
git commit -a -m "SAref patch 0001 applied"
Apply second patch
patch -p1 < /tmp/0002-SAREF-implement-IP_IPSEC_BINDREF.patch
Commit changes
git commit -a -m "SAref patch 0002 applied"
Edit the file net/Makefile to include KLIPS
sed -i '/^obj-$(CONFIG_XFRM).*xfrm\/$/ aobj-$(CONFIG_KLIPS)\t\t+= ipsec\/' net/Makefile
Commit changes
git commit -a -m "Fix net/Makefile to include KLIPS"
Enable CONFIG_KLIPS
cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_KLIPS=m
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_ENC_CRYPTOAPI=n
CONFIG_KLIPS_IPCOMP=y
CONFIG_KLIPS_DEBUG=y
CONFIG_KLIPS_IF_MAX=64
CONFIG_INET_IPSEC_SAREF=y
EOF
Commit changes
git commit -a -m "Enable module support for KLIPS"
Apply first OCF patch
wget -O ocf-linux-20110720.tar.gz http://sourceforge.net/projects/ocf-linux/files/ocf-linux/20110720/ocf-linux-20110720.tar.gz/download
tar zxvf ocf-linux-20110720.tar.gz
patch -p1 -s < ocf-linux-20110720/patches/linux-2.6.33-ocf.patch
cp -a ocf-linux-20110720/ocf crypto/
Commit changes
git add crypto/ocf/
git commit -a -m "OCF patch applied"
Enable CONFIG_OCF_OCF
cd $BUILD_ROOT
cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_OCF_OCF=y
EOF
Commit changes
git commit -a -m "Enable builtin support for OCF"
Enable CONFIG_KLIPS_OCF
cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_KLIPS_OCF=y
EOF
Commit changes
git commit -a -m "Enable OCF support in KLIPS"
Enable CRYPTOAPI
sed -i 's/^CONFIG_KLIPS_ENC_CRYPTOAPI=.*/CONFIG_KLIPS_ENC_CRYPTOAPI=y/' debian.master/config/config.common.ubuntu debian.master/config/config.common.ports
Commit changes
git commit -a -m "Enable CRYPTOAPI support in KLIPS"
Enable some OCF driver modules:
cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_OCF_RANDOMHARVEST=y
CONFIG_OCF_FIPS=y
CONFIG_OCF_CRYPTODEV=m
CONFIG_OCF_CRYPTOSOFT=m
CONFIG_OCF_SAFE=m
CONFIG_OCF_IXP4XX=n
CONFIG_OCF_IXP4XX_SHA1_MD5=n
CONFIG_OCF_HIFN=n
CONFIG_OCF_HIFNHIPP=n
CONFIG_OCF_TALITOS=n
CONFIG_OCF_EP80579=m
CONFIG_OCF_CRYPTOCTEON=n
CONFIG_OCF_KIRKWOOD=n
CONFIG_OCF_C7108=n
CONFIG_OCF_UBSEC_SSB=n
CONFIG_OCF_OCFNULL=m
CONFIG_OCF_BENCH=m
EOF
Note: CONFIG_OCF_C7108, CONFIG_OCF_IXP4XX, CONFIG_OCF_KIRKWOOD, CONFIG_OCF_HIFN, CONFIG_OCF_TALITOS and CONFIG_OCF_CRYPTOCTEON are known to fail to build.
Commit changes
git commit -a -m "Enable some OCF driver modules"
Check for possible misconfiguration:
Note: check debian.master/config/config.common.ubuntu and debian.master/config/config.common.ports for duplicate entries. Watch out for CONFIG_KLIPS_ENC_CRYPTOAPI: it must be =y for OCF builds and =n otherwise.
for f in debian.master/config/config.common.ubuntu debian.master/config/config.common.ports ; do
    cut -d= -f1 $f | grep -v "^#$" | sort | uniq -d
done
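The loop above only lists keys that occur twice in a file; it does not say whether the two occurrences disagree, and it does not check the CRYPTOAPI/OCF rule. The script below is an added example (not from this page or the Openswan project) that does both per file: it reports keys set to two different values (what you get after a second tee -a of CONFIG_KLIPS_ENC_CRYPTOAPI instead of the sed replacement), checks that CONFIG_KLIPS=m and CONFIG_INET_IPSEC_SAREF=y are present, and enforces CONFIG_KLIPS_ENC_CRYPTOAPI=y when CONFIG_KLIPS_OCF=y and =n otherwise. Run it on each config file separately, since config.common.ubuntu and config.common.ports legitimately differ on many unrelated options. The same script works on /boot/config-$(uname -r) after rebooting into the new kernel. The config fragments used in the usage note are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Openswan wiki page: a stricter check of the
# KLIPS/OCF options than the duplicate-key loop on the page. It reports a key set
# to two different values, verifies the options a SAref kernel must have, and
# enforces: CONFIG_KLIPS_ENC_CRYPTOAPI must be =y when CONFIG_KLIPS_OCF=y and =n
# otherwise. Works on debian.master/config/* before the build and on
# /boot/config-$(uname -r) after rebooting into the result.

# Print KEY=VALUE for each CONFIG_ line in FILE...; "# CONFIG_X is not set" is X=n.
config_pairs() {
    sed -n -e '/^CONFIG_[A-Za-z0-9_]*=/p' \
           -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1=n/p' "$@"
}

# Value of KEY in FILE; the last assignment wins, like the kernel's config tools.
config_get() {
    config_pairs "$1" | awk -v k="$2" \
        'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }'
}

# Keys set to more than one distinct value in FILE... (one key per line).
# LC_ALL=C keeps identical keys adjacent so uniq -d sees them.
config_conflicts() {
    config_pairs "$@" | LC_ALL=C sort -u | cut -d= -f1 | uniq -d
}

# CRYPTOAPI must be =y for OCF builds and =n otherwise.
check_cryptoapi_rule() {
    ocf=$(config_get "$1" CONFIG_KLIPS_OCF)
    api=$(config_get "$1" CONFIG_KLIPS_ENC_CRYPTOAPI)
    if [ "$ocf" = y ]; then want=y; else want=n; fi
    [ "$api" = "$want" ] && return 0
    echo "$1: CONFIG_KLIPS_ENC_CRYPTOAPI=${api:-unset} but CONFIG_KLIPS_OCF=${ocf:-unset} needs =$want" >&2
    return 1
}

# Everything a SAref-capable KLIPS kernel needs; returns 1 if anything is off.
check_klips_config() {
    rc=0
    for req in CONFIG_KLIPS=m CONFIG_INET_IPSEC_SAREF=y; do
        key=${req%%=*}; want=${req#*=}
        got=$(config_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$1: $key=${got:-unset}, expected $want" >&2
            rc=1
        fi
    done
    check_cryptoapi_rule "$1" || rc=1
    return $rc
}

# Usage: sh check-klips-config.sh debian.master/config/config.common.ubuntu \
#                                 debian.master/config/config.common.ports
#    or: sh check-klips-config.sh /boot/config-$(uname -r)
# Constructed sample fragment that passes for a SAref-only build:
#   CONFIG_KLIPS=m
#   CONFIG_KLIPS_ENC_CRYPTOAPI=n
#   CONFIG_INET_IPSEC_SAREF=y
if [ $# -gt 0 ]; then
    for f in "$@"; do
        check_klips_config "$f"
        dup=$(config_conflicts "$f")
        [ -z "$dup" ] || { echo "$f: keys with conflicting values: $dup" >&2; exit 1; }
    done
fi
```

A non-zero exit here before running debian/rules saves a multi-hour build that would otherwise produce a kernel without SAref or with KLIPS silently built against the wrong crypto backend.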
Add a new entry at the top of debian.master/changelog. For a SAref-only build it looks like this:

linux (3.2.0-33.52saref1) precise; urgency=low

  * SAref patches 0001 and 0002 applied
  * Modularized KLIPS

 -- Simon Deziel <simon@xelerance.com>  Tue, 20 Nov 2012 14:19:00 -0500

or like this for OCF enabled builds:

linux (3.2.0-33.52ocf+saref1) precise; urgency=low

  * SAref patches 0001 and 0002 applied
  * Modularized KLIPS
  * OCF patches applied
  * Enable OCF support in KLIPS
  * Enable some OCF drivers

 -- Simon Deziel <simon@xelerance.com>  Tue, 20 Nov 2012 14:19:00 -0500

Note: appending "saref1" (or "ocf+saref1") to the version number makes it sort higher than the official Ubuntu kernel with the same base version, so our kernel supersedes the official one instead of being replaced by it.
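The "supersedes" claim rests on how dpkg orders versions: once the numeric parts agree, a trailing "saref1" or "ocf+saref1" compares greater than the end of the string, while a suffix beginning with "~" compares lower and the stock kernel would win on the next upgrade. The script below is an added example (not from this page or the Openswan project) that builds the changelog entry from a base version and suffix, checks the ordering with dpkg --compare-versions when dpkg is available (falling back to the structural rule otherwise), and prepends the entry to the changelog. The maintainer name and e-mail are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the Openswan wiki page: write the new changelog
# entry and prove the version it carries sorts above the stock Ubuntu one.
# dpkg compares "33.52saref1" against "33.52" character by character once the
# numeric parts agree; a trailing "saref1" or "ocf+saref1" compares greater than
# the end of the string, so the package supersedes the official kernel. A suffix
# beginning with "~" sorts *lower* and would be replaced on the next upgrade, so
# it is rejected here. Maintainer name/e-mail used below are placeholders.

# The version to put in the changelog: BASE followed by SUFFIX, e.g.
#   saref_version 3.2.0-33.52 saref1      -> 3.2.0-33.52saref1
#   saref_version 3.2.0-33.52 ocf+saref1  -> 3.2.0-33.52ocf+saref1
saref_version() { printf '%s%s\n' "$1" "$2"; }

# True if NEW supersedes BASE. Ask dpkg when it is installed; otherwise apply
# the structural rule: NEW is BASE plus a non-empty suffix not starting with "~".
version_supersedes() {
    base=$1; new=$2
    if command -v dpkg >/dev/null 2>&1; then
        if dpkg --compare-versions "$new" gt "$base"; then return 0; else return 1; fi
    fi
    suffix=${new#"$base"}
    [ "$suffix" != "$new" ] || return 1         # NEW does not start with BASE
    case $suffix in ''|'~'*) return 1 ;; esac    # empty or "~..." does not sort higher
    return 0
}

# Print one Debian changelog entry. Args: VERSION DIST NAME EMAIL ITEM...
# The date is in the RFC 2822 form debian/changelog requires; LC_ALL=C keeps
# the day and month names in English regardless of the build host's locale.
make_changelog_entry() {
    version=$1; dist=$2; name=$3; email=$4; shift 4
    printf 'linux (%s) %s; urgency=low\n\n' "$version" "$dist"
    for item in "$@"; do printf '  * %s\n' "$item"; done
    printf '\n -- %s <%s>  %s\n\n' "$name" "$email" \
        "$(LC_ALL=C date '+%a, %d %b %Y %H:%M:%S %z')"
}

# Put the entry read on stdin at the top of FILE (newest entry first).
prepend_changelog() {
    tmp=$(mktemp) && cat - "$1" > "$tmp" && mv "$tmp" "$1"
}

# Usage (SAref-only build; use ocf+saref1 and the extra items for OCF builds):
#   BASE=3.2.0-33.52; NEW=$(saref_version "$BASE" saref1)
#   version_supersedes "$BASE" "$NEW" || exit 1
#   make_changelog_entry "$NEW" precise "Your Name" you@example.com \
#       "SAref patches 0001 and 0002 applied" "Modularized KLIPS" |
#       prepend_changelog debian.master/changelog
```

After prepending, `git diff debian.master/changelog` should show exactly one new entry above the Ubuntu one you branched from; the version in its header is what dpkg will print for the resulting linux-image package.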
Commit changes
git commit -m "Update changelog to supersede official Ubuntu kernel" debian.master/changelog
Start a screen as the following steps will take time
screen -S kernel-build
Compile the kernel (for amd64)
fakeroot debian/rules clean
skipabi=true skipmodule=true fakeroot debian/rules binary-indep
skipabi=true skipmodule=true fakeroot debian/rules binary-perarch
time skipabi=true skipmodule=true fakeroot debian/rules binary-generic
Note: skipmodule=true only skips the check for missing modules, according to https://wiki.ubuntu.com/KernelTeam/KernelMaintenance#Overriding%20module%20check%20failures
Compile the kernel (for i386)
fakeroot debian/rules clean
skipabi=true skipmodule=true fakeroot debian/rules binary-indep
skipabi=true skipmodule=true fakeroot debian/rules binary-perarch
time skipabi=true skipmodule=true fakeroot debian/rules binary-generic-pae
Note: it is also possible to build "binary-generic" (no PAE support), but this gives a less secure kernel: on 32-bit x86 the NX bit is only available with PAE page tables, so Ubuntu's 32-bit PAE kernels can mark data pages non-executable while non-PAE kernels cannot. Some VIA and Pentium M CPUs are known to lack PAE.
On amd64 systems
cd ..
dpkg -i linux-headers-3.2.0-33_3.2.0-33.52saref1_all.deb linux-headers-3.2.0-33-generic_3.2.0-33.52saref1_amd64.deb linux-image-3.2.0-33-generic_3.2.0-33.52saref1_amd64.deb
On i386 systems
cd ..
dpkg -i linux-headers-3.2.0-33_3.2.0-33.52saref1_all.deb linux-headers-3.2.0-33-generic-pae_3.2.0-33.52saref1_i386.deb linux-image-3.2.0-33-generic-pae_3.2.0-33.52saref1_i386.deb
Test the new kernel by rebooting into it.
TODO: review and refresh if needed.
Important note: optionally, instead of building the "kmod" package individually, installing the dkms module package will build the kernel module automatically on your behalf (which is useful when the pre-made binary deb package from Xelerance for the version of Openswan you need is not readily available on the Xelerance HTTP server). Quoting LetoTo:
(dkms-module package is a method for shipping/recompiling kernel modules that work on custom kernels, as opposed to kmod- packages)
Linux kernels patched to accommodate SAref or SAref+OCF are "custom kernels". The advantage of dkms packages is that they can be installed on other (not just patched) kernels (as long as there is a compile environment with the requisite tools for compiling), whereas a kmod built on a customized kernel is specific to that customized kernel and not transportable to other kernels.
To build the dkms-package see this page in the Wiki:
Building_and_installing_DebianUbuntu_packages_from_source
or proceed with building the IPsec module deb “kmod” package …
Get the openswan-modules-source package from the HTTP server:
export RELEASE="2.6.33"
export DEBIAN_VER=$(echo $RELEASE | sed -e "s/\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\(.*\)/\1.\2.\3~\4/" -e "s/~$//")
cd /tmp && wget https://download.openswan.org/openswan/binaries/ubuntu/openswan-modules-source_${DEBIAN_VER}-1xelerance1_all.deb
dpkg -i /tmp/openswan-modules-source_${DEBIAN_VER}-1xelerance1_all.deb
Build the kmod package:
module-assistant prepare
module-assistant build openswan
The resulting package will be under /usr/src (the exact filename depends on your kernel and Openswan versions; the one below is only an example). Install it and load the ipsec module to test it:
dpkg -i /usr/src/openswan-modules-2.6.32-25-server_2.6.30~rc1-1xelerance1+2.6.32-25.44saref1_all.deb
modprobe ipsec && modinfo ipsec