
Ubuntu Precise Kernel patching and packaging

This guide documents the patching and packaging process of an official Ubuntu kernel including custom patches for SAref support. The base kernel version is from Ubuntu Lucid 10.04 LTS.

Prerequisites

Install the "build" dependencies


apt-get install fakeroot build-essential crash kexec-tools makedumpfile kernel-wedge libncurses5 libncurses5-dev libelf-dev asciidoc binutils-dev git

Install the "kernel and/or kernel module" build dependencies


For the kernel compilation :
apt-get build-dep --no-install-recommends linux-image-$(uname -r)

For the IPsec deb package :


apt-get install module-assistant

Get the kernel sources


export BUILD_ROOT="/vol/kernel-ubuntu-saref/ubuntu-precise"
mkdir -p $BUILD_ROOT && cd $BUILD_ROOT

Only run this for the first time


git clone git://kernel.ubuntu.com/ubuntu/ubuntu-precise.git .

Otherwise just update the tree


git reset --hard
git clean -xdf
git checkout master

If building a SAref kernel only (no OCF)


git branch -D saref

or if building a SAref+OCF kernel


git branch -D saref+ocf

Note: If this is your first time preparing the tree (right after the git clone step above), it is not necessary to run the git branch delete ("-D") command. If you do run it in that situation, it is normal to get an error message such as, respectively:
error: branch 'saref' not found.
error: branch 'saref+ocf' not found.

Regardless of whether you chose saref only or saref+ocf, continue with these git pull and fetch commands:
git pull
git fetch -t

Get the latest official Ubuntu kernel


Branch from the latest stable version published by Ubuntu into a SAref branch (to see the available versions, look in debian.master/changelog). The tag to branch from is usually the latest entry in debian.master/changelog that is not UNRELEASED. This must be 3.2.0-XX.XX to be an official Ubuntu kernel.

If building a SAref kernel only (no OCF)
git checkout Ubuntu-3.2.0-33.52 -b saref

or if building a SAref+OCF kernel


git checkout Ubuntu-3.2.0-33.52 -b saref+ocf

Obtain SAref patches from OpenSwan FTP


cd /tmp/
wget ftp://ftp.openswan.org/openswan/patches/3.2.0/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch
wget ftp://ftp.openswan.org/openswan/patches/3.2.0/0002-SAREF-implement-IP_IPSEC_BINDREF.patch

The above 2 patches should be included in OpenSwan 2.6.39 and later.

Apply first patch
cd $BUILD_ROOT
patch -p1 < /tmp/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch

Commit changes
git commit -a -m "SAref patch 0001 applied"

Apply second patch


patch -p1 < /tmp/0002-SAREF-implement-IP_IPSEC_BINDREF.patch

Commit changes
git commit -a -m "SAref patch 0002 applied"

Edit the file net/Makefile to include KLIPS


sed -i '/^obj-$(CONFIG_XFRM).*xfrm\/$/ aobj-$(CONFIG_KLIPS)\t\t+= ipsec\/' net/Makefile

Commit changes
git commit -a -m "Fix net/Makefile to include KLIPS"

Enable CONFIG_KLIPS
cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_KLIPS=m
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_ENC_CRYPTOAPI=n
CONFIG_KLIPS_IPCOMP=y
CONFIG_KLIPS_DEBUG=y
CONFIG_KLIPS_IF_MAX=64
CONFIG_INET_IPSEC_SAREF=y
EOF

Commit changes
git commit -a -m "Enable module support for KLIPS"

Obtain the OCF patch (optional and untested on Precise)


Apply first OCF patch
wget -O ocf-linux-20110720.tar.gz http://sourceforge.net/projects/ocf-linux/files/ocf-linux/20110720/ocf-linux-20110720.tar.gz/download
tar zxvf ocf-linux-20110720.tar.gz
patch -p1 -s < ocf-linux-20110720/patches/linux-2.6.33-ocf.patch
cp -a ocf-linux-20110720/ocf crypto/

Commit changes
git add crypto/ocf/
git commit -a -m "OCF patch applied"

Enable CONFIG_OCF_OCF
cd $BUILD_ROOT
cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_OCF_OCF=y
EOF

Commit changes
git commit -a -m "Enable builtin support for OCF"

Enable CONFIG_KLIPS_OCF
cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_KLIPS_OCF=y
EOF

Commit changes
git commit -a -m "Enable OCF support in KLIPS"

Enable CRYPTOAPI
sed -i 's/^CONFIG_KLIPS_ENC_CRYPTOAPI=.*/CONFIG_KLIPS_ENC_CRYPTOAPI=y/' debian.master/config/config.common.ubuntu debian.master/config/config.common.ports

Commit changes
git commit -a -m "Enable CRYPTOAPI support in KLIPS"

Enable some OCF driver modules :


cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports
CONFIG_OCF_RANDOMHARVEST=y
CONFIG_OCF_FIPS=y
CONFIG_OCF_CRYPTODEV=m
CONFIG_OCF_CRYPTOSOFT=m
CONFIG_OCF_SAFE=m
CONFIG_OCF_IXP4XX=n
CONFIG_OCF_IXP4XX_SHA1_MD5=n
CONFIG_OCF_HIFN=n
CONFIG_OCF_HIFNHIPP=n
CONFIG_OCF_TALITOS=n
CONFIG_OCF_EP80579=m
CONFIG_OCF_CRYPTOCTEON=n
CONFIG_OCF_KIRKWOOD=n
CONFIG_OCF_C7108=n
CONFIG_OCF_UBSEC_SSB=n
CONFIG_OCF_OCFNULL=m
CONFIG_OCF_BENCH=m
EOF

Note: CONFIG_OCF_C7108, CONFIG_OCF_IXP4XX, CONFIG_OCF_KIRKWOOD, CONFIG_OCF_HIFN, CONFIG_OCF_TALITOS and CONFIG_OCF_CRYPTOCTEON are known to fail to build.

Commit changes
git commit -a -m "Enable some OCF driver modules"

Check for possible misconfiguration :

Note: Check debian.master/config/config.common.ubuntu and debian.master/config/config.common.ports to identify possible duplicates. Watch out for cryptoapi as it must be =y for OCF and =n otherwise.

for f in debian.master/config/config.common.ubuntu debian.master/config/config.common.ports ; do cut -d= -f1 $f | grep -v "^#$" | sort | uniq -d ; done
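
The one-liner above only lists repeated keys. As an added example (not part of the original guide), the function below also reports whether the repeated entries disagree and whether CONFIG_KLIPS_ENC_CRYPTOAPI matches the build variant. The function names and the sample fragment are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint one kernel config fragment for the two problems the
# guide warns about. MODE is "saref" or "saref+ocf" (taken from the guide's
# branch names; the function itself is hypothetical).
check_klips_config() {
    file=$1
    case $2 in
        saref)     want=n ;;   # CRYPTOAPI must be =n without OCF
        saref+ocf) want=y ;;   # CRYPTOAPI must be =y with OCF
        *) echo "usage: check_klips_config FILE saref|saref+ocf" >&2; return 2 ;;
    esac
    awk -v want="$want" -v file="$file" '
        function note(key, val) {
            if (key in seen) {
                printf "%s: %s %s (line %d: %s, line %d: %s)\n", file,
                    (seen[key] == val ? "duplicate" : "conflict"), key,
                    line[key], seen[key], NR, val
                bad = 1
            }
            seen[key] = val; line[key] = NR
        }
        # "# CONFIG_X is not set" is the same setting as CONFIG_X=n
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { note($2, "n"); next }
        /^CONFIG_[A-Za-z0-9_]+=/ {
            i = index($0, "=")
            note(substr($0, 1, i - 1), substr($0, i + 1))
        }
        END {
            k = "CONFIG_KLIPS_ENC_CRYPTOAPI"
            if (!(k in seen)) { printf "%s: %s missing\n", file, k; bad = 1 }
            else if (seen[k] != want) {
                printf "%s: %s=%s, expected =%s\n", file, k, seen[k], want
                bad = 1
            }
            exit bad + 0
        }' "$file"
}

# Constructed sample fragment with a repeated key and a contradicted one.
make_sample() {
    printf '%s\n' 'CONFIG_XFRM=y' 'CONFIG_KLIPS=m' \
        'CONFIG_KLIPS_ENC_CRYPTOAPI=n' 'CONFIG_KLIPS_DEBUG=y' \
        'CONFIG_KLIPS=m' '# CONFIG_KLIPS_DEBUG is not set' > "$1"
}

sample=$(mktemp)
make_sample "$sample"
check_klips_config "$sample" saref+ocf || echo "fix the fragment before building"
rm -f "$sample"
```

Run it once per file (config.common.ubuntu and config.common.ports); a return status of 0 means no repeated keys and the expected CRYPTOAPI value.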

Update the changelog by editing debian.master/changelog to look like this :


linux (3.2.0-33.52saref1) precise; urgency=low

  * SAref patches 0001 and 0002 applied
  * Modularized KLIPS

 -- Simon Deziel <simon@xelerance.com>  Tue, 20 Nov 2012 14:19:00 -0500

or like this for OCF enabled builds :


linux (3.2.0-33.52ocf+saref1) precise; urgency=low

  * SAref patches 0001 and 0002 applied
  * Modularized KLIPS
  * OCF patches applied
  * Enable OCF support in KLIPS
  * Enable some OCF drivers

 -- Simon Deziel <simon@xelerance.com>  Tue, 20 Nov 2012 14:19:00 -0500

Note: appending "saref1" (or "ocf+saref1") to the version number makes sure that our kernel supersedes the official Ubuntu kernel with the same version number.

Commit changes
git commit -m "Update changelog to supersedes official Ubuntu kernel" debian.master/changelog

Compile the kernel


Start a screen as the following steps will take time
screen -S kernel-build

Compile the kernel (for amd64)


fakeroot debian/rules clean

skipabi=true skipmodule=true fakeroot debian/rules binary-indep
skipabi=true skipmodule=true fakeroot debian/rules binary-perarch
time skipabi=true skipmodule=true fakeroot debian/rules binary-generic

Note: According to https://wiki.ubuntu.com/KernelTeam/KernelMaintenance#Overriding%20module%20check%20failures skipmodule=true will only skip the check for missing modules.

Compile the kernel (for i386)
fakeroot debian/rules clean
skipabi=true skipmodule=true fakeroot debian/rules binary-indep
skipabi=true skipmodule=true fakeroot debian/rules binary-perarch
time skipabi=true skipmodule=true fakeroot debian/rules binary-generic-pae

Note: It is also possible to build for "binary-generic" (no PAE support) but this provides a less secure kernel. Ubuntu 32bit PAE kernels provide an emulation of the NX bit for greater security. Some VIA CPUs and Pentium M are known to lack this feature.

Install the kernel


On amd64 systems
cd ..
dpkg -i linux-headers-3.2.0-33_3.2.0-33.52saref1_all.deb linux-headers-3.2.0-33-generic_3.2.0-33.52saref1_amd64.deb linux-image-3.2.0-33-generic_3.2.0-33.52saref1_amd64.deb

On i386 systems
cd ..

dpkg -i linux-headers-3.2.0-33_3.2.0-33.52saref1_all.deb linux-headers-3.2.0-33-generic-pae_3.2.0-33.52saref1_i386.deb linux-image-3.2.0-33-generic-pae_3.2.0-33.52saref1_i386.deb

Test the new kernel by rebooting into it.

Build the IPsec module deb package (aka "kmod" package)


TODO: review and refresh if needed.

Important note: optionally, instead of building the "kmod" package individually, installing the dkms-module will build the kmod module automatically on your behalf (which is useful if the pre-made deb binary package from Xelerance for the version of Openswan you need is not readily available on the Xelerance FTP server). Quoting LetoTo:
(dkms-module package is a method for shipping/recompiling kernel modules that work on custom kernels, as opposed to kmod- packages)

Linux kernels patched to accommodate SAref or SAref+OCF are "custom kernels". The advantage of dkms packages is that they can be installed on other (not just patched) kernels, as long as there is a compile environment with the requisite tools for compiling, whereas the kmods built on a customized kernel are specific to that customized kernel and not transportable to other kernels. To build the dkms-package see this page in the Wiki: Building_and_installing_DebianUbuntu_packages_from_source

or proceed with building the IPsec module deb "kmod" package ...

Get the openswan-modules-source from the FTP :
export RELEASE="2.6.33"
export DEBIAN_VER=$(echo $RELEASE | sed -e "s/\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\(.*\)/\1.\2.\3~\4/" -e "s/~$//")
cd /tmp && wget ftp://ftp.openswan.org/openswan/binaries/ubuntu/openswan-modules-source_${DEBIAN_VER}-1xelerance1_all.deb
dpkg -i /tmp/openswan-modules-source_${DEBIAN_VER}-1xelerance1_all.deb

Build the kmod package :


module-assistant prepare
module-assistant build openswan

The resulting package will be under /usr/src. Install it and insert the ipsec module to test it :
dpkg -i /usr/src/openswan-modules-2.6.32-25-server_2.6.30~rc1-1xelerance1+2.6.32-25.44saref1_all.deb
modprobe ipsec && modinfo ipsec

Building and installing Debian / Ubuntu packages from source


This guide describes the steps required to build Openswan debs on a Ubuntu Lucid system.

Prerequisites
Install the build dependencies (for Ubuntu Openswan package)
apt-get install devscripts
apt-get build-dep --no-install-recommends openswan
apt-get install libgmp3-dev libssl-dev

Get the Openswan sources


export RELEASE="2.6.38rc2"
export DEBIAN_VER=$(echo $RELEASE | sed -e "s/\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\(.*\)/\1.\2.\3~\4/" -e "s/~$//")
export REMOTE_PATH=$(echo $RELEASE | awk '{ if ($1 ~ "rc") print "testing"; else if ($1 ~ "dr") print "development";}')
export OPENSWAN_DIR="/tmp/openswan-debs"
mkdir -p $OPENSWAN_DIR ; cd $OPENSWAN_DIR
wget http://ftp.openswan.org/openswan/$REMOTE_PATH/openswan-$RELEASE.tar.gz{,.asc}
gpg --verify openswan-$RELEASE.tar.gz.asc && tar -xf openswan-$RELEASE.tar.gz
mv openswan{-$RELEASE,_$DEBIAN_VER.orig}.tar.gz
cd openswan-$RELEASE

Set custom build variables (optional)


Example :
cat << EOF >> Makefile.inc.local
HAVE_STATSD=true
USE_SAREF_KERNEL=true
USE_MAST=true
$(echo $RELEASE | awk '{ if ($1 ~ "(rc|dr)") printf "%s", "USE_LEAK_DETECTIVE=true"; }')
EOF

For OCF support for IKE (optional) :


echo "HAVE_OCF=true" >> Makefile.inc.local

Apply a patch to enable OCF in the ipsec module :


patch -p1 < enable-ocf-ipsec.patch

Edit the changelog


Automatically :
sed -i '/\* Update to / a\ - SAref support enabled\n - MAST support enabled\n - STATSD support enabled' debian/changelog

or for OCF builds :

sed -i '/\* Update to / a\ - SAref support enabled\n - MAST support enabled\n - STATSD support enabled\n - OCF support for IKE enabled' debian/changelog

or manually :
vim debian/changelog

If building with OCF support enabled edit debian/changelog to look like this :
openswan (1:2.6.32~rc9+ocf-1xelerance1) lucid; urgency=low

  * Update to 2.6.32~rc9
    - SAref support enabled
    - MAST support enabled
    - STATSD support enabled
    - OCF support for IKE enabled

  The real changelog is in /usr/share/doc/openswan/changelog.gz

  This package is NOT an official Debian/Ubuntu package. Please do not file
  any Debian/Ubuntu bug reports for this package but contact <dev@openswan.org>
  or <simon@xelerance.com> if you have a problem.

 -- Simon Deziel <simon@xelerance.com>  Mon, 09 Aug 2010 11:29:42 +0200

Local variables:
mode: debian-changelog
End:

Update the changelog and NEWS timestamp :

sed -i "1,/^ -- / s/^\( -- .* <.*> \) .*$/\1 $(date -R)/" debian/{changelog,NEWS}

Build the binary debs


debuild -i -us -uc -b

Build the source debs (optional: to upload to a PPA)


debuild -S -sa

Install the debs


cd $OPENSWAN_DIR
dpkg -i openswan_2.6.32~rc3-1xelerance1_amd64.deb openswan-modules-dkms_2.6.32~rc3-1xelerance1_amd64.deb openswan-modules-source_2.6.32~rc3-1xelerance1_all.deb

enable-ocf-ipsec.patch - Enable OCF support in ipsec.ko (3,21 ) Simon Deziel, 03.03.2011 18:14