This document provides instructions for patching and packaging an Ubuntu Precise kernel to include SAref and OCF support. It describes downloading kernel sources, applying necessary patches, enabling configuration options, compiling the kernel, and installing the new kernel packages. It also covers obtaining and building the IPsec kernel module package.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as RTF, PDF, TXT or read online from Scribd
This document provides instructions for patching and packaging an Ubuntu Precise kernel to include SAref and OCF support. It describes downloading kernel sources, applying necessary patches, enabling configuration options, compiling the kernel, and installing the new kernel packages. It also covers obtaining and building the IPsec kernel module package.
This document provides instructions for patching and packaging an Ubuntu Precise kernel to include SAref and OCF support. It describes downloading kernel sources, applying necessary patches, enabling configuration options, compiling the kernel, and installing the new kernel packages. It also covers obtaining and building the IPsec kernel module package.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as RTF, PDF, TXT or read online from Scribd
This document provides instructions for patching and packaging an Ubuntu Precise kernel to include SAref and OCF support. It describes downloading kernel sources, applying necessary patches, enabling configuration options, compiling the kernel, and installing the new kernel packages. It also covers obtaining and building the IPsec kernel module package.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as RTF, PDF, TXT or read online from Scribd
Download as rtf, pdf, or txt
You are on page 1/ 8
Ubuntu Precise Kernel patching and packaging
This guide documents the patching and packaging process of an official Ubuntu kernel including custom patches for SAref support. The base kernel version is from Ubuntu Lucid 10.04 LTS. Prerequisites
note: If this is your first time preparing (after git cloning the tree in the steps above), it is not necessary to run the git branch delete "-D" command. Especially for those new to git, if you do delete in such a scenario, it is normal to expect an error message such as, respectively: error: branch 'saref' not found. error: branch 'saref+ocf' not found.
Regardless if you chose saref only or saref+ocf, continue with these git pull and fetch commands: git pull git fetch -t
Get the latest official Ubuntu kernel
Branch using the latest stable version published by Ubuntu (to see available one look in debian.master/changelog) into a SAref branch. The tag to branch from is usually latest entry in debian.master/changelog that is not UNRELEASED. This must be 3.2.0-XX.XX to be an official Ubuntu Kernel kernel. If building a SAref kernel only (no OCF) git checkout Ubuntu-3.2.0-33.52 -b saref
or if building a SAref+OCF kernel
git checkout Ubuntu-3.2.0-33.52 -b saref+ocf
Optain SAref patches from OpenSwan FTP
cd /tmp/ wget ftp://ftp.openswan.org/openswan/patches/3.2.0/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch wget ftp://ftp.openswan.org/openswan/patches/3.2.0/0002-SAREF-implement-IP_IPSEC_BINDREF.patch
The above 2 patches should be included in OpenSwan 2.6.39 and later. Apply first patch cd $BUILD_ROOT patch -p1 < /tmp/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch
Commit changes git commit -a -m "SAref patch 0001 applied"
Enable CONFIG_OCF_OCF cd $BUILD_ROOT cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports CONFIG_OCF_OCF=y EOF
Commit changes git commit -a -m "Enable builtin support for OCF"
Enable CONFIG_KLIPS_OCF cat << EOF | tee -a debian.master/config/config.common.ubuntu >> debian.master/config/config.common.ports CONFIG_KLIPS_OCF=y EOF
Commit changes git commit -a -m "Enable OCF support in KLIPS"
Enable CRYPTOAPI sed -i 's/^CONFIG_KLIPS_ENC_CRYPTOAPI=.*/CONFIG_KLIPS_ENC_CRYPTOAPI=y/' debian.master/config/config.common.ubuntu debian.master/config/config.common.ports
Commit changes git commit -a -m "Enable CRYPTOAPI support in KLIPS"
Note: CONFIG_OCF_C7108, CONFIG_OCF_IXP4XX, CONFIG_OCF_KIRKWOOD, CONFIG_OCF_HIFN, CONFIG_OCF_TALITOS and CONFIG_OCF_CRYPTOCTEON are known to fail to build. Commit changes git commit -a -m "Enable some OCF driver modules"
Check for eventual misconfiguration : Note : Check debian.master/config/config.common.ubuntu and debian.master/config/config.common.ports to identify eventual duplicates. Watch out for cryptoapi as it must be =y for OCF and =n otherwise.
for f in debian.master/config/config.common.ubuntu debian.master/config/config.common.ports ; do cut -d= -f1 $f | grep -v "^#$" | sort | uniq -d ; done
Update the changelog by editing debian.master/changelog to look like this :
linux (3.2.0-33.52saref1) precise; urgency=low * SAref patches 0001 and 0002 applied * Modularized KLIPS -- Simon Deziel <simon@xelerance.com> Tue, 20 Nov 2012 14:19:00 -0500
or like this for OCF enabled builds :
linux (3.2.0-33.52ocf+saref1) precise; urgency=low * * * * * SAref patches 0001 and 0002 applied Modularized KLIPS OCF patches applied Enable OCF support in KLIPS Enable some OCF drivers
-- Simon Deziel <simon@xelerance.com> Tue, 20 Nov 2012 14:19:00 -0500
Note: when the version number is appended with "saref1" (or "ocf+saref1") this make sure that our kernel will supersedes the official Ubuntu kernel with the same version number. Commit changes git commit -m "Update changelog to supersedes official Ubuntu kernel" debian.master/changelog
Compile the kernel
Start a screen as the following steps will take time screen -S kernel-build
Note: According to https://wiki.ubuntu.com/KernelTeam/KernelMaintenance#Overriding %20module%20check%20failures skipmodule=true will only skip check for missing modules Compile the kernel (for i386) fakeroot debian/rules clean skipabi=true skipmodule=true fakeroot debian/rules binary-indep skipabi=true skipmodule=true fakeroot debian/rules binary-perarch time skipabi=true skipmodule=true fakeroot debian/rules binary-generic-pae
Note: It is also possible to build for "binary-generic" (no PAE support) but this provides a less secure kernel. Ubuntu 32bit PAE kernels provide an emulation of the NX bit for greater security. Some VIA CPUs and Pentium M are known to lack this feature.
Install the kernel
On amd64 systems cd .. dpkg -i linux-headers-3.2.0-33_3.2.0-33.52saref1_all.deb linux-headers-3.2.0-33generic_3.2.0-33.52saref1_amd64.deb linux-image-3.2.0-33-generic_3.2.033.52saref1_amd64.deb
Build the IPsec module deb package (aka "kmod" package)
TODO: review and refresh if needed. important note: optionally, instead of building the "kmod" package individually, installing the dkms-module will build the kmod module automatically on your behalf (which is useful in the event the pre-made deb binary package from Xelerance for the version of Openswan you needs is not readily available on the Xelerance FTP server). Quoting LetoTo: (dkms-module package is a method for shipping/recompiling kernel modules that work on custom kernels, as opposed to kmod- packages)
Linux kernels patched to accommodate SAref or SAref+OCF are " custom kernels ". The advantage of dkms packages is that they can be installed on other (not just patched) kernels (as long as there is a compile environment with the requisite tools for compiling), whereas the kmods built on a customize kernel are specific to that customized kernel and not transportable to other kernels. To build the dkms-package see this page in the Wiki: Building_and_installing_DebianUbuntu_packages_from_source
or proceed with building the IPsec module deb "kmod" package ... Get the openswan-modules-source from the FTP : export RELEASE="2.6.33" export DEBIAN_VER=$(echo $RELEASE | sed -e "s/\([0-9]\{1,3\}\)\.\([0-9]\ {1,3\}\)\.\([0-9]\{1,3\}\)\(.*\)/\1.\2.\3~\4/" -e "s/~$//") cd /tmp && wget ftp://ftp.openswan.org/openswan/binaries/ubuntu/openswanmodules-source_${DEBIAN_VER}-1xelerance1_all.deb dpkg -i /tmp/openswan-modules-source_${DEBIAN_VER}-1xelerance1_all.deb
The resulting package will be under /usr/src. Install it and insert the ipsec to test it : dpkg -i /usr/src/openswan-modules-2.6.32-25-server_2.6.30~rc11xelerance1+2.6.32-25.44saref1_all.deb modprobe ipsec && modinfo ipsec
Building and installing Debian / Ubuntu packages from source
This guide describes the steps required to build Openswan debs on a Ubuntu Lucid system.
Automatically : sed -i '/\* Update to / a\ - SAref support enabled\n enabled\n - STATSD support enabled' debian/changelog - MAST support
or for OCF builds :
sed -i '/\* Update to / a\ - SAref support enabled\n - MAST support enabled\n - STATSD support enabled\n - OCF support for IKE enabled' debian/changelog
or manually : vim debian/changelog
If building with OCF support enabled edit debian/changelog to look like this : openswan (1:2.6.32~rc9+ocf-1xelerance1) lucid; urgency=low * Update to 2.6.32~rc9 - SAref support enabled - MAST support enabled - STATSD support enabled - OCF support for IKE enabled The real changelog is in /usr/share/doc/openswan/changelog.gz This package is NOT an official Debian/Ubuntu package. Please do not file any Debian/Ubuntu bug reports for this package but contact <dev@openswan.org> or <simon@xelerance.com> if you have a problem. -- Simon Deziel <simon@xelerance.com> Local variables: mode: debian-changelog End: Mon, 09 Aug 2010 11:29:42 +0200
