From 7ebe772124c80bb27e68ac1674658d312da1b872 Mon Sep 17 00:00:00 2001
From: Koichiro Iwao
Date: Thu, 7 Nov 2024 18:43:11 +0900
Subject: [PATCH 1/6] Fix for AL10 build - pathfix.py is no longer placed in %{_bindir} - %patchN is deprecated
---
 SPECS/raspberrypi2.spec | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec
index f90793d..c771772 100644
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@@ -21,6 +21,12 @@ ExclusiveArch: aarch64
 %define kversion 6.6
 %define patchlevel 51
+%if 0%{?rhel} >= 10
+%define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
+%else
+%define pathfix pathfix.py
+%endif
+
 # standard kernel
 %define with_up %{?_without_up: 0} %{?!_without_up: 1}
 # tools
@@ -165,8 +171,8 @@ glibc package.
 %prep
 %setup -q -n linux-stable_%{version_tag}
-%patch100 -p1
-%patch101 -p1
+%patch -P 100 -p1
+%patch -P 101 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
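Review bot: The `%if 0%{?rhel} >= 10` branch hard-codes `%{_rpmconfigdir}/redhat/pathfix.py`, and nothing in this hunk guarantees that file is installed in the build root; the three `%{pathfix} -pni ...` calls in the later `%prep` hunk would only fail at build time if it is missing. Whether a `BuildRequires` on the package that ships the script exists is not visible here, so it is worth confirming. Where the Python RPM macros are available, `%py3_shebang_fix scripts/ ...` appears to wrap the same script and would remove the need for the version conditional. If the conditional stays, a comment such as `# AL10: pathfix.py moved from %{_bindir} to %{_rpmconfigdir}/redhat` above the `%if` would record why it exists.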
@@ -177,9 +183,9 @@ perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/con
 # -p preserves timestamps
 # -n prevents creating ~backup files
 # -i specifies the interpreter for the shebang
-pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/
-pathfix.py -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec
-pathfix.py -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py
+%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/
+%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" scripts/diffconfig scripts/bloat-o-meter scripts/show_delta scripts/jobserver-exec
+%{pathfix} -pni "%{__python3} %{py3_shbang_opts}" tools/ tools/perf/scripts/python/*.py tools/kvm/kvm_stat/kvm_stat scripts/clang-tools/*.py
 %endif
 %build
-- 
2.43.5
From 4ef5e3e394a978e5817f49d39bdc569c5ef1688f Mon Sep 17 00:00:00 2001
From: Koichiro Iwao
Date: Fri, 8 Nov 2024 14:58:05 +0900
Subject: [PATCH 2/6] Fix build against OpenSSL 3.2
---
 SOURCES/openssl-3.0.patch | 613 ++++++++++++++++++++++++++++++++++++++
 SPECS/raspberrypi2.spec | 2 +
 2 files changed, 615 insertions(+)
 create mode 100644 SOURCES/openssl-3.0.patch
diff --git a/SOURCES/openssl-3.0.patch b/SOURCES/openssl-3.0.patch
new file mode 100644
index 0000000..4629ab6
--- /dev/null
+++ b/SOURCES/openssl-3.0.patch
@@ -0,0 +1,613 @@ +From 1fdf61d4739f818edb85e50f7fa4c474196a0b0a Mon Sep 17 00:00:00 2001 +From: Jan Stancek +Date: Fri, 12 Jul 2024 09:11:14 +0200 +Subject: [PATCH 1/3] sign-file,extract-cert: move common SSL helper functions + to a header + +Couple error handling helpers are repeated in both tools, so +move them to a common header. + +Signed-off-by: Jan Stancek +Reviewed-by: Jarkko Sakkinen +Tested-by: R Nageswara Sastry +Reviewed-by: Neal Gompa +Signed-off-by: Jarkko Sakkinen +--- + MAINTAINERS | 1 + + certs/Makefile | 2 +- + certs/extract-cert.c | 37 ++----------------------------------- + scripts/sign-file.c | 37 ++----------------------------------- + scripts/ssl-common.h | 39 +++++++++++++++++++++++++++++++++++++++ + 5 files changed, 45 insertions(+), 71 deletions(-) + create mode 100644 scripts/ssl-common.h + +diff --git a/MAINTAINERS b/MAINTAINERS +index 6a6e2941c497..7aa208b18267 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -4823,6 +4823,7 @@ S: Maintained + F: Documentation/admin-guide/module-signing.rst + F: certs/ + F: scripts/sign-file.c ++F: scripts/ssl-common.h + F: tools/certs/ + + CFAG12864B LCD DRIVER +diff --git a/certs/Makefile b/certs/Makefile +index 799ad7b9e68a..67e1f2707c2f 100644 +--- a/certs/Makefile ++++ b/certs/Makefile +@@ -84,5 +84,5 @@ targets += x509_revocation_list + + hostprogs := extract-cert + +-HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) ++HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -I$(srctree)/scripts + HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto) +diff --git a/certs/extract-cert.c b/certs/extract-cert.c +index 70e9ec89d87d..8e7ba9974a1f 100644 +--- a/certs/extract-cert.c ++++ b/certs/extract-cert.c +@@ -23,6 +23,8 @@ + #include + #include + ++#include "ssl-common.h" ++ + /* + * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. 
+ * +@@ -40,41 +42,6 @@ void format(void) + exit(2); + } + +-static void display_openssl_errors(int l) +-{ +- const char *file; +- char buf[120]; +- int e, line; +- +- if (ERR_peek_error() == 0) +- return; +- fprintf(stderr, "At main.c:%d:\n", l); +- +- while ((e = ERR_get_error_line(&file, &line))) { +- ERR_error_string(e, buf); +- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); +- } +-} +- +-static void drain_openssl_errors(void) +-{ +- const char *file; +- int line; +- +- if (ERR_peek_error() == 0) +- return; +- while (ERR_get_error_line(&file, &line)) {} +-} +- +-#define ERR(cond, fmt, ...) \ +- do { \ +- bool __cond = (cond); \ +- display_openssl_errors(__LINE__); \ +- if (__cond) { \ +- err(1, fmt, ## __VA_ARGS__); \ +- } \ +- } while(0) +- + static const char *key_pass; + static BIO *wb; + static char *cert_dst; +diff --git a/scripts/sign-file.c b/scripts/sign-file.c +index 3edb156ae52c..39ba58db5d4e 100644 +--- a/scripts/sign-file.c ++++ b/scripts/sign-file.c +@@ -29,6 +29,8 @@ + #include + #include + ++#include "ssl-common.h" ++ + /* + * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. + * +@@ -83,41 +85,6 @@ void format(void) + exit(2); + } + +-static void display_openssl_errors(int l) +-{ +- const char *file; +- char buf[120]; +- int e, line; +- +- if (ERR_peek_error() == 0) +- return; +- fprintf(stderr, "At main.c:%d:\n", l); +- +- while ((e = ERR_get_error_line(&file, &line))) { +- ERR_error_string(e, buf); +- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); +- } +-} +- +-static void drain_openssl_errors(void) +-{ +- const char *file; +- int line; +- +- if (ERR_peek_error() == 0) +- return; +- while (ERR_get_error_line(&file, &line)) {} +-} +- +-#define ERR(cond, fmt, ...) 
\ +- do { \ +- bool __cond = (cond); \ +- display_openssl_errors(__LINE__); \ +- if (__cond) { \ +- errx(1, fmt, ## __VA_ARGS__); \ +- } \ +- } while(0) +- + static const char *key_pass; + + static int pem_pw_cb(char *buf, int len, int w, void *v) +diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h +new file mode 100644 +index 000000000000..e6711c75ed91 +--- /dev/null ++++ b/scripts/ssl-common.h +@@ -0,0 +1,39 @@ ++/* SPDX-License-Identifier: LGPL-2.1+ */ ++/* ++ * SSL helper functions shared by sign-file and extract-cert. ++ */ ++ ++static void display_openssl_errors(int l) ++{ ++ const char *file; ++ char buf[120]; ++ int e, line; ++ ++ if (ERR_peek_error() == 0) ++ return; ++ fprintf(stderr, "At main.c:%d:\n", l); ++ ++ while ((e = ERR_get_error_line(&file, &line))) { ++ ERR_error_string(e, buf); ++ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); ++ } ++} ++ ++static void drain_openssl_errors(void) ++{ ++ const char *file; ++ int line; ++ ++ if (ERR_peek_error() == 0) ++ return; ++ while (ERR_get_error_line(&file, &line)) {} ++} ++ ++#define ERR(cond, fmt, ...) \ ++ do { \ ++ bool __cond = (cond); \ ++ display_openssl_errors(__LINE__); \ ++ if (__cond) { \ ++ errx(1, fmt, ## __VA_ARGS__); \ ++ } \ ++ } while (0) +-- +2.46.2 + + +From 98dbd2b45aa5185d63b839f482d43c16b71f31a5 Mon Sep 17 00:00:00 2001 +From: Jan Stancek +Date: Fri, 12 Jul 2024 09:11:15 +0200 +Subject: [PATCH 2/3] sign-file,extract-cert: avoid using deprecated + ERR_get_error_line() + +ERR_get_error_line() is deprecated since OpenSSL 3.0. + +Use ERR_peek_error_line() instead, and combine display_openssl_errors() +and drain_openssl_errors() to a single function where parameter decides +if it should consume errors silently. 
+ +Signed-off-by: Jan Stancek +Reviewed-by: Jarkko Sakkinen +Tested-by: R Nageswara Sastry +Reviewed-by: Neal Gompa +Signed-off-by: Jarkko Sakkinen +--- + certs/extract-cert.c | 4 ++-- + scripts/sign-file.c | 6 +++--- + scripts/ssl-common.h | 23 ++++++++--------------- + 3 files changed, 13 insertions(+), 20 deletions(-) + +diff --git a/certs/extract-cert.c b/certs/extract-cert.c +index 8e7ba9974a1f..61bbe0085671 100644 +--- a/certs/extract-cert.c ++++ b/certs/extract-cert.c +@@ -99,11 +99,11 @@ int main(int argc, char **argv) + parms.cert = NULL; + + ENGINE_load_builtin_engines(); +- drain_openssl_errors(); ++ drain_openssl_errors(__LINE__, 1); + e = ENGINE_by_id("pkcs11"); + ERR(!e, "Load PKCS#11 ENGINE"); + if (ENGINE_init(e)) +- drain_openssl_errors(); ++ drain_openssl_errors(__LINE__, 1); + else + ERR(1, "ENGINE_init"); + if (key_pass) +diff --git a/scripts/sign-file.c b/scripts/sign-file.c +index 39ba58db5d4e..bb3fdf1a617c 100644 +--- a/scripts/sign-file.c ++++ b/scripts/sign-file.c +@@ -114,11 +114,11 @@ static EVP_PKEY *read_private_key(const char *private_key_name) + ENGINE *e; + + ENGINE_load_builtin_engines(); +- drain_openssl_errors(); ++ drain_openssl_errors(__LINE__, 1); + e = ENGINE_by_id("pkcs11"); + ERR(!e, "Load PKCS#11 ENGINE"); + if (ENGINE_init(e)) +- drain_openssl_errors(); ++ drain_openssl_errors(__LINE__, 1); + else + ERR(1, "ENGINE_init"); + if (key_pass) +@@ -273,7 +273,7 @@ int main(int argc, char **argv) + + /* Digest the module data. */ + OpenSSL_add_all_digests(); +- display_openssl_errors(__LINE__); ++ drain_openssl_errors(__LINE__, 0); + digest_algo = EVP_get_digestbyname(hash_algo); + ERR(!digest_algo, "EVP_get_digestbyname"); + +diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h +index e6711c75ed91..2db0e181143c 100644 +--- a/scripts/ssl-common.h ++++ b/scripts/ssl-common.h +@@ -3,7 +3,7 @@ + * SSL helper functions shared by sign-file and extract-cert. 
+ */ + +-static void display_openssl_errors(int l) ++static void drain_openssl_errors(int l, int silent) + { + const char *file; + char buf[120]; +@@ -11,28 +11,21 @@ static void display_openssl_errors(int l) + + if (ERR_peek_error() == 0) + return; +- fprintf(stderr, "At main.c:%d:\n", l); ++ if (!silent) ++ fprintf(stderr, "At main.c:%d:\n", l); + +- while ((e = ERR_get_error_line(&file, &line))) { ++ while ((e = ERR_peek_error_line(&file, &line))) { + ERR_error_string(e, buf); +- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); ++ if (!silent) ++ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); ++ ERR_get_error(); + } + } + +-static void drain_openssl_errors(void) +-{ +- const char *file; +- int line; +- +- if (ERR_peek_error() == 0) +- return; +- while (ERR_get_error_line(&file, &line)) {} +-} +- + #define ERR(cond, fmt, ...) \ + do { \ + bool __cond = (cond); \ +- display_openssl_errors(__LINE__); \ ++ drain_openssl_errors(__LINE__, 0); \ + if (__cond) { \ + errx(1, fmt, ## __VA_ARGS__); \ + } \ +-- +2.46.2 + + +From eeffebeb081fcb81ae8a85b6a774dc14791dbc56 Mon Sep 17 00:00:00 2001 +From: Jan Stancek +Date: Fri, 20 Sep 2024 19:52:48 +0300 +Subject: [PATCH 3/3] sign-file,extract-cert: use pkcs11 provider for OPENSSL + MAJOR >= 3 + +ENGINE API has been deprecated since OpenSSL version 3.0 [1]. +Distros have started dropping support from headers and in future +it will likely disappear also from library. + +It has been superseded by the PROVIDER API, so use it instead +for OPENSSL MAJOR >= 3. 
+ +[1] https://github.com/openssl/openssl/blob/master/README-ENGINES.md + +[jarkko: fixed up alignment issues reported by checkpatch.pl --strict] + +Signed-off-by: Jan Stancek +Reviewed-by: Jarkko Sakkinen +Tested-by: R Nageswara Sastry +Reviewed-by: Neal Gompa +Signed-off-by: Jarkko Sakkinen +--- + certs/extract-cert.c | 103 ++++++++++++++++++++++++++++++------------- + scripts/sign-file.c | 93 ++++++++++++++++++++++++++------------ + 2 files changed, 138 insertions(+), 58 deletions(-) + +diff --git a/certs/extract-cert.c b/certs/extract-cert.c +index 61bbe0085671..7d6d468ed612 100644 +--- a/certs/extract-cert.c ++++ b/certs/extract-cert.c +@@ -21,17 +21,18 @@ + #include + #include + #include +-#include +- ++#if OPENSSL_VERSION_MAJOR >= 3 ++# define USE_PKCS11_PROVIDER ++# include ++# include ++#else ++# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) ++# define USE_PKCS11_ENGINE ++# include ++# endif ++#endif + #include "ssl-common.h" + +-/* +- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. 
+- * +- * Remove this if/when that API is no longer used +- */ +-#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +- + #define PKEY_ID_PKCS7 2 + + static __attribute__((noreturn)) +@@ -61,6 +62,66 @@ static void write_cert(X509 *x509) + fprintf(stderr, "Extracted cert: %s\n", buf); + } + ++static X509 *load_cert_pkcs11(const char *cert_src) ++{ ++ X509 *cert = NULL; ++#ifdef USE_PKCS11_PROVIDER ++ OSSL_STORE_CTX *store; ++ ++ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true)) ++ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)"); ++ if (!OSSL_PROVIDER_try_load(NULL, "default", true)) ++ ERR(1, "OSSL_PROVIDER_try_load(default)"); ++ ++ store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL); ++ ERR(!store, "OSSL_STORE_open"); ++ ++ while (!OSSL_STORE_eof(store)) { ++ OSSL_STORE_INFO *info = OSSL_STORE_load(store); ++ ++ if (!info) { ++ drain_openssl_errors(__LINE__, 0); ++ continue; ++ } ++ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) { ++ cert = OSSL_STORE_INFO_get1_CERT(info); ++ ERR(!cert, "OSSL_STORE_INFO_get1_CERT"); ++ } ++ OSSL_STORE_INFO_free(info); ++ if (cert) ++ break; ++ } ++ OSSL_STORE_close(store); ++#elif defined(USE_PKCS11_ENGINE) ++ ENGINE *e; ++ struct { ++ const char *cert_id; ++ X509 *cert; ++ } parms; ++ ++ parms.cert_id = cert_src; ++ parms.cert = NULL; ++ ++ ENGINE_load_builtin_engines(); ++ drain_openssl_errors(__LINE__, 1); ++ e = ENGINE_by_id("pkcs11"); ++ ERR(!e, "Load PKCS#11 ENGINE"); ++ if (ENGINE_init(e)) ++ drain_openssl_errors(__LINE__, 1); ++ else ++ ERR(1, "ENGINE_init"); ++ if (key_pass) ++ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); ++ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); ++ ERR(!parms.cert, "Get X.509 from PKCS#11"); ++ cert = parms.cert; ++#else ++ fprintf(stderr, "no pkcs11 engine/provider available\n"); ++ exit(1); ++#endif ++ return cert; ++} ++ + int main(int argc, char **argv) + { + char *cert_src; +@@ -89,28 +150,10 @@ int main(int argc, char **argv) + 
fclose(f); + exit(0); + } else if (!strncmp(cert_src, "pkcs11:", 7)) { +- ENGINE *e; +- struct { +- const char *cert_id; +- X509 *cert; +- } parms; ++ X509 *cert = load_cert_pkcs11(cert_src); + +- parms.cert_id = cert_src; +- parms.cert = NULL; +- +- ENGINE_load_builtin_engines(); +- drain_openssl_errors(__LINE__, 1); +- e = ENGINE_by_id("pkcs11"); +- ERR(!e, "Load PKCS#11 ENGINE"); +- if (ENGINE_init(e)) +- drain_openssl_errors(__LINE__, 1); +- else +- ERR(1, "ENGINE_init"); +- if (key_pass) +- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); +- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); +- ERR(!parms.cert, "Get X.509 from PKCS#11"); +- write_cert(parms.cert); ++ ERR(!cert, "load_cert_pkcs11 failed"); ++ write_cert(cert); + } else { + BIO *b; + X509 *x509; +diff --git a/scripts/sign-file.c b/scripts/sign-file.c +index bb3fdf1a617c..7070245edfc1 100644 +--- a/scripts/sign-file.c ++++ b/scripts/sign-file.c +@@ -27,17 +27,18 @@ + #include + #include + #include +-#include +- ++#if OPENSSL_VERSION_MAJOR >= 3 ++# define USE_PKCS11_PROVIDER ++# include ++# include ++#else ++# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) ++# define USE_PKCS11_ENGINE ++# include ++# endif ++#endif + #include "ssl-common.h" + +-/* +- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. 
+- * +- * Remove this if/when that API is no longer used +- */ +-#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +- + /* + * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to + * assume that it's not available and its header file is missing and that we +@@ -106,28 +107,64 @@ static int pem_pw_cb(char *buf, int len, int w, void *v) + return pwlen; + } + +-static EVP_PKEY *read_private_key(const char *private_key_name) ++static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name) + { +- EVP_PKEY *private_key; ++ EVP_PKEY *private_key = NULL; ++#ifdef USE_PKCS11_PROVIDER ++ OSSL_STORE_CTX *store; + +- if (!strncmp(private_key_name, "pkcs11:", 7)) { +- ENGINE *e; ++ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true)) ++ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)"); ++ if (!OSSL_PROVIDER_try_load(NULL, "default", true)) ++ ERR(1, "OSSL_PROVIDER_try_load(default)"); ++ ++ store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL); ++ ERR(!store, "OSSL_STORE_open"); + +- ENGINE_load_builtin_engines(); ++ while (!OSSL_STORE_eof(store)) { ++ OSSL_STORE_INFO *info = OSSL_STORE_load(store); ++ ++ if (!info) { ++ drain_openssl_errors(__LINE__, 0); ++ continue; ++ } ++ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) { ++ private_key = OSSL_STORE_INFO_get1_PKEY(info); ++ ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY"); ++ } ++ OSSL_STORE_INFO_free(info); ++ if (private_key) ++ break; ++ } ++ OSSL_STORE_close(store); ++#elif defined(USE_PKCS11_ENGINE) ++ ENGINE *e; ++ ++ ENGINE_load_builtin_engines(); ++ drain_openssl_errors(__LINE__, 1); ++ e = ENGINE_by_id("pkcs11"); ++ ERR(!e, "Load PKCS#11 ENGINE"); ++ if (ENGINE_init(e)) + drain_openssl_errors(__LINE__, 1); +- e = ENGINE_by_id("pkcs11"); +- ERR(!e, "Load PKCS#11 ENGINE"); +- if (ENGINE_init(e)) +- drain_openssl_errors(__LINE__, 1); +- else +- ERR(1, "ENGINE_init"); +- if (key_pass) +- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), +- "Set PKCS#11 PIN"); +- 
private_key = ENGINE_load_private_key(e, private_key_name, +- NULL, NULL); +- ERR(!private_key, "%s", private_key_name); ++ else ++ ERR(1, "ENGINE_init"); ++ if (key_pass) ++ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); ++ private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL); ++ ERR(!private_key, "%s", private_key_name); ++#else ++ fprintf(stderr, "no pkcs11 engine/provider available\n"); ++ exit(1); ++#endif ++ return private_key; ++} ++ ++static EVP_PKEY *read_private_key(const char *private_key_name) ++{ ++ if (!strncmp(private_key_name, "pkcs11:", 7)) { ++ return read_private_key_pkcs11(private_key_name); + } else { ++ EVP_PKEY *private_key; + BIO *b; + + b = BIO_new_file(private_key_name, "rb"); +@@ -136,9 +173,9 @@ static EVP_PKEY *read_private_key(const char *private_key_name) + NULL); + ERR(!private_key, "%s", private_key_name); + BIO_free(b); +- } + +- return private_key; ++ return private_key; ++ } + } + + static X509 *read_x509(const char *x509_name) +-- +2.46.2 + diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index c771772..8ac3caa 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -45,6 +45,7 @@ License: GPLv2 URL: https://github.com/raspberrypi/linux Source0: https://github.com/raspberrypi/linux/archive/refs/tags/stable_%{version_tag}.tar.gz Source1: https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz +Patch1: openssl-3.0.patch Patch100: config_2711.patch Patch101: config_2712.patch # Sources for kernel-tools @@ -171,6 +172,7 @@ glibc package. %prep %setup -q -n linux-stable_%{version_tag} +%patch -P 1 -p1 %patch -P 100 -p1 %patch -P 101 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile -- 2.43.5 From 9c91b37a921733e213143221d4a15eb304f78f45 Mon Sep 17 00:00:00 2001 
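Review bot: In the `USE_PKCS11_PROVIDER` branch of `read_private_key_pkcs11()` (and likewise `load_cert_pkcs11()`), `key_pass` is never used: `OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL)` passes no UI method or data, whereas the `USE_PKCS11_ENGINE` branch still forwards it with `ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)`. Because `OPENSSL_VERSION_MAJOR >= 3` always selects the provider branch, a build that supplies the token PIN through `key_pass` would have it silently ignored; presumably the PIN then has to come from the `pkcs11:` URI or the provider's own configuration, which is worth confirming before signing modules with a hardware token. Since this file is a backport of upstream commits, I would not change the code here but record the limitation next to `Patch1:` in the spec, e.g. `# openssl-3.0.patch: provider path does not pass key_pass (PIN) to OSSL_STORE_open`. The shared header also prints `"At main.c:%d:\n"` for errors raised in either tool, so only the line number in that message is meaningful.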
From: Koichiro Iwao
Date: Fri, 8 Nov 2024 14:59:53 +0900
Subject: [PATCH 3/6] Bump package version
---
 SPECS/raspberrypi2.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec
index 8ac3caa..959b4ec 100644
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@@ -11,7 +11,7 @@ ExclusiveArch: aarch64
 %define local_version v8
 %define bcmmodel 2711
-%define extra_version 1
+%define extra_version 2
 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
 # Be careful to change this not to disturb the seamless package update.
@@ -440,6 +440,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif
 %changelog
+* Fri Nov 08 2024 Koichiro Iwao - 6.6.51-20241008.v8.2
+- Fix build for AL10 Kitten
+
 * Mon Oct 21 2024 Koichiro Iwao - 6.6.51-20241008.v8.1
 - Update kernel to version v6.6.51 stable_20241008
 - Update firmware to 1.20241008
-- 
2.43.5
From f8fd92fe0183c82172fd18e140110077976e08b1 Mon Sep 17 00:00:00 2001
From: Koichiro Iwao
Date: Tue, 12 Nov 2024 10:08:32 +0900
Subject: [PATCH 4/6] Update to 6.11.7 20241110
---
 .raspberrypi2.metadata | 4 ++--
 SPECS/raspberrypi2.spec | 17 ++++++++++-------
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/.raspberrypi2.metadata b/.raspberrypi2.metadata
index beac0b4..ca82235 100644
--- a/.raspberrypi2.metadata
+++ b/.raspberrypi2.metadata
@@ -1,2 +1,2 @@
-cf5423b4444fe7a1d4b548b4e668b6a82ed290e8 SOURCES/stable_20241008.tar.gz
-ac72e2f196857ecf73167250e87d33838a3859f7 SOURCES/1.20241008.tar.gz
+ac72e2f196857ecf73167250e87d33838a3859f7 SOURCES/1.20241008.tar.gz
+7c13fdfb9aeaad427d53500612a49849afb9cc7a SOURCES/efda653d39a46aa5ed2d5f8af420c1e4eddb2dca.tar.gz
diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec
index 959b4ec..5bb5cd8 100644
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@@ -1,5 +1,5 @@
 %global firmware_tag 1.20241008
-%global version_tag 20241008
+%global version_tag efda653d39a46aa5ed2d5f8af420c1e4eddb2dca
 ExclusiveArch: aarch64
@@ -11,15 +11,15 @@ ExclusiveArch: aarch64
 %define local_version v8
 %define bcmmodel 2711
-%define extra_version 2
+%define extra_version 1
 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
 # Be careful to change this not to disturb the seamless package update.
 %define rpisuffix 2
 %define ksuffix 4
-%define kversion 6.6
-%define patchlevel 51
+%define kversion 6.11
+%define patchlevel 7
 %if 0%{?rhel} >= 10
 %define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
@@ -38,12 +38,12 @@ ExclusiveArch: aarch64
 Name: raspberrypi%{rpisuffix}
 Version: %{kversion}.%{patchlevel}
-Release: %{version_tag}.%{local_version}.%{extra_version}%{?dist}
+Release: 20241110.%{local_version}.%{extra_version}%{?dist}
 Summary: Specific kernel and bootcode for Raspberry Pi
 License: GPLv2
 URL: https://github.com/raspberrypi/linux
-Source0: https://github.com/raspberrypi/linux/archive/refs/tags/stable_%{version_tag}.tar.gz
+Source0: https://github.com/raspberrypi/linux/archive/%{version_tag}.tar.gz
 Source1: https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz
 Patch1: openssl-3.0.patch
 Patch100: config_2711.patch
@@ -171,7 +171,7 @@ glibc package.
 %endif
 %prep
-%setup -q -n linux-stable_%{version_tag}
+%setup -q -n linux-%{version_tag}
 %patch -P 1 -p1
 %patch -P 100 -p1
 %patch -P 101 -p1
@@ -440,6 +440,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif
 %changelog
+* Tue Nov 12 2024 Koichiro Iwao - 6.11.7-20241110.v8.1
+- Update kernel to v6.11.7 20241110 efda653d
+
 * Fri Nov 08 2024 Koichiro Iwao - 6.6.51-20241008.v8.2
 - Fix build for AL10 Kitten
-- 
2.43.5
From 8e0a024958c848a53ad105863c235d2cc6043e3f Mon Sep 17 00:00:00 2001
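Review bot: `Release: 20241110.%{local_version}.%{extra_version}%{?dist}` now hard-codes the snapshot date while `version_tag` holds the commit hash, so the date, the hash, the `%changelog` entry and the `.raspberrypi2.metadata` line all have to be edited by hand in step on every update. A dedicated macro would keep the pair together, e.g. `%global snapshot_date 20241110` with `Release: %{snapshot_date}.%{local_version}.%{extra_version}%{?dist}`. `Source0` pointing at `archive/%{version_tag}.tar.gz` pins the kernel to one commit, but a forge-generated archive is only as trustworthy as the digest recorded for it. The 40-hex values in `.raspberrypi2.metadata` look like SHA-1 by length, and a SHA-256 digest would be preferable if the source-fetching tooling accepts one (not visible here).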
From: Koichiro Iwao
Date: Tue, 12 Nov 2024 14:11:38 +0900
Subject: [PATCH 5/6] Update to 6.12.0-rc7 20241111
---
 .raspberrypi2.metadata | 2 +-
 SOURCES/openssl-3.0.patch | 613 --------------------------------------
 SPECS/raspberrypi2.spec | 13 +-
 3 files changed, 8 insertions(+), 620 deletions(-)
 delete mode 100644 SOURCES/openssl-3.0.patch
diff --git a/.raspberrypi2.metadata b/.raspberrypi2.metadata
index ca82235..ccf9d62 100644
--- a/.raspberrypi2.metadata
+++ b/.raspberrypi2.metadata
@@ -1,2 +1,2 @@
 ac72e2f196857ecf73167250e87d33838a3859f7 SOURCES/1.20241008.tar.gz
-7c13fdfb9aeaad427d53500612a49849afb9cc7a SOURCES/efda653d39a46aa5ed2d5f8af420c1e4eddb2dca.tar.gz
+4b879d0d4a701bbd4afa7abefe6987289ca45851 SOURCES/bf70ebd2aa440a2dc3626d6e836482a445470e64.tar.gz
diff --git a/SOURCES/openssl-3.0.patch b/SOURCES/openssl-3.0.patch
deleted file mode 100644
index 4629ab6..0000000
--- a/SOURCES/openssl-3.0.patch
+++ /dev/null
@@ -1,613 +0,0 @@ -From 1fdf61d4739f818edb85e50f7fa4c474196a0b0a Mon Sep 17 00:00:00 2001 -From: Jan Stancek -Date: Fri, 12 Jul 2024 09:11:14 +0200 -Subject: [PATCH 1/3] sign-file,extract-cert: move common SSL helper functions - to a header - -Couple error handling helpers are repeated in both tools, so -move them to a common header. - -Signed-off-by: Jan Stancek -Reviewed-by: Jarkko Sakkinen -Tested-by: R Nageswara Sastry -Reviewed-by: Neal Gompa -Signed-off-by: Jarkko Sakkinen ---- - MAINTAINERS | 1 + - certs/Makefile | 2 +- - certs/extract-cert.c | 37 ++----------------------------------- - scripts/sign-file.c | 37 ++----------------------------------- - scripts/ssl-common.h | 39 +++++++++++++++++++++++++++++++++++++++ - 5 files changed, 45 insertions(+), 71 deletions(-) - create mode 100644 scripts/ssl-common.h - -diff --git a/MAINTAINERS b/MAINTAINERS -index 6a6e2941c497..7aa208b18267 100644 ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -4823,6 +4823,7 @@ S: Maintained - F: Documentation/admin-guide/module-signing.rst - F: certs/ - F: scripts/sign-file.c -+F: scripts/ssl-common.h - F: tools/certs/ - - CFAG12864B LCD DRIVER -diff --git a/certs/Makefile b/certs/Makefile -index 799ad7b9e68a..67e1f2707c2f 100644 ---- a/certs/Makefile -+++ b/certs/Makefile -@@ -84,5 +84,5 @@ targets += x509_revocation_list - - hostprogs := extract-cert - --HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -+HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -I$(srctree)/scripts - HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto) -diff --git a/certs/extract-cert.c b/certs/extract-cert.c -index 70e9ec89d87d..8e7ba9974a1f 100644 ---- a/certs/extract-cert.c -+++ b/certs/extract-cert.c -@@ -23,6 +23,8 @@ - #include - #include - -+#include "ssl-common.h" -+ - /* - * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. 
- * -@@ -40,41 +42,6 @@ void format(void) - exit(2); - } - --static void display_openssl_errors(int l) --{ -- const char *file; -- char buf[120]; -- int e, line; -- -- if (ERR_peek_error() == 0) -- return; -- fprintf(stderr, "At main.c:%d:\n", l); -- -- while ((e = ERR_get_error_line(&file, &line))) { -- ERR_error_string(e, buf); -- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); -- } --} -- --static void drain_openssl_errors(void) --{ -- const char *file; -- int line; -- -- if (ERR_peek_error() == 0) -- return; -- while (ERR_get_error_line(&file, &line)) {} --} -- --#define ERR(cond, fmt, ...) \ -- do { \ -- bool __cond = (cond); \ -- display_openssl_errors(__LINE__); \ -- if (__cond) { \ -- err(1, fmt, ## __VA_ARGS__); \ -- } \ -- } while(0) -- - static const char *key_pass; - static BIO *wb; - static char *cert_dst; -diff --git a/scripts/sign-file.c b/scripts/sign-file.c -index 3edb156ae52c..39ba58db5d4e 100644 ---- a/scripts/sign-file.c -+++ b/scripts/sign-file.c -@@ -29,6 +29,8 @@ - #include - #include - -+#include "ssl-common.h" -+ - /* - * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. - * -@@ -83,41 +85,6 @@ void format(void) - exit(2); - } - --static void display_openssl_errors(int l) --{ -- const char *file; -- char buf[120]; -- int e, line; -- -- if (ERR_peek_error() == 0) -- return; -- fprintf(stderr, "At main.c:%d:\n", l); -- -- while ((e = ERR_get_error_line(&file, &line))) { -- ERR_error_string(e, buf); -- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); -- } --} -- --static void drain_openssl_errors(void) --{ -- const char *file; -- int line; -- -- if (ERR_peek_error() == 0) -- return; -- while (ERR_get_error_line(&file, &line)) {} --} -- --#define ERR(cond, fmt, ...) 
\ -- do { \ -- bool __cond = (cond); \ -- display_openssl_errors(__LINE__); \ -- if (__cond) { \ -- errx(1, fmt, ## __VA_ARGS__); \ -- } \ -- } while(0) -- - static const char *key_pass; - - static int pem_pw_cb(char *buf, int len, int w, void *v) -diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h -new file mode 100644 -index 000000000000..e6711c75ed91 ---- /dev/null -+++ b/scripts/ssl-common.h -@@ -0,0 +1,39 @@ -+/* SPDX-License-Identifier: LGPL-2.1+ */ -+/* -+ * SSL helper functions shared by sign-file and extract-cert. -+ */ -+ -+static void display_openssl_errors(int l) -+{ -+ const char *file; -+ char buf[120]; -+ int e, line; -+ -+ if (ERR_peek_error() == 0) -+ return; -+ fprintf(stderr, "At main.c:%d:\n", l); -+ -+ while ((e = ERR_get_error_line(&file, &line))) { -+ ERR_error_string(e, buf); -+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); -+ } -+} -+ -+static void drain_openssl_errors(void) -+{ -+ const char *file; -+ int line; -+ -+ if (ERR_peek_error() == 0) -+ return; -+ while (ERR_get_error_line(&file, &line)) {} -+} -+ -+#define ERR(cond, fmt, ...) \ -+ do { \ -+ bool __cond = (cond); \ -+ display_openssl_errors(__LINE__); \ -+ if (__cond) { \ -+ errx(1, fmt, ## __VA_ARGS__); \ -+ } \ -+ } while (0) --- -2.46.2 - - -From 98dbd2b45aa5185d63b839f482d43c16b71f31a5 Mon Sep 17 00:00:00 2001 -From: Jan Stancek -Date: Fri, 12 Jul 2024 09:11:15 +0200 -Subject: [PATCH 2/3] sign-file,extract-cert: avoid using deprecated - ERR_get_error_line() - -ERR_get_error_line() is deprecated since OpenSSL 3.0. - -Use ERR_peek_error_line() instead, and combine display_openssl_errors() -and drain_openssl_errors() to a single function where parameter decides -if it should consume errors silently. 
- -Signed-off-by: Jan Stancek -Reviewed-by: Jarkko Sakkinen -Tested-by: R Nageswara Sastry -Reviewed-by: Neal Gompa -Signed-off-by: Jarkko Sakkinen ---- - certs/extract-cert.c | 4 ++-- - scripts/sign-file.c | 6 +++--- - scripts/ssl-common.h | 23 ++++++++--------------- - 3 files changed, 13 insertions(+), 20 deletions(-) - -diff --git a/certs/extract-cert.c b/certs/extract-cert.c -index 8e7ba9974a1f..61bbe0085671 100644 ---- a/certs/extract-cert.c -+++ b/certs/extract-cert.c -@@ -99,11 +99,11 @@ int main(int argc, char **argv) - parms.cert = NULL; - - ENGINE_load_builtin_engines(); -- drain_openssl_errors(); -+ drain_openssl_errors(__LINE__, 1); - e = ENGINE_by_id("pkcs11"); - ERR(!e, "Load PKCS#11 ENGINE"); - if (ENGINE_init(e)) -- drain_openssl_errors(); -+ drain_openssl_errors(__LINE__, 1); - else - ERR(1, "ENGINE_init"); - if (key_pass) -diff --git a/scripts/sign-file.c b/scripts/sign-file.c -index 39ba58db5d4e..bb3fdf1a617c 100644 ---- a/scripts/sign-file.c -+++ b/scripts/sign-file.c -@@ -114,11 +114,11 @@ static EVP_PKEY *read_private_key(const char *private_key_name) - ENGINE *e; - - ENGINE_load_builtin_engines(); -- drain_openssl_errors(); -+ drain_openssl_errors(__LINE__, 1); - e = ENGINE_by_id("pkcs11"); - ERR(!e, "Load PKCS#11 ENGINE"); - if (ENGINE_init(e)) -- drain_openssl_errors(); -+ drain_openssl_errors(__LINE__, 1); - else - ERR(1, "ENGINE_init"); - if (key_pass) -@@ -273,7 +273,7 @@ int main(int argc, char **argv) - - /* Digest the module data. */ - OpenSSL_add_all_digests(); -- display_openssl_errors(__LINE__); -+ drain_openssl_errors(__LINE__, 0); - digest_algo = EVP_get_digestbyname(hash_algo); - ERR(!digest_algo, "EVP_get_digestbyname"); - -diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h -index e6711c75ed91..2db0e181143c 100644 ---- a/scripts/ssl-common.h -+++ b/scripts/ssl-common.h -@@ -3,7 +3,7 @@ - * SSL helper functions shared by sign-file and extract-cert. 
- */ - --static void display_openssl_errors(int l) -+static void drain_openssl_errors(int l, int silent) - { - const char *file; - char buf[120]; -@@ -11,28 +11,21 @@ static void display_openssl_errors(int l) - - if (ERR_peek_error() == 0) - return; -- fprintf(stderr, "At main.c:%d:\n", l); -+ if (!silent) -+ fprintf(stderr, "At main.c:%d:\n", l); - -- while ((e = ERR_get_error_line(&file, &line))) { -+ while ((e = ERR_peek_error_line(&file, &line))) { - ERR_error_string(e, buf); -- fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); -+ if (!silent) -+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); -+ ERR_get_error(); - } - } - --static void drain_openssl_errors(void) --{ -- const char *file; -- int line; -- -- if (ERR_peek_error() == 0) -- return; -- while (ERR_get_error_line(&file, &line)) {} --} -- - #define ERR(cond, fmt, ...) \ - do { \ - bool __cond = (cond); \ -- display_openssl_errors(__LINE__); \ -+ drain_openssl_errors(__LINE__, 0); \ - if (__cond) { \ - errx(1, fmt, ## __VA_ARGS__); \ - } \ --- -2.46.2 - - -From eeffebeb081fcb81ae8a85b6a774dc14791dbc56 Mon Sep 17 00:00:00 2001 -From: Jan Stancek -Date: Fri, 20 Sep 2024 19:52:48 +0300 -Subject: [PATCH 3/3] sign-file,extract-cert: use pkcs11 provider for OPENSSL - MAJOR >= 3 - -ENGINE API has been deprecated since OpenSSL version 3.0 [1]. -Distros have started dropping support from headers and in future -it will likely disappear also from library. - -It has been superseded by the PROVIDER API, so use it instead -for OPENSSL MAJOR >= 3. 
-
-[1] https://github.com/openssl/openssl/blob/master/README-ENGINES.md
-
-[jarkko: fixed up alignment issues reported by checkpatch.pl --strict]
-
-Signed-off-by: Jan Stancek
-Reviewed-by: Jarkko Sakkinen
-Tested-by: R Nageswara Sastry
-Reviewed-by: Neal Gompa
-Signed-off-by: Jarkko Sakkinen
----
- certs/extract-cert.c | 103 ++++++++++++++++++++++++++++++-------------
- scripts/sign-file.c | 93 ++++++++++++++++++++++++++------------
- 2 files changed, 138 insertions(+), 58 deletions(-)
-
-diff --git a/certs/extract-cert.c b/certs/extract-cert.c
-index 61bbe0085671..7d6d468ed612 100644
---- a/certs/extract-cert.c
-+++ b/certs/extract-cert.c
-@@ -21,17 +21,18 @@
- #include
- #include
- #include
--#include
--
-+#if OPENSSL_VERSION_MAJOR >= 3
-+# define USE_PKCS11_PROVIDER
-+# include
-+# include
-+#else
-+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-+# define USE_PKCS11_ENGINE
-+# include
-+# endif
-+#endif
- #include "ssl-common.h"
-
--/*
-- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
-- *
-- * Remove this if/when that API is no longer used
-- */
--#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
--
- #define PKEY_ID_PKCS7 2
-
- static __attribute__((noreturn))
-@@ -61,6 +62,66 @@ static void write_cert(X509 *x509)
- fprintf(stderr, "Extracted cert: %s\n", buf);
- }
-
-+static X509 *load_cert_pkcs11(const char *cert_src)
-+{
-+ X509 *cert = NULL;
-+#ifdef USE_PKCS11_PROVIDER
-+ OSSL_STORE_CTX *store;
-+
-+ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
-+ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
-+ if (!OSSL_PROVIDER_try_load(NULL, "default", true))
-+ ERR(1, "OSSL_PROVIDER_try_load(default)");
-+
-+ store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL);
-+ ERR(!store, "OSSL_STORE_open");
-+
-+ while (!OSSL_STORE_eof(store)) {
-+ OSSL_STORE_INFO *info = OSSL_STORE_load(store);
-+
-+ if (!info) {
-+ drain_openssl_errors(__LINE__, 0);
-+ continue;
-+ }
-+ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) {
-+ cert = OSSL_STORE_INFO_get1_CERT(info);
-+ ERR(!cert, "OSSL_STORE_INFO_get1_CERT");
-+ }
-+ OSSL_STORE_INFO_free(info);
-+ if (cert)
-+ break;
-+ }
-+ OSSL_STORE_close(store);
-+#elif defined(USE_PKCS11_ENGINE)
-+ ENGINE *e;
-+ struct {
-+ const char *cert_id;
-+ X509 *cert;
-+ } parms;
-+
-+ parms.cert_id = cert_src;
-+ parms.cert = NULL;
-+
-+ ENGINE_load_builtin_engines();
-+ drain_openssl_errors(__LINE__, 1);
-+ e = ENGINE_by_id("pkcs11");
-+ ERR(!e, "Load PKCS#11 ENGINE");
-+ if (ENGINE_init(e))
-+ drain_openssl_errors(__LINE__, 1);
-+ else
-+ ERR(1, "ENGINE_init");
-+ if (key_pass)
-+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
-+ ERR(!parms.cert, "Get X.509 from PKCS#11");
-+ cert = parms.cert;
-+#else
-+ fprintf(stderr, "no pkcs11 engine/provider available\n");
-+ exit(1);
-+#endif
-+ return cert;
-+}
-+
- int main(int argc, char **argv)
- {
- char *cert_src;
-@@ -89,28 +150,10 @@ int main(int argc, char **argv)
- fclose(f);
- exit(0);
- } else if (!strncmp(cert_src, "pkcs11:", 7)) {
-- ENGINE *e;
-- struct {
-- const char *cert_id;
-- X509 *cert;
-- } parms;
-+ X509 *cert = load_cert_pkcs11(cert_src);
-
-- parms.cert_id = cert_src;
-- parms.cert = NULL;
--
-- ENGINE_load_builtin_engines();
-- drain_openssl_errors(__LINE__, 1);
-- e = ENGINE_by_id("pkcs11");
-- ERR(!e, "Load PKCS#11 ENGINE");
-- if (ENGINE_init(e))
-- drain_openssl_errors(__LINE__, 1);
-- else
-- ERR(1, "ENGINE_init");
-- if (key_pass)
-- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
-- ERR(!parms.cert, "Get X.509 from PKCS#11");
-- write_cert(parms.cert);
-+ ERR(!cert, "load_cert_pkcs11 failed");
-+ write_cert(cert);
- } else {
- BIO *b;
- X509 *x509;
-diff --git a/scripts/sign-file.c b/scripts/sign-file.c
-index bb3fdf1a617c..7070245edfc1 100644
---- a/scripts/sign-file.c
-+++ b/scripts/sign-file.c
-@@ -27,17 +27,18 @@
- #include
- #include
- #include
--#include
--
-+#if OPENSSL_VERSION_MAJOR >= 3
-+# define USE_PKCS11_PROVIDER
-+# include
-+# include
-+#else
-+# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-+# define USE_PKCS11_ENGINE
-+# include
-+# endif
-+#endif
- #include "ssl-common.h"
-
--/*
-- * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
-- *
-- * Remove this if/when that API is no longer used
-- */
--#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
--
- /*
- * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
- * assume that it's not available and its header file is missing and that we
-@@ -106,28 +107,64 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
- return pwlen;
- }
-
--static EVP_PKEY *read_private_key(const char *private_key_name)
-+static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
- {
-- EVP_PKEY *private_key;
-+ EVP_PKEY *private_key = NULL;
-+#ifdef USE_PKCS11_PROVIDER
-+ OSSL_STORE_CTX *store;
-
-- if (!strncmp(private_key_name, "pkcs11:", 7)) {
-- ENGINE *e;
-+ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
-+ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
-+ if (!OSSL_PROVIDER_try_load(NULL, "default", true))
-+ ERR(1, "OSSL_PROVIDER_try_load(default)");
-+
-+ store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
-+ ERR(!store, "OSSL_STORE_open");
-
-- ENGINE_load_builtin_engines();
-+ while (!OSSL_STORE_eof(store)) {
-+ OSSL_STORE_INFO *info = OSSL_STORE_load(store);
-+
-+ if (!info) {
-+ drain_openssl_errors(__LINE__, 0);
-+ continue;
-+ }
-+ if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
-+ private_key = OSSL_STORE_INFO_get1_PKEY(info);
-+ ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY");
-+ }
-+ OSSL_STORE_INFO_free(info);
-+ if (private_key)
-+ break;
-+ }
-+ OSSL_STORE_close(store);
-+#elif defined(USE_PKCS11_ENGINE)
-+ ENGINE *e;
-+
-+ ENGINE_load_builtin_engines();
-+ drain_openssl_errors(__LINE__, 1);
-+ e = ENGINE_by_id("pkcs11");
-+ ERR(!e, "Load PKCS#11 ENGINE");
-+ if (ENGINE_init(e))
- drain_openssl_errors(__LINE__, 1);
-- e = ENGINE_by_id("pkcs11");
-- ERR(!e, "Load PKCS#11 ENGINE");
-- if (ENGINE_init(e))
-- drain_openssl_errors(__LINE__, 1);
-- else
-- ERR(1, "ENGINE_init");
-- if (key_pass)
-- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
-- "Set PKCS#11 PIN");
-- private_key = ENGINE_load_private_key(e, private_key_name,
-- NULL, NULL);
-- ERR(!private_key, "%s", private_key_name);
-+ else
-+ ERR(1, "ENGINE_init");
-+ if (key_pass)
-+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-+ private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
-+ ERR(!private_key, "%s", private_key_name);
-+#else
-+ fprintf(stderr, "no pkcs11 engine/provider available\n");
-+ exit(1);
-+#endif
-+ return private_key;
-+}
-+
-+static EVP_PKEY *read_private_key(const char *private_key_name)
-+{
-+ if (!strncmp(private_key_name, "pkcs11:", 7)) {
-+ return read_private_key_pkcs11(private_key_name);
- } else {
-+ EVP_PKEY *private_key;
- BIO *b;
-
- b = BIO_new_file(private_key_name, "rb");
-@@ -136,9 +173,9 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
- NULL);
- ERR(!private_key, "%s", private_key_name);
- BIO_free(b);
-- }
-
-- return private_key;
-+ return private_key;
-+ }
- }
-
- static X509 *read_x509(const char *x509_name)
---
-2.46.2
-
diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec
index 5bb5cd8..efee7d0 100644
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@@ -1,5 +1,5 @@
 %global firmware_tag 1.20241008
-%global version_tag efda653d39a46aa5ed2d5f8af420c1e4eddb2dca
+%global version_tag bf70ebd2aa440a2dc3626d6e836482a445470e64
 ExclusiveArch: aarch64
@@ -18,8 +18,8 @@ ExclusiveArch: aarch64
 %define rpisuffix 2
 %define ksuffix 4
-%define kversion 6.11
-%define patchlevel 7
+%define kversion 6.12
+%define patchlevel 0
 %if 0%{?rhel} >= 10
 %define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
@@ -38,14 +38,13 @@ ExclusiveArch: aarch64
 Name: raspberrypi%{rpisuffix}
 Version: %{kversion}.%{patchlevel}
-Release: 20241110.%{local_version}.%{extra_version}%{?dist}
+Release: 20241111.%{local_version}.%{extra_version}%{?dist}
 Summary: Specific kernel and bootcode for Raspberry Pi
 License: GPLv2
 URL: https://github.com/raspberrypi/linux
 Source0: https://github.com/raspberrypi/linux/archive/%{version_tag}.tar.gz
 Source1: https://github.com/raspberrypi/firmware/archive/refs/tags/%{firmware_tag}.tar.gz
-Patch1: openssl-3.0.patch
 Patch100: config_2711.patch
 Patch101: config_2712.patch
 # Sources for kernel-tools
@@ -172,7 +171,6 @@ glibc package.
 %prep
 %setup -q -n linux-%{version_tag}
-%patch -P 1 -p1
 %patch -P 100 -p1
 %patch -P 101 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
@@ -440,6 +438,9 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif
 %changelog
+* Tue Nov 12 2024 Koichiro Iwao - 6.12.0-20241111.v8.1
+- Update kernel to v6.12.0-rc720241110 bf70ebd2
+
 * Tue Nov 12 2024 Koichiro Iwao - 6.11.7-20241110.v8.1
 - Update kernel to v6.11.7 20241110 efda653d
--
2.43.5
From 854eb274561632f41b5ad48932daa58e7058875d Mon Sep 17 00:00:00 2001
From: Koichiro Iwao
Date: Wed, 25 Dec 2024 11:25:11 +0900
Subject: [PATCH 6/6] Update to 6.12.1 20241203 and update firmware to 1.20241126
---
 .raspberrypi2.metadata | 4 ++--
 SPECS/raspberrypi2.spec | 14 +++++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/.raspberrypi2.metadata b/.raspberrypi2.metadata
index ccf9d62..d50f600 100644
--- a/.raspberrypi2.metadata
+++ b/.raspberrypi2.metadata
@@ -1,2 +1,2 @@
-ac72e2f196857ecf73167250e87d33838a3859f7 SOURCES/1.20241008.tar.gz
-4b879d0d4a701bbd4afa7abefe6987289ca45851 SOURCES/bf70ebd2aa440a2dc3626d6e836482a445470e64.tar.gz
+097ac2ea24117c85f5e97eca810c5fd98d3576b2 SOURCES/1.20241126.tar.gz
+15d20d02cbea3641470b226ae025d8ddbdaf2913 SOURCES/rpi-6.12.y_20241206_2.tar.gz
diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec
index efee7d0..f69973d 100644
--- a/SPECS/raspberrypi2.spec
+++ b/SPECS/raspberrypi2.spec
@@ -1,5 +1,5 @@
-%global firmware_tag 1.20241008
-%global version_tag bf70ebd2aa440a2dc3626d6e836482a445470e64
+%global firmware_tag 1.20241126
+%global version_tag rpi-6.12.y_20241206_2
 ExclusiveArch: aarch64
@@ -19,7 +19,7 @@ ExclusiveArch: aarch64
 %define ksuffix 4
 %define kversion 6.12
-%define patchlevel 0
+%define patchlevel 1
 %if 0%{?rhel} >= 10
 %define pathfix %{__python3} %{_rpmconfigdir}/redhat/pathfix.py
@@ -38,7 +38,7 @@ ExclusiveArch: aarch64
 Name: raspberrypi%{rpisuffix}
 Version: %{kversion}.%{patchlevel}
-Release: 20241111.%{local_version}.%{extra_version}%{?dist}
+Release: 20241206.%{local_version}.%{extra_version}%{?dist}
 Summary: Specific kernel and bootcode for Raspberry Pi
 License: GPLv2
@@ -438,8 +438,12 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif
 %changelog
+* Wed Dec 25 2024 Koichiro Iwao - 6.12.1-20241206.v8.1
+- Update kernel to v6.12.1 rpi-6.12.y_20241206_2
+- Update firmware to 1.20241126
+
 * Tue Nov 12 2024 Koichiro Iwao - 6.12.0-20241111.v8.1
-- Update kernel to v6.12.0-rc720241110 bf70ebd2
+- Update kernel to v6.12.0-rc7 20241110 bf70ebd2
 * Tue Nov 12 2024 Koichiro Iwao - 6.11.7-20241110.v8.1
 - Update kernel to v6.11.7 20241110 efda653d
--
2.43.5
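Review bot: In the first hunk of SPECS/raspberrypi2.spec, `version_tag` changes from a full commit hash to the ref name `rpi-6.12.y_20241206_2`, so the spec no longer records which commit the kernel tarball was built from. `Source0` (visible as context in the previous patch) fetches `archive/%{version_tag}.tar.gz`, and a tag or branch name can be repointed upstream while a commit hash cannot. The only remaining pin appears to be the tarball digest in `.raspberrypi2.metadata`; whether the build enforces that digest is not visible here. I would record the resolved commit next to the macro, for example `# rpi-6.12.y_20241206_2 resolved to <full-commit-sha> at import time`, or keep the hash in `version_tag` and mention the ref name only in the changelog.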