Hello community,

here is the log from the commit of package suse-module-tools for 
openSUSE:Factory checked in at 2019-02-06 14:05:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/suse-module-tools (Old)
 and      /work/SRC/openSUSE:Factory/.suse-module-tools.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "suse-module-tools"

Wed Feb  6 14:05:19 2019 rev:24 rq:670473 version:15.1.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/suse-module-tools/suse-module-tools.changes      
2018-11-19 23:27:58.923467761 +0100
+++ 
/work/SRC/openSUSE:Factory/.suse-module-tools.new.28833/suse-module-tools.changes
   2019-02-06 14:05:23.138671278 +0100
@@ -1,0 +2,30 @@
+Thu Jan 31 23:07:10 UTC 2019 - mwi...@suse.com
+
+- Update to version 15.1.0 (git 6b07b88):
+  * 50-blacklist.conf is not added in Leap before 15.1.
+  fix conditionals and bump version accordingly.
+
+-------------------------------------------------------------------
+Wed Jan 30 23:04:26 UTC 2019 - mwi...@suse.com
+
+- Update to version 15.0.20 (git 1396df5):
+- Fix driver-check.sh (boo#1123697, boo#1123704)
+- add /etc/modprobe.d/50-blacklist.conf from sysconfig package
+  (boo#1107611)
+- Remove hard dependency on mkinitrd (boo#1123721)
+- Make sure code works also without kmod-compat
+- Replace file dependency on /sbin/depmod by weak package dependency
+
+-------------------------------------------------------------------
+Mon Dec 10 12:10:29 UTC 2018 - Martin Wilck <mwi...@suse.com>
+
+- Move "weak-modules" script to -legacy subpackage to avoid
+  dependency on binutils (bsc#1116665)
+
+-------------------------------------------------------------------
+Fri Dec  7 12:45:36 UTC 2018 - Adrian Schröter <adr...@suse.de>
+
+- Require mkinitrd (provided also by dracut) directly instead of
+  file requires. This is fixing image build failures
+
+-------------------------------------------------------------------

Old:
----
  suse-module-tools-15.0.1.tar.xz

New:
----
  suse-module-tools-15.1.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ suse-module-tools.spec ++++++
--- /var/tmp/diff_new_pack.y13kKj/_old  2019-02-06 14:05:23.786671162 +0100
+++ /var/tmp/diff_new_pack.y13kKj/_new  2019-02-06 14:05:23.786671162 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package suse-module-tools
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           suse-module-tools
-Version:        15.0.1
+Version:        15.1.0
 Release:        0
 Summary:        Configuration for module loading and SUSE-specific utilities 
for KMPs
 License:        GPL-2.0-or-later
@@ -25,16 +25,21 @@
 Url:            https://github.com/openSUSE/suse-module-tools
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name}.rpmlintrc
-Requires:       /sbin/mkinitrd
-Requires:       binutils
 Requires:       coreutils
 Requires:       findutils
 Requires:       grep
 Requires:       gzip
-# module-init-tools in older distros, kmod-compat in later ones
-Requires:       /sbin/depmod
 Requires:       rpm
 Requires:       sed
+# Use weak dependencies for mkinitrd and kmod in order to
+# keep Ring0 lean. In normal deployments, these packages
+# will be available anyway.
+Recommends:     mkinitrd
+%if 0%{?suse_version} >= 1315
+Recommends:     kmod
+%else
+Recommends:     modutils
+%endif
 
 %description
 This package contains helper scripts for KMP installation and
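Review bot: `Recommends: modutils` in the `%else` branch names a package the rest of the spec never mentions; the comment removed in this hunk and the `%description` text both name module-init-tools as the depmod provider on older distributions. A weak dependency on a name that nothing provides is silently ignored, so unless modutils is a `Provides` of that package, the old-distro branch ends up with no depmod recommendation at all. A one-line comment stating which package is expected to satisfy it would settle this. Because mkinitrd and depmod are now optional, installs that skip recommended packages get the helper scripts without them, so every script that calls these tools needs its own presence check (driver-check.sh gains one in this commit; the others are not visible here).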
@@ -42,6 +47,18 @@
 modprobe. These utilities are provided by kmod-compat or
 module-init-tools, whichever implementation you choose to install.
 
+
+%package legacy
+Summary:        Legacy "weak-modules" script for Code10
+Group:          System/Base
+Requires:       %{name}
+Requires:       binutils
+
+%description legacy
+This package contains the legacy "weak-modules" script for kernel
+module package (KMP) support. It was replaced by "weak-modules2" in
+SLE 11 and later.
+
 %prep
 %setup -q
 
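Review bot: `Requires: %{name}` in the new `legacy` subpackage is unversioned, so a legacy package from one build can stay installed next to a main package from a different build. This commit moves the weak-modules script between the two packages, which makes such a mix a file-conflict or missing-file risk during updates; `Requires: %{name} = %{version}-%{release}` is the usual form. The summary says "for Code10" while the description says the script was replaced in SLE 11 and later, so a short comment on which products still need it would help.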
@@ -61,6 +78,9 @@
 install -pm644 "10-unsupported-modules.conf" \
        "%{buildroot}%{_sysconfdir}/modprobe.d/"
 install -pm644 00-system.conf "%{buildroot}%{_sysconfdir}/modprobe.d/"
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150100
+install -pm644 modprobe.conf/modprobe.conf.blacklist 
"%{buildroot}%{_sysconfdir}/modprobe.d/50-blacklist.conf"
+%endif
 install -pm644 modprobe.conf/modprobe.conf.local 
"%{buildroot}%{_sysconfdir}/modprobe.d/99-local.conf"
 install -d -m 755 "%{buildroot}%{_sysconfdir}/depmod.d"
 install -pm 644 "depmod-00-system.conf" \
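Review bot: Nothing in the visible spec hunks tells the package manager that `50-blacklist.conf` changes owner. The changelog says the file comes from the sysconfig package, so on a system whose installed sysconfig still ships `/etc/modprobe.d/50-blacklist.conf`, this install line and the matching `%files` entry further down would produce a file conflict. If the spec does not already carry one outside these hunks, a versioned `Conflicts:` against the sysconfig releases that still own the file, guarded by the same `%if`, avoids that.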
@@ -76,9 +96,7 @@
 install -pm 644 "macros.initrd" "%{buildroot}%{_sysconfdir}/rpm/"
 install -pm 755 "regenerate-initrd-posttrans" 
"%{buildroot}%{_libexecdir}/module-init-tools/"
 
-# modsign-verify for verifying module signatures
 install -d -m 755 "%{buildroot}%{_prefix}/bin"
-install -pm 755 modsign-verify "%{buildroot}%{_bindir}/"
 install -pm 755 kmp-install "%{buildroot}%{_bindir}/"
 # modhash for calculating hash of signed kernel module
 install -pm 755 modhash "%{buildroot}%{_bindir}/"
@@ -173,16 +191,24 @@
 %dir %{_sysconfdir}/modprobe.d
 %config %{_sysconfdir}/modprobe.d/00-system.conf
 %config(noreplace) %{_sysconfdir}/modprobe.d/10-unsupported-modules.conf
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150100
+%config(noreplace) %{_sysconfdir}/modprobe.d/50-blacklist.conf
+%endif
 %config(noreplace) %{_sysconfdir}/modprobe.d/99-local.conf
 %dir %{_sysconfdir}/depmod.d
 %config %{_sysconfdir}/depmod.d/00-system.conf
 %config %{_sysconfdir}/rpm/macros.initrd
 %{_bindir}/modhash
 %{_bindir}/kmp-install
-%{_bindir}/modsign-verify
 %{_libexecdir}/module-init-tools
+%exclude %{_libexecdir}/module-init-tools/weak-modules
 %{_libexecdir}/systemd/system/systemd-sysctl.service.d
 %dir %{_sysconfdir}/modules-load.d
 %config(noreplace) %{_sysconfdir}/modules-load.d/sg.conf
 
+%files legacy
+%defattr(-,root,root)
+
+%{_libexecdir}/module-init-tools/weak-modules
+
 %changelog
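Review bot: The removal of `%{_bindir}/modsign-verify` here (together with its install line and the script itself) is not mentioned in any of the .changes entries this commit adds. modsign-verify was the package's tool for checking kernel module signatures, so administrators who call it from scripts lose that check without notice on update. I would add a changelog line such as `- Remove modsign-verify script` with a pointer to whatever is meant to replace it; the reason for the removal is not visible on this page.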

++++++ _service ++++++
--- /var/tmp/diff_new_pack.y13kKj/_old  2019-02-06 14:05:23.806671158 +0100
+++ /var/tmp/diff_new_pack.y13kKj/_new  2019-02-06 14:05:23.806671158 +0100
@@ -4,8 +4,8 @@
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
     <param name="filename">suse-module-tools</param>
-    <param name="version">15.0.1</param>
-    <param name="revision">15.0.1</param>
+    <param name="version">15.1.0</param>
+    <param name="revision">master</param>
     <param name="exclude">*.spec</param>
     <param name="exclude">*.rpmlintrc</param>
   </service>
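Review bot: `<param name="revision">master</param>` makes the source service follow a moving branch, where the old value pinned the tag 15.0.1. The packaged tarball then depends on when the service last ran rather than on what `Version: 15.1.0` in the spec says, and only `_servicedata` records the commit that was actually fetched. Pinning `revision` to the release tag or to the commit id recorded there keeps the build reproducible and makes an unexpected upstream push show up as a reviewable change.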

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.y13kKj/_old  2019-02-06 14:05:23.818671157 +0100
+++ /var/tmp/diff_new_pack.y13kKj/_new  2019-02-06 14:05:23.818671157 +0100
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/openSUSE/suse-module-tools.git</param>
-              <param 
name="changesrevision">5c6331938afd2e9250b60450d458bd9297f0d2cf</param></service></servicedata>
\ No newline at end of file
+              <param 
name="changesrevision">6b07b8840b0e26b7f4fcaf5c5ddf17f6a3b97810</param></service></servicedata>
\ No newline at end of file

++++++ suse-module-tools-15.0.1.tar.xz -> suse-module-tools-15.1.0.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/suse-module-tools-15.0.1/driver-check.sh 
new/suse-module-tools-15.1.0/driver-check.sh
--- old/suse-module-tools-15.0.1/driver-check.sh        2018-11-07 
15:48:34.000000000 +0100
+++ new/suse-module-tools-15.1.0/driver-check.sh        2019-02-01 
00:05:55.000000000 +0100
@@ -1,7 +1,7 @@
 #!/bin/bash
 
-VERSION="0.5"
-MAINTAINER="Michal Marek <mma...@suse.cz>"
+VERSION="0.6"
+MAINTAINER="Martin Wilck <mwi...@suse.com>"
 USAGE="Usage: ${0##*/} [-o|--out output-file]"
 
 errors=0
@@ -10,6 +10,23 @@
 trap 'rm -rf "$tmp"' EXIT
 tmp=$(mktemp -d)
 
+find_depmod() {
+    local _d
+
+    [[ -x "$DEPMOD" ]] && return
+    DEPMOD=
+    for _d in /usr/sbin /sbin; do
+       if [[ -x ${_d}/depmod ]]; then
+           DEPMOD=${_d}/depmod
+           break;
+       fi
+    done
+    if [[ ! "$DEPMOD" ]]; then
+       echo "ERROR: depmod is not installed - aborting" >&2
+       exit 1
+    fi
+}
+
 rpm()
 {
        # rpm tends to send localized error messages to stdout :-(
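Review bot: `find_depmod` accepts whatever `DEPMOD` value the caller's environment holds, because, as far as these hunks show, the script never initialises the variable before `[[ -x "$DEPMOD" ]] && return`. The script later executes `"$DEPMOD"` and is presumably run with root privileges, so an inherited value should either be documented as a supported override next to `USAGE` or cleared first; `-x` alone is also true for a directory. `[[ -f "$DEPMOD" && -x "$DEPMOD" ]] && return` plus a comment `# DEPMOD may be preset by the caller to select a depmod binary` would cover both. The `rpm()` wrapper that follows continues outside the hunk.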
@@ -62,20 +79,33 @@
        fi
 }
 
+check_rpm_V()
+{
+       local attrs flags path
+
+       # kernel packages contain the initrd with permissions 0644,
+       # but dracut creates initrd with 0600. That's not an error.
+       while read attrs flags path; do
+               case $attrs in
+               .M.......)
+                       if [[ "${path#/boot/initrd}" != "$path" && \
+                                     -f "$path" && \
+                                      $(stat -c %a "$path") = 600 ]]; then
+                                   continue
+                       fi
+                       ;;
+               esac
+               echo "$attrs $flags $path"
+               error "$rpm was not installed correctly (see above)"
+       done
+}
+
 check_rpm()
 {
-       local rpm=$1 name=${1%-*-*}
+       local rpm=$1 name=${1%-*-*} out
 
        # ignore changes to %config and %doc files and ignore changed mtimes
-       if rpm -V "$rpm" | grep -Ev '^[^ ]{8,}  [cd] |^\.{7}T\.* '; then
-               error "$rpm was not installed correctly (see above)"
-       fi
-       # this is ugly. Apparently zypper insist on the progress messages and
-       # the ascii table, so grep for the table row.
-       if ! LC_ALL=C zypper -A search -t package -u -s --match-exact "$name" \
-               | grep -qe ---; then
-               error "$rpm: no update repositories found"
-       fi
+       check_rpm_V < <(rpm -V "$rpm" | grep -Ev '^[^ ]{8,}  [cd] |^\.{7}T\.* ')
 }
 
 check_kernel_package()
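Review bot: The `while read attrs flags path` loop in `check_rpm_V` assumes three whitespace-separated fields per line, but to my knowledge `rpm -V` prints the one-letter file marker only for config, doc, ghost and similar files. For a plain file the path would land in `flags` and `path` would be empty, so the initrd exemption can only match marked files; that may be intended for a ghost initrd, but it deserves a comment, and `read -r` is needed so backslashes in paths survive. The function also takes `$rpm` from the caller's `local`, which works only through bash's dynamic scoping; `check_rpm_V "$rpm" < <(...)` with `local rpm=$1` inside would make that explicit. The new `out` local in `check_rpm` is unused.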
@@ -109,9 +139,11 @@
                explain "Each kernel must install /boot/System.map-\$version 
and /boot/symvers-\$version.gz to be able to check module dependencies."
                return
        fi
-       set -- $(/sbin/depmod --version | sed -rn 's/.* 
([0-9]+)\.([0-9]+)(\..*)?/\1 \2/p')
+       set -- $("$DEPMOD" --version | sed -rn 's/.* 
([0-9]+)(\.([0-9]+)(\..*)?)?/\1 \3/p')
        if test -n "$1" -a -n "$2"; then
                let "mit_version = $1 * 100 + $2"
+       elif test -n "$1" -a \! -n "$2" -a "$1" -gt 3; then
+               let "mit_version = $1 * 100"
        else
                warning "Cannot determine module-init-tools version, this is a 
bug in the script"
                mit_version=0
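Review bot: The new `elif test -n "$1" -a \! -n "$2" -a "$1" -gt 3` branch has no comment explaining the threshold 3. From the regex change it appears to accept version strings with a single number while still rejecting a bare major version in the module-init-tools 3.x range, which a reader has to reconstruct. I would add `# single-number version string (no minor part): treat as N.0` above it and write the test as `[[ -n $1 && -z $2 && $1 -gt 3 ]]`, since `-a` inside `test` is ambiguous with some operands. The enclosing function starts and ends outside the hunk.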
@@ -123,7 +155,7 @@
        else
                args=(-F "$system_map")
        fi
-       msg=$(/sbin/depmod -n -e "${args[@]}" "$krel" 2>&1 >/dev/null)
+       msg=$("$DEPMOD" -n -e "${args[@]}" "$krel" 2>&1 >/dev/null)
        res=$?
        if test -n "$msg" -o "$res" -ne 0; then
                echo "$msg"
@@ -242,6 +274,7 @@
        exit 1
 fi
 
+find_depmod
 check_system
 
 # set up redirection
@@ -261,7 +294,9 @@
 fi
 echo "${0##*/} $VERSION started at $(date -R)" >&2
 
-check_rpm $(rpm -q --qf '%{n}-%{v}-%{r}\n' module-init-tools)
+smt=$(rpm -q --qf '%{n}-%{v}-%{r}\n' module-init-tools) || \
+    smt=$(rpm -q --qf '%{n}-%{v}-%{r}\n' suse-module-tools)
+check_rpm "$smt"
 
 mkdir -p "$tmp/rpms"
 found_kernel=false
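Review bot: If neither `rpm -q` call succeeds, `smt` still holds the output of the second one and `check_rpm "$smt"` runs on it. The comment in the script's `rpm()` wrapper says rpm tends to write error messages to stdout, so that value would likely be a "not installed" message rather than a package name. Testing the status keeps the report accurate, e.g. `if smt=$(...) || smt=$(...); then check_rpm "$smt"; else error "suse-module-tools is not installed"; fi` with the two existing queries in place of the dots.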
@@ -270,7 +305,7 @@
        case "$rpm" in
        kernel-source-* | kernel-syms-* | kernel-*-debug* | kernel-*-man-* | \
        kernel-*-devel-* | kernel-firmware-* | kernel-coverage-* | \
-       kernel-docs-* | kernel-devel-*)
+       kernel-docs-* | kernel-devel-* | kernel-macros-*)
                continue
        esac
        # store the filelist to speed up file_owner()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/suse-module-tools-15.0.1/modprobe.conf/modprobe.conf.blacklist 
new/suse-module-tools-15.1.0/modprobe.conf/modprobe.conf.blacklist
--- old/suse-module-tools-15.0.1/modprobe.conf/modprobe.conf.blacklist  
1970-01-01 01:00:00.000000000 +0100
+++ new/suse-module-tools-15.1.0/modprobe.conf/modprobe.conf.blacklist  
2019-02-01 00:05:55.000000000 +0100
@@ -0,0 +1,189 @@
+#
+# $Id$
+#
+# Listing a module here prevents modprobe from loading it via modalias (only
+# aliases from /lib/modules/*/modules.alias). You may still load it 
explicitely.
+# We blacklist some modules becaus they may harm on certain devices or they
+# prevent other modules from grabbing the device.
+#
+# Syntax:  blacklist <driver name>
+# See 'man modprobe'.
+#
+
+# usbcore ... module is loaded implicitly, ignore it otherwise
+blacklist usbcore
+
+# tulip ... de4x5, xircom_tulip_cb, dmfe (...) handle same devices
+blacklist de4x5
+# At least 2.4.3 and later xircom_tulip doesn't have that conflict
+# xircom_tulip_cb
+blacklist dmfe
+
+# list all framebuffer drivers, some of them tend to crash during boot
+# they are either compiled into the kernel, or vesafb is active
+# X works fine without them, rcfbset can load them if really required
+#  sed -e '/\/drivers\/video\/.*\.\(o\|ko\)$/{s@^.*/@@;s@\..*$@@;p};d'
+blacklist aty128fb
+blacklist atyfb
+blacklist cyber2000fb
+blacklist g450_pll
+blacklist hgafb
+blacklist i2c-matroxfb
+blacklist i810fb
+blacklist intelfbdrv
+blacklist intelfbhw
+blacklist matroxfb_accel
+blacklist matroxfb_base
+blacklist matroxfb_crtc2
+blacklist matroxfb_DAC1064
+blacklist matroxfb_g450
+blacklist matroxfb_maven
+blacklist matroxfb_misc
+blacklist matroxfb_proc
+blacklist matroxfb_Ti3026
+blacklist mdacon
+blacklist neofb
+blacklist pm2fb
+blacklist pm3fb
+blacklist radeonfb
+blacklist rivafb
+blacklist sisfb
+blacklist sstfb
+blacklist tdfxfb
+blacklist tridentfb
+blacklist vga16fb
+blacklist vgastate
+# for kyrofb see Bug 35810
+blacklist kyrofb
+# list was not complete (bug 106715)
+blacklist arcfb
+blacklist backlight
+blacklist lcd
+blacklist cirrusfb
+blacklist gx1fb
+blacklist intelfb
+blacklist macmodes
+blacklist nvidiafb
+blacklist s1d13xxxfb
+blacklist savagefb
+# additional modules since SLE11, bug 468964
+blacklist arkfb
+blacklist carminefb
+blacklist gxfb
+blacklist hecubafb
+blacklist lxfb
+blacklist s3fb
+blacklist sm501fb
+blacklist viafb
+blacklist vmlfb
+blacklist vt8623fb
+#bug 846218
+blacklist udlfb
+
+# ISDN modules are load from /lib/udev/isdn.sh
+blacklist fcusb
+blacklist fcusb2
+blacklist fxusb
+blacklist fxusb_CZ
+blacklist fcdslusb
+blacklist fcdslusb2
+blacklist fcdslusba
+blacklist fcdslslusb
+blacklist fcdslslusb2
+blacklist e2220pc
+blacklist e5520pc
+blacklist bfusb
+blacklist b1isa
+blacklist b1pci
+blacklist b1pcmcia
+blacklist c4
+blacklist t1isa
+blacklist t1pci
+blacklist divas
+blacklist act2000
+blacklist hfc_usb
+blacklist hisax
+blacklist hisax_fcpcipnp
+blacklist hisax_st5481
+blacklist hysdn
+blacklist icn
+blacklist pcbit
+blacklist sc
+blacklist tpam
+blacklist fcpci
+blacklist fcclassic
+blacklist fcdsl
+blacklist fcdsl2
+# mISDN modules
+blacklist hfcsusb
+blacklist hfcpci
+blacklist hfcmulti
+blacklist l1oip
+blacklist mISDN_dsp
+blacklist mISDN_core
+
+# OSS PCI sound modules
+blacklist ad1889
+blacklist ali5455
+blacklist btaudio
+blacklist cmpci
+blacklist cs4281
+blacklist emu10k1
+blacklist es1370
+blacklist es1371
+blacklist esssolo1
+blacklist forte
+blacklist i810_audio
+blacklist maestro
+blacklist maestro3
+blacklist nm256_audio
+blacklist opl3sa2                 # Bug 219758
+blacklist rme96xx
+blacklist sonicvibes
+blacklist trident
+blacklist via82cxxx_audio
+blacklist ymfpci
+
+# this is a debugging module which should only be loaded manually
+blacklist evbug
+
+# These mtd drivers should be loaded manually.
+blacklist scb2_flash
+blacklist pci
+blacklist l440gx
+blacklist amd76xrom
+
+# job of rcdvb
+blacklist snd-bt87x
+
+# This module seems to be good for nothing. See bug 129301.
+blacklist dpt_i2o
+
+# These devices have bt878 chip without PCI Subsystem ID. Without that info 
bttv
+# does not know how to treat them properly. Therefore we disable autoloading of
+# modules for these devices.
+# See https://bugzilla.novell.com/show_bug.cgi?id=149588
+# To enable your device create a hardware configuration file for your device.
+# See man hwup for details.
+# You will probably have to specify an option to identify your card. Have a
+# look in /usr/src/linux/Documentation/video4linux/CARDLIST.bttv.
+alias pci:v0000109Ed0000036Esv00000000sd00000000bc04sc00i00 bttv_skip_it
+alias pci:v0000109Ed00000878sv00000000sd00000000bc04sc80i00 bttv_skip_it
+install bttv_skip_it echo "module alias skipped (bt878 chip without PCI 
Subsystem ID)"
+
+# For some bridges both intel-agp and i82875p_edac are loaded. If i82875p_edac
+# is loaded first it will grab the device. Then intel-agp doesn't work.
+# Therefore we disable automatic loading of 82875p_edac. (Bug 213840)
+blacklist i82875p_edac
+#
+# Blacklist the IBM s390 module for I/O dynamic configuration support
+# Bug bnc#478601
+blacklist chsc_sch
+
+# Blacklist acpi_power_meter. The device requires processing ACPI AML code to
+# update average power measurement. This may be at a high frequency and has
+# been observed executing every 500ms. This has a noticable impact on latency
+# sensitive applications that experience delays on workqueue executions. As
+# very few applications require the data, blacklist the module by default
+# (bnc#974373)
+blacklist acpi_power_meter
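Review bot: The comments of the imported file carry several typos that now ship in a `%config(noreplace)` file users are expected to read and edit: "explicitely", "becaus they may harm on certain devices", "ISDN modules are load from" and "noticable". Suggested wording for the header: `# You may still load it explicitly.` and `# We blacklist some modules because they may cause harm on certain devices`. The `$Id$` line is a leftover revision keyword that git does not expand and can be dropped.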
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/suse-module-tools-15.0.1/modsign-verify 
new/suse-module-tools-15.1.0/modsign-verify
--- old/suse-module-tools-15.0.1/modsign-verify 2018-11-07 15:48:34.000000000 
+0100
+++ new/suse-module-tools-15.1.0/modsign-verify 1970-01-01 01:00:00.000000000 
+0100
@@ -1,620 +0,0 @@
-#!/usr/bin/perl
-# 
-# Verify kernel module signature generated by /usr/src/linux/scripts/sign-file
-# 
-# Parts of this script were copied from sign-file, written by David Howels
-#
-
-my $USAGE = "Usage: modsign-verify [-v] [-q] [--certificate <x509> | 
--cert-dir <dir>] <module>\n";
-
-use strict;
-use warnings;
-use IPC::Open2;
-use Getopt::Long;
-use File::Temp qw(tempfile);
-use bigint;
-
-my $cert;
-my $cert_dir;
-my $verbose = 1;
-GetOptions(
-       "certificate=s" => \$cert,
-       "cert-dir=s" => \$cert_dir,
-       "q|quiet" => sub { $verbose-- if $verbose; },
-       "v|verbose" => sub { $verbose++; },
-       "h|help" => sub {
-               print $USAGE;
-               print "Return codes: 0 good signature\n";
-               print "              1 bad signature\n";
-               print "              2 certificate not found\n";
-               print "              3 module not signed\n";
-               print "             >3 other error\n";
-               exit(0);
-       }
-) or die($USAGE);
-
-sub _verbose {
-       my $level = shift;
-
-       return if $verbose < $level;
-       print STDERR @_;
-}
-
-sub info    { _verbose(1, @_); }
-sub verbose { _verbose(2, @_); }
-sub debug   { _verbose(3, @_); }
-
-if (@ARGV > 1) {
-       print STDERR "Excess arguments\n";
-       die($USAGE);
-} elsif (@ARGV < 1) {
-       print STDERR "No module supplied\n";
-       die($USAGE);
-} elsif ($cert && $cert_dir) {
-       print STDERR "Please specify either --certificate or --cert-dir, not 
both.\n";
-       die($USAGE);
-}
-my $module_name = shift(@ARGV);
-if (!$cert && !$cert_dir) {
-       $cert_dir = "/etc/uefi/certs";
-       verbose("Using default certificate directory $cert_dir\n");
-}
-my @certs;
-if ($cert) {
-       push(@certs, $cert);
-} else {
-       my $dh;
-       if (!opendir($dh, $cert_dir)) {
-               print STDERR "$cert_dir: $!\n";
-               exit(2);
-       }
-       while (my $entry = readdir($dh)) {
-               next if $entry =~ /^\./;
-               next if !-f "$cert_dir/$entry";
-               push(@certs, "$cert_dir/$entry");
-       }
-       closedir($dh);
-       if (!@certs) {
-               print STDERR "No certificates found in $cert_dir\n";
-               exit(2);
-       }
-}
-
-###############################################################################
-## ASN.1 code copied from kernel-sign-file
-###############################################################################
-
-my $x509;
-
-my $UNIV = 0 << 6;
-my $APPL = 1 << 6;
-my $CONT = 2 << 6;
-my $PRIV = 3 << 6;
-
-my $CONS = 0x20;
-
-my $BOOLEAN    = 0x01;
-my $INTEGER    = 0x02;
-my $BIT_STRING = 0x03;
-my $OCTET_STRING = 0x04;
-my $NULL       = 0x05;
-my $OBJ_ID     = 0x06;
-my $UTF8String = 0x0c;
-my $SEQUENCE   = 0x10;
-my $SET                = 0x11;
-my $UTCTime    = 0x17;
-my $GeneralizedTime = 0x18;
-
-sub encode_asn1_oid($)
-{
-    my ($o1, $o2, @oid) = split(/\./, $_[0]);
-    my @bytes;
-
-    push @bytes, 40*$o1 + $o2;
-
-    while (scalar(@oid) > 0) {
-           my $c = $oid[0];
-           shift @oid;
-           my @base128 = ();
-
-           push @base128, ($c % 128);
-           while ($c > 128) {
-                   $c /= 128;
-                   push @base128, (($c % 128) | 128);
-           };
-           push @bytes, reverse(@base128);
-  }
-    return pack("C*", @bytes);
-}
-
-my %OIDs = (
-    # joint-iso-itu-t(2) ds(5) attributeType(4)
-    encode_asn1_oid("2.5.4.3")  => "commonName",
-    encode_asn1_oid("2.5.4.6")  => "countryName",
-    encode_asn1_oid("2.5.4.10") => "organizationName",
-    encode_asn1_oid("2.5.4.11") => "organizationUnitName",
-    # iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-    encode_asn1_oid("1.2.840.113549.1.1.1") => "rsaEncryption",
-    encode_asn1_oid("1.2.840.113549.1.1.5") => "sha1WithRSAEncryption",
-    encode_asn1_oid("1.2.840.113549.1.9.1") => "emailAddress",
-    # joint-iso-itu-t(2) ds(5) certificateExtension(29)
-    encode_asn1_oid("2.5.29.35") => "authorityKeyIdentifier",
-    encode_asn1_oid("2.5.29.14") => "subjectKeyIdentifier",
-    encode_asn1_oid("2.5.29.19") => "basicConstraints",
-    # iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)
-    encode_asn1_oid("1.2.840.113549.1.7.1") => "pkcs7-data",
-    encode_asn1_oid("1.2.840.113549.1.7.2") => "pkcs7-signed-data",
-);
-
-###############################################################################
-#
-# Extract an ASN.1 element from a string and return information about it.
-#
-###############################################################################
-my $ASN1_EXTRACT_MSG = "asn1_extract";
-sub asn1_extract($$@)
-{
-    my ($cursor, $expected_tag, $optional) = @_;
-
-    return [ -1 ]
-       if ($cursor->[1] == 0 && $optional);
-
-    die $ASN1_EXTRACT_MSG, ": ", $cursor->[0],
-       ": ASN.1 data underrun (elem ", $cursor->[1], ")\n"
-       if ($cursor->[1] < 2);
-
-    my ($tag, $len) = unpack("CC", substr(${$cursor->[2]}, $cursor->[0], 2));
-
-    if ($expected_tag != -1 && $tag != $expected_tag) {
-       return [ -1 ]
-           if ($optional);
-       die $ASN1_EXTRACT_MSG, ": ", $cursor->[0],
-           ": ASN.1 unexpected tag (", $tag, " not ", $expected_tag, ")\n";
-    }
-
-    $cursor->[0] += 2;
-    $cursor->[1] -= 2;
-
-    die $ASN1_EXTRACT_MSG, ": ", $cursor->[0], ": ASN.1 long tag\n"
-       if (($tag & 0x1f) == 0x1f);
-    die $ASN1_EXTRACT_MSG, ": ", $cursor->[0], ": ASN.1 indefinite length\n"
-       if ($len == 0x80);
-
-    if ($len > 0x80) {
-       my $l = $len - 0x80;
-       die $ASN1_EXTRACT_MSG, ": ", $cursor->[0], ": ASN.1 data underrun (len 
len $l)\n"
-           if ($cursor->[1] < $l);
-
-       if ($l == 0x1) {
-           $len = unpack("C", substr(${$cursor->[2]}, $cursor->[0], 1));
-       } elsif ($l == 0x2) {
-           $len = unpack("n", substr(${$cursor->[2]}, $cursor->[0], 2));
-       } elsif ($l == 0x3) {
-           $len = unpack("C", substr(${$cursor->[2]}, $cursor->[0], 1)) << 16;
-           $len = unpack("n", substr(${$cursor->[2]}, $cursor->[0] + 1, 2));
-       } elsif ($l == 0x4) {
-           $len = unpack("N", substr(${$cursor->[2]}, $cursor->[0], 4));
-       } else {
-               die $ASN1_EXTRACT_MSG, ": ", $cursor->[0],
-                   ": ASN.1 element too long (", $l, ")\n";
-       }
-
-       $cursor->[0] += $l;
-       $cursor->[1] -= $l;
-    }
-
-    die $ASN1_EXTRACT_MSG, ": ", $cursor->[0],
-       ": ASN.1 data underrun (", $len, ")\n"
-       if ($cursor->[1] < $len);
-
-    my $ret = [ $tag, [ $cursor->[0], $len, $cursor->[2] ] ];
-    $cursor->[0] += $len;
-    $cursor->[1] -= $len;
-
-    return $ret;
-}
-
-###############################################################################
-#
-# Retrieve the data referred to by a cursor
-#
-###############################################################################
-sub asn1_retrieve($)
-{
-    my ($cursor) = @_;
-    my ($offset, $len, $data) = @$cursor;
-    return substr($$data, $offset, $len);
-}
-
-
-# 2's complement representation of ASN1_INTEGER
-sub asn1_int($)
-{
-    my ($p) = @_;
-    my @bytes = unpack("C*", $p);
-    my $byte;
-    my $neg = 0;
-    my $v = 0;
-
-    if (($bytes[0] & 0x80) != 0) {
-           $neg = 1;
-           $bytes[0] &= ~0x80;
-    }
-    foreach $byte (@bytes) {
-           $v <<= 8;
-           $v += $byte;
-    }
-    if ($neg) {
-           $v -= (2 ** (8 * scalar(@bytes) - 1));
-    };
-    return $v;
-}
-
-sub asn1_pack($@)
-{
-    my ($tag, @data) = @_;
-    my $ret = pack("C", $tag);
-    my $data = join('', @data);
-    my $l = length($data);
-    return pack("CC", $tag, $l) . $data if $l < 127;
-    my $ll = $l >> 8 ? $l >> 16 ? $l >> 24 ? 4 : 3 : 2 : 1;
-    return pack("CCa*", $tag, $ll | 0x80,  substr(pack("N", $l), -$ll)) . 
$data;
-}
-
-my %hash_algos = (
-    # iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2)
-    2 => ["sha1", 160/8, encode_asn1_oid("1.3.14.3.2.26")],
-    # joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 
nistAlgorithm(4) hashAlgs(2)
-    4 => ["sha256", 256/8, encode_asn1_oid("2.16.840.1.101.3.4.2.1")],
-    5 => ["sha384", 384/8, encode_asn1_oid("2.16.840.1.101.3.4.2.2")],
-    6 => ["sha512", 512/8, encode_asn1_oid("2.16.840.1.101.3.4.2.3")],
-    7 => ["sha224", 224/8, encode_asn1_oid("2.16.840.1.101.3.4.2.4")],
-);
-
-sub hash_prologue($$)
-{
-    my ($hash_len, $algo) = @_;
-    my $obj = asn1_pack($UNIV | $OBJ_ID, $algo);
-    my $seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $obj . pack("CC", $NULL, 
0));
-    my $tail = pack("CC", $OCTET_STRING, $hash_len);
-    my $head = pack("CC", $UNIV | $CONS | $SEQUENCE,
-                   length($seq) + length($tail) + $hash_len);
-    return $head . $seq . $tail;
-}
-
-sub find_hash_algo_by_oid($)
-{
-    my ($oid) = @_;
-    my $key;
-    my $k;
-
-  SEARCH:
-    foreach $k (keys %hash_algos) {
-           my ($_h, $_n, $_a) =  @{$hash_algos{$k}};
-           if ($oid eq $_a) {
-                   $key = $k;
-                   last SEARCH;
-           }
-    }
-    die "$module_name: unsupported hash algorithm OID=".sprintf("%v02x", $oid)
-        if !defined($key);
-    return $key;
-}
-
-###############################################################################
-#
-# Roughly parse the X.509 certificate
-#
-###############################################################################
-sub parse_x509_dn(@)
-{
-       my ($parent, $cursor) = @_;
-       my ($offset, $len, $data) = @$cursor;
-       my %result = ();
-
-       while ($cursor->[1]> 0) {
-               my $_set = asn1_extract($cursor, $UNIV | $CONS | $SET);
-               my $_seq = asn1_extract($_set->[1],
-                                       $UNIV | $CONS | $SEQUENCE);
-               my $_oid = asn1_extract($_seq->[1], $UNIV | $OBJ_ID);
-               my $oid = asn1_retrieve($_oid->[1]);
-               if (defined($OIDs{$oid})) {
-                       my $key = "$parent/$OIDs{$oid}";
-                       my $_x = asn1_extract($_seq->[1], -1);
-
-                       # debug "found $key at $_seq->[1][0]\n";
-                       $result{$key} = asn1_retrieve($_x->[1]);
-               };
-       }
-       return \%result;
-}
-
-sub parse_x509_der($)
-{
-       my ($bytes) = @_;
-
-       my $cursor = [ 0, length($bytes), \$bytes ];
-
-       my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
-       my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
-       my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
-       my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
-       my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-       my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-       my $issuer_dn = parse_x509_dn("issuer", $issuer->[1]);
-       my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-       my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-       my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-       my $pubkey = asn1_pack($UNIV | $CONS | $SEQUENCE,
-                            asn1_retrieve($key->[1]));
-
-       my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
-       my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
-       my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
-
-       my $subject_key_id = ();
-       my $authority_key_id = ();
-
-       #
-       # Parse the extension list
-       #
-       if ($extension_list->[0] != -1) {
-               my $extensions = asn1_extract($extension_list->[1], $UNIV | 
$CONS | $SEQUENCE);
-
-               while ($extensions->[1]->[1] > 0) {
-                       my $ext = asn1_extract($extensions->[1], $UNIV | $CONS 
| $SEQUENCE);
-                       my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
-                       my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 
1);
-                       my $x_val = asn1_extract($ext->[1], $UNIV | 
$OCTET_STRING);
-
-                       my $raw_oid = asn1_retrieve($x_oid->[1]);
-                       next if (!exists($OIDs{$raw_oid}));
-                       my $x_type = $OIDs{$raw_oid};
-
-                       my $raw_value = asn1_retrieve($x_val->[1]);
-
-                       if ($x_type eq "subjectKeyIdentifier") {
-                               my $vcursor = [ 0, length($raw_value), 
\$raw_value ];
-
-                               $subject_key_id = asn1_extract($vcursor, $UNIV 
| $OCTET_STRING);
-                       }
-               }
-       }
-       my %result = (
-           "subject_key_id" => asn1_retrieve($subject_key_id->[1]),
-           "serial" => asn1_int(asn1_retrieve($serial_number->[1])),
-           "pubkey" => $pubkey,
-           %$issuer_dn,
-           );
-       return \%result;
-}
-
-#
-# Function to read the contents of a file into a variable.
-#
-sub read_file($)
-{
-    my ($file) = @_;
-    my $contents;
-    my $len;
-
-    open(FD, "<$file") || die $file;
-    binmode FD;
-    my @st = stat(FD);
-    die $file if (!@st);
-    $len = read(FD, $contents, $st[7]) || die $file;
-    close(FD) || die $file;
-    die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
-       if ($len != $st[7]);
-    return $contents;
-}
-
-sub openssl_pipe($$) {
-       my ($input, $cmd) = @_;
-       my ($pid, $res);
-
-       $pid = open2(*read_from, *write_to, $cmd) || die $cmd;
-       binmode write_to;
-       if (defined($input) && $input ne "") {
-               print write_to $input || return "";
-       }
-       close(write_to) || die "$cmd: $!";
-
-       binmode read_from;
-       read(read_from, $res, 4096) || return "";
-       close(read_from) || return "";
-       waitpid($pid, 0) || die;
-       return "" if ($? >> 8);
-       return $res;
-}
-
-sub cert_matches($$$$) {
-       my ($cert, $subject_key_id, $issuer, $serial) = @_;
-       my $bytes = read_file($cert);
-
-       $ASN1_EXTRACT_MSG = $cert;
-       my $cert_props = parse_x509_der($bytes);
-
-       if (defined($subject_key_id)) {
-               debug("$cert has key id " .
-                     unpack("H*", $cert_props->{"subject_key_id"}) . "\n");
-               if ($cert_props->{"subject_key_id"} eq $subject_key_id) {
-                       return $cert_props;
-               } else {
-                       return 0;
-               }
-       }
-
-       die "missing input data in cert_matches()"
-           if (!defined($issuer) || !defined($serial));
-
-       if (!defined($cert_props->{"serial"}) ||
-           $cert_props->{"serial"} ne $serial) {
-               debug "$cert: serial number mismatch: $serial != ". 
$cert_props->{"serial"}."\n";
-               return 0;
-       }
-       foreach my $k (keys(%$issuer)) {
-               if (!defined($cert_props->{$k}) ||
-                            $issuer->{$k} ne $cert_props->{$k}) {
-                       debug "$cert: $k does not match signature\n";
-                       return 0;
-               }
-       }
-       return $cert_props;
-}
-
-my $module = read_file($module_name);
-my $module_len = length($module);
-my $magic_number = "~Module signature appended~\n";
-my $magic_len = length($magic_number);
-my $info_len = 12;
-
-sub eat
-{
-       my $length = shift;
-       if ($module_len < $length) {
-               die "Module size too short\n";
-       }
-       my $res = substr($module, -$length);
-       $module = substr($module, 0, $module_len - $length);
-       $module_len -= $length;
-       return $res;
-}
-
-if (eat($magic_len) ne $magic_number) {
-       print "$module_name: module not signed\n";
-       exit(3);
-}
-my $info = eat($info_len);
-my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) =
-       unpack("CCCCCxxxN", $info);
-my $signature = eat($sig_len);
-# cert is identified either by subject key id, or by issuer DN + serial no
-my $issuer_dn;
-my $serial;
-my $key_id;
-my $name;
-if ($id_type == 1) {
-
-       if (unpack("n", $signature) != $sig_len - 2) {
-               die "Invalid signature format\n";
-       }
-       $signature = substr($signature, 2);
-       $key_id = eat($key_len);
-       $name = eat($name_len);
-
-       if ($algo != 1) {
-               die "Unsupported signature algorithm\n";
-       }
-} elsif ($id_type == 2) {
-       # PKCS7 signature
-       $ASN1_EXTRACT_MSG = $module_name;
-       my $cursor = [ 0, length($signature), \$signature ];
-       my $seq0 = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
-       my $signed_data = asn1_extract($seq0->[1], $UNIV | $OBJ_ID);
-       die "$module_name: no PKCS#7 signed_data structure\n"
-           if $OIDs{asn1_retrieve($signed_data->[1])} !~ /^pkcs7-signed-data$/;
-
-       my $ctx1 = asn1_extract($seq0->[1], $UNIV | $CONT | $CONS);
-       my $seq1 = asn1_extract($ctx1->[1], $UNIV | $CONS | $SEQUENCE);
-       my $sig_version = asn1_extract($seq1->[1], $UNIV | $INTEGER);
-
-       my $digest_algo_seq_set = asn1_extract($seq1->[1],
-                                              $UNIV | $CONS | $SET);
-       my $digest_algo_seq = asn1_extract($digest_algo_seq_set->[1],
-                                          $UNIV | $CONS | $SEQUENCE);
-       my $digest_algo = asn1_extract($digest_algo_seq->[1], $UNIV | $OBJ_ID);
-       $hash = find_hash_algo_by_oid(asn1_retrieve($digest_algo->[1]));
-
-       my $seq2 = asn1_extract($seq1->[1], $UNIV | $CONS | $SEQUENCE);
-       my $pkcs7_data = asn1_extract($seq2->[1], $UNIV | $OBJ_ID);
-       die "$module_name: invalid PKCS#7 data"
-           if $OIDs{asn1_retrieve($pkcs7_data->[1])} !~ /^pkcs7-data$/;
-
-       my $si_set = asn1_extract($seq1->[1], $UNIV | $CONS | $SET);
-       my $si_seq = asn1_extract($si_set->[1], $UNIV | $CONS | $SEQUENCE);
-       my $si_version = asn1_extract($si_seq->[1], $UNIV | $INTEGER);
-
-       my $_key_id = asn1_extract($si_seq->[1], -1);
-       my $key_id;
-
-       if ($_key_id->[0] == ($CONT | 0)) {
-               # key_id: kernel-sign-file -k
-               $key_id  = asn1_extract($_key_id->[1], $CONT | 0);
-       } else {
-               # issuer / serial
-               my $issuer = asn1_extract($_key_id->[1],
-                                         $UNIV | $CONS | $SEQUENCE);
-               my $_serial = asn1_extract($_key_id->[1], $UNIV | $INTEGER);
-               $serial = asn1_int(asn1_retrieve($_serial->[1]));
-               $issuer_dn = parse_x509_dn("issuer", $issuer->[1]);
-               if (defined($issuer_dn->{"issuer/commonName"})) {
-                       $name = "cn=" . $issuer_dn->{"issuer/commonName"} .
-                           ",serial=$serial";
-               }
-       }
-
-       my $seq4 = asn1_extract($si_seq->[1], $UNIV | $CONS | $SEQUENCE);
-       my $digest2 = asn1_extract($seq4->[1], $UNIV | $OBJ_ID);
-       my $hash2 = find_hash_algo_by_oid(asn1_retrieve($digest2->[1]));
-       die "$module_name: inconsistent hash" if $hash2 != $hash;
-
-       my $seq5 = asn1_extract($si_seq->[1], $UNIV | $CONS | $SEQUENCE);
-       my $enc = asn1_extract($seq5->[1], $UNIV | $OBJ_ID);
-       die "$module_name: invalid encryption type".
-           sprintf("%v02x", asn1_retrieve($enc->[1]))
-           if $OIDs{asn1_retrieve($enc->[1])} ne "rsaEncryption";
-       my $_sig = asn1_extract($si_seq->[1], $UNIV | $OCTET_STRING);
-       $signature = asn1_retrieve($_sig->[1]);
-} else {
-    die "unsupported signature type $id_type";
-}
-
-#
-# Digest the data
-#
-my ($prologue, $hash_len, $dgst, $oid);
-die "Unsupported hash algorithm\n" if not exists $hash_algos{$hash};
-
-($dgst, $hash_len, $oid) = @{$hash_algos{$hash}};
-$prologue = hash_prologue($hash_len, $oid);
-
-verbose("Signature type: ", $id_type == 1 ? "legacy" : "pkcs#7", "\n");
-verbose("Signed by: $name\n") if defined ($name);
-verbose("Key id: " . unpack("H*", $key_id) . "\n") if (defined($key_id));
-verbose("Hash algorithm: $dgst\n");
-
-my $digest = openssl_pipe($module, "openssl dgst -$dgst -binary");
-my $original_message = $prologue . $digest;
-
-my $good = 0;
-my $matched = 0;
-for my $cert (sort @certs) {
-       debug("Trying $cert\n");
-
-       my $cert_props = cert_matches($cert, $key_id, $issuer_dn, $serial);
-       next unless $cert_props;
-       verbose("Found matching certificate $cert\n");
-       $matched = $cert;
-
-       my ($fh, $filename) = tempfile() or die "Cannot create temporary file: 
$!\n";
-       print $fh $cert_props->{"pubkey"};
-       close($fh);
-       my $verified_message = openssl_pipe($signature,
-               "openssl rsautl -verify -inkey $filename -keyform DER -pubin");
-       unlink($filename);
-       if ($original_message ne $verified_message) {
-               verbose "$module_name: signature validation failed for $cert\n";
-               next;
-       }
-       print "$module_name: good signature\n";
-       $good = 1;
-       exit(0);
-}
-if (!$matched) {
-       print "certificate not found\n";
-       exit(2);
-} else {
-       print "$module_name: bad signature\n";
-       exit(1);
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/suse-module-tools-15.0.1/weak-modules 
new/suse-module-tools-15.1.0/weak-modules
--- old/suse-module-tools-15.0.1/weak-modules   2018-11-07 15:48:34.000000000 
+0100
+++ new/suse-module-tools-15.1.0/weak-modules   2019-02-01 00:05:55.000000000 
+0100
@@ -318,7 +318,11 @@
        fi
     done
     if [ -n "$image" ]; then
-       /sbin/mkinitrd -k /boot/$image-$krel -i /boot/initrd-$krel
+       if [ -x /sbin/mkinitrd ]; then
+           /sbin/mkinitrd -k /boot/$image-$krel -i /boot/initrd-$krel
+       else
+           echo "Please run mkinitrd as soon as your system is complete." >&2
+       fi
     fi
 done
 
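Review bot: The new `else` branch only prints a message, so as far as this hunk shows the loop carries on and nothing records that the initrd for `$krel` was left stale; a caller cannot tell this apart from a successful rebuild. The message also does not name the affected kernel; something like `echo "initrd for $krel was not regenerated; run mkinitrd -k /boot/$image-$krel -i /boot/initrd-$krel once mkinitrd is installed." >&2` would give the administrator something to act on. Only `/sbin/mkinitrd` is probed here, whereas `find_depmod` in weak-modules2 searches both `/usr/sbin` and `/sbin`; if the difference is intentional, a one-line comment saying so would help. The enclosing loop starts outside the hunk.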
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/suse-module-tools-15.0.1/weak-modules2 
new/suse-module-tools-15.1.0/weak-modules2
--- old/suse-module-tools-15.0.1/weak-modules2  2018-11-07 15:48:34.000000000 
+0100
+++ new/suse-module-tools-15.1.0/weak-modules2  2019-02-01 00:05:55.000000000 
+0100
@@ -56,6 +56,23 @@
 # kmps: list of kmps, newest first
 #
 
+find_depmod() {
+    local _d
+
+    [[ -x "$DEPMOD" ]] && return
+    DEPMOD=
+    for _d in /usr/sbin /sbin; do
+       if [[ -x ${_d}/depmod ]]; then
+           DEPMOD=${_d}/depmod
+           break;
+       fi
+    done
+    if [[ ! "$DEPMOD" ]]; then
+       echo "ERROR: depmod is not installed - aborting" >&2
+       exit 1
+    fi
+}
+
 log() {
     [ -n "$opt_verbose" ] && echo "$@" >&2
 }
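Review bot: `find_depmod` returns early on `[[ -x "$DEPMOD" ]]`, so whatever `DEPMOD` holds on entry is accepted with no further check; unless the script assigns it earlier (not visible in this hunk), that value comes from the caller's environment and is then executed at the two call sites changed further down (`output="$("$DEPMOD" -b "$basedir" ...` and `doit "$DEPMOD" -F ...`), presumably with the privileges of a package scriptlet. `-x` is also true for a searchable directory, so a directory path passes the test and fails only later at the call. If the environment override is intended, say so in a comment above the function and tighten the test to `[[ -f "$DEPMOD" && -x "$DEPMOD" ]] && return`; if it is not, drop that line so only `/usr/sbin` and `/sbin` are considered. The same `-f` addition applies to `[[ -x ${_d}/depmod ]]` inside the loop.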
@@ -156,7 +173,7 @@
        echo "warning: $tmpdir/symvers-$krel not available" >&2
        args=(-F /boot/System.map-$krel)
     fi
-    output="$(/sbin/depmod -b "$basedir" -ae "${args[@]}" $krel 2>&1)"
+    output="$("$DEPMOD" -b "$basedir" -ae "${args[@]}" $krel 2>&1)"
     status=$?
     if [ $status -ne 0 ]; then
        echo "$output" >&2
@@ -348,7 +365,7 @@
     local status=0
 
     if [ -d /lib/modules/$krel -a -f /boot/System.map-$krel ] ; then
-       doit /sbin/depmod -F /boot/System.map-$krel -ae $krel || return 1
+       doit "$DEPMOD" -F /boot/System.map-$krel -ae $krel || return 1
     fi
     if needs_mkinitrd $krel; then
        local image
@@ -674,6 +691,7 @@
 fi
 
 #unset LANG LC_ALL LC_COLLATE
+find_depmod
 
 tmpdir=$(mktemp -d /var/tmp/${0##*/}.XXXXXX)
 trap "rm -rf $tmpdir" EXIT

