Aug 10, 2012

UEFI Secure Boot and openSUSE


UEFI Secure Boot is a feature that is coming soon with new PCs. Traditional BIOS booting is getting replaced now with UEFI and now hardware vendors are going - following requirements from Windows 8 - to use UEFI for booting and enable UEFI Secure Boot. This cases a number of problems and challenges for Open Source users.

My colleagues Vojtech Pavlik and Olaf Kirch have been looking into what UEFI Secure Boot is, what their effect on SUSE and openSUSE is and they propose a solution to handle it.
They have written three blog posts explaing SUSE's approach to secure boot:
  1. UEFI Secure Boot
  2. Our planned approach to Secure Boot
  3. SUSE and Secure Boot: the details
Matthew Garret from Red Hat is driving the Fedora implementation of Secure Boot and he blogged as well about the solution and called it "elegant" - and expects to use it for Fedora as well.


Thorsten Leemhuis has summarized this in a nice article at the H (German original at Heise).

The openSUSE community is now discussing whether we can use the SUSE proposal also for openSUSE and the first reactions seems that this is the way to go.

There's not much sense in summarizing the articles further, Thorsten did a great job, so read his article - or read the full three posts plus Matthew's comment for all the details.

Aug 3, 2012

Glibc 2.16 for openSUSE Factory

The GNU C Library (glibc 2.16) has been released a couple of weeks ago and is the first release after the changed glibc development model. It looks like the release with the most bug fixes and most contributors.
The most significant developer visible changes are IMO:
  • Support for ISO C11
  • Many bug fixes for the math library thanks to a thorough audit of all open math library bugs. The results are mor accurate exceptions and function results.
  • Support for  the x32 ABI on x86-64 which also brings unified headers for x86 and x86-64 - so there are really the same headers for all three ABIs on x86-64.
I've packaged glibc 2.16 in the openSUSE Build Service and could reduce the number of patches we had from 61 to 39 - since many of our patches were upstreamed during 2.16 development and a few backported from it. I also classified the patches to mark which ones are upstreamed and which ones are not appropriate for upstream (yet).

While the focus of openSUSE is on getting 12.2 out of the door, I worked on getting glibc 2.16 ready for the next release in a side project. The library itself builds fine and Coolo has setup a staging project called openSUSE:Factory:Staging:Glibc where the whole distribution is build with the new glibc (in this case we use 12.2 as a base since that one is moving slower).

Fixing Packages

I've had to fix a small number of packages to get them building with glibc 2.16 and pushed everything directly to factory.

The issues I encountered and fixed where:

Missing <sys/resource.h>

The include files have been updated and some programs did not have an include on <sys/resource.h> and instead include some other file that included it.

The build failure looks like:
[   89s] util_exec.cpp: In function 'void dmtcp::Util::adjustRlimitStack()':
[   89s] util_exec.cpp:374:19: error: aggregate 'dmtcp::Util::adjustRlimitStack()::rlimit rlim' has incomplete type and cannot be defined
[   89s] util_exec.cpp:375:15: error: 'RLIMIT_STACK' was not declared in this scope
[   89s] util_exec.cpp:375:34: error: 'getrlimit' was not declared in this scope
[   89s] util_exec.cpp:376:26: error: 'RLIM_INFINITY' was not declared in this scope
[   89s] util_exec.cpp:384:36: error: 'setrlimit' was not declared in this scope

No declaration anymore for gets

gets is not declared anymore as part of ISO C11 and therefore code using gets needs to be compiled using older standards - or better do not build with gets.
The packages that failed where packages using gnulib that issued a warning when gets was used - and this warning code works only if gets is declared. Once these packages update their gnulib code, everything is fine, for now the warning could just be disabled or only enabled when there is a declaration.

No more 'struct siginfo'


glibc 2.16 removes the undocumented definition of 'struct siginfo'
from <bits/siginfo.h>. This struct was always a typedef for 'siginfo_t' which is required by POSIX, so 'siginfo_t' should be used instead.

TIME_UTC from ISO C11 in boost

ISO C11 introduced the constant TIME_UTC - and boost also declares this value. This breaks building with boost and thus upstream boost now renamed its value to 'TIME_UTC_' which is an API change.
So, boost and all packages using boost's boost::TIME_UTC needed fixing.

_FORTIFY_SOURCE requires compilation with optimization

Building with -D_FORTIFY_SOURCE is done by default for openSUSE but the extra features are defined in a way that they only work with optimization. Now glibc complains if a file is compiled without optimization but with this feature macro.
There were two packages that contained -O0 for a few files that were easily fixed.

Fixing packages in the Build Service

To build locally a package with the new glibc, just issue the following osc command:
osc build --alternative-project=openSUSE:Factory:Staging:Glibc standard x86_64

Next step: Factory

Once all packages are building fine (so far I had to fix 50+ packages, the other 5000+ are fine), I'll discuss with Coolo when and how to submit this to Factory.