[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[Brice Waegeneire]

* gnu/system.scm (%base-firmware): Add 'wireless-regdb'.
---
 gnu/system.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Following discussion at <https://issues.guix.gnu.org/49611>, tho there is
still an error about missing signature but now the kernel load the
regulatory.db without the help of userspace:

--8<---------------cut here---------------start------------->8---
# dmesg | grep -E '(cfg80211|regulatory)'
[    6.282015] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    6.283766] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[    6.285927] platform regulatory.0: Direct firmware load for regulatory.db.p7s failed with error -2
[    6.285931] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
--8<---------------cut here---------------end--------------->8---

I'm wondering if it's worth removing 'crda' from the default udev rules.

diff --git a/gnu/system.scm b/gnu/system.scm
index a7c2b1bca4..8dc51b6ec8 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -751,7 +751,8 @@ of PROVENANCE-SERVICE-TYPE to its services."
 (define %base-firmware
   ;; Firmware usable by default.
   (list ath9k-htc-firmware
-        openfwwf-firmware))
+        openfwwf-firmware
+        wireless-regdb))
 
 (define %base-packages-utils
   ;; Default set of  utilities packages.
-- 
2.32.0

[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[Ludovic Courtès]

Hi,

Brice Waegeneire <brice@waegenei.re> skribis:

> * gnu/system.scm (%base-firmware): Add 'wireless-regdb'.
> ---
>  gnu/system.scm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Following discussion at <https://issues.guix.gnu.org/49611>, tho there is
> still an error about missing signature but now the kernel load the
> regulatory.db without the help of userspace:
>
> # dmesg | grep -E '(cfg80211|regulatory)'
> [    6.282015] cfg80211: Loading compiled-in X.509 certificates for regulatory database
> [    6.283766] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
> [    6.285927] platform regulatory.0: Direct firmware load for regulatory.db.p7s failed with error -2
> [    6.285931] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
>

Does that means that the loaded ‘regulatory.db’ is discarded right away?
Or does it proceed anyway?

In the former case, looks like we’ll have to do some more work.

Could our ‘wireless-regdb’ build things from source, hopefully getting
the exact same binary as the one provided upstream, in which case it
could install the original signature as-is.  IOW, we’d be building from
source for the explicit purpose of making sure the upstream-provided
‘regulatory.bin’ file can be built reproducibly from this source.

> I'm wondering if it's worth removing 'crda' from the default udev rules.

It was added in 68ac258b5291aee33dd11a6fd0f545f81935b633 long ago, and I
think it made sense back then.  :-)

Do you think it’s now unnecessary because the kernel can load it all by
itself?  Or does that depend on kernel build options?

Thanks,
Ludo’.

[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[Brice Waegeneire]

Hello Ludo’,

Ludovic Courtès <ludo@gnu.org> writes:

>> # dmesg | grep -E '(cfg80211|regulatory)'
>> [    6.282015] cfg80211: Loading compiled-in X.509 certificates for regulatory database
>> [    6.283766] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
>> [    6.285927] platform regulatory.0: Direct firmware load for regulatory.db.p7s failed with error -2
>> [    6.285931] cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
>>
>
> Does that means that the loaded ‘regulatory.db’ is discarded right away?
> Or does it proceed anyway?

I did more testing and you are right, in that case 'regulatory.db' isn't
loaded because it isn't signed correctly.

> In the former case, looks like we’ll have to do some more work.

We can either, bake the DB into the kernel at build time by replacing
the kernel's limited DB with the one from 'wireless-regdb' via the
option CONFIG_CFG80211_INTERNAL_REGDB¹. Or manage our own key, sign the
build database and add make the kernel load them as firmware file at
boot time, which is the usual way but would require a certain level off
work on or side.

> Could our ‘wireless-regdb’ build things from source, hopefully getting
> the exact same binary as the one provided upstream, in which case it
> could install the original signature as-is.  IOW, we’d be building from
> source for the explicit purpose of making sure the upstream-provided
> ‘regulatory.bin’ file can be built reproducibly from this source.

I didn't thought of that, I could give it a try as it should be lowest
hanging fruit.

>> I'm wondering if it's worth removing 'crda' from the default udev rules.
>
> It was added in 68ac258b5291aee33dd11a6fd0f545f81935b633 long ago, and I
> think it made sense back then.  :-)
>
> Do you think it’s now unnecessary because the kernel can load it all by
> itself?  Or does that depend on kernel build options?

After more testing, no.  We should keep it as default, it is needed if
you want to change you region from userland, with 'iw reg set' for
example.

I don't know how zelously we want to comply to radio frenquency
regulation by being sure our wireless devices don't emit on restricted
frenquecy between the kernel being loaded and userland (crda) setting
the correct region.  If we want to be sure such spourious emssions can't
happen we need to fix the loading of 'regulatory.db' by the kernel
otherwise the current setup should be good enought for most usage.

¹ https://cateee.net/lkddb/web-lkddb/CFG80211_INTERNAL_REGDB.html

Cheers,
- Brice

[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[Tobias Geerinckx-Rice via Guix-patches via]

[Terse reply whilst travelling, but this stuff is extremely important to 
get right.]

Brice, Ludo',

Ludo's suggestion to leverage reproducibility sounds promising!

On 2021-07-20 23:02, Brice Waegeneire wrote:
> We can either, bake the DB into the kernel at build time

This hasn't been supported since 2015 (Linux ~4.14).

> I don't know how zelously we want to comply to radio frenquency
> regulation

Utterly.  Like our future software freedom depends on it.

Luckily, the kernel falls back to a copy of the world regulatory domain, 
the "00" that every Guix System user has been using forever.

> by being sure our wireless devices don't emit on restricted
> frenquecy between the kernel being loaded and userland (crda) setting
> the correct region.

CRDA is obsolete and only for use with the same legacy kernels.

> If we want to be sure such spourious emssions can't
> happen we need to fix the loading of 'regulatory.db' by the kernel

That's not true.  The whole point of the world regulatory domain is to 
be the subset of all other regdb entries.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[Ludovic Courtès]

Hi!

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

>> If we want to be sure such spourious emssions can't
>> happen we need to fix the loading of 'regulatory.db' by the kernel
>
> That's not true.  The whole point of the world regulatory domain is to
> be the subset of all other regdb entries.

In that case we have a practical interest in making db loading work, as
this would allow (some) users to use a wider part of the frequency
spectrum.

Thanks for looking into this, comrades!

Ludo’.

[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[Tobias Geerinckx-Rice via Guix-patches via]

On 2021-07-23 11:11, Ludovic Courtès wrote:
> In that case we have a practical interest in making db loading work, as
> this would allow (some) users to use a wider part of the frequency
> spectrum.

Absolutely.  It's still important, just not someone-could-get-arrested 
urgent.  So I hope the bit-identical build works out.

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.

[bug#49649] [PATCH v2 0/4] Load wireless regulatory database in kernel

[Brice Waegeneire]

Hello Tobias, Ludo’,

Following Tobias corrections, I've extended the previous patch to correctly
enable loading of the wireless regulatory database ('regulatory.db') used by
the kernel subsystem cfg80211, for linux >4.14.  As suggested by Ludo, we now
build 'regulatory.db' ourselve to make sure it's reproducible and reuse
upstream signature.  That way the linux kernel correctly load the wireless
regulatory database at boot which allows us to use a regulatory domain
different than the "00" default by using a kernel argument such as
“cfg80211.ieee80211_regdom=FR“.

This patch doesn't change anything for kernels older than 4.15 for which the
use of CRDA is needed to load the regulatory database through the
'regulatory.bin' file.  IOW the database used by CRDA, is still unsigned and
CRDA doesn't check signatures for it.

Fixes <https://issues.guix.gnu.org/49611.

Cheers,
- Brice

Brice Waegeneire (4):
  gnu: Add regulatory.db in %base-firmware.
  gnu: wireless-regdb: Reuse 'regulatory.db' signature.
  gnu: wireless-regdb: Update to 2021.08.28.
  gnu: crda: Describe it as obsolete.

 gnu/packages/linux.scm | 81 ++++++++++++++++++++++--------------------
 gnu/system.scm         |  3 +-
 2 files changed, 44 insertions(+), 40 deletions(-)


base-commit: 1dfe8c372163d481ebebb97dd3b4cafa49906b28
prerequisite-patch-id: b07befb3646df543510b7fecf567286f53d4eaec
-- 
2.34.0

[bug#49649] [PATCH v2 1/4] gnu: Add regulatory.db in %base-firmware.

[Brice Waegeneire]

* gnu/system.scm (%base-firmware): Add 'wireless-regdb'.
---
 gnu/system.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index 088c62ddde..49377e5486 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -789,7 +789,8 @@ (define* (operating-system-with-provenance os
 (define %base-firmware
   ;; Firmware usable by default.
   (list ath9k-htc-firmware
-        openfwwf-firmware))
+        openfwwf-firmware
+        wireless-regdb))
 
 (define %base-packages-artwork
   ;; Default set of artwork packages.
-- 
2.34.0

[bug#49649] [PATCH v2 2/4] gnu: wireless-regdb: Reuse 'regulatory.db' signature.

[Brice Waegeneire]

Unlike 'regulatory.bin' (used by CRDA), we can't have a valid unsigned
'regulatory.db' (used by subsystem cfg80211).  So, we reuse upstream's
signature for that file and rebuild it ourself to be sure it's
reproducible

* gnu/packages/linux.scm (wireless-regdb)[source]: Delete file
  'regulatory.db'.
  [arguments]: Remove 'omit-signature' phase, replace 'build' phase with
  make target 'regulatory.db', add phase 'build-regulatory.bin-unsigned'
  and add 'check' phase.  Enable tests and parallel builds.  Remove
  make-flags specific to 'build-regulatory.bin-unsigned'.
  [native-inputs]: Use new format and add 'openssl'.
  [description]: Add reference to the cfg80211 linux subsystem.
---
 gnu/packages/linux.scm | 72 +++++++++++++++++++++---------------------
 1 file changed, 36 insertions(+), 36 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e2be00679f..54f2682965 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4296,10 +4296,11 @@ (define-public wireless-regdb
               (sha256
                (base32
                 "0liagyi6ppf5w474qk9j4jz5gbvvn8mc8al1dq4b1xrgv28485ml"))
-
-              ;; We're building 'regulatory.bin' by ourselves.
+              ;; We're building 'regulatory.bin' and 'regulatory.db' by
+              ;; ourselves.
               (snippet '(begin
-                          (delete-file "regulatory.bin")
+                          (map delete-file '("regulatory.bin"
+                                             "regulatory.db"))
                           #t))))
     (build-system gnu-build-system)
     (arguments
@@ -4310,48 +4311,47 @@ (define-public wireless-regdb
              (substitute* "Makefile"
                (("gzip") "gzip --no-name"))
              #t))
-         (add-after 'unpack 'omit-signature
+         (replace 'build
+           (lambda* (#:key (make-flags '()) #:allow-other-keys)
+             (apply invoke "make" "regulatory.db" make-flags)))
+         (add-after 'build 'build-regulatory.bin-unsigned
+           (lambda* (#:key (make-flags '()) #:allow-other-keys)
+             (apply invoke "make" "regulatory.bin"
+                    (cons*
+                     ;; Leave this empty so that db2bin.py doesn't try to sign
+                     ;; ‘regulatory.bin’.  This allows us to avoid managing a key
+                     ;; pair for the whole distribution.
+                     "REGDB_PRIVKEY="
+                     ;; Don't generate a public key for the same reason.  These are
+                     ;; used as Makefile targets and can't be the empty string.
+                     "REGDB_PUBCERT=/dev/null"
+                     "REGDB_PUBKEY=/dev/null"
+                     make-flags))))
+         ;; We check if the 'regulatory.db' we just built is the same as the
+         ;; one that got signed by upstream.
+         (replace 'check
            (lambda _
-             (substitute* "Makefile"
-               ;; Signing requires a REGDB_PUBCERT and REGDB_PRIVKEY which we
-               ;; don't provide (see below).  Disable it.
-               ((" regulatory\\.db\\.p7s") "")
-               ;; regulatory.db is built as a dependency of regulatory.db.p7s,
-               ;; but ‘make install’ depends only on the latter while installing
-               ;; both (and failing).  Depend on it explicitly.
-               (("^install: " all) (string-append all "regulatory.db ")))
-             #t))
+             (invoke "openssl" "smime"
+                     "-verify" "-inform" "DER"
+                     "-signer" "sforshee.x509.pem"
+                     "-in" "regulatory.db.p7s" "-content" "regulatory.db"
+                     "-out" "/dev/null"
+                     "-CAfile" "sforshee.x509.pem")))
          (delete 'configure))  ; no configure script
-
-       ;; The 'all' target of the makefile depends on $(REGDB_CHANGED), which
-       ;; is computed and can be equal to 'maintainer-clean'; when that
-       ;; happens, we can end up deleting the 'regulatory.bin' file that we
-       ;; just built.  Thus, build things sequentially.
-       #:parallel-build? #f
-
-       #:tests? #f                      ; no tests
        #:make-flags
        (let ((out (assoc-ref %outputs "out")))
          (list (string-append "PREFIX=" out)
-               (string-append "FIRMWARE_PATH=$(PREFIX)/lib/firmware")
-
-               ;; Leave this empty so that db2bin.py doesn't try to sign
-               ;; ‘regulatory.bin’.  This allows us to avoid managing a key
-               ;; pair for the whole distribution.
-               (string-append "REGDB_PRIVKEY=")
-               ;; Don't generate a public key for the same reason.  These are
-               ;; used as Makefile targets and can't be the empty string.
-               (string-append "REGDB_PUBCERT=/dev/null")
-               (string-append "REGDB_PUBKEY=/dev/null")))))
-    (native-inputs
-     `(("python" ,python-wrapper)))
+               (string-append "FIRMWARE_PATH=$(PREFIX)/lib/firmware")))))
+    (native-inputs (list openssl        ; to verify signature
+                         python-wrapper))
     (home-page
      "https://wireless.wiki.kernel.org/en/developers/regulatory/wireless-regdb")
     (synopsis "Wireless regulatory database")
     (description
-     "This package contains the wireless regulatory database for the Central
-Regulatory Database Agent (CRDA).  The database contains information on
-country-specific regulations for the wireless spectrum.")
+     "This package contains the wireless regulatory database used by the Linux
+cfg80211 subsystem and the legacy Central Regulatory Database Agent (CRDA).
+The database contains information on country-specific regulations for the
+wireless spectrum.")
     (license license:isc)))
 
 (define-public lm-sensors
-- 
2.34.0

[bug#49649] [PATCH v2 3/4] gnu: wireless-regdb: Update to 2021.08.28.

[Brice Waegeneire]

* gnu/packages/linux.scm (wireless-regdb): Update to 2021.08.28.
---
 gnu/packages/linux.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 54f2682965..a67eb607e4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4287,7 +4287,7 @@ (define-public crda
 (define-public wireless-regdb
   (package
     (name "wireless-regdb")
-    (version "2020.11.20")
+    (version "2021.08.28")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -4295,7 +4295,7 @@ (define-public wireless-regdb
                     "wireless-regdb-" version ".tar.xz"))
               (sha256
                (base32
-                "0liagyi6ppf5w474qk9j4jz5gbvvn8mc8al1dq4b1xrgv28485ml"))
+                "0ij4lnpjmzbwr956cgaxrbpz3zbqcanahzqamqbd7rni23271wyg"))
               ;; We're building 'regulatory.bin' and 'regulatory.db' by
               ;; ourselves.
               (snippet '(begin
-- 
2.34.0

[bug#49649] [PATCH v2 4/4] gnu: crda: Describe it as obsolete.

[Brice Waegeneire]

* gnu/packages/linux.scm (crda)[description]: Describe the package as
  obsolete.
---
 gnu/packages/linux.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index a67eb607e4..40006a7465 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4198,6 +4198,8 @@ (define-public wireless-tools
     ;; other files are distributed under gpl2.
     (license (list license:gpl2 license:lgpl2.1+))))
 
+;; NOTE Remove 'crda' package when 'linux-libre' 4.14 won't be packaged
+;; anymore.
 (define-public crda
   (package
     (name "crda")
@@ -4281,7 +4283,8 @@ (define-public crda
     (description
      "The Central Regulatory Domain Agent (CRDA) acts as the udev helper for
 communication between the kernel Linux and user space for regulatory
-compliance.")
+compliance.  It is obsolete since Linux 4.15, as the wireless regulatory
+database is now managed by the kernel susbsystem cfg80211.")
     (license license:copyleft-next)))
 
 (define-public wireless-regdb
-- 
2.34.0

[bug#49649] [PATCH v2 4/4] gnu: crda: Describe it as obsolete.

[Leo Famulari]

On Sat, Dec 25, 2021 at 07:44:38PM +0100, Brice Waegeneire wrote:
> * gnu/packages/linux.scm (crda)[description]: Describe the package as
>   obsolete.

[...}  

> +;; NOTE Remove 'crda' package when 'linux-libre' 4.14 won't be packaged
> +;; anymore.

To clarify, this refers to 4.14 and older, not just 4.14, right?

We have about 2 more years, unless we choose to package the super
long-term support (SLTS) 4.4 series that is sponsored by the Civil
Infrastructure Platform:

https://www.kernel.org/category/releases.html
https://wiki.linuxfoundation.org/civilinfrastructureplatform/start#kernel_maintainership

[bug#49649] [PATCH v2 0/4] Load wireless regulatory database in kernel

[Leo Famulari]

On Sat, Dec 25, 2021 at 07:44:18PM +0100, Brice Waegeneire wrote:
> Brice Waegeneire (4):
>   gnu: Add regulatory.db in %base-firmware.
>   gnu: wireless-regdb: Reuse 'regulatory.db' signature.
>   gnu: wireless-regdb: Update to 2021.08.28.
>   gnu: crda: Describe it as obsolete.

Works for me on 5.15.11, thanks!

[bug#49649] [PATCH v2 0/4] Load wireless regulatory database in kernel

[Ludovic Courtès]

Hi Brice,

Brice Waegeneire <brice@waegenei.re> skribis:

> Following Tobias corrections, I've extended the previous patch to correctly
> enable loading of the wireless regulatory database ('regulatory.db') used by
> the kernel subsystem cfg80211, for linux >4.14.  As suggested by Ludo, we now
> build 'regulatory.db' ourselve to make sure it's reproducible and reuse
> upstream signature.  That way the linux kernel correctly load the wireless
> regulatory database at boot which allows us to use a regulatory domain
> different than the "00" default by using a kernel argument such as
> “cfg80211.ieee80211_regdom=FR“.

Does that mean it’s up to users to add such an argument to
‘kernel-arguments’?  If so, we should probably document it (though
that’s not a blocker for this series.)

> This patch doesn't change anything for kernels older than 4.15 for which the
> use of CRDA is needed to load the regulatory database through the
> 'regulatory.bin' file.  IOW the database used by CRDA, is still unsigned and
> CRDA doesn't check signatures for it.

Sounds good.

I haven’t actually tested it but the patch series LGTM!  It’s a much
welcome improvement.

> Fixes <https://issues.guix.gnu.org/49611.

Make sure to add this line in the commit log of patch #2.

Thank you!

Ludo'.

[bug#49649] [PATCH] gnu: Add regulatory.db in %base-firmware.

[Ludovic Courtès]

Hi Brice,

Looks like this patch series was ready to go.

  https://issues.guix.gnu.org/49649

Could you push it?  If not, please let us know so one of us can do it on
your behalf; let us know if there are additional tests that should be
made beforehand, too.

TIA!

Ludo’.

Ludovic Courtès <ludo@gnu.org> skribis:

> Hi Brice,
>
> Brice Waegeneire <brice@waegenei.re> skribis:
>
>> Following Tobias corrections, I've extended the previous patch to correctly
>> enable loading of the wireless regulatory database ('regulatory.db') used by
>> the kernel subsystem cfg80211, for linux >4.14.  As suggested by Ludo, we now
>> build 'regulatory.db' ourselve to make sure it's reproducible and reuse
>> upstream signature.  That way the linux kernel correctly load the wireless
>> regulatory database at boot which allows us to use a regulatory domain
>> different than the "00" default by using a kernel argument such as
>> “cfg80211.ieee80211_regdom=FR“.
>
> Does that mean it’s up to users to add such an argument to
> ‘kernel-arguments’?  If so, we should probably document it (though
> that’s not a blocker for this series.)
>
>> This patch doesn't change anything for kernels older than 4.15 for which the
>> use of CRDA is needed to load the regulatory database through the
>> 'regulatory.bin' file.  IOW the database used by CRDA, is still unsigned and
>> CRDA doesn't check signatures for it.
>
> Sounds good.
>
> I haven’t actually tested it but the patch series LGTM!  It’s a much
> welcome improvement.
>
>> Fixes <https://issues.guix.gnu.org/49611.
>
> Make sure to add this line in the commit log of patch #2.
>
> Thank you!
>
> Ludo'.