#930752 increases size of initrd considerably since linking with OpenSSL

Package:
libkmod2
Source:
kmod
Description:
libkmod shared library
Submitter:
Uwe Kleine-König
Date:
2022-07-02 17:18:45 UTC
Severity:
wishlist
Tags:
#930752#5
Date:
2019-06-19 20:48:17 UTC
From:
To:
Hello,

some time ago I wanted to install a kernel update on my NAS (Netgear
ReadyNAS 104/armhf). However that failed with:

        ...
        update-initramfs: Generating /boot/initrd.img-4.19.0-5-armmp
        Using DTB: armada-370-netgear-rn104.dtb
        Installing /usr/lib/linux-image-4.19.0-5-armmp/armada-370-netgear-rn104.dtb into /boot/dtbs/4.19.0-5-armmp/./armada-370-netgear-rn104.dtb
        Taking backup of armada-370-netgear-rn104.dtb.
        Installing new armada-370-netgear-rn104.dtb.
        Installing /usr/lib/linux-image-4.19.0-5-armmp/armada-370-netgear-rn104.dtb into /boot/dtbs/4.19.0-5-armmp/./armada-370-netgear-rn104.dtb
        Taking backup of armada-370-netgear-rn104.dtb.
        Installing new armada-370-netgear-rn104.dtb.
        flash-kernel: installing version 4.19.0-5-armmp

        The initial ramdisk is too large. This is often due to the unnecessary inclusion
        of all kernel modules in the image. To fix this set MODULES=dep in one or both
        /etc/initramfs-tools/conf.d/driver-policy (if it exists) and
        /etc/initramfs-tools/initramfs.conf and then run 'update-initramfs -u -k 4.19.0-5-armmp'

        Not enough space for initrd in MTD 'minirootfs' (need 4821508 but is actually 4194304).
        run-parts: /etc/initramfs/post-update.d//flash-kernel exited with return code 1
        dpkg: error processing package initramfs-tools (--configure):
         installed initramfs-tools package post-installation script subprocess returned error exit status 1
        Errors were encountered while processing:
         initramfs-tools
        E: Sub-process /usr/bin/dpkg returned an error code (1)

Looking at the difference between the working initrd for 4.19.0-4 and
the to big one for 4.19.0-5:

        $ diff -u <(lsinitramfs /boot/initrd.img-4.19.0-4-armmp | sed s/4.19.0-4-armmp/uname-r/ | sort) <(lsinitramfs /boot/initrd.img-4.19.0-5-armmp | sed s/4.19.0-5-armmp/uname-r/ | sort) | grep ^[-+]
        --- /dev/fd/63  2019-06-19 22:22:31.764750895 +0200
        +++ /dev/fd/62  2019-06-19 22:22:31.764750895 +0200
        +usr/bin/arch
        +usr/bin/bc
        +usr/bin/svok
        -usr/lib/arm-linux-gnueabihf/libacl.so.1.1.0
        +usr/lib/arm-linux-gnueabihf/libacl.so.1.1.2253
        -usr/lib/arm-linux-gnueabihf/libattr.so.1.1.0
        +usr/lib/arm-linux-gnueabihf/libattr.so.1.1.2448
        +usr/lib/arm-linux-gnueabihf/libcrypto.so.1.1
        -usr/lib/arm-linux-gnueabihf/libkmod.so.2.3.3
        +usr/lib/arm-linux-gnueabihf/libkmod.so.2.3.4
        -usr/lib/arm-linux-gnueabihf/liblzma.so.5.2.2
        +usr/lib/arm-linux-gnueabihf/liblzma.so.5.2.4
        +usr/lib/arm-linux-gnueabihf/libresolv-2.28.so
        +usr/lib/arm-linux-gnueabihf/libresolv.so.2
        +usr/lib/arm-linux-gnueabihf/libssl.so.1.1
        -usr/lib/arm-linux-gnueabihf/libudev.so.1.6.12
        +usr/lib/arm-linux-gnueabihf/libudev.so.1.6.13
        -usr/lib/klibc-COogfK2xWPg3hPxojsQE86cGErM.so
        +usr/lib/klibc-Tm5Kcygh62Zsrgmh7J5q50y2Vn8.so
        +usr/sbin/nologin
        +usr/sbin/run-init

Looking at the differences in more detail, the files only in the old initrd are:
        $ lsinitramfs -l /boot/initrd.img-4.19.0-4-armmp | grep -E 'usr/lib/arm-linux-gnueabihf/lib(acl.so.1.1.0|attr.so.1.1.0|kmod.so.2.3.3|lzma.so.5.2.2|udev.so.1.6.12)|usr/lib/klibc-COogfK2xWPg3hPxojsQE86cGErM.so'
        -rw-r--r--   1 root     root        22220 Feb  6  2016 usr/lib/arm-linux-gnueabihf/libacl.so.1.1.0
        -rw-r--r--   1 root     root        13884 Sep  8  2014 usr/lib/arm-linux-gnueabihf/libattr.so.1.1.0
        -rw-r--r--   1 root     root        62904 Nov 17  2018 usr/lib/arm-linux-gnueabihf/libkmod.so.2.3.3
        -rw-r--r--   1 root     root       104260 Jun 28  2017 usr/lib/arm-linux-gnueabihf/liblzma.so.5.2.2
        -rw-r--r--   1 root     root        95828 Jan 12 21:49 usr/lib/arm-linux-gnueabihf/libudev.so.1.6.12
        -rwxr-xr-x   1 root     root        53812 Jan  6 20:33 usr/lib/klibc-COogfK2xWPg3hPxojsQE86cGErM.so

And the files only in the new are:

        $ lsinitramfs -l /boot/initrd.img-4.19.0-5-armmp | grep -E 'usr/bin/(arch|bc|svok)|usr/lib/arm-linux-gnueabihf/lib(acl.so.1.1.2253|attr.so.1.1.2448|crypto.so.1.1|kmod.so.2.3.4|lzma.so.5.2.4|resolv-2.28.so|resolv.so.2|ssl.so.1.1|udev.so.1.6.13)|usr/lib/klibc-Tm5Kcygh62Zsrgmh7J5q50y2Vn8.so|usr/sbin/(nologin|run-init)'
        -rw-r--r--   1 root     root        21864 Mar  1 23:22 usr/lib/arm-linux-gnueabihf/libacl.so.1.1.2253
        -rw-r--r--   1 root     root        13632 Mar  1 23:03 usr/lib/arm-linux-gnueabihf/libattr.so.1.1.2448
        -rw-r--r--   1 root     root      1708448 Apr 16 21:31 usr/lib/arm-linux-gnueabihf/libcrypto.so.1.1
        -rw-r--r--   1 root     root        62904 Feb 10 00:00 usr/lib/arm-linux-gnueabihf/libkmod.so.2.3.4
        -rw-r--r--   1 root     root       104220 Jan 28 02:09 usr/lib/arm-linux-gnueabihf/liblzma.so.5.2.4
        -rw-r--r--   1 root     root        55092 May  1 19:24 usr/lib/arm-linux-gnueabihf/libresolv-2.28.so
        lrwxrwxrwx   1 root     root           17 Jun 19 22:16 usr/lib/arm-linux-gnueabihf/libresolv.so.2 -> libresolv-2.28.so
        -rw-r--r--   1 root     root       340240 Apr 16 21:31 usr/lib/arm-linux-gnueabihf/libssl.so.1.1
        -rw-r--r--   1 root     root        95828 Apr  8 12:59 usr/lib/arm-linux-gnueabihf/libudev.so.1.6.13
        -rwxr-xr-x   1 root     root        53324 Feb  1 06:00 usr/lib/klibc-Tm5Kcygh62Zsrgmh7J5q50y2Vn8.so
        -rwxr-xr-x 247 root     root            0 Apr  1 07:17 usr/sbin/run-init
        -rwxr-xr-x 247 root     root            0 Apr  1 07:17 usr/sbin/nologin
        -rwxr-xr-x 247 root     root            0 Apr  1 07:17 usr/bin/svok
        -rwxr-xr-x 247 root     root            0 Apr  1 07:17 usr/bin/bc
        -rwxr-xr-x 247 root     root            0 Apr  1 07:17 usr/bin/arch

The biggest problem is the addition of libssl and libcrypto. These are
pulled in since version 26-1 when kmod started linking with OpenSSL.

While the motivation to link with OpenSSL is fine for sure, for me it
means I cannot install new kernels any more :-| (The suggestions don't
apply, I already use MODULES=dep.)

I'm not sure what to do about this (apart from sharing my pain by
reporting this bug). Also I'm unsure about the severity, the description
for critical ("makes unrelated software on the system (or the whole
system) break, or causes serious data loss, or introduces a security
hole on systems where you install the package.") isn't completely wrong,
YMMV.

I could work around that by changing the partitioning of the flash that
holds kernel and initrd, but this is painful as I have to change the
device tree that ships with the kernel.

Best regards
Uwe

#930752#10
Date:
2019-06-23 09:48:50 UTC
From:
To:
Hello,
that installed the size of the initramfs went down to 3637508 bytes
(from 4821508 bytes as can be seen above).

Best regards
Uwe

#930752#15
Date:
2019-06-23 10:31:43 UTC
From:
To:
I am quite sure that we want crypto support in kmod to enable secure
boot.

It is way too late to change this in time for buster, so I am not sure
if there is any point it building two kmow packages for buster+1 since
I suspect that in three years hardware like your will become even more
unusual.

#930752#20
Date:
2019-07-24 19:35:39 UTC
From:
To:
Hello,
i had the same problem on my QNAP TS-219p II.
I have fixed by setting COMPRESS=xz in
/etc/initramfs-tools/initramfs.conf for now.
I'am looking forward what will happen on newer kernels.

Best Regards

#930752#25
Date:
2020-02-21 21:53:52 UTC
From:
To:
There might not only be a size issue with linking libcrypto but also a
legal issue. ftp-master considers it a serious violation if a GPL
program links with OpenSSL and does not contain a license exception.
libkmod is LGPL licensed but in my understanding the same goes for LGPL.

You should ask upstream to add a license exception and drop the libssl
dependency as long as this is not resolved. An alternative would be
using a different crypto library. I tried with libwolfssl which would
also slightly decrease the size. It has an OpenSSL compatibility layer.
Unfortunately the PKCS7_SIGNER_INFO related stuff is not available
(see also https://github.com/wolfSSL/wolfssl/issues/2816).

#930752#30
Date:
2020-02-21 22:04:47 UTC
From:
To:
But you are wrong.
#930752#35
Date:
2020-02-21 22:58:08 UTC
From:
To:
Am 21.02.20 um 23:04 schrieb Marco d'Itri:
claim at https://lists.debian.org/debian-legal/2008/06/msg00007.html.

Off-topic:
But the binary kmod package, which is GPL-2+ licensed, could be in
violation linking with libcrypto.

#930752#44
Date:
2022-07-02 16:47:55 UTC
From:
To:
Closing because nobody cared about this during the bullseye development
cycle.