Edit the wireless regdb regulatory.db

Category: Gentoo Tags: wireless regulatory db, kernel

Howto adjust your wireless regdb a.k.a regulatory.db used by linux kernel.

In a former blog post I described how to edit the regulatory.bin used by crda.
Since then a few things have changed. Most important recent linux kernels load the regulatory db themself. The construct of udev rule and crda has become obsolete.
But for the kernel to load the regulatory db it has, by default, to be signed with a certificate included in the kernel.

You can configure your kernel in expert mode to accept a unsigned regulatory db.

Also wireless-regdb tools now use python3.

So the tasks are:

  • sign the db with our private key
  • generate a certificate based on our private key
  • supply the kernel with our certificate

Sign the db with our private key

The regulatory db is installed via net-wireless/wireless-regdb ebuild. Normally db files and everything else is just copied.
We hook into the emerge process to regenerate the db and sign it with our private key.

Of course first you should extract net-wireless/wireless-regdb adjust db.txt to your needs and create a patch, which is stored in etc/portage/patches/net-wireless/wireless-regdb/.

To hook into the emerge process we supply the script etc/portage/env/net-wireless/wireless-regdb. It will be sourced by emerge and callback functions get executed. Look into the older post for more details.

#!/usr/bin/env bash

export REGDB_PRIVKEY="rapna.key.priv.pem"
export REGDB_PUBKEY="rapna.key.pub.pem"
export REGDB_PUBCERT="rapna.x509.pem"
export REGDB_AUTHOR="rapna"

Almost the same as in the old version, but lets get to it.
Global variables are set with export. I had issues with them not defined so I do it this way ... maybe it is not necessary.

post_src_prepare() {
    if [ -f "/etc/wireless-regdb/$REGDB_PRIVKEY" ]; then
        einfo "Found private distro key"
        cp "/etc/wireless-regdb/$REGDB_PRIVKEY" .

        if [ -f "/etc/wireless-regdb/certs/$REGDB_PUBCERT" ]; then
            einfo "Found distro certificate"
            cp "/etc/wireless-regdb/certs/$REGDB_PUBCERT" .

post_src_prepare is executed after sources are extracted and patches are applied. If there is already a private key and/or a certificate in the host system we copy it into the build directory.

post_src_compile() {
    if [ -f $REGDB_PRIVKEY ]; then
        einfo "Using private host key for signing"
        einfo "Generate private host key for signing"
        make $REGDB_PRIVKEY

    if [ -f $REGDB_PUBCERT ]; then
        einfo "Using distro certificate for signing"
        einfo "Generate distro certficiate host key for signing"
        openssl req -new -key "$REGDB_PRIVKEY" -days 36500 -utf8 -nodes -batch \
            -x509 -outform PEM -out "$REGDB_PUBCERT" \
            -config <(cat <<-EOF
                [ req ]
                distinguished_name = req_distinguished_name
                string_mask = utf8only
                prompt = no
                [ req_distinguished_name ]
                commonName = $REGDB_AUTHOR

    make sha1sum.txt
    make regulatory.bin
    make regulatory.db
    make regulatory.db.p7s

post_src_compile is executed after regular compiling, which doesn't happen in this ebuild.
If there is a private key use it otherwise create it. Same goes for the certificate.
The generation of the certificate is a bit more complex. It is vital to generate a pem encoded x509 certificate based on the private key. Finally use the make file and generate the checksum, the obsolete regulatory.bin, regulatory.db for the kernel and regulatory.db.p7s, the signature of regulatory.db.
In opposite to the old post there is no need to patch the tools as python3 is supported.

post_src_install() {
    if [ -f $REGDB_PUBKEY ]; then
        einfo "Install public key for signed regulatory.bin"
        insinto /etc/wireless-regdb/pubkeys
        doins $REGDB_PUBKEY

    if [ -f $REGDB_PRIVKEY ]; then
        einfo "Install private distro key"
        insinto "/etc/wireless-regdb"
        doins $REGDB_PRIVKEY

    if [ -f $REGDB_PUBCERT ]; then
        einfo "Install distro certificate"
        insinto "/etc/wireless-regdb/certs"
        doins $REGDB_PUBCERT

Finally in post_src_install install the generated public key, the private key and the certificate. The public key is obsolete.
regulatory.db and regulatory.db.p7s have been installed in lib/firmware, that's where the kernel will look for them.

So far so good

  • adjusted regulatory.db ... check
  • signed with private key ... check
  • put everything in place ... check

Download wireless-regdb script

The Kernel

The kernel sources ship with certificates and when the kernel is compiled they are statically included.
To include our own certificate, we have to hook into the emerge process.
As I use sys-kernel/gentoo-sources, I have to supply etc/portage/env/sys-kernel/gentoo-sources.

I already have the file by that name, cause I compress the kernel sources as squashfs as described here.
Anyway I will discuss only what is needed for the certificate.

#!/usr/bin/env bash
# /etc/portage/env/sys-kernel/gentoo-sources

pre_src_install() {
    for cert in "${EROOT}"/etc/wireless-regdb/certs/*.x509.pem ; do
        if [ -e "$cert" ]; then
            openssl x509 -in "$cert" -inform PEM &>/dev/null;
            if [ $? -eq 0 ]; then
                file=`basename "$cert"`
                einfo "Adding wireless certificate to kernel sources ($file)"
                openssl x509 -in "$cert" -inform PEM -outform DER | xxd -i -c 8 > "${WORKDIR}/linux-${KV_FULL}/net/wireless/certs/${inc}".hex

pre_src_install hook is used. All files in etc/wireless-regdb/certs/ ending with x509.pem are checked and if they are pem encoded x509 certificates they will recoded in DER binary format and hexdumped for use in header files. This is how the kernel needs the certificate.

I use xxd for hexdumping. xxd belongs to vim, which is not everyones favourite. Be sure to check if you got xxd or use an alternative!

Finally the certificates are copied into the kernel sources. Whether you compress the sources afterwards or not, the certificates will be installed alongside the kernel sources and included when the kernel is compiled.

That's it for the kernel.
When you build your kernel and boot it, you should see something similar to this in your log:

notice kernel: cfg80211: Loaded X.509 cert 'rapna: 00ff63db13b1b338bd'

With the certificate included in the kernel, the kernel will now load and accept your self signed regulatory.db.

Download gentoo-sources script