[PATCH 3/3] Switch to using the modsign-rusty code

Josh Boyer jwboyer at redhat.com
Mon Sep 17 14:07:47 UTC 2012


Hopefully match what gets used upstream

---
 kernel.spec                |    72 +-
 modsign-20120816.patch     | 10434 -------------------------------------------
 modsign-rusty-jwb.patch    |  8425 ++++++++++++++++++++++++++++++++++
 secure-boot-20120809.patch |   734 ---
 secure-boot-20120830.patch |   734 +++
 5 files changed, 9219 insertions(+), 11180 deletions(-)
 delete mode 100644 modsign-20120816.patch
 create mode 100644 modsign-rusty-jwb.patch
 delete mode 100644 secure-boot-20120809.patch
 create mode 100644 secure-boot-20120830.patch

diff --git a/kernel.spec b/kernel.spec
index f9af46e..617a69a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -680,10 +680,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
 Patch800: linux-2.6-crash-driver.patch
 
 # crypto/
-Patch900: modsign-20120816.patch
+Patch900: modsign-rusty-jwb.patch
 
 # secure boot
-Patch1000: secure-boot-20120809.patch
+Patch1000: secure-boot-20120830.patch
 
 # Improve PCI support on UEFI
 Patch1100: handle-efi-roms.patch
@@ -1395,10 +1395,10 @@ ApplyPatch linux-2.6-crash-driver.patch
 ApplyPatch linux-2.6-e1000-ich9-montevina.patch
 
 # crypto/
-ApplyPatch modsign-20120816.patch
+ApplyPatch modsign-rusty-jwb.patch
 
 # secure boot
-ApplyPatch secure-boot-20120809.patch
+ApplyPatch secure-boot-20120830.patch
 
 # Improved PCI support for UEFI
 ApplyPatch handle-efi-roms.patch
@@ -1628,13 +1628,6 @@ BuildKernel() {
     # we'll get it from the linux-firmware package and we don't want conflicts
     make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
 
-%if %{signmodules}
-        if [ -z "$(readelf -n $(find fs/ -name \*.ko | head -n 1) | grep module.sig)" ]; then
-            echo "ERROR: modules are NOT signed" >&2;
-            exit 1;
-        fi
-%endif
-
 %ifarch %{vdso_arches}
     make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
     if [ ! -s ldconfig-kernel.conf ]; then
@@ -1758,6 +1751,12 @@ BuildKernel() {
     # Call the modules-extra script to move things around
     %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE16}
 
+%if %{signmodules}
+    # Save off the .tmp_versions/ directory.  We'll use it in the 
+    # __debug_install_post macro below to sign the right things
+    cp -r .tmp_versions .tmp_versions.sign${Flavour:+.${Flavour}}
+%endif
+
     # remove files that will be auto generated by depmod at rpm -i time
     for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap devname softdep
     do
@@ -1880,9 +1879,56 @@ find Documentation -type d | xargs chmod u+w
 # This macro is used by %%install, so we must redefine it before that.
 %define debug_package %{nil}
 
+# In the modsign case, we do 3 things.  1) We check the "flavour" and hard
+# code the value in the following invocations.  This is somewhat sub-optimal
+# but we're doing this inside of an RPM macro and it isn't as easy as it
+# could be because of that.  2) We restore the .tmp_versions/ directory from
+# the one we saved off in BuildKernel above.  This is to make sure we're
+# signing the modules we actually built/installed in that flavour.  3) We
+# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh
+# commands to actually sign the modules.
+#
+# We have to do all of those things _after_ find-debuginfo runs, otherwise
+# that will strip the signature off of the modules.
+
 %if %{with_debuginfo}
 %define __debug_install_post \
   /usr/lib/rpm/find-debuginfo.sh %{debuginfo_args} %{_builddir}/%{?buildsubdir}\
+  if [ "%{signmodules}" == "1" ]; \
+  then \
+    if [ "%{with_pae}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAE.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign.PAE .tmp_versions \
+      make ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
+    fi \
+    if [ "%{with_debug}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign.debug .tmp_versions \
+      make ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
+    fi \
+    if [ "%{with_pae_debug}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign.PAEdebug .tmp_versions \
+      make ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
+    fi \
+    if [ "%{with_up}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign .tmp_versions \
+      make ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
+    fi \
+  fi \
 %{nil}
 
 %ifnarch noarch
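Review bot: The signing macro never verifies its result: the readelf/`module.sig` check deleted from BuildKernel in the @@ -1628,13 hunk is not re-established after `make modules_sign` and `%{SOURCE18}` in any of the four flavour blocks, so a failed or skipped signing step yields a package whose modules are unsigned and the build does not fail closed. The old check presumably targeted the ELF-note layout of the previous modsign patch; with the appended-signature format of the rusty code a replacement can look for the `~Module signature appended~` marker in each installed .ko, as sketched below for the PAE block (the same lines belong in the debug, PAEdebug and up blocks). Because the whole definition sits under `%if %{with_debuginfo}`, the `%else` branch outside this hunk needs the same signing and check or a build with debuginfo disabled ships unsigned modules — worth confirming. Minor: `[ "%{signmodules}" == "1" ]` relies on bash's non-POSIX `==`; `=` works under any shell the scriptlet runs in.
```rpm-spec
      make ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
      for m in $(find $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE -name \*.ko); do \
        grep -q "~Module signature appended~" "$m" || { echo "ERROR: $m is NOT signed" >&2; exit 1; } \
      done \
```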
@@ -2268,6 +2314,8 @@ fi
 * Fri Sep 14 2012 Josh Boyer <jwboyer at redhat.com>
 - Move the modules-extra processing to a script
 - Add a script to allow us to sign modules in modules-extra
+- Switch to using the modsign-rusty code to hopefully match what gets used
+  upstream
 
 * Fri Sep 14 2012 Dave Jones <davej at redhat.com>
 - Fix license tag. (rhbz 450492)



