diff options
| author | Laura Abbott <labbott@redhat.com> | 2019-10-22 10:59:19 -0400 |
|---|---|---|
| committer | Laura Abbott <labbott@redhat.com> | 2019-10-29 15:28:51 -0400 |
| commit | 5a0c912794dda84feb84b495adede3df75d0620b (patch) | |
| tree | 8ea65917bf80bfcc93479e885cda9e6d39e8a540 /kernel.spec | |
| parent | 8044841427b22ab04ec6dd8781fbe4be2be411df (diff) | |
| download | kernel-5a0c912794dda84feb84b495adede3df75d0620b.tar.gz kernel-5a0c912794dda84feb84b495adede3df75d0620b.tar.xz kernel-5a0c912794dda84feb84b495adede3df75d0620b.zip | |
Add some expanded UEFI support
Fedora currently only supports x86_64 secureboot signing.
There's ongoing work to enable other arches though. For now,
just bring in the packaging support with some of it commented
out.
Diffstat (limited to 'kernel.spec')
| -rw-r--r-- | kernel.spec | 58 |
1 files changed, 57 insertions, 1 deletions
diff --git a/kernel.spec b/kernel.spec index fd3382ca9..ac0c125ed 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1313,14 +1313,53 @@ BuildKernel() { cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/%{image_install_path}/zImage.stub-$KernelVer || : cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/lib/modules/$KernelVer/zImage.stub-$KernelVer || : fi + + %if %{signkernel} + if [ "$KernelImage" = vmlinux ]; then + # We can't strip and sign $KernelImage in place, because + # we need to preserve original vmlinux for debuginfo. + # Use a copy for signing. + $CopyKernel $KernelImage $KernelImage.tosign + KernelImage=$KernelImage.tosign + CopyKernel=cp + fi + # Sign the image if we're using EFI + # aarch64 kernels are gziped EFI images + KernelExtension=${KernelImage##*.} + if [ "$KernelExtension" == "gz" ]; then + SignImage=${KernelImage%.*} + else + SignImage=$KernelImage + fi + + %ifarch x86_64 aarch64 + %if 0%{?fedora} %pesign -s -i $KernelImage -o vmlinuz.signed + %else + %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %endif # fedora + %endif # arches + %ifarch s390x ppc64le + if [ -x /usr/bin/rpm-sign ]; then + rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + elif [ $DoModules -eq 1 ]; then + chmod +x scripts/sign-file + ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed + else + mv $SignImage vmlinuz.signed + fi + %endif + if [ ! -s vmlinuz.signed ]; then echo "pesigning failed" exit 1 fi - mv vmlinuz.signed $KernelImage + mv vmlinuz.signed $SignImage + if [ "$KernelExtension" == "gz" ]; then + gzip -f9 $SignImage + fi %endif $CopyKernel $KernelImage \ $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer @@ -1609,6 +1648,23 @@ BuildKernel() { # build a BLS config for this kernel %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" +%if 0 + # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer + install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch s390x ppc64le + if [ $DoModules -eq 1 ]; then + if [ -x /usr/bin/rpm-sign ]; then + install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + else + install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + fi + fi + %endif +%endif + %if %{with_ipaclones} MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p') if [ -z "$MAXPROCS" ]; then |