author | Josh Boyer <jwboyer@redhat.com> | 2012-09-25 12:02:24 -0400 |
committer | Josh Boyer <jwboyer@redhat.com> | 2012-09-25 13:22:04 -0400 |
commit | f0f4ff23f140d044d079b021da98d819b910f0f9 (patch) | |
tree | 63df63dfdf530304cba44d78a4aa821dfc150fe3 /kernel.spec | |
parent | 7e6e483520994df2dfc131a0d87305da663e61c5 (diff) | |
Switch to using modsign-post-KS upstream with x509 certs
Diffstat (limited to 'kernel.spec')
-rw-r--r-- | kernel.spec | 76 |
1 files changed, 62 insertions, 14 deletions
diff --git a/kernel.spec b/kernel.spec
index 8212eaaf6..10fb41cbc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -551,19 +551,20 @@ BuildRequires: rpm-build >= 4.9.0-1, elfutils >= elfutils-0.153-1
 %endif
 %if %{signmodules}
-BuildRequires: gnupg
+BuildRequires: openssl
 BuildRequires: pesign >= 0.10-4
 %endif
 Source0: ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-%{kversion}.tar.xz
 %if %{signmodules}
-Source11: genkey
+Source11: x509.genkey
 %endif
 Source15: merge.pl
 Source16: mod-extra.list
 Source17: mod-extra.sh
+Source18: mod-extra-sign.sh
 Source19: Makefile.release
 Source20: Makefile.config
@@ -680,10 +681,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
 Patch800: linux-2.6-crash-driver.patch
 # crypto/
-Patch900: modsign-20120816.patch
+Patch900: modsign-post-KS-jwb.patch
 # secure boot
-Patch1000: secure-boot-20120809.patch
+Patch1000: secure-boot-20120924.patch
 # Improve PCI support on UEFI
 Patch1100: handle-efi-roms.patch
@@ -1393,10 +1394,10 @@ ApplyPatch linux-2.6-crash-driver.patch
 ApplyPatch linux-2.6-e1000-ich9-montevina.patch
 # crypto/
-ApplyPatch modsign-20120816.patch
+ApplyPatch modsign-post-KS-jwb.patch
 # secure boot
-ApplyPatch secure-boot-20120809.patch
+ApplyPatch secure-boot-20120924.patch
 # Improved PCI support for UEFI
 ApplyPatch handle-efi-roms.patch
@@ -1623,13 +1624,6 @@ BuildKernel() {
 # we'll get it from the linux-firmware package and we don't want conflicts
 make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
-%if %{signmodules}
- if [ -z "$(readelf -n $(find fs/ -name \*.ko | head -n 1) | grep module.sig)" ]; then
- echo "ERROR: modules are NOT signed" >&2;
- exit 1;
- fi
-%endif
-
 %ifarch %{vdso_arches}
 make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
 if [ ! -s ldconfig-kernel.conf ]; then
@@ -1753,6 +1747,12 @@ BuildKernel() {
 # Call the modules-extra script to move things around
 %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE16}
+%if %{signmodules}
+ # Save off the .tmp_versions/ directory. We'll use it in the
+ # __debug_install_post macro below to sign the right things
+ cp -r .tmp_versions .tmp_versions.sign${Flavour:+.${Flavour}}
+%endif
+
 # remove files that will be auto generated by depmod at rpm -i time
 for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap devname softdep
 do
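Review bot: The `cp -r .tmp_versions .tmp_versions.sign${Flavour:+.${Flavour}}` added in the second hunk is not idempotent: if the destination already exists from an earlier run in the same build tree (for example a `--short-circuit` rebuild), `cp -r` copies the directory inside it rather than over it, and the later `mv` in `__debug_install_post` would then install a nested, stale tree and sign against the wrong module list. Mirroring what that macro already does before its `mv`, an `rm -rf .tmp_versions.sign${Flavour:+.${Flavour}}` on the line before the `cp` makes the save-off safe to repeat. BuildKernel() begins and ends outside this hunk, so whether `set -e` or an explicit status check covers the `cp` cannot be seen here.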
@@ -1875,9 +1875,56 @@ find Documentation -type d | xargs chmod u+w
 # This macro is used by %%install, so we must redefine it before that.
 %define debug_package %{nil}
+# In the modsign case, we do 3 things. 1) We check the "flavour" and hard
+# code the value in the following invocations. This is somewhat sub-optimal
+# but we're doing this inside of an RPM macro and it isn't as easy as it
+# could be because of that. 2) We restore the .tmp_versions/ directory from
+# the one we saved off in BuildKernel above. This is to make sure we're
+# signing the modules we actually built/installed in that flavour. 3) We
+# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh
+# commands to actually sign the modules.
+#
+# We have to do all of those things _after_ find-debuginfo runs, otherwise
+# that will strip the signature off of the modules.
+
 %if %{with_debuginfo}
 %define __debug_install_post \
 /usr/lib/rpm/find-debuginfo.sh %{debuginfo_args} %{_builddir}/%{?buildsubdir}\
+ if [ "%{signmodules}" == "1" ]; \
+ then \
+ if [ "%{with_pae}" != "0" ]; \
+ then \
+ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAE.config | cut -b 3-` \
+ rm -rf .tmp_versions \
+ mv .tmp_versions.sign.PAE .tmp_versions \
+ make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
+ %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
+ fi \
+ if [ "%{with_debug}" != "0" ]; \
+ then \
+ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
+ rm -rf .tmp_versions \
+ mv .tmp_versions.sign.debug .tmp_versions \
+ make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \
+ %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
+ fi \
+ if [ "%{with_pae_debug}" != "0" ]; \
+ then \
+ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
+ rm -rf .tmp_versions \
+ mv .tmp_versions.sign.PAEdebug .tmp_versions \
+ make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \
+ %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
+ fi \
+ if [ "%{with_up}" != "0" ]; \
+ then \
+ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
+ rm -rf .tmp_versions \
+ mv .tmp_versions.sign .tmp_versions \
+ make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \
+ %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
+ fi \
+ fi \
 %{nil}
 %ifnarch noarch
@@ -2263,6 +2310,7 @@ fi
 * Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com>
 - Move the modules-extra processing to a script
 - Prep mod-extra.sh for signed modules
+- Switch to using modsign-post-KS upstream with x509 certs
 * Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc7.git1.2
 - Update team driver from net-next from Jiri Pirko |
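Review bot: The new `__debug_install_post` body signs every flavour but never verifies that the installed modules actually ended up signed, while the hunk at @@ -1623 removed the only build-time assertion that did (`readelf -n ... | grep module.sig`), so a `make modules_sign` or `%{SOURCE18}` run that signs nothing (stale `.tmp_versions`, missing key material) could still produce a package whose modules are rejected under signature enforcement. That old check presumably had to go because the post-KS format appends the signature to the `.ko` instead of storing it in an ELF note, so the replacement should test for the appended marker; one line per flavour after the `%{SOURCE18}` call, e.g. `for ko in $(find $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE -name '*.ko'); do tail -c 28 "$ko" | grep -q '~Module signature appended~' || { echo "ERROR: $ko is NOT signed" >&2; exit 1; }; done \`, restores the guard with the same fail-the-build behaviour the spec had before. The comment block above the macro should also record that this verification is intentionally done here rather than in BuildKernel, for the same find-debuginfo ordering reason it already gives. Secondarily, `[ "%{signmodules}" == "1" ]` relies on bash's non-POSIX `==` inside an RPM macro that is expanded into a scriptlet, whereas the rest of the spec tests `%if %{signmodules}`; `=` is the portable spelling.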