Switch to using modsign-post-KS upstream with x509 certs

2012-09-25 12:02:24 -04:00 · 2012-09-25 12:02:24 -04:00 · f0f4ff23f1
commit f0f4ff23f1
parent 7e6e483520
7 changed files with 9497 additions and 10704 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -551,19 +551,20 @@ BuildRequires: rpm-build >= 4.9.0-1, elfutils >= elfutils-0.153-1
 %endif

 %if %{signmodules}
-BuildRequires: gnupg
+BuildRequires: openssl
 BuildRequires: pesign >= 0.10-4
 %endif

 Source0: ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-%{kversion}.tar.xz

 %if %{signmodules}
-Source11: genkey
+Source11: x509.genkey
 %endif

 Source15: merge.pl
 Source16: mod-extra.list
 Source17: mod-extra.sh
+Source18: mod-extra-sign.sh

 Source19: Makefile.release
 Source20: Makefile.config
@ -680,10 +681,10 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
 Patch800: linux-2.6-crash-driver.patch

 # crypto/
-Patch900: modsign-20120816.patch
+Patch900: modsign-post-KS-jwb.patch

 # secure boot
-Patch1000: secure-boot-20120809.patch
+Patch1000: secure-boot-20120924.patch

 # Improve PCI support on UEFI
 Patch1100: handle-efi-roms.patch
@ -1393,10 +1394,10 @@ ApplyPatch linux-2.6-crash-driver.patch
 ApplyPatch linux-2.6-e1000-ich9-montevina.patch

 # crypto/
-ApplyPatch modsign-20120816.patch
+ApplyPatch modsign-post-KS-jwb.patch

 # secure boot
-ApplyPatch secure-boot-20120809.patch
+ApplyPatch secure-boot-20120924.patch

 # Improved PCI support for UEFI
 ApplyPatch handle-efi-roms.patch
@ -1623,13 +1624,6 @@ BuildKernel() {
    # we'll get it from the linux-firmware package and we don't want conflicts
    make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=

-%if %{signmodules}
-        if [ -z "$(readelf -n $(find fs/ -name \*.ko | head -n 1) | grep module.sig)" ]; then
-            echo "ERROR: modules are NOT signed" >&2;
-            exit 1;
-        fi
-%endif
-
 %ifarch %{vdso_arches}
    make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
    if [ ! -s ldconfig-kernel.conf ]; then
@ -1753,6 +1747,12 @@ BuildKernel() {
    # Call the modules-extra script to move things around
    %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE16}

+%if %{signmodules}
+    # Save off the .tmp_versions/ directory.  We'll use it in the 
+    # __debug_install_post macro below to sign the right things
+    cp -r .tmp_versions .tmp_versions.sign${Flavour:+.${Flavour}}
+%endif
+
    # remove files that will be auto generated by depmod at rpm -i time
    for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap devname softdep
    do
@ -1875,9 +1875,56 @@ find Documentation -type d | xargs chmod u+w
 # This macro is used by %%install, so we must redefine it before that.
 %define debug_package %{nil}

+# In the modsign case, we do 3 things.  1) We check the "flavour" and hard
+# code the value in the following invocations.  This is somewhat sub-optimal
+# but we're doing this inside of an RPM macro and it isn't as easy as it
+# could be because of that.  2) We restore the .tmp_versions/ directory from
+# the one we saved off in BuildKernel above.  This is to make sure we're
+# signing the modules we actually built/installed in that flavour.  3) We
+# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh
+# commands to actually sign the modules.
+#
+# We have to do all of those things _after_ find-debuginfo runs, otherwise
+# that will strip the signature off of the modules.
+
 %if %{with_debuginfo}
 %define __debug_install_post \
  /usr/lib/rpm/find-debuginfo.sh %{debuginfo_args} %{_builddir}/%{?buildsubdir}\
+  if [ "%{signmodules}" == "1" ]; \
+  then \
+    if [ "%{with_pae}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAE.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign.PAE .tmp_versions \
+      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
+    fi \
+    if [ "%{with_debug}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign.debug .tmp_versions \
+      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
+    fi \
+    if [ "%{with_pae_debug}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign.PAEdebug .tmp_versions \
+      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
+    fi \
+    if [ "%{with_up}" != "0" ]; \
+    then \
+      Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
+      rm -rf .tmp_versions \
+      mv .tmp_versions.sign .tmp_versions \
+      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \
+      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
+    fi \
+  fi \
 %{nil}

 %ifnarch noarch
@ -2263,6 +2310,7 @@ fi
 * Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com>
 - Move the modules-extra processing to a script
 - Prep mod-extra.sh for signed modules
+- Switch to using modsign-post-KS upstream with x509 certs

 * Tue Sep 25 2012 Josh Boyer <jwboyer@redhat.com> - 3.6.0-0.rc7.git1.2
 - Update team driver from net-next from Jiri Pirko