pkg: fedora: Add new package build scripts for building patched kernels
These scripts use the kernel-ark repository that upstream Fedora also uses to build its kernels.
parent
5ef44c41d7
commit
5dffa283ee
6
pkg/fedora/kernel-surface/.gitignore
vendored
|
@ -1,2 +1,4 @@
|
|||
surface.key
|
||||
surface.crt
|
||||
secureboot/MOK.key
|
||||
secureboot/MOK.crt
|
||||
kernel-ark
|
||||
out
|
||||
|
|
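--- /dev/null
+++ b/pkg/fedora/kernel-surface/build-ark.py
@@ -0,0 +1,171 @@
+#!/usr/bin/env python3
+
+import argparse
+import functools
+import operator
+import os
+import shutil
+import subprocess
+import time
+
+
+def system(cmd: str) -> None:
+    subprocess.run(cmd, shell=True, check=True)
+
+
+parser = argparse.ArgumentParser(usage="Build a patched Fedora kernel")
+
+parser.add_argument(
+    "--package-name",
+    help="The name of the patched package (e.g. foo -> kernel-foo).",
+    required=True,
+)
+
+parser.add_argument(
+    "--package-tag",
+    help="The upstream tag to build.",
+    required=True,
+)
+
+parser.add_argument(
+    "--package-release",
+    help="The release suffix of the modified package.",
+    required=True,
+)
+
+parser.add_argument(
+    "--ark-dir",
+    help="The local path to the kernel-ark repository.",
+    default="kernel-ark",
+)
+
+parser.add_argument(
+    "--ark-url",
+    help="The remote path to the kernel-ark repository.",
+    default="https://gitlab.com/cki-project/kernel-ark",
+)
+
+parser.add_argument(
+    "--patch",
+    help="Applies a patch to the kernel source.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--config",
+    help="Applies a KConfig fragment to the kernel source.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--file",
+    help="Copy a file into the RPM buildroot.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--buildopts",
+    help="Enable or disable options of the kernel spec file.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--outdir",
+    help="The directory where the built RPM files will be saved.",
+    default="out",
+)
+
+args = parser.parse_args()
+
+patches = [] if not args.patch else functools.reduce(operator.add, args.patch)
+configs = [] if not args.config else functools.reduce(operator.add, args.config)
+files = [] if not args.file else functools.reduce(operator.add, args.file)
+buildopts = [] if not args.buildopts else functools.reduce(operator.add, args.buildopts)
+
+# Make paths absolute.
+patches = [os.path.realpath(x) for x in patches]
+configs = [os.path.realpath(x) for x in configs]
+files = [os.path.realpath(x) for x in files]
+outdir = os.path.realpath(args.outdir)
+
+# Clone the kernel-ark repository if it doesn't exist.
+if not os.path.exists(args.ark_dir):
+    system("git clone '%s' '%s'" % (args.ark_url, args.ark_dir))
+
+os.chdir(args.ark_dir)
+
+# Check out the requested tag.
+system("git fetch --tags")
+system("git clean -dfx")
+system("git checkout -b 'build/%s'" % time.time())
+system("git reset --hard '%s'" % args.package_tag)
+
+# Apply patches
+for patch in patches:
+    system("git am '%s'" % patch)
+
+# Copy files
+for file in files:
+    shutil.copy(file, "redhat/fedora_files/")
+
+# Apply config options
+#
+# The format that the kernel-ark tree expects is a bit different from
+# a standard kernel config. Every option is split into a single file
+# named after that config.
+#
+# Example:
+# $ cat redhat/configs/common/generic/CONFIG_PCI
+# CONFIG_PCI=y
+#
+# This supposedly makes things easier for Red Hat developers,
+# but it also ends up being really annoying for us.
+for config in configs:
+    with open(config) as f:
+        lines = f.readlines()
+
+    # Filter out comments, this means only selecting lines that look like:
+    # - CONFIG_FOO=b
+    # - # CONFIG_FOO is not set
+    for line in lines:
+        enable = line.startswith("CONFIG_")
+        disable = line.startswith("# CONFIG_")
+
+        if not enable and not disable:
+            continue
+
+        NAME = ""
+
+        if enable:
+            NAME = line.split("=")[0]
+        elif disable:
+            NAME = line[2:].split(" ")[0]
+
+        print("Applying %s" % line.rstrip("\n"))
+
+        with open("redhat/configs/custom-overrides/generic/%s" % NAME, "w") as f:
+            f.write(line)
+
+system("git add redhat/configs/custom-overrides/generic")
+system("git commit -m 'Merge %s config'" % args.package_name)
+
+cmd = []
+cmd.append("make")
+cmd.append("dist-rpms")
+cmd.append("SPECPACKAGE_NAME='kernel-%s'" % args.package_name)
+cmd.append("DISTLOCALVERSION='.%s'" % args.package_name)
+cmd.append("BUILD='%s'" % args.package_release)
+
+if len(buildopts) > 0:
+    cmd.append("BUILDOPTS='%s'" % " ".join(buildopts))
+
+# Build RPMS
+system(" ".join(cmd))
+
+# Copy built RPMS to output directory
+os.makedirs(outdir, exist_ok=True)
+system("cp -r redhat/rpm/RPMS/* '%s'" % outdir)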
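Review bot: Every command in this file goes through `system()`, which runs a `%`-formatted string under `shell=True` and quotes the inserted values by hand (`git clone '%s' '%s'`, `git am '%s'`, `git reset --hard '%s'`, `BUILD='%s'`, `cp -r ... '%s'`), so a patch path, tag, release string or output directory containing a single quote or other shell metacharacters either breaks the quoting or is interpreted by the shell rather than passed to git/make. `subprocess.run` already takes an argument list, so `system()` can accept a list and drop `shell=True`; the one place the shell is genuinely doing work is the `RPMS/*` glob in the final `cp`, which `shutil.copytree(..., dirs_exist_ok=True)` covers with a module the file already imports. Separately, `git clean -dfx` at the checkout step deletes every untracked and ignored file in `--ark-dir`, so pointing it at an existing working copy discards local work; the `--ark-dir` help string should say so, e.g. `"Any untracked files in this directory are deleted on every build."`
```python
def system(cmd: list[str]) -> None:
    # Argument list instead of a shell string: paths, tags and release
    # strings reach the program verbatim, so no hand-quoting is needed.
    subprocess.run(cmd, check=True)

# … unchanged: argument parsing and path normalisation …

if not os.path.exists(args.ark_dir):
    system(["git", "clone", args.ark_url, args.ark_dir])

os.chdir(args.ark_dir)

system(["git", "fetch", "--tags"])
system(["git", "clean", "-dfx"])
system(["git", "checkout", "-b", "build/%s" % time.time()])
system(["git", "reset", "--hard", args.package_tag])

for patch in patches:
    system(["git", "am", patch])

# … unchanged: file copy and config override handling …

system(["git", "add", "redhat/configs/custom-overrides/generic"])
system(["git", "commit", "-m", "Merge %s config" % args.package_name])

cmd = [
    "make",
    "dist-rpms",
    "SPECPACKAGE_NAME=kernel-%s" % args.package_name,
    "DISTLOCALVERSION=.%s" % args.package_name,
    "BUILD=%s" % args.package_release,
]
if len(buildopts) > 0:
    cmd.append("BUILDOPTS=%s" % " ".join(buildopts))
system(cmd)

os.makedirs(outdir, exist_ok=True)
# Replaces the shell glob in "cp -r redhat/rpm/RPMS/*".
shutil.copytree("redhat/rpm/RPMS", outdir, dirs_exist_ok=True)
```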
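--- /dev/null
+++ b/pkg/fedora/kernel-surface/build-linux-surface.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+
+import subprocess
+import sys
+from pathlib import Path
+
+#####################################################################
+
+##
+## The name of the modified kernel package.
+##
+PACKAGE_NAME = "surface"
+
+##
+## https://gitlab.com/cki-project/kernel-ark/-/tags
+##
+## Fedora tags: kernel-X.Y.Z
+## Upstream tags: vX.Y.Z
+##
+PACKAGE_TAG = "kernel-6.3.6-0"
+
+##
+## The release number of the modified kernel package.
+## e.g. 300 for kernel-6.3.1-300.fc38.foo
+##
+PACKAGE_RELEASE = "1"
+
+##
+## Build options for configuring which parts of the kernel package are enabled.
+##
+## We disable all userspace components because we only want the kernel + modules.
+## We also don't care too much about debug info or UKI.
+##
+## To list the available options, run make dist-full-help in the kernel-ark tree.
+##
+KERNEL_BUILDOPTS = "+up +baseonly -debuginfo -doc -headers -efiuki"
+
+#####################################################################
+
+# The directory where this script is saved.
+script = Path(sys.argv[0]).resolve().parent
+
+# The root of the linux-surface repository.
+linux_surface = script / ".." / ".." / ".."
+
+# Determine the major version of the kernel.
+kernel_version = PACKAGE_TAG.split("-")[1]
+kernel_major = ".".join(kernel_version.split(".")[:2])
+
+# Determine the patches directory and config file.
+patches = linux_surface / "patches" / kernel_major
+config = linux_surface / "configs" / ("surface-%s.config" % kernel_major)
+
+sb_cert = script / "secureboot" / "MOK.crt"
+sb_key = script / "secureboot" / "MOK.key"
+
+# Check if the major version is supported.
+if not patches.exists() or not config.exists():
+    print("ERROR: Could not find patches / configs for kernel %s!" % kernel_major)
+    sys.exit(1)
+
+# Check if Secure Boot keys are available.
+sb_avail = sb_cert.exists() and sb_key.exists()
+
+# If we are building without secureboot, require user input to continue.
+if not sb_avail:
+    print("")
+    print("Secure Boot keys were not configured! Using Red Hat testkeys.")
+    print("The compiled kernel will not boot with Secure Boot enabled!")
+    print("")
+
+    input("Press any key to continue")
+
+# Expand globs
+surface_patches = list(patches.glob("*.patch"))
+
+cmd = []
+cmd += [script / "build-ark.py"]
+cmd += ["--package-name", PACKAGE_NAME]
+cmd += ["--package-tag", PACKAGE_TAG]
+cmd += ["--package-release", PACKAGE_RELEASE]
+cmd += ["--patch"] + surface_patches
+cmd += ["--config", config]
+cmd += ["--buildopts", KERNEL_BUILDOPTS]
+
+local_patches = list((script / "patches").glob("*.patch"))
+local_configs = list((script / "configs").glob("*.config"))
+local_files = list((script / "files").glob("*"))
+
+if len(local_patches) > 0:
+    cmd += ["--patch"] + local_patches
+
+if len(local_configs) > 0:
+    cmd += ["--config"] + local_configs
+
+if len(local_files) > 0:
+    cmd += ["--file"] + local_files
+
+if sb_avail:
+    sb_patches = list((script / "secureboot").glob("*.patch"))
+    sb_configs = list((script / "secureboot").glob("*.config"))
+
+    if len(sb_patches) > 0:
+        cmd += ["--patch"] + sb_patches
+
+    if len(sb_configs) > 0:
+        cmd += ["--config"] + sb_configs
+
+    cmd += ["--file", sb_cert, sb_key]
+
+subprocess.run(cmd, check=True)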
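Review bot: `kernel_version = PACKAGE_TAG.split("-")[1]` only works for the `kernel-X.Y.Z-N` tag form, yet the comment above `PACKAGE_TAG` also documents upstream `vX.Y.Z` tags as valid; for those there is no `-`, so the index raises `IndexError` before the "Could not find patches / configs" check is ever reached. A guard covering both documented forms is one line: `kernel_version = PACKAGE_TAG.split("-")[1] if PACKAGE_TAG.startswith("kernel-") else PACKAGE_TAG.lstrip("v")`. Separately, `input("Press any key to continue")` in the no-Secure-Boot branch makes an unattended run either hang at the prompt or die with `EOFError` when stdin is closed; checking `sys.stdin.isatty()` before prompting and exiting with a clear message otherwise keeps the fallback to the Red Hat test keys an explicit, interactive choice rather than an accident of how the script was launched.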
0
pkg/fedora/kernel-surface/configs/.gitkeep
Normal file
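--- /dev/null
+++ b/pkg/fedora/kernel-surface/configs/fedora.config
@@ -0,0 +1,7 @@
+##
+## Config options specific to Fedora
+##
+
+# The build fails because this is not enabled in the config set for RHEL,
+# but enabled automatically by one of our patches.
+CONFIG_VIDEO_V4L2_SUBDEV_API=y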
0
pkg/fedora/kernel-surface/files/.gitkeep
Normal file
0
pkg/fedora/kernel-surface/patches/.gitkeep
Normal file
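--- /dev/null
+++ b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch
@@ -0,0 +1,60 @@
+From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sat, 13 May 2023 16:39:50 +0200
+Subject: [PATCH] Use a custom key and certificate for Secure Boot signing
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+ redhat/kernel.spec.template | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..76d1ad8e2818 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs
+ %ifarch x86_64 aarch64
+ BuildRequires: nss-tools
+ BuildRequires: pesign >= 0.10-4
++BuildRequires: sbsigntools
+ %endif
+ %endif
+ %endif
+@@ -762,6 +763,13 @@ Source1: Makefile.rhelver
+ %define signing_key_filename kernel-signing-s390.cer
+ %endif
+ 
++%ifarch x86_64 aarch64
++
++Source7001: MOK.key
++Source7002: MOK.crt
++
++%endif
++
+ %if %{?released_kernel}
+ 
+ Source10: redhatsecurebootca5.cer
+@@ -1860,9 +1868,7 @@ BuildKernel() {
+ fi
+ 
+ %ifarch x86_64 aarch64
+- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+- rm vmlinuz.tmp
++ sbsign --key %{SOURCE7001} --cert %{SOURCE7002} --output vmlinuz.signed $SignImage
+ %endif
+ %ifarch s390x ppc64le
+ if [ -x /usr/bin/rpm-sign ]; then
+@@ -2393,9 +2399,6 @@ BuildKernel() {
+ # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+ mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
+ %ifarch x86_64 aarch64
+- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
+-- 
+2.40.1
+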
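Review bot: `Source7001: MOK.key` declares the private Secure Boot signing key as an RPM source, and rpmbuild packs every `SourceN` file into the source RPM it produces, so any SRPM built from this spec carries the private key; `build-linux-surface.py` also copies the key into the kernel-ark checkout via `--file`, and `build-ark.py` only copies `redhat/rpm/RPMS/*` out, so an SRPM left behind in the checkout is the thing to watch. The key is needed only at the `sbsign --key %{SOURCE7001}` step, so passing its path through a macro defined on the rpmbuild command line, or signing `vmlinuz` after the build, keeps it out of the SRPM and the source tree while `Source7002: MOK.crt` can stay a normal source. Whether the kernel-ark `dist-rpms` target writes an SRPM at all is not visible here and should be confirmed against its makefile. A comment above `Source7001` noting that the key must never leave the build host would at least make the constraint explicit to the next person touching this patch.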