From 5ef44c41d7ef360fd605a3b3157feed1678e2ac4 Mon Sep 17 00:00:00 2001
From: Dorian Stoll
Date: Sat, 13 May 2023 20:41:07 +0200
Subject: [PATCH] pkg: fedora: Remove old package setup
---
...secureboot-pre-signing-to-the-kernel.patch | 87 -----
pkg/fedora/kernel-surface/fedora.config | 10 -
pkg/fedora/kernel-surface/kernel-surface.spec | 363 ------------------
pkg/fedora/kernel-surface/mod-sign.sh | 36 --
pkg/fedora/kernel-surface/parallel_xz.sh | 26 --
5 files changed, 522 deletions(-)
delete mode 100644 pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
delete mode 100644 pkg/fedora/kernel-surface/fedora.config
delete mode 100755 pkg/fedora/kernel-surface/kernel-surface.spec
delete mode 100755 pkg/fedora/kernel-surface/mod-sign.sh
delete mode 100755 pkg/fedora/kernel-surface/parallel_xz.sh
diff --git a/pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
deleted file mode 100644
index b09636382..000000000
--- a/pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 4d40b8001ac67866e49659211163ebcc0b17dd73 Mon Sep 17 00:00:00 2001
-From: Dorian Stoll
-Date: Sun, 22 Sep 2019 22:44:16 +0200
-Subject: [PATCH] Add secureboot pre-signing to the kernel
-
-If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
-the kernel Makefile will automatically sign the vmlinux / bzImage file that
-gets generated, and that is then used in packaging.
-
-By integrating it into the kernel build system directly, it is fully integrated
-with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
-and it gets added to every tree by the same mechanism that is used to apply the
-other surface patches anyways.
-
-Signed-off-by: Dorian Stoll
----
- .gitignore | 3 +++
- arch/x86/Makefile | 1 +
- scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
- 3 files changed, 34 insertions(+)
- create mode 100755 scripts/sign_kernel.sh
-
-diff --git a/.gitignore b/.gitignore
-index 2030c7a4d2f8..f0705ecd9340 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -132,6 +132,9 @@ signing_key.priv
- signing_key.x509
- x509.genkey
-
-+# Secureboot certificate
-+/keys/
-+
- # Kconfig presets
- /all.config
- /alldef.config
-diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index 94df0868804b..2c7b7829f0c2 100644
---- a/arch/x86/Makefile
-+++ b/arch/x86/Makefile
-@@ -284,6 +284,7 @@ endif
- $(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
- $(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
- $(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
-+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
-
- $(BOOT_TARGETS): vmlinux
- $(Q)$(MAKE) $(build)=$(boot) $@
-diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
-new file mode 100755
-index 000000000000..d2526a279254
---- /dev/null
-+++ b/scripts/sign_kernel.sh
-@@ -0,0 +1,30 @@
-+#!/bin/sh
-+# SPDX-License-Identifier: GPL-2.0
-+
-+# The path to the compiled kernel image is passed as the first argument
-+BUILDDIR=$(dirname $(dirname $0))
-+VMLINUX=$1
-+
-+# Keys are stored in a toplevel directory called keys
-+# The following files need to be there:
-+# * MOK.priv (private key)
-+# * MOK.pem (public key)
-+#
-+# If the files don't exist, this script will do nothing.
-+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
-+ exit 0
-+fi
-+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
-+ exit 0
-+fi
-+
-+# Both required certificates were found. Check if sbsign is installed.
-+echo "Keys for automatic secureboot signing found."
-+if [ ! -x "$(command -v sbsign)" ]; then
-+ echo "ERROR: sbsign not found!"
-+ exit -2
-+fi
-+
-+# Sign the kernel
-+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
-+ --output $VMLINUX $VMLINUX
---
-2.23.0
-
diff --git a/pkg/fedora/kernel-surface/fedora.config b/pkg/fedora/kernel-surface/fedora.config
deleted file mode 100644
index bdfade710..000000000
--- a/pkg/fedora/kernel-surface/fedora.config
+++ /dev/null
@@ -1,10 +0,0 @@
-##
-## Forcefully disable debug symbols
-##
-
-CONFIG_DEBUG_INFO_NONE=y
-# CONFIG_DEBUG_INFO is not set
-# CONFIG_DEBUG_INFO_BTF is not set
-# CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT is not set
-# CONFIG_DEBUG_INFO_DWARF4 is not set
-# CONFIG_DEBUG_INFO_DWARF5 is not set
diff --git a/pkg/fedora/kernel-surface/kernel-surface.spec b/pkg/fedora/kernel-surface/kernel-surface.spec
deleted file mode 100755
index 45d13faad..000000000
--- a/pkg/fedora/kernel-surface/kernel-surface.spec
+++ /dev/null
@@ -1,363 +0,0 @@ -# -# Definitions to configure the kernel we want to build -# - -%global kernel_tag_fc38 kernel-6.3.5-200.fc38 -%global kernel_tag_fc37 kernel-6.3.5-100.fc37 - -%global kernel_release_fc38 1 -%global kernel_release_fc37 1 - -# This is what is printed in the GRUB menu. These cannot be fetched from the -# buildhost, because in a container this will also say container. To get the -# same text as the default kernels, just hardcode it. Hey, this is important! -%global fedora_title_fc37 38 (Thirty Eight) -%global fedora_title_fc37 37 (Thirty Seven) - -%global ls_patches_commit f6d9315b8a3ecaee9f1575d8860a46cf44e79607 - -%global sb_crt surface.crt -%global sb_key surface.key - -# -# Definitions that get automatically generated from the ones above -# - -%global kernel_tag %{kernel_tag_fc%{fedora}} -%global kernel_release %{kernel_release_fc%{fedora}} -%global fedora_title %{fedora_title_fc%{fedora}} - -%global kernel_version %(echo %{kernel_tag} | cut -d'-' -f2) -%global kernel_majorver %(echo %{kernel_version} | cut -d'.' 
-f1-2) -%global kernel_patches patches/%{kernel_majorver} - -%global kernel_localversion %{kernel_release}.surface%{?dist}.%{_target_cpu} -%global kernel_config kernel-%{kernel_version}-%{_target_cpu}.config -%global kernel_name %{kernel_version}-%{kernel_localversion} - -%global fedora_source https://github.com/StollD/linux-fedora -%global surface_source https://raw.githubusercontent.com/linux-surface/linux-surface/%{ls_patches_commit} - -%global kernel_modpath %{buildroot}/lib/modules/%{kernel_name} - -# -# Actual specfile starts here -# - -%bcond_with signkernel - -Name: kernel-surface -Summary: The Linux Kernel with patches for Microsoft Surface -Version: %{kernel_version} -Release: %{kernel_release}%{?dist} -License: GPLv2 -URL: https://github.com/linux-surface/linux-surface - -Provides: installonlypkg(kernel-surface) -Provides: kernel-uname-r = %{kernel_name} -Provides: kernel-core-uname-r = %{kernel_name} -Provides: kernel-modules-uname-r = %{kernel_name} - -Recommends: iptsd - -Requires(pre): coreutils, systemd >= 203-2, /usr/bin/kernel-install -Requires(pre): dracut >= 027 -Requires(pre): linux-firmware >= 20150904-56.git6ebf5d57 -Requires(preun): systemd >= 200 - -BuildRequires: openssl openssl-devel -BuildRequires: kmod, patch, bash, tar, git-core, sbsigntools -BuildRequires: bzip2, xz, findutils, gzip, m4, perl-interpreter, -BuildRequires: perl-Carp, perl-devel, perl-generators, make, diffutils, -BuildRequires: gawk, gcc, binutils, redhat-rpm-config, hmaccalc, bison -BuildRequires: flex, net-tools, hostname, bc, elfutils-devel -BuildRequires: gcc-plugin-devel dwarves - -# Used to mangle unversioned shebangs to be Python 3 -BuildRequires: python3-devel - -Conflicts: xfsprogs < 4.3.0-1 -Conflicts: xorg-x11-drv-vmmouse < 13.0.99 -BuildConflicts: rhbuildsys(DiskFree) < 500Mb -BuildConflicts: rpm < 4.13.0.1-19 -BuildConflicts: dwarves < 1.13 - -Source0: %{fedora_source}/archive/%{kernel_tag}.tar.gz -Source1: 
%{surface_source}/configs/surface-%{kernel_majorver}.config -Source2: fedora.config - -%if %{with signkernel} -Source20: %{sb_crt} -Source21: %{sb_key} -%endif - -Source100: mod-sign.sh -Source101: parallel_xz.sh - -Patch0: %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch -Patch1: %{surface_source}/%{kernel_patches}/0002-mwifiex.patch -Patch2: %{surface_source}/%{kernel_patches}/0003-ath10k.patch -Patch3: %{surface_source}/%{kernel_patches}/0004-ipts.patch -Patch4: %{surface_source}/%{kernel_patches}/0005-ithc.patch -Patch5: %{surface_source}/%{kernel_patches}/0006-surface-sam.patch -Patch6: %{surface_source}/%{kernel_patches}/0007-surface-sam-over-hid.patch -Patch7: %{surface_source}/%{kernel_patches}/0008-surface-button.patch -Patch8: %{surface_source}/%{kernel_patches}/0009-surface-typecover.patch -Patch9: %{surface_source}/%{kernel_patches}/0010-surface-shutdown.patch -Patch10: %{surface_source}/%{kernel_patches}/0011-surface-gpe.patch -Patch11: %{surface_source}/%{kernel_patches}/0012-cameras.patch -Patch12: %{surface_source}/%{kernel_patches}/0013-amd-gpio.patch -Patch13: %{surface_source}/%{kernel_patches}/0014-rtc.patch - -Patch100: 0001-Add-secureboot-pre-signing-to-the-kernel.patch - -ExclusiveArch: x86_64 - -%global debug_package %{nil} -%global _build_id_links alldebug - -%description -The Linux Kernel, the operating system core itself, with support for -Microsoft Surface. - -%package devel -Summary: Development package for building kernel modules for kernel-surface -AutoReqProv: no -Provides: installonlypkg(kernel-surface) -Provides: kernel-devel-uname-r = %{kernel_name} - -%description devel -This package provides kernel headers and makefiles sufficient to build modules -against the kernel-surface package. 
- -%prep -%autosetup -S git -n linux-fedora-%{kernel_tag} - -# Fix missing Makefile.rhelver -touch Makefile.rhelver - -scripts/kconfig/merge_config.sh \ - fedora/configs/%{kernel_config} \ - %{SOURCE1} \ - %{SOURCE2} - -echo $((%{kernel_release} - 1)) > .version - -# Copy secureboot certificates if they are available -%if %{with signkernel} -mkdir -p keys -cp %{SOURCE20} keys/MOK.crt -cp %{SOURCE21} keys/MOK.key -%endif - -# This Prevents scripts/setlocalversion from mucking with our version numbers. -touch .scmversion - -# Mangle /usr/bin/python shebangs to /usr/bin/python3 -# Mangle all Python shebangs to be Python 3 explicitly -# -p preserves timestamps -# -n prevents creating ~backup files -# -i specifies the interpreter for the shebang -# This fixes errors such as -# *** ERROR: ambiguous python shebang in /usr/bin/kvm_stat: #!/usr/bin/python. Change it to python3 (or python2) explicitly. -# We patch all sources below for which we got a report/error. -pathfix.py -i "%{__python3} %{py3_shbang_opts}" -p -n \ - tools/kvm/kvm_stat/kvm_stat \ - scripts/show_delta \ - scripts/diffconfig \ - scripts/bloat-o-meter \ - scripts/jobserver-exec \ - tools \ - Documentation \ - scripts/clang-tools - -%build - -# This ensures build-ids are unique to allow parallel debuginfo -perl -p -i -e "s/^CONFIG_BUILD_SALT.*/CONFIG_BUILD_SALT=\"%{kernel_name}\"/" .config - -make %{?_smp_mflags} all LOCALVERSION=-%{kernel_localversion} ARCH=%{_target_cpu} - -%define __modsign_install_post \ - %{SOURCE100} certs/signing_key.pem certs/signing_key.x509 %{kernel_modpath} \ - find %{kernel_modpath} -type f -name '*.ko' | %{SOURCE101} %{?_smp_mflags}; \ -%{nil} - -# -# Disgusting hack alert! We need to ensure we sign modules *after* all -# invocations of strip occur. 
-# -%define __spec_install_post \ - %{?__debug_package:%{__debug_install_post}}\ - %{__arch_install_post}\ - %{__os_install_post}\ - %{__modsign_install_post} - -%install -mkdir -p %{buildroot}/boot - -# Install modules -make %{?_smp_mflags} INSTALL_MOD_PATH=%{buildroot} modules_install KERNELRELEASE=%{kernel_name} - -# Install vmlinuz -image_name=$(make -s image_name) -install -m 755 $image_name %{buildroot}/boot/vmlinuz-%{kernel_name} -install -m 755 $image_name %{kernel_modpath}/vmlinuz - -# Install System.map and .config -install -m 644 System.map %{kernel_modpath}/System.map -install -m 644 System.map %{buildroot}/boot/System.map-%{kernel_name} -install -m 644 .config %{kernel_modpath}/config -install -m 644 .config %{buildroot}/boot/config-%{kernel_name} - -# hmac sign the kernel for FIPS -sha512hmac %{buildroot}/boot/vmlinuz-%{kernel_name} | sed -e "s,%{buildroot},," > %{kernel_modpath}/.vmlinuz.hmac -cp %{kernel_modpath}/.vmlinuz.hmac %{buildroot}/boot/.vmlinuz-%{kernel_name}.hmac - -# mark modules executable so that strip-to-file can strip them -find %{kernel_modpath} -name "*.ko" -type f | xargs --no-run-if-empty chmod u+x - -# Setup directories for -devel files -rm -f %{kernel_modpath}/build -rm -f %{kernel_modpath}/source -mkdir -p %{kernel_modpath}/build -pushd %{kernel_modpath} - ln -s build source -popd - -# first copy everything -cp --parents $(find -type f -name "Makefile*" -o -name "Kconfig*") %{kernel_modpath}/build -cp Module.symvers %{kernel_modpath}/build -cp System.map %{kernel_modpath}/build -if [ -s Module.markers ]; then - cp Module.markers %{kernel_modpath}/build -fi - -# then drop all but the needed Makefiles/Kconfig files -rm -rf %{kernel_modpath}/build/scripts -rm -rf %{kernel_modpath}/build/include -cp .config %{kernel_modpath}/build -cp -a scripts %{kernel_modpath}/build -rm -rf %{kernel_modpath}/build/scripts/tracing -rm -f %{kernel_modpath}/build/scripts/spdxcheck.py - -if [ -f tools/objtool/objtool ]; then - cp -a 
tools/objtool/objtool %{kernel_modpath}/build/tools/objtool/ || : - - # these are a few files associated with objtool - cp -a --parents tools/build/Build.include %{kernel_modpath}/build/ - cp -a --parents tools/build/Build %{kernel_modpath}/build/ - cp -a --parents tools/build/fixdep.c %{kernel_modpath}/build/ - cp -a --parents tools/scripts/utilities.mak %{kernel_modpath}/build/ - - # also more than necessary but it's not that many more files - cp -a --parents tools/objtool/* %{kernel_modpath}/build/ - cp -a --parents tools/lib/str_error_r.c %{kernel_modpath}/build/ - cp -a --parents tools/lib/string.c %{kernel_modpath}/build/ - cp -a --parents tools/lib/subcmd/* %{kernel_modpath}/build/ -fi - -if [ -d arch/x86/scripts ]; then - cp -a arch/x86/scripts %{kernel_modpath}/build/arch/x86/ || : -fi - -if [ -f arch/x86/*lds ]; then - cp -a arch/x86/*lds %{kernel_modpath}/build/arch/x86/ || : -fi - -if [ -f arch/x86/kernel/module.lds ]; then - cp -a --parents arch/x86/kernel/module.lds %{kernel_modpath}/build/ -fi - -rm -f %{kernel_modpath}/build/scripts/*.o -rm -f %{kernel_modpath}/build/scripts/*/*.o - -if [ -d arch/x86/include ]; then - cp -a --parents arch/x86/include %{kernel_modpath}/build/ -fi - -cp -a include %{kernel_modpath}/build/include - -# files for 'make prepare' to succeed with kernel-devel -cp -a --parents arch/x86/entry/syscalls/syscall_32.tbl %{kernel_modpath}/build/ -cp -a --parents arch/x86/entry/syscalls/syscall_64.tbl %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs_32.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs_64.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs_common.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs.h %{kernel_modpath}/build/ - -cp -a --parents scripts/syscalltbl.sh %{kernel_modpath}/build/ -cp -a --parents scripts/syscallhdr.sh %{kernel_modpath}/build/ - -# Yes this is more includes than we 
probably need. Feel free to sort out -# dependencies if you so choose. -cp -a --parents tools/include/* %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/purgatory.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/stack.S %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/setup-x86_64.S %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/entry64.S %{kernel_modpath}/build/ -cp -a --parents arch/x86/boot/string.h %{kernel_modpath}/build/ -cp -a --parents arch/x86/boot/string.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/boot/ctype.h %{kernel_modpath}/build/ - -# Make sure the Makefile, version.h, and auto.conf have a matching -# timestamp so that external modules can be built - -touch -r %{kernel_modpath}/build/Makefile \ - %{kernel_modpath}/build/include/generated/uapi/linux/version.h \ - %{kernel_modpath}/build/include/config/auto.conf - -mkdir -p %{buildroot}/usr/src/kernels -mv %{kernel_modpath}/build %{buildroot}/usr/src/kernels/%{kernel_name} - -# This is going to create a broken link during the build, but we don't use -# it after this point. We need the link to actually point to something -# when kernel-devel is installed, and a relative link doesn't work across -# the F17 UsrMove feature. -ln -sf /usr/src/kernels/%{kernel_name} %{kernel_modpath}/build - -# prune junk from kernel-devel -find %{buildroot}/usr/src/kernels -name ".*.cmd" -delete - -# remove files that will be auto generated by depmod at rpm -i time -pushd %{kernel_modpath} - rm -f modules.{alias*,builtin.bin,dep*,*map,symbols*,devname,softdep} -popd - -# build a BLS config for this kernel -cat >%{kernel_modpath}/bls.conf < -- Initial version diff --git a/pkg/fedora/kernel-surface/mod-sign.sh b/pkg/fedora/kernel-surface/mod-sign.sh deleted file mode 100755 index 5081e77dc..000000000 --- a/pkg/fedora/kernel-surface/mod-sign.sh +++ /dev/null 
@@ -1,36 +0,0 @@
-#! /bin/bash
-
-# The modules_sign target checks for corresponding .o files for every .ko that
-# is signed. This doesn't work for package builds which re-use the same build
-# directory for every flavour, and the .config may change between flavours.
-# So instead of using this script to just sign lib/modules/$KernelVer/extra,
-# sign all .ko in the buildroot.
-
-# This essentially duplicates the 'modules_sign' Kbuild target and runs the
-# same commands for those modules.
-
-MODSECKEY=$1
-MODPUBKEY=$2
-
-moddir=$3
-
-modules=`find $moddir -name *.ko`
-
-for mod in $modules
-do
- dir=`dirname $mod`
- file=`basename $mod`
-
- ./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file}
- rm -f ${dir}/${file}.{sig,dig}
-done
-
-RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | head -n 1)
-if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
- echo "*****************************"
- echo "*** Modules are unsigned! ***"
- echo "*****************************"
- exit 1
-fi
-
-exit 0
diff --git a/pkg/fedora/kernel-surface/parallel_xz.sh b/pkg/fedora/kernel-surface/parallel_xz.sh
deleted file mode 100755
index bc08a548d..000000000
--- a/pkg/fedora/kernel-surface/parallel_xz.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-# Reads filenames on stdin, xz-compresses each in place.
-# Not optimal for "compress relatively few, large files" scenario!
-
-# How many xz's to run in parallel:
-procgroup=""
-while test "$#" != 0; do
- # Get it from -jNUM
- N="${1#-j}"
- if test "$N" = "$1"; then
- # Not -j - warn and ignore
- echo "parallel_xz: warning: unrecognized argument: '$1'"
- else
- procgroup="$N"
- fi
- shift
-done
-
-# If told to use only one cpu:
-test "$procgroup" || exec xargs -r xz
-test "$procgroup" = 1 && exec xargs -r xz
-
-# xz has some startup cost. If files are really small,
-# this cost might be significant. To combat this,
-# process several files (in sequence) by each xz process via -n 16:
-exec xargs -r -n 16 -P $procgroup xz