From 5ef44c41d7ef360fd605a3b3157feed1678e2ac4 Mon Sep 17 00:00:00 2001
From: Dorian Stoll
Date: Sat, 13 May 2023 20:41:07 +0200
Subject: [PATCH 1/9] pkg: fedora: Remove old package setup
---
 ...secureboot-pre-signing-to-the-kernel.patch | 87 -----
 pkg/fedora/kernel-surface/fedora.config | 10 -
 pkg/fedora/kernel-surface/kernel-surface.spec | 363 ------------------
 pkg/fedora/kernel-surface/mod-sign.sh | 36 --
 pkg/fedora/kernel-surface/parallel_xz.sh | 26 --
 5 files changed, 522 deletions(-)
 delete mode 100644 pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
 delete mode 100644 pkg/fedora/kernel-surface/fedora.config
 delete mode 100755 pkg/fedora/kernel-surface/kernel-surface.spec
 delete mode 100755 pkg/fedora/kernel-surface/mod-sign.sh
 delete mode 100755 pkg/fedora/kernel-surface/parallel_xz.sh
diff --git a/pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
deleted file mode 100644
index b09636382..000000000
--- a/pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From 4d40b8001ac67866e49659211163ebcc0b17dd73 Mon Sep 17 00:00:00 2001 -From: Dorian Stoll -Date: Sun, 22 Sep 2019 22:44:16 +0200 -Subject: [PATCH] Add secureboot pre-signing to the kernel - -If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`, -the kernel Makefile will automatically sign the vmlinux / bzImage file that -gets generated, and that is then used in packaging. - -By integrating it into the kernel build system directly, it is fully integrated -with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`) -and it gets added to every tree by the same mechanism that is used to apply the -other surface patches anyways. - -Signed-off-by: Dorian Stoll ---- - .gitignore | 3 +++ - arch/x86/Makefile | 1 + - scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++ - 3 files changed, 34 insertions(+) - create mode 100755 scripts/sign_kernel.sh - -diff --git a/.gitignore b/.gitignore -index 2030c7a4d2f8..f0705ecd9340 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -132,6 +132,9 @@ signing_key.priv - signing_key.x509 - x509.genkey - -+# Secureboot certificate -+/keys/ -+ - # Kconfig presets - /all.config - /alldef.config -diff --git a/arch/x86/Makefile b/arch/x86/Makefile -index 94df0868804b..2c7b7829f0c2 100644 ---- a/arch/x86/Makefile -+++ b/arch/x86/Makefile -@@ -284,6 +284,7 @@ endif - $(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE) - $(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot - $(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@ -+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@ - - $(BOOT_TARGETS): vmlinux - $(Q)$(MAKE) $(build)=$(boot) $@ -diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh -new file mode 100755 -index 000000000000..d2526a279254 ---- /dev/null -+++ b/scripts/sign_kernel.sh -@@ -0,0 +1,30 @@ -+#!/bin/sh -+# SPDX-License-Identifier: GPL-2.0 -+ -+# The path to the compiled kernel image is passed as the first argument 
-+BUILDDIR=$(dirname $(dirname $0)) -+VMLINUX=$1 -+ -+# Keys are stored in a toplevel directory called keys -+# The following files need to be there: -+# * MOK.priv (private key) -+# * MOK.pem (public key) -+# -+# If the files don't exist, this script will do nothing. -+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then -+ exit 0 -+fi -+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then -+ exit 0 -+fi -+ -+# Both required certificates were found. Check if sbsign is installed. -+echo "Keys for automatic secureboot signing found." -+if [ ! -x "$(command -v sbsign)" ]; then -+ echo "ERROR: sbsign not found!" -+ exit -2 -+fi -+ -+# Sign the kernel -+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \ -+ --output $VMLINUX $VMLINUX --- -2.23.0 - diff --git a/pkg/fedora/kernel-surface/fedora.config b/pkg/fedora/kernel-surface/fedora.config deleted file mode 100644 index bdfade710..000000000 --- a/pkg/fedora/kernel-surface/fedora.config +++ /dev/null @@ -1,10 +0,0 @@ -## -## Forcefully disable debug symbols -## - -CONFIG_DEBUG_INFO_NONE=y -# CONFIG_DEBUG_INFO is not set -# CONFIG_DEBUG_INFO_BTF is not set -# CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT is not set -# CONFIG_DEBUG_INFO_DWARF4 is not set -# CONFIG_DEBUG_INFO_DWARF5 is not set diff --git a/pkg/fedora/kernel-surface/kernel-surface.spec b/pkg/fedora/kernel-surface/kernel-surface.spec deleted file mode 100755 index 45d13faad..000000000 --- a/pkg/fedora/kernel-surface/kernel-surface.spec +++ /dev/null 
@@ -1,363 +0,0 @@ -# -# Definitions to configure the kernel we want to build -# - -%global kernel_tag_fc38 kernel-6.3.5-200.fc38 -%global kernel_tag_fc37 kernel-6.3.5-100.fc37 - -%global kernel_release_fc38 1 -%global kernel_release_fc37 1 - -# This is what is printed in the GRUB menu. These cannot be fetched from the -# buildhost, because in a container this will also say container. To get the -# same text as the default kernels, just hardcode it. Hey, this is important! -%global fedora_title_fc37 38 (Thirty Eight) -%global fedora_title_fc37 37 (Thirty Seven) - -%global ls_patches_commit f6d9315b8a3ecaee9f1575d8860a46cf44e79607 - -%global sb_crt surface.crt -%global sb_key surface.key - -# -# Definitions that get automatically generated from the ones above -# - -%global kernel_tag %{kernel_tag_fc%{fedora}} -%global kernel_release %{kernel_release_fc%{fedora}} -%global fedora_title %{fedora_title_fc%{fedora}} - -%global kernel_version %(echo %{kernel_tag} | cut -d'-' -f2) -%global kernel_majorver %(echo %{kernel_version} | cut -d'.' 
-f1-2) -%global kernel_patches patches/%{kernel_majorver} - -%global kernel_localversion %{kernel_release}.surface%{?dist}.%{_target_cpu} -%global kernel_config kernel-%{kernel_version}-%{_target_cpu}.config -%global kernel_name %{kernel_version}-%{kernel_localversion} - -%global fedora_source https://github.com/StollD/linux-fedora -%global surface_source https://raw.githubusercontent.com/linux-surface/linux-surface/%{ls_patches_commit} - -%global kernel_modpath %{buildroot}/lib/modules/%{kernel_name} - -# -# Actual specfile starts here -# - -%bcond_with signkernel - -Name: kernel-surface -Summary: The Linux Kernel with patches for Microsoft Surface -Version: %{kernel_version} -Release: %{kernel_release}%{?dist} -License: GPLv2 -URL: https://github.com/linux-surface/linux-surface - -Provides: installonlypkg(kernel-surface) -Provides: kernel-uname-r = %{kernel_name} -Provides: kernel-core-uname-r = %{kernel_name} -Provides: kernel-modules-uname-r = %{kernel_name} - -Recommends: iptsd - -Requires(pre): coreutils, systemd >= 203-2, /usr/bin/kernel-install -Requires(pre): dracut >= 027 -Requires(pre): linux-firmware >= 20150904-56.git6ebf5d57 -Requires(preun): systemd >= 200 - -BuildRequires: openssl openssl-devel -BuildRequires: kmod, patch, bash, tar, git-core, sbsigntools -BuildRequires: bzip2, xz, findutils, gzip, m4, perl-interpreter, -BuildRequires: perl-Carp, perl-devel, perl-generators, make, diffutils, -BuildRequires: gawk, gcc, binutils, redhat-rpm-config, hmaccalc, bison -BuildRequires: flex, net-tools, hostname, bc, elfutils-devel -BuildRequires: gcc-plugin-devel dwarves - -# Used to mangle unversioned shebangs to be Python 3 -BuildRequires: python3-devel - -Conflicts: xfsprogs < 4.3.0-1 -Conflicts: xorg-x11-drv-vmmouse < 13.0.99 -BuildConflicts: rhbuildsys(DiskFree) < 500Mb -BuildConflicts: rpm < 4.13.0.1-19 -BuildConflicts: dwarves < 1.13 - -Source0: %{fedora_source}/archive/%{kernel_tag}.tar.gz -Source1: 
%{surface_source}/configs/surface-%{kernel_majorver}.config -Source2: fedora.config - -%if %{with signkernel} -Source20: %{sb_crt} -Source21: %{sb_key} -%endif - -Source100: mod-sign.sh -Source101: parallel_xz.sh - -Patch0: %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch -Patch1: %{surface_source}/%{kernel_patches}/0002-mwifiex.patch -Patch2: %{surface_source}/%{kernel_patches}/0003-ath10k.patch -Patch3: %{surface_source}/%{kernel_patches}/0004-ipts.patch -Patch4: %{surface_source}/%{kernel_patches}/0005-ithc.patch -Patch5: %{surface_source}/%{kernel_patches}/0006-surface-sam.patch -Patch6: %{surface_source}/%{kernel_patches}/0007-surface-sam-over-hid.patch -Patch7: %{surface_source}/%{kernel_patches}/0008-surface-button.patch -Patch8: %{surface_source}/%{kernel_patches}/0009-surface-typecover.patch -Patch9: %{surface_source}/%{kernel_patches}/0010-surface-shutdown.patch -Patch10: %{surface_source}/%{kernel_patches}/0011-surface-gpe.patch -Patch11: %{surface_source}/%{kernel_patches}/0012-cameras.patch -Patch12: %{surface_source}/%{kernel_patches}/0013-amd-gpio.patch -Patch13: %{surface_source}/%{kernel_patches}/0014-rtc.patch - -Patch100: 0001-Add-secureboot-pre-signing-to-the-kernel.patch - -ExclusiveArch: x86_64 - -%global debug_package %{nil} -%global _build_id_links alldebug - -%description -The Linux Kernel, the operating system core itself, with support for -Microsoft Surface. - -%package devel -Summary: Development package for building kernel modules for kernel-surface -AutoReqProv: no -Provides: installonlypkg(kernel-surface) -Provides: kernel-devel-uname-r = %{kernel_name} - -%description devel -This package provides kernel headers and makefiles sufficient to build modules -against the kernel-surface package. 
- -%prep -%autosetup -S git -n linux-fedora-%{kernel_tag} - -# Fix missing Makefile.rhelver -touch Makefile.rhelver - -scripts/kconfig/merge_config.sh \ - fedora/configs/%{kernel_config} \ - %{SOURCE1} \ - %{SOURCE2} - -echo $((%{kernel_release} - 1)) > .version - -# Copy secureboot certificates if they are available -%if %{with signkernel} -mkdir -p keys -cp %{SOURCE20} keys/MOK.crt -cp %{SOURCE21} keys/MOK.key -%endif - -# This Prevents scripts/setlocalversion from mucking with our version numbers. -touch .scmversion - -# Mangle /usr/bin/python shebangs to /usr/bin/python3 -# Mangle all Python shebangs to be Python 3 explicitly -# -p preserves timestamps -# -n prevents creating ~backup files -# -i specifies the interpreter for the shebang -# This fixes errors such as -# *** ERROR: ambiguous python shebang in /usr/bin/kvm_stat: #!/usr/bin/python. Change it to python3 (or python2) explicitly. -# We patch all sources below for which we got a report/error. -pathfix.py -i "%{__python3} %{py3_shbang_opts}" -p -n \ - tools/kvm/kvm_stat/kvm_stat \ - scripts/show_delta \ - scripts/diffconfig \ - scripts/bloat-o-meter \ - scripts/jobserver-exec \ - tools \ - Documentation \ - scripts/clang-tools - -%build - -# This ensures build-ids are unique to allow parallel debuginfo -perl -p -i -e "s/^CONFIG_BUILD_SALT.*/CONFIG_BUILD_SALT=\"%{kernel_name}\"/" .config - -make %{?_smp_mflags} all LOCALVERSION=-%{kernel_localversion} ARCH=%{_target_cpu} - -%define __modsign_install_post \ - %{SOURCE100} certs/signing_key.pem certs/signing_key.x509 %{kernel_modpath} \ - find %{kernel_modpath} -type f -name '*.ko' | %{SOURCE101} %{?_smp_mflags}; \ -%{nil} - -# -# Disgusting hack alert! We need to ensure we sign modules *after* all -# invocations of strip occur. 
-# -%define __spec_install_post \ - %{?__debug_package:%{__debug_install_post}}\ - %{__arch_install_post}\ - %{__os_install_post}\ - %{__modsign_install_post} - -%install -mkdir -p %{buildroot}/boot - -# Install modules -make %{?_smp_mflags} INSTALL_MOD_PATH=%{buildroot} modules_install KERNELRELEASE=%{kernel_name} - -# Install vmlinuz -image_name=$(make -s image_name) -install -m 755 $image_name %{buildroot}/boot/vmlinuz-%{kernel_name} -install -m 755 $image_name %{kernel_modpath}/vmlinuz - -# Install System.map and .config -install -m 644 System.map %{kernel_modpath}/System.map -install -m 644 System.map %{buildroot}/boot/System.map-%{kernel_name} -install -m 644 .config %{kernel_modpath}/config -install -m 644 .config %{buildroot}/boot/config-%{kernel_name} - -# hmac sign the kernel for FIPS -sha512hmac %{buildroot}/boot/vmlinuz-%{kernel_name} | sed -e "s,%{buildroot},," > %{kernel_modpath}/.vmlinuz.hmac -cp %{kernel_modpath}/.vmlinuz.hmac %{buildroot}/boot/.vmlinuz-%{kernel_name}.hmac - -# mark modules executable so that strip-to-file can strip them -find %{kernel_modpath} -name "*.ko" -type f | xargs --no-run-if-empty chmod u+x - -# Setup directories for -devel files -rm -f %{kernel_modpath}/build -rm -f %{kernel_modpath}/source -mkdir -p %{kernel_modpath}/build -pushd %{kernel_modpath} - ln -s build source -popd - -# first copy everything -cp --parents $(find -type f -name "Makefile*" -o -name "Kconfig*") %{kernel_modpath}/build -cp Module.symvers %{kernel_modpath}/build -cp System.map %{kernel_modpath}/build -if [ -s Module.markers ]; then - cp Module.markers %{kernel_modpath}/build -fi - -# then drop all but the needed Makefiles/Kconfig files -rm -rf %{kernel_modpath}/build/scripts -rm -rf %{kernel_modpath}/build/include -cp .config %{kernel_modpath}/build -cp -a scripts %{kernel_modpath}/build -rm -rf %{kernel_modpath}/build/scripts/tracing -rm -f %{kernel_modpath}/build/scripts/spdxcheck.py - -if [ -f tools/objtool/objtool ]; then - cp -a 
tools/objtool/objtool %{kernel_modpath}/build/tools/objtool/ || : - - # these are a few files associated with objtool - cp -a --parents tools/build/Build.include %{kernel_modpath}/build/ - cp -a --parents tools/build/Build %{kernel_modpath}/build/ - cp -a --parents tools/build/fixdep.c %{kernel_modpath}/build/ - cp -a --parents tools/scripts/utilities.mak %{kernel_modpath}/build/ - - # also more than necessary but it's not that many more files - cp -a --parents tools/objtool/* %{kernel_modpath}/build/ - cp -a --parents tools/lib/str_error_r.c %{kernel_modpath}/build/ - cp -a --parents tools/lib/string.c %{kernel_modpath}/build/ - cp -a --parents tools/lib/subcmd/* %{kernel_modpath}/build/ -fi - -if [ -d arch/x86/scripts ]; then - cp -a arch/x86/scripts %{kernel_modpath}/build/arch/x86/ || : -fi - -if [ -f arch/x86/*lds ]; then - cp -a arch/x86/*lds %{kernel_modpath}/build/arch/x86/ || : -fi - -if [ -f arch/x86/kernel/module.lds ]; then - cp -a --parents arch/x86/kernel/module.lds %{kernel_modpath}/build/ -fi - -rm -f %{kernel_modpath}/build/scripts/*.o -rm -f %{kernel_modpath}/build/scripts/*/*.o - -if [ -d arch/x86/include ]; then - cp -a --parents arch/x86/include %{kernel_modpath}/build/ -fi - -cp -a include %{kernel_modpath}/build/include - -# files for 'make prepare' to succeed with kernel-devel -cp -a --parents arch/x86/entry/syscalls/syscall_32.tbl %{kernel_modpath}/build/ -cp -a --parents arch/x86/entry/syscalls/syscall_64.tbl %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs_32.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs_64.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs_common.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/tools/relocs.h %{kernel_modpath}/build/ - -cp -a --parents scripts/syscalltbl.sh %{kernel_modpath}/build/ -cp -a --parents scripts/syscallhdr.sh %{kernel_modpath}/build/ - -# Yes this is more includes than we 
probably need. Feel free to sort out -# dependencies if you so choose. -cp -a --parents tools/include/* %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/purgatory.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/stack.S %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/setup-x86_64.S %{kernel_modpath}/build/ -cp -a --parents arch/x86/purgatory/entry64.S %{kernel_modpath}/build/ -cp -a --parents arch/x86/boot/string.h %{kernel_modpath}/build/ -cp -a --parents arch/x86/boot/string.c %{kernel_modpath}/build/ -cp -a --parents arch/x86/boot/ctype.h %{kernel_modpath}/build/ - -# Make sure the Makefile, version.h, and auto.conf have a matching -# timestamp so that external modules can be built - -touch -r %{kernel_modpath}/build/Makefile \ - %{kernel_modpath}/build/include/generated/uapi/linux/version.h \ - %{kernel_modpath}/build/include/config/auto.conf - -mkdir -p %{buildroot}/usr/src/kernels -mv %{kernel_modpath}/build %{buildroot}/usr/src/kernels/%{kernel_name} - -# This is going to create a broken link during the build, but we don't use -# it after this point. We need the link to actually point to something -# when kernel-devel is installed, and a relative link doesn't work across -# the F17 UsrMove feature. -ln -sf /usr/src/kernels/%{kernel_name} %{kernel_modpath}/build - -# prune junk from kernel-devel -find %{buildroot}/usr/src/kernels -name ".*.cmd" -delete - -# remove files that will be auto generated by depmod at rpm -i time -pushd %{kernel_modpath} - rm -f modules.{alias*,builtin.bin,dep*,*map,symbols*,devname,softdep} -popd - -# build a BLS config for this kernel -cat >%{kernel_modpath}/bls.conf < -- Initial version diff --git a/pkg/fedora/kernel-surface/mod-sign.sh b/pkg/fedora/kernel-surface/mod-sign.sh deleted file mode 100755 index 5081e77dc..000000000 --- a/pkg/fedora/kernel-surface/mod-sign.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#! /bin/bash - -# The modules_sign target checks for corresponding .o files for every .ko that -# is signed. This doesn't work for package builds which re-use the same build -# directory for every flavour, and the .config may change between flavours. -# So instead of using this script to just sign lib/modules/$KernelVer/extra, -# sign all .ko in the buildroot. - -# This essentially duplicates the 'modules_sign' Kbuild target and runs the -# same commands for those modules. - -MODSECKEY=$1 -MODPUBKEY=$2 - -moddir=$3 - -modules=`find $moddir -name *.ko` - -for mod in $modules -do - dir=`dirname $mod` - file=`basename $mod` - - ./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file} - rm -f ${dir}/${file}.{sig,dig} -done - -RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | head -n 1) -if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then - echo "*****************************" - echo "*** Modules are unsigned! ***" - echo "*****************************" - exit 1 -fi - -exit 0 diff --git a/pkg/fedora/kernel-surface/parallel_xz.sh b/pkg/fedora/kernel-surface/parallel_xz.sh deleted file mode 100755 index bc08a548d..000000000 --- a/pkg/fedora/kernel-surface/parallel_xz.sh +++ /dev/null 
@@ -1,26 +0,0 @@
-#!/bin/sh
-# Reads filenames on stdin, xz-compresses each in place.
-# Not optimal for "compress relatively few, large files" scenario!
-
-# How many xz's to run in parallel:
-procgroup=""
-while test "$#" != 0; do
- # Get it from -jNUM
- N="${1#-j}"
- if test "$N" = "$1"; then
- # Not -j - warn and ignore
- echo "parallel_xz: warning: unrecognized argument: '$1'"
- else
- procgroup="$N"
- fi
- shift
-done
-
-# If told to use only one cpu:
-test "$procgroup" || exec xargs -r xz
-test "$procgroup" = 1 && exec xargs -r xz
-
-# xz has some startup cost. If files are really small,
-# this cost might be significant. To combat this,
-# process several files (in sequence) by each xz process via -n 16:
-exec xargs -r -n 16 -P $procgroup xz
From 5dffa283ee51ed05c6d173ce63237ed97cf078f6 Mon Sep 17 00:00:00 2001
From: Dorian Stoll
Date: Sat, 13 May 2023 20:46:57 +0200
Subject: [PATCH 2/9] pkg: fedora: Add new package build scripts for building patched kernels
These scripts use the kernel-ark repository that upstream Fedora uses too to build their kernels.
---
 pkg/fedora/kernel-surface/.gitignore | 6 +-
 pkg/fedora/kernel-surface/build-ark.py | 171 ++++++++++++++++++
 .../kernel-surface/build-linux-surface.py | 111 ++++++++++++
 pkg/fedora/kernel-surface/configs/.gitkeep | 0
 .../kernel-surface/configs/fedora.config | 7 +
 pkg/fedora/kernel-surface/files/.gitkeep | 0
 pkg/fedora/kernel-surface/patches/.gitkeep | 0
 .../secureboot/0001-secureboot.patch | 60 ++++++
 8 files changed, 353 insertions(+), 2 deletions(-)
 create mode 100755 pkg/fedora/kernel-surface/build-ark.py
 create mode 100755 pkg/fedora/kernel-surface/build-linux-surface.py
 create mode 100644 pkg/fedora/kernel-surface/configs/.gitkeep
 create mode 100644 pkg/fedora/kernel-surface/configs/fedora.config
 create mode 100644 pkg/fedora/kernel-surface/files/.gitkeep
 create mode 100644 pkg/fedora/kernel-surface/patches/.gitkeep
 create mode 100644 pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch
diff --git a/pkg/fedora/kernel-surface/.gitignore b/pkg/fedora/kernel-surface/.gitignore
index 93ce722d5..e20d2e79f 100644
--- a/pkg/fedora/kernel-surface/.gitignore
+++ b/pkg/fedora/kernel-surface/.gitignore
@@ -1,2 +1,4 @@
-surface.key
-surface.crt
+secureboot/MOK.key
+secureboot/MOK.crt
+kernel-ark
+out
diff --git a/pkg/fedora/kernel-surface/build-ark.py b/pkg/fedora/kernel-surface/build-ark.py
new file mode 100755
index 000000000..347b46041
--- /dev/null
+++ b/pkg/fedora/kernel-surface/build-ark.py
@@ -0,0 +1,171 @@ +#!/usr/bin/env python3 + +import argparse +import functools +import operator +import os +import shutil +import subprocess +import time + + +def system(cmd: str) -> None: + subprocess.run(cmd, shell=True, check=True) + + +parser = argparse.ArgumentParser(usage="Build a patched Fedora kernel") + +parser.add_argument( + "--package-name", + help="The name of the patched package (e.g. foo -> kernel-foo).", + required=True, +) + +parser.add_argument( + "--package-tag", + help="The upstream tag to build.", + required=True, +) + +parser.add_argument( + "--package-release", + help="The release suffix of the modified package.", + required=True, +) + +parser.add_argument( + "--ark-dir", + help="The local path to the kernel-ark repository.", + default="kernel-ark", +) + +parser.add_argument( + "--ark-url", + help="The remote path to the kernel-ark repository.", + default="https://gitlab.com/cki-project/kernel-ark", +) + +parser.add_argument( + "--patch", + help="Applies a patch to the kernel source.", + action="append", + nargs="+", +) + +parser.add_argument( + "--config", + help="Applies a KConfig fragment to the kernel source.", + action="append", + nargs="+", +) + +parser.add_argument( + "--file", + help="Copy a file into the RPM buildroot.", + action="append", + nargs="+", +) + +parser.add_argument( + "--buildopts", + help="Enable or disable options of the kernel spec file.", + action="append", + nargs="+", +) + +parser.add_argument( + "--outdir", + help="The directory where the built RPM files will be saved.", + default="out", +) + +args = parser.parse_args() + +patches = [] if not args.patch else functools.reduce(operator.add, args.patch) +configs = [] if not args.config else functools.reduce(operator.add, args.config) +files = [] if not args.file else functools.reduce(operator.add, args.file) +buildopts = [] if not args.buildopts else functools.reduce(operator.add, args.buildopts) + +# Make paths absolute. 
+patches = [os.path.realpath(x) for x in patches] +configs = [os.path.realpath(x) for x in configs] +files = [os.path.realpath(x) for x in files] +outdir = os.path.realpath(args.outdir) + +# Clone the kernel-ark repository if it doesn't exist. +if not os.path.exists(args.ark_dir): + system("git clone '%s' '%s'" % (args.ark_url, args.ark_dir)) + +os.chdir(args.ark_dir) + +# Check out the requested tag. +system("git fetch --tags") +system("git clean -dfx") +system("git checkout -b 'build/%s'" % time.time()) +system("git reset --hard '%s'" % args.package_tag) + +# Apply patches +for patch in patches: + system("git am '%s'" % patch) + +# Copy files +for file in files: + shutil.copy(file, "redhat/fedora_files/") + +# Apply config options +# +# The format that the kernel-ark tree expects is a bit different from +# a standard kernel config. Every option is split into a single file +# named after that config. +# +# Example: +# $ cat redhat/configs/common/generic/CONFIG_PCI +# CONFIG_PCI=y +# +# This supposedly makes things easier for Red Hat developers, +# but it also ends up being really annoying for us. 
+for config in configs: + with open(config) as f: + lines = f.readlines() + + # Filter out comments, this means only selecting lines that look like: + # - CONFIG_FOO=b + # - # CONFIG_FOO is not set + for line in lines: + enable = line.startswith("CONFIG_") + disable = line.startswith("# CONFIG_") + + if not enable and not disable: + continue + + NAME = "" + + if enable: + NAME = line.split("=")[0] + elif disable: + NAME = line[2:].split(" ")[0] + + print("Applying %s" % line.rstrip("\n")) + + with open("redhat/configs/custom-overrides/generic/%s" % NAME, "w") as f: + f.write(line) + +system("git add redhat/configs/custom-overrides/generic") +system("git commit -m 'Merge %s config'" % args.package_name) + +cmd = [] +cmd.append("make") +cmd.append("dist-rpms") +cmd.append("SPECPACKAGE_NAME='kernel-%s'" % args.package_name) +cmd.append("DISTLOCALVERSION='.%s'" % args.package_name) +cmd.append("BUILD='%s'" % args.package_release) + +if len(buildopts) > 0: + cmd.append("BUILDOPTS='%s'" % " ".join(buildopts)) + +# Build RPMS +system(" ".join(cmd)) + +# Copy built RPMS to output directory +os.makedirs(outdir, exist_ok=True) +system("cp -r redhat/rpm/RPMS/* '%s'" % outdir) diff --git a/pkg/fedora/kernel-surface/build-linux-surface.py b/pkg/fedora/kernel-surface/build-linux-surface.py new file mode 100755 index 000000000..9072c69d7 --- /dev/null +++ b/pkg/fedora/kernel-surface/build-linux-surface.py 
@@ -0,0 +1,111 @@ +#!/usr/bin/env python3 + +import subprocess +import sys +from pathlib import Path + +##################################################################### + +## +## The name of the modified kernel package. +## +PACKAGE_NAME = "surface" + +## +## https://gitlab.com/cki-project/kernel-ark/-/tags +## +## Fedora tags: kernel-X.Y.Z +## Upstream tags: vX.Y.Z +## +PACKAGE_TAG = "kernel-6.3.6-0" + +## +## The release number of the modified kernel package. +## e.g. 300 for kernel-6.3.1-300.fc38.foo +## +PACKAGE_RELEASE = "1" + +## +## Build options for configuring which parts of the kernel package are enabled. +## +## We disable all userspace components because we only want the kernel + modules. +## We also don't care too much about debug info or UKI. +## +## To list the available options, run make dist-full-help in the kernel-ark tree. +## +KERNEL_BUILDOPTS = "+up +baseonly -debuginfo -doc -headers -efiuki" + +##################################################################### + +# The directory where this script is saved. +script = Path(sys.argv[0]).resolve().parent + +# The root of the linux-surface repository. +linux_surface = script / ".." / ".." / ".." + +# Determine the major version of the kernel. +kernel_version = PACKAGE_TAG.split("-")[1] +kernel_major = ".".join(kernel_version.split(".")[:2]) + +# Determine the patches directory and config file. +patches = linux_surface / "patches" / kernel_major +config = linux_surface / "configs" / ("surface-%s.config" % kernel_major) + +sb_cert = script / "secureboot" / "MOK.crt" +sb_key = script / "secureboot" / "MOK.key" + +# Check if the major version is supported. +if not patches.exists() or not config.exists(): + print("ERROR: Could not find patches / configs for kernel %s!" % kernel_major) + sys.exit(1) + +# Check if Secure Boot keys are available. +sb_avail = sb_cert.exists() and sb_key.exists() + +# If we are building without secureboot, require user input to continue. 
+if not sb_avail: + print("") + print("Secure Boot keys were not configured! Using Red Hat testkeys.") + print("The compiled kernel will not boot with Secure Boot enabled!") + print("") + + input("Press any key to continue") + +# Expand globs +surface_patches = list(patches.glob("*.patch")) + +cmd = [] +cmd += [script / "build-ark.py"] +cmd += ["--package-name", PACKAGE_NAME] +cmd += ["--package-tag", PACKAGE_TAG] +cmd += ["--package-release", PACKAGE_RELEASE] +cmd += ["--patch"] + surface_patches +cmd += ["--config", config] +cmd += ["--buildopts", KERNEL_BUILDOPTS] + +local_patches = list((script / "patches").glob("*.patch")) +local_configs = list((script / "configs").glob("*.config")) +local_files = list((script / "files").glob("*")) + +if len(local_patches) > 0: + cmd += ["--patch"] + local_patches + +if len(local_configs) > 0: + cmd += ["--config"] + local_configs + +if len(local_files) > 0: + cmd += ["--file"] + local_files + +if sb_avail: + sb_patches = list((script / "secureboot").glob("*.patch")) + sb_configs = list((script / "secureboot").glob("*.config")) + + if len(sb_patches) > 0: + cmd += ["--patch"] + sb_patches + + if len(sb_configs) > 0: + cmd += ["--config"] + sb_configs + + cmd += ["--file", sb_cert, sb_key] + +subprocess.run(cmd, check=True) diff --git a/pkg/fedora/kernel-surface/configs/.gitkeep b/pkg/fedora/kernel-surface/configs/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/fedora/kernel-surface/configs/fedora.config b/pkg/fedora/kernel-surface/configs/fedora.config new file mode 100644 index 000000000..ee8cc1e7e --- /dev/null +++ b/pkg/fedora/kernel-surface/configs/fedora.config @@ -0,0 +1,7 @@ +## +## Config options specific to Fedora +## + +# The build fails because this is not enabled in the config set for RHEL, +# but enabled automatically by one of our patches. +CONFIG_VIDEO_V4L2_SUBDEV_API=y 
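Review bot: `kernel_version = PACKAGE_TAG.split("-")[1]` only handles the `kernel-X.Y.Z-N` form, although the comment above `PACKAGE_TAG` documents upstream `vX.Y.Z` tags as valid: a tag like `v6.3.6` has no `-`, so the index raises IndexError, and a release-candidate tag like `v6.4-rc1` would yield `rc1` as the version. One line covers all three forms: `kernel_version = PACKAGE_TAG.removeprefix("kernel-").removeprefix("v").split("-")[0]`. Separately, `sb_avail = sb_cert.exists() and sb_key.exists()` only tests existence, so a zero-byte `MOK.key` (which the workflow's `base64 -d` of an empty secret produces) is accepted here and the failure surfaces later inside sbsign; `sb_key.stat().st_size > 0` is the stronger test. The `input("Press any key to continue")` fallback raises EOFError when stdin is not a terminal, which is the case in CI, so it should be gated on `sys.stdin.isatty()` with a non-zero exit otherwise.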
diff --git a/pkg/fedora/kernel-surface/files/.gitkeep b/pkg/fedora/kernel-surface/files/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/fedora/kernel-surface/patches/.gitkeep b/pkg/fedora/kernel-surface/patches/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch
new file mode 100644
index 000000000..1f8ca29f7
--- /dev/null
+++ b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch
@@ -0,0 +1,60 @@ +From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001 +From: Dorian Stoll +Date: Sat, 13 May 2023 16:39:50 +0200 +Subject: [PATCH] Use a custom key and certificate for Secure Boot signing + +Signed-off-by: Dorian Stoll +--- + redhat/kernel.spec.template | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template +index 51f43b21b018..76d1ad8e2818 100644 +--- a/redhat/kernel.spec.template ++++ b/redhat/kernel.spec.template +@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs + %ifarch x86_64 aarch64 + BuildRequires: nss-tools + BuildRequires: pesign >= 0.10-4 ++BuildRequires: sbsigntools + %endif + %endif + %endif +@@ -762,6 +763,13 @@ Source1: Makefile.rhelver + %define signing_key_filename kernel-signing-s390.cer + %endif + ++%ifarch x86_64 aarch64 ++ ++Source7001: MOK.key ++Source7002: MOK.crt ++ ++%endif ++ + %if %{?released_kernel} + + Source10: redhatsecurebootca5.cer +@@ -1860,9 +1868,7 @@ BuildKernel() { + fi + + %ifarch x86_64 aarch64 +- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} +- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} +- rm vmlinuz.tmp ++ sbsign --key %{SOURCE7001} --cert %{SOURCE7002} --output vmlinuz.signed $SignImage + %endif + %ifarch s390x ppc64le + if [ -x /usr/bin/rpm-sign ]; then +@@ -2393,9 +2399,6 @@ BuildKernel() { + # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer + %ifarch x86_64 aarch64 +- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer +- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer +- ln -s kernel-signing-ca-20200609.cer 
$RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
+--
+2.40.1
+
From a6038d7004a68567ccbd31830024c8adacecd1cb Mon Sep 17 00:00:00 2001
From: Dorian Stoll
Date: Sun, 14 May 2023 09:23:07 +0200
Subject: [PATCH 3/9] pkg: fedora: Readd weak dependency on iptsd
---
 .../kernel-surface/patches/0001-iptsd.patch | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 pkg/fedora/kernel-surface/patches/0001-iptsd.patch
diff --git a/pkg/fedora/kernel-surface/patches/0001-iptsd.patch b/pkg/fedora/kernel-surface/patches/0001-iptsd.patch
new file mode 100644
index 000000000..1add9f26f
--- /dev/null
+++ b/pkg/fedora/kernel-surface/patches/0001-iptsd.patch
@@ -0,0 +1,25 @@
+From 5fc0582727cb64230d1c2ac02001263f92a9b82c Mon Sep 17 00:00:00 2001
+From: Dorian Stoll
+Date: Sun, 14 May 2023 09:21:43 +0200
+Subject: [PATCH] Pull in iptsd as a weak dependency
+
+Signed-off-by: Dorian Stoll
+---
+ redhat/kernel.spec.template | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..d61276b49d95 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -938,6 +938,7 @@ Requires(pre): %{kernel_prereq}\
+ Requires(pre): %{initrd_prereq}\
+ Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\
+ Recommends: linux-firmware\
++Recommends: iptsd\
+ Requires(preun): systemd >= 200\
+ Conflicts: xfsprogs < 4.3.0-1\
+ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
+--
+2.40.1
+
From ae772bae3bb1336ef486dfbdaac637be496d5b26 Mon Sep 17 00:00:00 2001
From: Dorian Stoll
Date: Sun, 14 May 2023 10:44:51 +0200
Subject: [PATCH 4/9] pkg: fedora: Update Fedora 37 and 38 workflows to use the new scripts
---
 .github/workflows/fedora-37.yml | 28 ++++++++++++++++------------
 .github/workflows/fedora-38.yml | 28 ++++++++++++++++------------
 2 files changed, 32 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/fedora-37.yml b/.github/workflows/fedora-37.yml
index f1926b42d..f7eea0645 100644
--- a/.github/workflows/fedora-37.yml
+++ b/.github/workflows/fedora-37.yml
@@ -12,9 +12,7 @@ jobs:
 build:
 name: Build Kernel
 runs-on: ubuntu-latest
- container:
- image: registry.fedoraproject.org/fedora:37
- options: --security-opt seccomp=unconfined
+ container: registry.fedoraproject.org/fedora:37
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
@@ -22,25 +20,33 @@ jobs:
 - name: Install build dependencies
 run: |
 dnf distro-sync -y
+ dnf install -y git make gcc flex bison bzip2 rpm-build
 dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
- dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
+
+ # Install build dependencies
+ dnf builddep -y kernel
+
+ # Install additional build dependencies
+ dnf install -y sbsigntools
 - name: Setup secureboot certificate
 env:
 SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
 run: |
- cd pkg
- # Install the surface secureboot certificate
- echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
- cp keys/surface.crt fedora/kernel-surface/surface.crt
+ echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
+ cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
 - name: Build packages
 run: |
 cd pkg/fedora/kernel-surface
+ # setup git
+ git config --global user.email "surfacebot@users.noreply.github.com"
+ git config --global user.name "surfacebot"
+
 # Build the .rpm packages
- ../makerpm -- --with=signkernel -ba
+ python3 build-linux-surface.py
 - name: Sign packages
 env:
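Review bot: The `Setup secureboot certificate` step writes the decoded private key to `pkg/fedora/kernel-surface/secureboot/MOK.key` with the runner's default umask and runs even when `secrets.SURFACE_SB_KEY` is empty (pull requests from forks), in which case `base64 -d` produces a zero-byte file that `build-linux-surface.py` accepts, since its `sb_avail` check only tests that the file exists, and the build then fails later inside sbsign instead of falling back to the unsigned path. Gating the step with `if: ${{ secrets.SURFACE_SB_KEY != '' }}` and following the write with `chmod 600 pkg/fedora/kernel-surface/secureboot/MOK.key` keeps the unsigned fallback working and keeps the key readable only by the build user. The identical hunk in `.github/workflows/fedora-38.yml` needs the same change. The `Sign packages` step at the end of the hunk continues outside it.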
@@ -84,9 +90,7 @@ jobs: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: - image: fedora:37 - options: --security-opt seccomp=unconfined + container: registry.fedoraproject.org/fedora:37 steps: - name: Install dependencies run: | diff --git a/.github/workflows/fedora-38.yml b/.github/workflows/fedora-38.yml index 2413f6393..a7b3a2103 100644 --- a/.github/workflows/fedora-38.yml +++ b/.github/workflows/fedora-38.yml @@ -12,9 +12,7 @@ jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: - image: registry.fedoraproject.org/fedora:38 - options: --security-opt seccomp=unconfined + container: registry.fedoraproject.org/fedora:38 steps: - name: Checkout code uses: actions/checkout@v3 @@ -22,25 +20,33 @@ jobs: - name: Install build dependencies run: | dnf distro-sync -y + dnf install -y git make gcc flex bison bzip2 rpm-build dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' - dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec + + # Install build dependencies + dnf builddep -y kernel + + # Install additional build dependencies + dnf install -y sbsigntools - name: Setup secureboot certificate env: SB_KEY: ${{ secrets.SURFACE_SB_KEY }} run: | - cd pkg - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key - cp keys/surface.crt fedora/kernel-surface/surface.crt + echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key + cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt - name: Build packages run: | cd pkg/fedora/kernel-surface + # setup git + git config --global user.email "surfacebot@users.noreply.github.com" + git config --global user.name "surfacebot" + # Build the .rpm packages - ../makerpm -- --with=signkernel -ba + python3 build-linux-surface.py - name: Sign packages env: 
@@ -84,9 +90,7 @@ jobs: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: - image: fedora:38 - options: --security-opt seccomp=unconfined + container: registry.fedoraproject.org/fedora:38 steps: - name: Install dependencies run: | From e4c653f2afff086769a55f1028f391066fd4792b Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Sun, 14 May 2023 14:51:02 +0200 Subject: [PATCH 5/9] pkg: fedora: Remove rpmbuild wrapper script --- pkg/fedora/makerpm | 117 --------------------------------------------- 1 file changed, 117 deletions(-) delete mode 100755 pkg/fedora/makerpm diff --git a/pkg/fedora/makerpm b/pkg/fedora/makerpm deleted file mode 100755 index 10fdd54bc..000000000 --- a/pkg/fedora/makerpm +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/bin/sh - -# Default to using the first specfile in the current directory -SPEC="*.spec" -OPTS="-ba" - -SIGN=0 -KEY="" - -BUILD=".build" -RPMS="out" - -usage() { - echo "Usage: $0 [OPTION]..." - echo "Wrapper for rpmbuild that is easier to use." - echo - echo "Options:" - echo " -h This help message" - echo " -f The specfile to build from" - echo " -c Clean the build artifacts" - echo " -s Sign the produced RPM packages" - echo " -k The GPG key to use for signing" - exit -} - -clean() { - rm -rf $BUILD - rm -rf $RPMS - exit -} - -while getopts ":hcsf:k:" args; do - case "$args" in - f) - SPEC=$OPTARG - ;; - s) - SIGN=1 - ;; - k) - KEY=$OPTARG - ;; - c) - clean - ;; - h) - usage - ;; - esac -done -shift $((OPTIND-1)) - -if [ ! "$*" = "" ]; then - OPTS="$*" -fi - -# Check if the specfile exists -if [ "$(ls -f $SPEC | wc -l)" = "0" ]; then - echo "ERROR: No specfile found. Specify it with the -s option." - exit -2 -fi - -# Check if there are too many specfiles -if [ ! "$(ls -f $SPEC | wc -l)" = "1" ]; then - echo "ERROR: Ambiguous matches for specfile. Please specify a single" \ - "file through the -s option." - exit -7 -fi - -# Get the directory of the specfile -SPEC=$(ls -f $SPEC) -DIR=$(readlink -f $(dirname $SPEC)) - -if [ ! -d "$DIR/$BUILD" ]; then - mkdir "$DIR/$BUILD" -fi - -FILES=$(find $DIR -maxdepth 1); -for file in $FILES; do - [ "$file" = "$DIR" ] && continue - [ "$file" = "$DIR/$BUILD" ] && continue - [ "$file" = "$DIR/$RPMS" ] && continue - - cp -r "$file" "$DIR/$BUILD" -done - -spectool \ - --define "_sourcedir $DIR/$BUILD" \ - --define "_builddir $DIR/$BUILD" \ - --define "_srcrpmdir $DIR/$RPMS" \ - --define "_rpmdir $DIR/$RPMS" \ - --define "_specdir $DIR" \ - --get-files --all \ - --directory $DIR/$BUILD $SPEC - -echo - -rpmbuild \ - --define "_sourcedir $DIR/$BUILD" \ - --define "_builddir $DIR/$BUILD" \ - --define "_srcrpmdir $DIR/$RPMS" \ - --define "_rpmdir $DIR/$RPMS" \ - --define "_specdir $DIR" \ - $OPTS $SPEC - -if [ ! 
"$SIGN" = "1" ]; then - exit -fi - -for file in $(find out/ -name '*.rpm'); do - echo "Signing $file" - if [ "$KEY" = "" ]; then - rpm --resign $file 2>&1 > /dev/null - else - rpm --resign $file --define "_gpg_name $KEY" 2>&1 > /dev/null - fi -done From 9a550fda701bf68c5e595ef549f4ae10e51327c4 Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Fri, 26 May 2023 11:09:40 +0200 Subject: [PATCH 6/9] pkg: fedora: Let kernel-surface provide standard kernel package names --- .../patches/0002-provides.patch | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 pkg/fedora/kernel-surface/patches/0002-provides.patch diff --git a/pkg/fedora/kernel-surface/patches/0002-provides.patch b/pkg/fedora/kernel-surface/patches/0002-provides.patch new file mode 100644 index 000000000..6a109fe9f --- /dev/null +++ b/pkg/fedora/kernel-surface/patches/0002-provides.patch 
@@ -0,0 +1,57 @@ +From 4f7a333fc3dbacc4b3fa25ea117cb59f865878af Mon Sep 17 00:00:00 2001 +From: Dorian Stoll +Date: Sun, 14 May 2023 15:04:22 +0200 +Subject: [PATCH] Let kernel-surface provide the standard package names + +Signed-off-by: Dorian Stoll +--- + redhat/kernel.spec.template | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template +index 51f43b21b018..2d91719b7d93 100644 +--- a/redhat/kernel.spec.template ++++ b/redhat/kernel.spec.template +@@ -598,6 +598,7 @@ Requires: kernel-core-uname-r = %{KVERREL} + Requires: kernel-modules-uname-r = %{KVERREL} + Requires: kernel-modules-core-uname-r = %{KVERREL} + Provides: installonlypkg(kernel) ++Provides: kernel = %{KVERREL} + %endif + + +@@ -1226,6 +1227,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2} + Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{specrpmversion}-%{release}\ + Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\ + Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\ ++Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\ + Provides: installonlypkg(kernel)\ + AutoReqProv: no\ + Requires(pre): findutils\ +@@ -1255,6 +1257,7 @@ against the %{?2:%{2} }kernel package.\ + Summary: Meta package to install matching core and devel packages for a given %{?2:%{2} }kernel\ + Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\ + Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\ ++Provides: kernel-devel-matched = %{specrpmversion}-%{release}\ + %description %{?1:%{1}-}devel-matched\ + This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\ + %{nil} +@@ -1373,6 +1376,7 @@ Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\ + Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\ + Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\ + Provides: installonlypkg(kernel)\ 
++Provides: kernel = %{KVERREL}+%{1}\ + %description %{1}\ + The meta-package for the %{1} kernel\ + %{nil} +@@ -1387,6 +1391,7 @@ The meta-package for the %{1} kernel\ + Summary: %{variant_summary}\ + Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\ + Provides: installonlypkg(kernel)\ ++Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\ + %if %{-m:1}%{!-m:0}\ + Requires: kernel-core-uname-r = %{KVERREL}\ + Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\ +-- +2.40.1 + From e4d4ccb5c9ce35e7ff580b6c2e0c1df8e91a96c8 Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Fri, 26 May 2023 11:16:53 +0200 Subject: [PATCH 7/9] pkg: fedora: Let kernel-surface conflict with older versions of the package --- .../patches/0003-obsoletes.patch | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 pkg/fedora/kernel-surface/patches/0003-obsoletes.patch diff --git a/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch b/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch new file mode 100644 index 000000000..101ab613d --- /dev/null +++ b/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch @@ -0,0 +1,29 @@ +From 084f48d80c730162805d654325934843cd12db94 Mon Sep 17 00:00:00 2001 +From: Dorian Stoll +Date: Sun, 14 May 2023 18:16:38 +0200 +Subject: [PATCH] Let kernel-surface conflict with older versions of the + package + +Signed-off-by: Dorian Stoll +--- + redhat/kernel.spec.template | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template +index 2d91719b7d93..9ad0c720d467 100644 +--- a/redhat/kernel.spec.template ++++ b/redhat/kernel.spec.template +@@ -599,6 +599,10 @@ Requires: kernel-modules-uname-r = %{KVERREL} + Requires: kernel-modules-core-uname-r = %{KVERREL} + Provides: installonlypkg(kernel) + Provides: kernel = %{KVERREL} ++ ++Conflicts: kernel-surface < 6.3.6-1 ++Obsoletes: kernel-surface < 6.3.6-1 ++ + %endif + + +-- +2.40.1 + 
From 11900261190ed360a97d4781a24ac3908bf87052 Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Sat, 3 Jun 2023 11:49:16 +0200 Subject: [PATCH 8/9] pkg: fedora: Ship the default-kernel service from contrib with the kernel package --- .../files/linux-surface-default-kernel.path | 8 +++ .../linux-surface-default-kernel.service | 6 +++ .../files/linux-surface-default-kernel.sh | 20 ++++++++ .../patches/0004-default-kernel.patch | 50 +++++++++++++++++++ 4 files changed, 84 insertions(+) create mode 100644 pkg/fedora/kernel-surface/files/linux-surface-default-kernel.path create mode 100644 pkg/fedora/kernel-surface/files/linux-surface-default-kernel.service create mode 100755 pkg/fedora/kernel-surface/files/linux-surface-default-kernel.sh create mode 100644 pkg/fedora/kernel-surface/patches/0004-default-kernel.patch diff --git a/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.path b/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.path new file mode 100644 index 000000000..8c13d1e83 --- /dev/null +++ b/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.path @@ -0,0 +1,8 @@ +[Unit] +Description=linux-surface default kernel watchdog + +[Path] +PathChanged=/boot + +[Install] +WantedBy=default.target diff --git a/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.service b/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.service new file mode 100644 index 000000000..336c4d444 --- /dev/null +++ b/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.service @@ -0,0 +1,6 @@ +[Unit] +Description=linux-surface default kernel watchdog + +[Service] +Type=oneshot +ExecStart=/usr/bin/linux-surface-default-kernel.sh diff --git a/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.sh b/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.sh new file mode 100755 index 000000000..818b3479c --- /dev/null +++ b/pkg/fedora/kernel-surface/files/linux-surface-default-kernel.sh 
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -euo pipefail
+
+# get list of surface kernels with timestamp
+kernels=$(find /boot -maxdepth 1 -name "vmlinuz-*.surface.*" -printf '%T@\t%p\n')
+
+# sort by timestamp
+kernels=$(echo "${kernels}" | sort -n)
+
+# get latest kernel (last line) and extract path
+kernel=$(echo "${kernels}" | tail -n1 | cut -f2)
+
+echo $kernel
+
+# update GRUB config
+grubby --set-default "${kernel}"
+
+# update timestamp for rEFInd (ensure it's marked as latest across all kernels,
+# not just surface ones)
+touch "${kernel}"
diff --git a/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch b/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch
new file mode 100644
index 000000000..538ee641f
--- /dev/null
+++ b/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch
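Review bot: When no `vmlinuz-*.surface.*` file exists in /boot, `kernel` ends up empty and the script still runs `grubby --set-default ""` and `touch ""`, which under `set -e` leaves the service failed on every /boot change; a guard after the `kernel=` line, `[[ -n "${kernel}" ]] || { echo "no surface kernel found in /boot" >&2; exit 0; }`, handles that case explicitly. `echo $kernel` should be quoted as `echo "${kernel}"` to match the rest of the script. Since this service is started by a `PathChanged=/boot` unit and `touch "${kernel}"` itself modifies /boot, the run may re-trigger the path unit; worth confirming that this does not loop.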
@@ -0,0 +1,50 @@ +From 5d16b0aca7c07c1e3df5c47c61f5b6f402dd987b Mon Sep 17 00:00:00 2001 +From: Dorian Stoll +Date: Sat, 3 Jun 2023 11:47:02 +0200 +Subject: [PATCH] Install scripts and service files for keeping the surface + kernel the default + +Signed-off-by: Dorian Stoll +--- + redhat/kernel.spec.template | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template +index 9ad0c720d467..5a367c936e05 100644 +--- a/redhat/kernel.spec.template ++++ b/redhat/kernel.spec.template +@@ -911,6 +911,10 @@ Source4000: README.rst + Source4001: rpminspect.yaml + Source4002: gating.yaml + ++Source4100: linux-surface-default-kernel.path ++Source4101: linux-surface-default-kernel.service ++Source4102: linux-surface-default-kernel.sh ++ + ## Patches needed for building this package + + %if !%{nopatches} +@@ -2674,6 +2678,10 @@ find Documentation -type d | xargs chmod u+w + + cd linux-%{KVERREL} + ++install -D -m644 "%{SOURCE4100}" -t "%{buildroot}%{_unitdir}" ++install -D -m644 "%{SOURCE4101}" -t "%{buildroot}%{_unitdir}" ++install -D -m755 "%{SOURCE4102}" -t "%{buildroot}%{_bindir}" ++ + %if %{with_doc} + docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease} + +@@ -3331,6 +3339,9 @@ fi + %ghost %attr(0600, root, root) /boot/symvers-%{KVERREL}%{?3:+%{3}}.gz\ + %ghost %attr(0600, root, root) /boot/initramfs-%{KVERREL}%{?3:+%{3}}.img\ + %ghost %attr(0644, root, root) /boot/config-%{KVERREL}%{?3:+%{3}}\ ++%{_bindir}/linux-surface-default-kernel.sh\ ++%{_unitdir}/linux-surface-default-kernel.path\ ++%{_unitdir}/linux-surface-default-kernel.service\ + %{expand:%%files -f kernel-%{?3:%{3}-}modules-core.list %{?3:%{3}-}modules-core}\ + %dir /lib/modules\ + %dir /lib/modules/%{KVERREL}%{?3:+%{3}}\ +-- +2.40.1 + From 7aa5c1efe947da4e1aaeb34d66a3b60a1595dde1 Mon Sep 17 00:00:00 2001 
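Review bot: The `.path` unit is installed into `%{_unitdir}` and listed in `%files`, but nothing in this patch enables it (no `%post`/`%preun` calling `%systemd_post`/`%systemd_preun linux-surface-default-kernel.path`), so unless something outside this series enables it the watchdog ships inactive; `WantedBy=default.target` only takes effect once the unit is enabled. If that is deliberate (user opt-in), a comment next to the three `Source41xx` lines saying so would save the next reader from re-raising it. The three paths are added to the per-variant `%files ... core` list, so presumably every variant's core subpackage ships the same files; worth confirming this cannot produce file conflicts between co-installable variants.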
From: Dorian Stoll
Date: Sat, 3 Jun 2023 18:52:01 +0200
Subject: [PATCH 9/9] pkg: fedora: Make sure that glob results are sorted

---
 pkg/fedora/kernel-surface/build-linux-surface.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/fedora/kernel-surface/build-linux-surface.py b/pkg/fedora/kernel-surface/build-linux-surface.py
index 9072c69d7..fcea082b3 100755
--- a/pkg/fedora/kernel-surface/build-linux-surface.py
+++ b/pkg/fedora/kernel-surface/build-linux-surface.py
@@ -72,7 +72,7 @@ if not sb_avail:
     input("Press any key to continue")
 
 # Expand globs
-surface_patches = list(patches.glob("*.patch"))
+surface_patches = sorted(patches.glob("*.patch"))
 
 cmd = []
 cmd += [script / "build-ark.py"]
@@ -83,9 +83,9 @@ cmd += ["--patch"] + surface_patches
 cmd += ["--config", config]
 cmd += ["--buildopts", KERNEL_BUILDOPTS]
 
-local_patches = list((script / "patches").glob("*.patch"))
-local_configs = list((script / "configs").glob("*.config"))
-local_files = list((script / "files").glob("*"))
+local_patches = sorted((script / "patches").glob("*.patch"))
+local_configs = sorted((script / "configs").glob("*.config"))
+local_files = sorted((script / "files").glob("*"))
 
 if len(local_patches) > 0:
     cmd += ["--patch"] + local_patches
@@ -97,8 +97,8 @@ if len(local_files) > 0:
     cmd += ["--file"] + local_files
 
 if sb_avail:
-    sb_patches = list((script / "secureboot").glob("*.patch"))
-    sb_configs = list((script / "secureboot").glob("*.config"))
+    sb_patches = sorted((script / "secureboot").glob("*.patch"))
+    sb_configs = sorted((script / "secureboot").glob("*.config"))
 
     if len(sb_patches) > 0:
         cmd += ["--patch"] + sb_patches
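Review bot: The new `sorted(...)` calls order patches lexicographically by filename, so the apply order is right only while the patch files keep zero-padded numeric prefixes (`10-foo.patch` would sort before `2-bar.patch`); a comment above the first call, `# glob() order is filesystem-dependent; sort by name so patches apply in NNNN- prefix order`, records both why the sort is there and the naming convention it relies on. The same applies to the `local_*` and `sb_*` assignments in the two later hunks. The script's top-level flow continues outside these hunks.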