Merge pull request #1152 from linux-surface/fedora-ark
Replace fedora package with kernel-ark
commit
a696fc8729
28
.github/workflows/fedora-37.yml
vendored
28
.github/workflows/fedora-37.yml
vendored
|
@ -12,9 +12,7 @@ jobs:
|
||||||
build:
|
build:
|
||||||
name: Build Kernel
|
name: Build Kernel
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
container:
|
container: registry.fedoraproject.org/fedora:37
|
||||||
image: registry.fedoraproject.org/fedora:37
|
|
||||||
options: --security-opt seccomp=unconfined
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
|
@ -22,25 +20,33 @@ jobs:
|
||||||
- name: Install build dependencies
|
- name: Install build dependencies
|
||||||
run: |
|
run: |
|
||||||
dnf distro-sync -y
|
dnf distro-sync -y
|
||||||
|
dnf install -y git make gcc flex bison bzip2 rpm-build
|
||||||
dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
|
dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
|
||||||
dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
|
|
||||||
|
# Install build dependencies
|
||||||
|
dnf builddep -y kernel
|
||||||
|
|
||||||
|
# Install additional build dependencies
|
||||||
|
dnf install -y sbsigntools
|
||||||
|
|
||||||
- name: Setup secureboot certificate
|
- name: Setup secureboot certificate
|
||||||
env:
|
env:
|
||||||
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
||||||
run: |
|
run: |
|
||||||
cd pkg
|
|
||||||
|
|
||||||
# Install the surface secureboot certificate
|
# Install the surface secureboot certificate
|
||||||
echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
|
echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
|
||||||
cp keys/surface.crt fedora/kernel-surface/surface.crt
|
cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
|
||||||
|
|
||||||
- name: Build packages
|
- name: Build packages
|
||||||
run: |
|
run: |
|
||||||
cd pkg/fedora/kernel-surface
|
cd pkg/fedora/kernel-surface
|
||||||
|
|
||||||
|
# setup git
|
||||||
|
git config --global user.email "surfacebot@users.noreply.github.com"
|
||||||
|
git config --global user.name "surfacebot"
|
||||||
|
|
||||||
# Build the .rpm packages
|
# Build the .rpm packages
|
||||||
../makerpm -- --with=signkernel -ba
|
python3 build-linux-surface.py
|
||||||
|
|
||||||
- name: Sign packages
|
- name: Sign packages
|
||||||
env:
|
env:
|
||||||
|
@ -84,9 +90,7 @@ jobs:
|
||||||
name: Update package repository
|
name: Update package repository
|
||||||
needs: [release]
|
needs: [release]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
container:
|
container: registry.fedoraproject.org/fedora:37
|
||||||
image: fedora:37
|
|
||||||
options: --security-opt seccomp=unconfined
|
|
||||||
steps:
|
steps:
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: |
|
run: |
|
||||||
|
|
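Review bot: In the "Setup secureboot certificate" step, `echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key` writes the private signing key under the shell's default umask and nothing visible removes it again, so it stays readable in the checkout for every later step of the job. Starting the step with `umask 077` and deleting the key in a final step guarded by `if: always()` would narrow that window. The redirect also creates the file when the secret is empty, so a guard such as `[ -n "$SB_KEY" ] || exit 1` would make a missing secret fail early instead of leaving a zero-byte key behind. The build job continues past the hunk, so a later cleanup step may exist outside this view; the same lines appear in .github/workflows/fedora-38.yml.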
28
.github/workflows/fedora-38.yml
vendored
28
.github/workflows/fedora-38.yml
vendored
|
@ -12,9 +12,7 @@ jobs:
|
||||||
build:
|
build:
|
||||||
name: Build Kernel
|
name: Build Kernel
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
container:
|
container: registry.fedoraproject.org/fedora:38
|
||||||
image: registry.fedoraproject.org/fedora:38
|
|
||||||
options: --security-opt seccomp=unconfined
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
|
@ -22,25 +20,33 @@ jobs:
|
||||||
- name: Install build dependencies
|
- name: Install build dependencies
|
||||||
run: |
|
run: |
|
||||||
dnf distro-sync -y
|
dnf distro-sync -y
|
||||||
|
dnf install -y git make gcc flex bison bzip2 rpm-build
|
||||||
dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
|
dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
|
||||||
dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
|
|
||||||
|
# Install build dependencies
|
||||||
|
dnf builddep -y kernel
|
||||||
|
|
||||||
|
# Install additional build dependencies
|
||||||
|
dnf install -y sbsigntools
|
||||||
|
|
||||||
- name: Setup secureboot certificate
|
- name: Setup secureboot certificate
|
||||||
env:
|
env:
|
||||||
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
||||||
run: |
|
run: |
|
||||||
cd pkg
|
|
||||||
|
|
||||||
# Install the surface secureboot certificate
|
# Install the surface secureboot certificate
|
||||||
echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
|
echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
|
||||||
cp keys/surface.crt fedora/kernel-surface/surface.crt
|
cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
|
||||||
|
|
||||||
- name: Build packages
|
- name: Build packages
|
||||||
run: |
|
run: |
|
||||||
cd pkg/fedora/kernel-surface
|
cd pkg/fedora/kernel-surface
|
||||||
|
|
||||||
|
# setup git
|
||||||
|
git config --global user.email "surfacebot@users.noreply.github.com"
|
||||||
|
git config --global user.name "surfacebot"
|
||||||
|
|
||||||
# Build the .rpm packages
|
# Build the .rpm packages
|
||||||
../makerpm -- --with=signkernel -ba
|
python3 build-linux-surface.py
|
||||||
|
|
||||||
- name: Sign packages
|
- name: Sign packages
|
||||||
env:
|
env:
|
||||||
|
@ -84,9 +90,7 @@ jobs:
|
||||||
name: Update package repository
|
name: Update package repository
|
||||||
needs: [release]
|
needs: [release]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
container:
|
container: registry.fedoraproject.org/fedora:38
|
||||||
image: fedora:38
|
|
||||||
options: --security-opt seccomp=unconfined
|
|
||||||
steps:
|
steps:
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: |
|
run: |
|
||||||
|
|
6
pkg/fedora/kernel-surface/.gitignore
vendored
6
pkg/fedora/kernel-surface/.gitignore
vendored
|
@ -1,2 +1,4 @@
|
||||||
surface.key
|
secureboot/MOK.key
|
||||||
surface.crt
|
secureboot/MOK.crt
|
||||||
|
kernel-ark
|
||||||
|
out
|
||||||
|
|
|
@ -1,87 +0,0 @@
|
||||||
From 4d40b8001ac67866e49659211163ebcc0b17dd73 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dorian Stoll <dorian.stoll@tmsp.io>
|
|
||||||
Date: Sun, 22 Sep 2019 22:44:16 +0200
|
|
||||||
Subject: [PATCH] Add secureboot pre-signing to the kernel
|
|
||||||
|
|
||||||
If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
|
|
||||||
the kernel Makefile will automatically sign the vmlinux / bzImage file that
|
|
||||||
gets generated, and that is then used in packaging.
|
|
||||||
|
|
||||||
By integrating it into the kernel build system directly, it is fully integrated
|
|
||||||
with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
|
|
||||||
and it gets added to every tree by the same mechanism that is used to apply the
|
|
||||||
other surface patches anyways.
|
|
||||||
|
|
||||||
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
|
|
||||||
---
|
|
||||||
.gitignore | 3 +++
|
|
||||||
arch/x86/Makefile | 1 +
|
|
||||||
scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 34 insertions(+)
|
|
||||||
create mode 100755 scripts/sign_kernel.sh
|
|
||||||
|
|
||||||
diff --git a/.gitignore b/.gitignore
|
|
||||||
index 2030c7a4d2f8..f0705ecd9340 100644
|
|
||||||
--- a/.gitignore
|
|
||||||
+++ b/.gitignore
|
|
||||||
@@ -132,6 +132,9 @@ signing_key.priv
|
|
||||||
signing_key.x509
|
|
||||||
x509.genkey
|
|
||||||
|
|
||||||
+# Secureboot certificate
|
|
||||||
+/keys/
|
|
||||||
+
|
|
||||||
# Kconfig presets
|
|
||||||
/all.config
|
|
||||||
/alldef.config
|
|
||||||
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
|
|
||||||
index 94df0868804b..2c7b7829f0c2 100644
|
|
||||||
--- a/arch/x86/Makefile
|
|
||||||
+++ b/arch/x86/Makefile
|
|
||||||
@@ -284,6 +284,7 @@ endif
|
|
||||||
$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
|
|
||||||
$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
|
|
||||||
$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
|
||||||
+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
|
||||||
|
|
||||||
$(BOOT_TARGETS): vmlinux
|
|
||||||
$(Q)$(MAKE) $(build)=$(boot) $@
|
|
||||||
diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
|
|
||||||
new file mode 100755
|
|
||||||
index 000000000000..d2526a279254
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/scripts/sign_kernel.sh
|
|
||||||
@@ -0,0 +1,30 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+# SPDX-License-Identifier: GPL-2.0
|
|
||||||
+
|
|
||||||
+# The path to the compiled kernel image is passed as the first argument
|
|
||||||
+BUILDDIR=$(dirname $(dirname $0))
|
|
||||||
+VMLINUX=$1
|
|
||||||
+
|
|
||||||
+# Keys are stored in a toplevel directory called keys
|
|
||||||
+# The following files need to be there:
|
|
||||||
+# * MOK.priv (private key)
|
|
||||||
+# * MOK.pem (public key)
|
|
||||||
+#
|
|
||||||
+# If the files don't exist, this script will do nothing.
|
|
||||||
+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
|
|
||||||
+ exit 0
|
|
||||||
+fi
|
|
||||||
+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
|
|
||||||
+ exit 0
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+# Both required certificates were found. Check if sbsign is installed.
|
|
||||||
+echo "Keys for automatic secureboot signing found."
|
|
||||||
+if [ ! -x "$(command -v sbsign)" ]; then
|
|
||||||
+ echo "ERROR: sbsign not found!"
|
|
||||||
+ exit -2
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+# Sign the kernel
|
|
||||||
+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
|
|
||||||
+ --output $VMLINUX $VMLINUX
|
|
||||||
--
|
|
||||||
2.23.0
|
|
||||||
|
|
171
pkg/fedora/kernel-surface/build-ark.py
Executable file
171
pkg/fedora/kernel-surface/build-ark.py
Executable file
|
@ -0,0 +1,171 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
import argparse
|
||||||
|
import functools
|
||||||
|
import operator
|
||||||
|
import os
|
||||||
|
import shutil
|
||||||
|
import subprocess
|
||||||
|
import time
|
||||||
|
|
||||||
|
|
||||||
|
def system(cmd: str) -> None:
|
||||||
|
subprocess.run(cmd, shell=True, check=True)
|
||||||
|
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser(usage="Build a patched Fedora kernel")
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--package-name",
|
||||||
|
help="The name of the patched package (e.g. foo -> kernel-foo).",
|
||||||
|
required=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--package-tag",
|
||||||
|
help="The upstream tag to build.",
|
||||||
|
required=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--package-release",
|
||||||
|
help="The release suffix of the modified package.",
|
||||||
|
required=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--ark-dir",
|
||||||
|
help="The local path to the kernel-ark repository.",
|
||||||
|
default="kernel-ark",
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--ark-url",
|
||||||
|
help="The remote path to the kernel-ark repository.",
|
||||||
|
default="https://gitlab.com/cki-project/kernel-ark",
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--patch",
|
||||||
|
help="Applies a patch to the kernel source.",
|
||||||
|
action="append",
|
||||||
|
nargs="+",
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--config",
|
||||||
|
help="Applies a KConfig fragment to the kernel source.",
|
||||||
|
action="append",
|
||||||
|
nargs="+",
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--file",
|
||||||
|
help="Copy a file into the RPM buildroot.",
|
||||||
|
action="append",
|
||||||
|
nargs="+",
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--buildopts",
|
||||||
|
help="Enable or disable options of the kernel spec file.",
|
||||||
|
action="append",
|
||||||
|
nargs="+",
|
||||||
|
)
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
"--outdir",
|
||||||
|
help="The directory where the built RPM files will be saved.",
|
||||||
|
default="out",
|
||||||
|
)
|
||||||
|
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
patches = [] if not args.patch else functools.reduce(operator.add, args.patch)
|
||||||
|
configs = [] if not args.config else functools.reduce(operator.add, args.config)
|
||||||
|
files = [] if not args.file else functools.reduce(operator.add, args.file)
|
||||||
|
buildopts = [] if not args.buildopts else functools.reduce(operator.add, args.buildopts)
|
||||||
|
|
||||||
|
# Make paths absolute.
|
||||||
|
patches = [os.path.realpath(x) for x in patches]
|
||||||
|
configs = [os.path.realpath(x) for x in configs]
|
||||||
|
files = [os.path.realpath(x) for x in files]
|
||||||
|
outdir = os.path.realpath(args.outdir)
|
||||||
|
|
||||||
|
# Clone the kernel-ark repository if it doesn't exist.
|
||||||
|
if not os.path.exists(args.ark_dir):
|
||||||
|
system("git clone '%s' '%s'" % (args.ark_url, args.ark_dir))
|
||||||
|
|
||||||
|
os.chdir(args.ark_dir)
|
||||||
|
|
||||||
|
# Check out the requested tag.
|
||||||
|
system("git fetch --tags")
|
||||||
|
system("git clean -dfx")
|
||||||
|
system("git checkout -b 'build/%s'" % time.time())
|
||||||
|
system("git reset --hard '%s'" % args.package_tag)
|
||||||
|
|
||||||
|
# Apply patches
|
||||||
|
for patch in patches:
|
||||||
|
system("git am '%s'" % patch)
|
||||||
|
|
||||||
|
# Copy files
|
||||||
|
for file in files:
|
||||||
|
shutil.copy(file, "redhat/fedora_files/")
|
||||||
|
|
||||||
|
# Apply config options
|
||||||
|
#
|
||||||
|
# The format that the kernel-ark tree expects is a bit different from
|
||||||
|
# a standard kernel config. Every option is split into a single file
|
||||||
|
# named after that config.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# $ cat redhat/configs/common/generic/CONFIG_PCI
|
||||||
|
# CONFIG_PCI=y
|
||||||
|
#
|
||||||
|
# This supposedly makes things easier for Red Hat developers,
|
||||||
|
# but it also ends up being really annoying for us.
|
||||||
|
for config in configs:
|
||||||
|
with open(config) as f:
|
||||||
|
lines = f.readlines()
|
||||||
|
|
||||||
|
# Filter out comments, this means only selecting lines that look like:
|
||||||
|
# - CONFIG_FOO=b
|
||||||
|
# - # CONFIG_FOO is not set
|
||||||
|
for line in lines:
|
||||||
|
enable = line.startswith("CONFIG_")
|
||||||
|
disable = line.startswith("# CONFIG_")
|
||||||
|
|
||||||
|
if not enable and not disable:
|
||||||
|
continue
|
||||||
|
|
||||||
|
NAME = ""
|
||||||
|
|
||||||
|
if enable:
|
||||||
|
NAME = line.split("=")[0]
|
||||||
|
elif disable:
|
||||||
|
NAME = line[2:].split(" ")[0]
|
||||||
|
|
||||||
|
print("Applying %s" % line.rstrip("\n"))
|
||||||
|
|
||||||
|
with open("redhat/configs/custom-overrides/generic/%s" % NAME, "w") as f:
|
||||||
|
f.write(line)
|
||||||
|
|
||||||
|
system("git add redhat/configs/custom-overrides/generic")
|
||||||
|
system("git commit -m 'Merge %s config'" % args.package_name)
|
||||||
|
|
||||||
|
cmd = []
|
||||||
|
cmd.append("make")
|
||||||
|
cmd.append("dist-rpms")
|
||||||
|
cmd.append("SPECPACKAGE_NAME='kernel-%s'" % args.package_name)
|
||||||
|
cmd.append("DISTLOCALVERSION='.%s'" % args.package_name)
|
||||||
|
cmd.append("BUILD='%s'" % args.package_release)
|
||||||
|
|
||||||
|
if len(buildopts) > 0:
|
||||||
|
cmd.append("BUILDOPTS='%s'" % " ".join(buildopts))
|
||||||
|
|
||||||
|
# Build RPMS
|
||||||
|
system(" ".join(cmd))
|
||||||
|
|
||||||
|
# Copy built RPMS to output directory
|
||||||
|
os.makedirs(outdir, exist_ok=True)
|
||||||
|
system("cp -r redhat/rpm/RPMS/* '%s'" % outdir)
|
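Review bot: `system()` passes every command to `subprocess.run(cmd, shell=True, check=True)` with `--ark-url`, `--ark-dir`, `--package-tag`, `--package-name`, `--package-release`, `--buildopts`, the patch paths and `outdir` spliced in between single quotes, so any value containing a `'` ends the quoting and the rest is interpreted by the shell. Those values come from command-line arguments and from file names in the repository, and in the CI workflows of this commit the script runs while the Secure Boot key is on disk. Passing argument lists without a shell removes the quoting problem altogether; the `make` variables then lose their inner quotes and the final `cp -r …/*` becomes a `shutil.copytree` call. Separately, `NAME` is taken from a config line and used unchecked as a file name under `redhat/configs/custom-overrides/generic/`, so it would be worth skipping names that do not match `CONFIG_[A-Za-z0-9_]+`.

```python
def system(cmd: list[str]) -> None:
    subprocess.run(cmd, check=True)

# … unchanged: argument parsing and path resolution …

if not os.path.exists(args.ark_dir):
    system(["git", "clone", "--", args.ark_url, args.ark_dir])

# … unchanged: chdir into the kernel-ark tree …

system(["git", "fetch", "--tags"])
system(["git", "clean", "-dfx"])
system(["git", "checkout", "-b", "build/%s" % time.time()])
system(["git", "reset", "--hard", args.package_tag])

for patch in patches:
    system(["git", "am", patch])

# … unchanged: file copy and config fragments; `git add` / `git commit` there become lists the same way …

cmd = ["make", "dist-rpms"]
cmd.append("SPECPACKAGE_NAME=kernel-%s" % args.package_name)
cmd.append("DISTLOCALVERSION=.%s" % args.package_name)
cmd.append("BUILD=%s" % args.package_release)

if len(buildopts) > 0:
    cmd.append("BUILDOPTS=%s" % " ".join(buildopts))

system(cmd)

os.makedirs(outdir, exist_ok=True)
shutil.copytree("redhat/rpm/RPMS", outdir, dirs_exist_ok=True)
```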
111
pkg/fedora/kernel-surface/build-linux-surface.py
Executable file
111
pkg/fedora/kernel-surface/build-linux-surface.py
Executable file
|
@ -0,0 +1,111 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
##
|
||||||
|
## The name of the modified kernel package.
|
||||||
|
##
|
||||||
|
PACKAGE_NAME = "surface"
|
||||||
|
|
||||||
|
##
|
||||||
|
## https://gitlab.com/cki-project/kernel-ark/-/tags
|
||||||
|
##
|
||||||
|
## Fedora tags: kernel-X.Y.Z
|
||||||
|
## Upstream tags: vX.Y.Z
|
||||||
|
##
|
||||||
|
PACKAGE_TAG = "kernel-6.3.6-0"
|
||||||
|
|
||||||
|
##
|
||||||
|
## The release number of the modified kernel package.
|
||||||
|
## e.g. 300 for kernel-6.3.1-300.fc38.foo
|
||||||
|
##
|
||||||
|
PACKAGE_RELEASE = "1"
|
||||||
|
|
||||||
|
##
|
||||||
|
## Build options for configuring which parts of the kernel package are enabled.
|
||||||
|
##
|
||||||
|
## We disable all userspace components because we only want the kernel + modules.
|
||||||
|
## We also don't care too much about debug info or UKI.
|
||||||
|
##
|
||||||
|
## To list the available options, run make dist-full-help in the kernel-ark tree.
|
||||||
|
##
|
||||||
|
KERNEL_BUILDOPTS = "+up +baseonly -debuginfo -doc -headers -efiuki"
|
||||||
|
|
||||||
|
#####################################################################
|
||||||
|
|
||||||
|
# The directory where this script is saved.
|
||||||
|
script = Path(sys.argv[0]).resolve().parent
|
||||||
|
|
||||||
|
# The root of the linux-surface repository.
|
||||||
|
linux_surface = script / ".." / ".." / ".."
|
||||||
|
|
||||||
|
# Determine the major version of the kernel.
|
||||||
|
kernel_version = PACKAGE_TAG.split("-")[1]
|
||||||
|
kernel_major = ".".join(kernel_version.split(".")[:2])
|
||||||
|
|
||||||
|
# Determine the patches directory and config file.
|
||||||
|
patches = linux_surface / "patches" / kernel_major
|
||||||
|
config = linux_surface / "configs" / ("surface-%s.config" % kernel_major)
|
||||||
|
|
||||||
|
sb_cert = script / "secureboot" / "MOK.crt"
|
||||||
|
sb_key = script / "secureboot" / "MOK.key"
|
||||||
|
|
||||||
|
# Check if the major version is supported.
|
||||||
|
if not patches.exists() or not config.exists():
|
||||||
|
print("ERROR: Could not find patches / configs for kernel %s!" % kernel_major)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
# Check if Secure Boot keys are available.
|
||||||
|
sb_avail = sb_cert.exists() and sb_key.exists()
|
||||||
|
|
||||||
|
# If we are building without secureboot, require user input to continue.
|
||||||
|
if not sb_avail:
|
||||||
|
print("")
|
||||||
|
print("Secure Boot keys were not configured! Using Red Hat testkeys.")
|
||||||
|
print("The compiled kernel will not boot with Secure Boot enabled!")
|
||||||
|
print("")
|
||||||
|
|
||||||
|
input("Press any key to continue")
|
||||||
|
|
||||||
|
# Expand globs
|
||||||
|
surface_patches = sorted(patches.glob("*.patch"))
|
||||||
|
|
||||||
|
cmd = []
|
||||||
|
cmd += [script / "build-ark.py"]
|
||||||
|
cmd += ["--package-name", PACKAGE_NAME]
|
||||||
|
cmd += ["--package-tag", PACKAGE_TAG]
|
||||||
|
cmd += ["--package-release", PACKAGE_RELEASE]
|
||||||
|
cmd += ["--patch"] + surface_patches
|
||||||
|
cmd += ["--config", config]
|
||||||
|
cmd += ["--buildopts", KERNEL_BUILDOPTS]
|
||||||
|
|
||||||
|
local_patches = sorted((script / "patches").glob("*.patch"))
|
||||||
|
local_configs = sorted((script / "configs").glob("*.config"))
|
||||||
|
local_files = sorted((script / "files").glob("*"))
|
||||||
|
|
||||||
|
if len(local_patches) > 0:
|
||||||
|
cmd += ["--patch"] + local_patches
|
||||||
|
|
||||||
|
if len(local_configs) > 0:
|
||||||
|
cmd += ["--config"] + local_configs
|
||||||
|
|
||||||
|
if len(local_files) > 0:
|
||||||
|
cmd += ["--file"] + local_files
|
||||||
|
|
||||||
|
if sb_avail:
|
||||||
|
sb_patches = sorted((script / "secureboot").glob("*.patch"))
|
||||||
|
sb_configs = sorted((script / "secureboot").glob("*.config"))
|
||||||
|
|
||||||
|
if len(sb_patches) > 0:
|
||||||
|
cmd += ["--patch"] + sb_patches
|
||||||
|
|
||||||
|
if len(sb_configs) > 0:
|
||||||
|
cmd += ["--config"] + sb_configs
|
||||||
|
|
||||||
|
cmd += ["--file", sb_cert, sb_key]
|
||||||
|
|
||||||
|
subprocess.run(cmd, check=True)
|
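Review bot: `sb_avail = sb_cert.exists() and sb_key.exists()` treats a zero-byte key file as a configured key. The workflows in this commit create `secureboot/MOK.key` with an unconditional `base64 -d >` redirect, so a run where the secret is empty would presumably still add the secureboot patches and the `--file` arguments instead of taking the test-key branch; `sb_avail = sb_cert.is_file() and sb_key.is_file() and sb_key.stat().st_size > 0` closes that gap. The fallback itself waits on `input("Press any key to continue")`, which only works on a terminal, so an explicit opt-in flag for builds without the project key would make the test-key path a deliberate choice rather than a prompt. It would also help to add a comment at `PACKAGE_TAG` such as `## NOTE: tags can be moved upstream; record the expected commit hash when bumping.`, since the tag is resolved against a freshly fetched remote at build time.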
0
pkg/fedora/kernel-surface/configs/.gitkeep
Normal file
0
pkg/fedora/kernel-surface/configs/.gitkeep
Normal file
7
pkg/fedora/kernel-surface/configs/fedora.config
Normal file
7
pkg/fedora/kernel-surface/configs/fedora.config
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
##
|
||||||
|
## Config options specific to Fedora
|
||||||
|
##
|
||||||
|
|
||||||
|
# The build fails because this is not enabled in the config set for RHEL,
|
||||||
|
# but enabled automatically by one of our patches.
|
||||||
|
CONFIG_VIDEO_V4L2_SUBDEV_API=y
|
|
@ -1,10 +0,0 @@
|
||||||
##
|
|
||||||
## Forcefully disable debug symbols
|
|
||||||
##
|
|
||||||
|
|
||||||
CONFIG_DEBUG_INFO_NONE=y
|
|
||||||
# CONFIG_DEBUG_INFO is not set
|
|
||||||
# CONFIG_DEBUG_INFO_BTF is not set
|
|
||||||
# CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT is not set
|
|
||||||
# CONFIG_DEBUG_INFO_DWARF4 is not set
|
|
||||||
# CONFIG_DEBUG_INFO_DWARF5 is not set
|
|
0
pkg/fedora/kernel-surface/files/.gitkeep
Normal file
0
pkg/fedora/kernel-surface/files/.gitkeep
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
[Unit]
|
||||||
|
Description=linux-surface default kernel watchdog
|
||||||
|
|
||||||
|
[Path]
|
||||||
|
PathChanged=/boot
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=default.target
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Unit]
|
||||||
|
Description=linux-surface default kernel watchdog
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/bin/linux-surface-default-kernel.sh
|
20
pkg/fedora/kernel-surface/files/linux-surface-default-kernel.sh
Executable file
20
pkg/fedora/kernel-surface/files/linux-surface-default-kernel.sh
Executable file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# get list of surface kernels with timestamp
|
||||||
|
kernels=$(find /boot -maxdepth 1 -name "vmlinuz-*.surface.*" -printf '%T@\t%p\n')
|
||||||
|
|
||||||
|
# sort by timestamp
|
||||||
|
kernels=$(echo "${kernels}" | sort -n)
|
||||||
|
|
||||||
|
# get latest kernel (last line) and extract path
|
||||||
|
kernel=$(echo "${kernels}" | tail -n1 | cut -f2)
|
||||||
|
|
||||||
|
echo $kernel
|
||||||
|
|
||||||
|
# update GRUB config
|
||||||
|
grubby --set-default "${kernel}"
|
||||||
|
|
||||||
|
# update timestamp for rEFInd (ensure it's marked as latest across all kernels,
|
||||||
|
# not just surface ones)
|
||||||
|
touch "${kernel}"
|
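Review bot: Nothing checks that `find` matched anything, so when /boot holds no `vmlinuz-*.surface.*` file `kernel` is empty and the script goes on to run `grubby --set-default ""` and `touch ""` from the oneshot service added in this commit. A guard right after the `cut` line, `[[ -n "${kernel}" ]] || { echo "no surface kernel found in /boot" >&2; exit 0; }`, makes that case explicit. Adding `-type f` to the `find` call and replacing `echo $kernel` with `printf '%s\n' "${kernel}"` keeps symlinks and word splitting out of the value handed to grubby.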
|
@ -1,363 +0,0 @@
|
||||||
#
|
|
||||||
# Definitions to configure the kernel we want to build
|
|
||||||
#
|
|
||||||
|
|
||||||
%global kernel_tag_fc38 kernel-6.3.5-200.fc38
|
|
||||||
%global kernel_tag_fc37 kernel-6.3.5-100.fc37
|
|
||||||
|
|
||||||
%global kernel_release_fc38 1
|
|
||||||
%global kernel_release_fc37 1
|
|
||||||
|
|
||||||
# This is what is printed in the GRUB menu. These cannot be fetched from the
|
|
||||||
# buildhost, because in a container this will also say container. To get the
|
|
||||||
# same text as the default kernels, just hardcode it. Hey, this is important!
|
|
||||||
%global fedora_title_fc37 38 (Thirty Eight)
|
|
||||||
%global fedora_title_fc37 37 (Thirty Seven)
|
|
||||||
|
|
||||||
%global ls_patches_commit f6d9315b8a3ecaee9f1575d8860a46cf44e79607
|
|
||||||
|
|
||||||
%global sb_crt surface.crt
|
|
||||||
%global sb_key surface.key
|
|
||||||
|
|
||||||
#
|
|
||||||
# Definitions that get automatically generated from the ones above
|
|
||||||
#
|
|
||||||
|
|
||||||
%global kernel_tag %{kernel_tag_fc%{fedora}}
|
|
||||||
%global kernel_release %{kernel_release_fc%{fedora}}
|
|
||||||
%global fedora_title %{fedora_title_fc%{fedora}}
|
|
||||||
|
|
||||||
%global kernel_version %(echo %{kernel_tag} | cut -d'-' -f2)
|
|
||||||
%global kernel_majorver %(echo %{kernel_version} | cut -d'.' -f1-2)
|
|
||||||
%global kernel_patches patches/%{kernel_majorver}
|
|
||||||
|
|
||||||
%global kernel_localversion %{kernel_release}.surface%{?dist}.%{_target_cpu}
|
|
||||||
%global kernel_config kernel-%{kernel_version}-%{_target_cpu}.config
|
|
||||||
%global kernel_name %{kernel_version}-%{kernel_localversion}
|
|
||||||
|
|
||||||
%global fedora_source https://github.com/StollD/linux-fedora
|
|
||||||
%global surface_source https://raw.githubusercontent.com/linux-surface/linux-surface/%{ls_patches_commit}
|
|
||||||
|
|
||||||
%global kernel_modpath %{buildroot}/lib/modules/%{kernel_name}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Actual specfile starts here
|
|
||||||
#
|
|
||||||
|
|
||||||
%bcond_with signkernel
|
|
||||||
|
|
||||||
Name: kernel-surface
|
|
||||||
Summary: The Linux Kernel with patches for Microsoft Surface
|
|
||||||
Version: %{kernel_version}
|
|
||||||
Release: %{kernel_release}%{?dist}
|
|
||||||
License: GPLv2
|
|
||||||
URL: https://github.com/linux-surface/linux-surface
|
|
||||||
|
|
||||||
Provides: installonlypkg(kernel-surface)
|
|
||||||
Provides: kernel-uname-r = %{kernel_name}
|
|
||||||
Provides: kernel-core-uname-r = %{kernel_name}
|
|
||||||
Provides: kernel-modules-uname-r = %{kernel_name}
|
|
||||||
|
|
||||||
Recommends: iptsd
|
|
||||||
|
|
||||||
Requires(pre): coreutils, systemd >= 203-2, /usr/bin/kernel-install
|
|
||||||
Requires(pre): dracut >= 027
|
|
||||||
Requires(pre): linux-firmware >= 20150904-56.git6ebf5d57
|
|
||||||
Requires(preun): systemd >= 200
|
|
||||||
|
|
||||||
BuildRequires: openssl openssl-devel
|
|
||||||
BuildRequires: kmod, patch, bash, tar, git-core, sbsigntools
|
|
||||||
BuildRequires: bzip2, xz, findutils, gzip, m4, perl-interpreter,
|
|
||||||
BuildRequires: perl-Carp, perl-devel, perl-generators, make, diffutils,
|
|
||||||
BuildRequires: gawk, gcc, binutils, redhat-rpm-config, hmaccalc, bison
|
|
||||||
BuildRequires: flex, net-tools, hostname, bc, elfutils-devel
|
|
||||||
BuildRequires: gcc-plugin-devel dwarves
|
|
||||||
|
|
||||||
# Used to mangle unversioned shebangs to be Python 3
|
|
||||||
BuildRequires: python3-devel
|
|
||||||
|
|
||||||
Conflicts: xfsprogs < 4.3.0-1
|
|
||||||
Conflicts: xorg-x11-drv-vmmouse < 13.0.99
|
|
||||||
BuildConflicts: rhbuildsys(DiskFree) < 500Mb
|
|
||||||
BuildConflicts: rpm < 4.13.0.1-19
|
|
||||||
BuildConflicts: dwarves < 1.13
|
|
||||||
|
|
||||||
Source0: %{fedora_source}/archive/%{kernel_tag}.tar.gz
|
|
||||||
Source1: %{surface_source}/configs/surface-%{kernel_majorver}.config
|
|
||||||
Source2: fedora.config
|
|
||||||
|
|
||||||
%if %{with signkernel}
|
|
||||||
Source20: %{sb_crt}
|
|
||||||
Source21: %{sb_key}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Source100: mod-sign.sh
|
|
||||||
Source101: parallel_xz.sh
|
|
||||||
|
|
||||||
Patch0: %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch
|
|
||||||
Patch1: %{surface_source}/%{kernel_patches}/0002-mwifiex.patch
|
|
||||||
Patch2: %{surface_source}/%{kernel_patches}/0003-ath10k.patch
|
|
||||||
Patch3: %{surface_source}/%{kernel_patches}/0004-ipts.patch
|
|
||||||
Patch4: %{surface_source}/%{kernel_patches}/0005-ithc.patch
|
|
||||||
Patch5: %{surface_source}/%{kernel_patches}/0006-surface-sam.patch
|
|
||||||
Patch6: %{surface_source}/%{kernel_patches}/0007-surface-sam-over-hid.patch
|
|
||||||
Patch7: %{surface_source}/%{kernel_patches}/0008-surface-button.patch
|
|
||||||
Patch8: %{surface_source}/%{kernel_patches}/0009-surface-typecover.patch
|
|
||||||
Patch9: %{surface_source}/%{kernel_patches}/0010-surface-shutdown.patch
|
|
||||||
Patch10: %{surface_source}/%{kernel_patches}/0011-surface-gpe.patch
|
|
||||||
Patch11: %{surface_source}/%{kernel_patches}/0012-cameras.patch
|
|
||||||
Patch12: %{surface_source}/%{kernel_patches}/0013-amd-gpio.patch
|
|
||||||
Patch13: %{surface_source}/%{kernel_patches}/0014-rtc.patch
|
|
||||||
|
|
||||||
Patch100: 0001-Add-secureboot-pre-signing-to-the-kernel.patch
|
|
||||||
|
|
||||||
ExclusiveArch: x86_64
|
|
||||||
|
|
||||||
%global debug_package %{nil}
|
|
||||||
%global _build_id_links alldebug
|
|
||||||
|
|
||||||
%description
|
|
||||||
The Linux Kernel, the operating system core itself, with support for
|
|
||||||
Microsoft Surface.
|
|
||||||
|
|
||||||
%package devel
|
|
||||||
Summary: Development package for building kernel modules for kernel-surface
|
|
||||||
AutoReqProv: no
|
|
||||||
Provides: installonlypkg(kernel-surface)
|
|
||||||
Provides: kernel-devel-uname-r = %{kernel_name}
|
|
||||||
|
|
||||||
%description devel
|
|
||||||
This package provides kernel headers and makefiles sufficient to build modules
|
|
||||||
against the kernel-surface package.
|
|
||||||
|
|
||||||
%prep
|
|
||||||
%autosetup -S git -n linux-fedora-%{kernel_tag}
|
|
||||||
|
|
||||||
# Fix missing Makefile.rhelver
|
|
||||||
touch Makefile.rhelver
|
|
||||||
|
|
||||||
scripts/kconfig/merge_config.sh \
|
|
||||||
fedora/configs/%{kernel_config} \
|
|
||||||
%{SOURCE1} \
|
|
||||||
%{SOURCE2}
|
|
||||||
|
|
||||||
echo $((%{kernel_release} - 1)) > .version
|
|
||||||
|
|
||||||
# Copy secureboot certificates if they are available
|
|
||||||
%if %{with signkernel}
|
|
||||||
mkdir -p keys
|
|
||||||
cp %{SOURCE20} keys/MOK.crt
|
|
||||||
cp %{SOURCE21} keys/MOK.key
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# This Prevents scripts/setlocalversion from mucking with our version numbers.
|
|
||||||
touch .scmversion
|
|
||||||
|
|
||||||
# Mangle /usr/bin/python shebangs to /usr/bin/python3
|
|
||||||
# Mangle all Python shebangs to be Python 3 explicitly
|
|
||||||
# -p preserves timestamps
|
|
||||||
# -n prevents creating ~backup files
|
|
||||||
# -i specifies the interpreter for the shebang
|
|
||||||
# This fixes errors such as
|
|
||||||
# *** ERROR: ambiguous python shebang in /usr/bin/kvm_stat: #!/usr/bin/python. Change it to python3 (or python2) explicitly.
|
|
||||||
# We patch all sources below for which we got a report/error.
|
|
||||||
pathfix.py -i "%{__python3} %{py3_shbang_opts}" -p -n \
|
|
||||||
tools/kvm/kvm_stat/kvm_stat \
|
|
||||||
scripts/show_delta \
|
|
||||||
scripts/diffconfig \
|
|
||||||
scripts/bloat-o-meter \
|
|
||||||
scripts/jobserver-exec \
|
|
||||||
tools \
|
|
||||||
Documentation \
|
|
||||||
scripts/clang-tools
|
|
||||||
|
|
||||||
%build
|
|
||||||
|
|
||||||
# This ensures build-ids are unique to allow parallel debuginfo
|
|
||||||
perl -p -i -e "s/^CONFIG_BUILD_SALT.*/CONFIG_BUILD_SALT=\"%{kernel_name}\"/" .config
|
|
||||||
|
|
||||||
make %{?_smp_mflags} all LOCALVERSION=-%{kernel_localversion} ARCH=%{_target_cpu}
|
|
||||||
|
|
||||||
%define __modsign_install_post \
|
|
||||||
%{SOURCE100} certs/signing_key.pem certs/signing_key.x509 %{kernel_modpath} \
|
|
||||||
find %{kernel_modpath} -type f -name '*.ko' | %{SOURCE101} %{?_smp_mflags}; \
|
|
||||||
%{nil}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Disgusting hack alert! We need to ensure we sign modules *after* all
|
|
||||||
# invocations of strip occur.
|
|
||||||
#
|
|
||||||
%define __spec_install_post \
|
|
||||||
%{?__debug_package:%{__debug_install_post}}\
|
|
||||||
%{__arch_install_post}\
|
|
||||||
%{__os_install_post}\
|
|
||||||
%{__modsign_install_post}
|
|
||||||
|
|
||||||
%install
|
|
||||||
mkdir -p %{buildroot}/boot
|
|
||||||
|
|
||||||
# Install modules
|
|
||||||
make %{?_smp_mflags} INSTALL_MOD_PATH=%{buildroot} modules_install KERNELRELEASE=%{kernel_name}
|
|
||||||
|
|
||||||
# Install vmlinuz
|
|
||||||
image_name=$(make -s image_name)
|
|
||||||
install -m 755 $image_name %{buildroot}/boot/vmlinuz-%{kernel_name}
|
|
||||||
install -m 755 $image_name %{kernel_modpath}/vmlinuz
|
|
||||||
|
|
||||||
# Install System.map and .config
|
|
||||||
install -m 644 System.map %{kernel_modpath}/System.map
|
|
||||||
install -m 644 System.map %{buildroot}/boot/System.map-%{kernel_name}
|
|
||||||
install -m 644 .config %{kernel_modpath}/config
|
|
||||||
install -m 644 .config %{buildroot}/boot/config-%{kernel_name}
|
|
||||||
|
|
||||||
# hmac sign the kernel for FIPS
|
|
||||||
sha512hmac %{buildroot}/boot/vmlinuz-%{kernel_name} | sed -e "s,%{buildroot},," > %{kernel_modpath}/.vmlinuz.hmac
|
|
||||||
cp %{kernel_modpath}/.vmlinuz.hmac %{buildroot}/boot/.vmlinuz-%{kernel_name}.hmac
|
|
||||||
|
|
||||||
# mark modules executable so that strip-to-file can strip them
|
|
||||||
find %{kernel_modpath} -name "*.ko" -type f | xargs --no-run-if-empty chmod u+x
|
|
||||||
|
|
||||||
# Setup directories for -devel files
|
|
||||||
rm -f %{kernel_modpath}/build
|
|
||||||
rm -f %{kernel_modpath}/source
|
|
||||||
mkdir -p %{kernel_modpath}/build
|
|
||||||
pushd %{kernel_modpath}
|
|
||||||
ln -s build source
|
|
||||||
popd
|
|
||||||
|
|
||||||
# first copy everything
|
|
||||||
cp --parents $(find -type f -name "Makefile*" -o -name "Kconfig*") %{kernel_modpath}/build
|
|
||||||
cp Module.symvers %{kernel_modpath}/build
|
|
||||||
cp System.map %{kernel_modpath}/build
|
|
||||||
if [ -s Module.markers ]; then
|
|
||||||
cp Module.markers %{kernel_modpath}/build
|
|
||||||
fi
|
|
||||||
|
|
||||||
# then drop all but the needed Makefiles/Kconfig files
|
|
||||||
rm -rf %{kernel_modpath}/build/scripts
|
|
||||||
rm -rf %{kernel_modpath}/build/include
|
|
||||||
cp .config %{kernel_modpath}/build
|
|
||||||
cp -a scripts %{kernel_modpath}/build
|
|
||||||
rm -rf %{kernel_modpath}/build/scripts/tracing
|
|
||||||
rm -f %{kernel_modpath}/build/scripts/spdxcheck.py
|
|
||||||
|
|
||||||
if [ -f tools/objtool/objtool ]; then
|
|
||||||
cp -a tools/objtool/objtool %{kernel_modpath}/build/tools/objtool/ || :
|
|
||||||
|
|
||||||
# these are a few files associated with objtool
|
|
||||||
cp -a --parents tools/build/Build.include %{kernel_modpath}/build/
|
|
||||||
cp -a --parents tools/build/Build %{kernel_modpath}/build/
|
|
||||||
cp -a --parents tools/build/fixdep.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents tools/scripts/utilities.mak %{kernel_modpath}/build/
|
|
||||||
|
|
||||||
# also more than necessary but it's not that many more files
|
|
||||||
cp -a --parents tools/objtool/* %{kernel_modpath}/build/
|
|
||||||
cp -a --parents tools/lib/str_error_r.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents tools/lib/string.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents tools/lib/subcmd/* %{kernel_modpath}/build/
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -d arch/x86/scripts ]; then
|
|
||||||
cp -a arch/x86/scripts %{kernel_modpath}/build/arch/x86/ || :
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f arch/x86/*lds ]; then
|
|
||||||
cp -a arch/x86/*lds %{kernel_modpath}/build/arch/x86/ || :
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f arch/x86/kernel/module.lds ]; then
|
|
||||||
cp -a --parents arch/x86/kernel/module.lds %{kernel_modpath}/build/
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -f %{kernel_modpath}/build/scripts/*.o
|
|
||||||
rm -f %{kernel_modpath}/build/scripts/*/*.o
|
|
||||||
|
|
||||||
if [ -d arch/x86/include ]; then
|
|
||||||
cp -a --parents arch/x86/include %{kernel_modpath}/build/
|
|
||||||
fi
|
|
||||||
|
|
||||||
cp -a include %{kernel_modpath}/build/include
|
|
||||||
|
|
||||||
# files for 'make prepare' to succeed with kernel-devel
|
|
||||||
cp -a --parents arch/x86/entry/syscalls/syscall_32.tbl %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/entry/syscalls/syscall_64.tbl %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/tools/relocs_32.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/tools/relocs_64.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/tools/relocs.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/tools/relocs_common.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/tools/relocs.h %{kernel_modpath}/build/
|
|
||||||
|
|
||||||
cp -a --parents scripts/syscalltbl.sh %{kernel_modpath}/build/
|
|
||||||
cp -a --parents scripts/syscallhdr.sh %{kernel_modpath}/build/
|
|
||||||
|
|
||||||
# Yes this is more includes than we probably need. Feel free to sort out
|
|
||||||
# dependencies if you so choose.
|
|
||||||
cp -a --parents tools/include/* %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/purgatory/purgatory.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/purgatory/stack.S %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/purgatory/setup-x86_64.S %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/purgatory/entry64.S %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/boot/string.h %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/boot/string.c %{kernel_modpath}/build/
|
|
||||||
cp -a --parents arch/x86/boot/ctype.h %{kernel_modpath}/build/
|
|
||||||
|
|
||||||
# Make sure the Makefile, version.h, and auto.conf have a matching
|
|
||||||
# timestamp so that external modules can be built
|
|
||||||
|
|
||||||
touch -r %{kernel_modpath}/build/Makefile \
|
|
||||||
%{kernel_modpath}/build/include/generated/uapi/linux/version.h \
|
|
||||||
%{kernel_modpath}/build/include/config/auto.conf
|
|
||||||
|
|
||||||
mkdir -p %{buildroot}/usr/src/kernels
|
|
||||||
mv %{kernel_modpath}/build %{buildroot}/usr/src/kernels/%{kernel_name}
|
|
||||||
|
|
||||||
# This is going to create a broken link during the build, but we don't use
|
|
||||||
# it after this point. We need the link to actually point to something
|
|
||||||
# when kernel-devel is installed, and a relative link doesn't work across
|
|
||||||
# the F17 UsrMove feature.
|
|
||||||
ln -sf /usr/src/kernels/%{kernel_name} %{kernel_modpath}/build
|
|
||||||
|
|
||||||
# prune junk from kernel-devel
|
|
||||||
find %{buildroot}/usr/src/kernels -name ".*.cmd" -delete
|
|
||||||
|
|
||||||
# remove files that will be auto generated by depmod at rpm -i time
|
|
||||||
pushd %{kernel_modpath}
|
|
||||||
rm -f modules.{alias*,builtin.bin,dep*,*map,symbols*,devname,softdep}
|
|
||||||
popd
|
|
||||||
|
|
||||||
# build a BLS config for this kernel
|
|
||||||
cat >%{kernel_modpath}/bls.conf <<EOF
|
|
||||||
title Fedora (%{kernel_name}) %{fedora_title}
|
|
||||||
version %{kernel_name}
|
|
||||||
linux /vmlinuz-%{kernel_name}
|
|
||||||
initrd /initramfs-%{kernel_name}.img
|
|
||||||
options \$kernelopts
|
|
||||||
grub_users \$grub_users
|
|
||||||
grub_arg --unrestricted
|
|
||||||
grub_class kernel
|
|
||||||
EOF
|
|
||||||
|
|
||||||
%clean
|
|
||||||
rm -rf %{buildroot}
|
|
||||||
|
|
||||||
%posttrans
|
|
||||||
/bin/kernel-install add %{kernel_name} /lib/modules/%{kernel_name}/vmlinuz || exit $?
|
|
||||||
|
|
||||||
%preun
|
|
||||||
/bin/kernel-install remove %{kernel_name} /lib/modules/%{kernel_name}/vmlinuz || exit $?
|
|
||||||
|
|
||||||
%files
|
|
||||||
%defattr (-, root, root)
|
|
||||||
/lib/modules/%{kernel_name}
|
|
||||||
%ghost /boot/vmlinuz-%{kernel_name}
|
|
||||||
%ghost /boot/config-%{kernel_name}
|
|
||||||
%ghost /boot/System.map-%{kernel_name}
|
|
||||||
%ghost /boot/.vmlinuz-%{kernel_name}.hmac
|
|
||||||
|
|
||||||
%files devel
|
|
||||||
%defattr (-, root, root)
|
|
||||||
/usr/src/kernels/%{kernel_name}
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
* Thu Jan 09 2020 Dorian Stoll <dorian.stoll@tmsp.io>
|
|
||||||
- Initial version
|
|
|
@ -1,36 +0,0 @@
|
||||||
#! /bin/bash
|
|
||||||
|
|
||||||
# The modules_sign target checks for corresponding .o files for every .ko that
|
|
||||||
# is signed. This doesn't work for package builds which re-use the same build
|
|
||||||
# directory for every flavour, and the .config may change between flavours.
|
|
||||||
# So instead of using this script to just sign lib/modules/$KernelVer/extra,
|
|
||||||
# sign all .ko in the buildroot.
|
|
||||||
|
|
||||||
# This essentially duplicates the 'modules_sign' Kbuild target and runs the
|
|
||||||
# same commands for those modules.
|
|
||||||
|
|
||||||
MODSECKEY=$1
|
|
||||||
MODPUBKEY=$2
|
|
||||||
|
|
||||||
moddir=$3
|
|
||||||
|
|
||||||
modules=`find $moddir -name *.ko`
|
|
||||||
|
|
||||||
for mod in $modules
|
|
||||||
do
|
|
||||||
dir=`dirname $mod`
|
|
||||||
file=`basename $mod`
|
|
||||||
|
|
||||||
./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file}
|
|
||||||
rm -f ${dir}/${file}.{sig,dig}
|
|
||||||
done
|
|
||||||
|
|
||||||
RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | head -n 1)
|
|
||||||
if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
|
|
||||||
echo "*****************************"
|
|
||||||
echo "*** Modules are unsigned! ***"
|
|
||||||
echo "*****************************"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
exit 0
|
|
|
@ -1,26 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
# Reads filenames on stdin, xz-compresses each in place.
|
|
||||||
# Not optimal for "compress relatively few, large files" scenario!
|
|
||||||
|
|
||||||
# How many xz's to run in parallel:
|
|
||||||
procgroup=""
|
|
||||||
while test "$#" != 0; do
|
|
||||||
# Get it from -jNUM
|
|
||||||
N="${1#-j}"
|
|
||||||
if test "$N" = "$1"; then
|
|
||||||
# Not -j<something> - warn and ignore
|
|
||||||
echo "parallel_xz: warning: unrecognized argument: '$1'"
|
|
||||||
else
|
|
||||||
procgroup="$N"
|
|
||||||
fi
|
|
||||||
shift
|
|
||||||
done
|
|
||||||
|
|
||||||
# If told to use only one cpu:
|
|
||||||
test "$procgroup" || exec xargs -r xz
|
|
||||||
test "$procgroup" = 1 && exec xargs -r xz
|
|
||||||
|
|
||||||
# xz has some startup cost. If files are really small,
|
|
||||||
# this cost might be significant. To combat this,
|
|
||||||
# process several files (in sequence) by each xz process via -n 16:
|
|
||||||
exec xargs -r -n 16 -P $procgroup xz
|
|
0
pkg/fedora/kernel-surface/patches/.gitkeep
Normal file
0
pkg/fedora/kernel-surface/patches/.gitkeep
Normal file
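--- a/pkg/fedora/kernel-surface/patches/0001-iptsd.patch
+++ b/pkg/fedora/kernel-surface/patches/0001-iptsd.patch
@@ -0,0 +1,25 @@
+From 5fc0582727cb64230d1c2ac02001263f92a9b82c Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sun, 14 May 2023 09:21:43 +0200
+Subject: [PATCH] Pull in iptsd as a weak dependency
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+redhat/kernel.spec.template | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..d61276b49d95 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -938,6 +938,7 @@ Requires(pre): %{kernel_prereq}\
+Requires(pre): %{initrd_prereq}\
+Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\
+Recommends: linux-firmware\
++Recommends: iptsd\
+Requires(preun): systemd >= 200\
+Conflicts: xfsprogs < 4.3.0-1\
+Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
+--
+2.40.1
+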
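--- a/pkg/fedora/kernel-surface/patches/0002-provides.patch
+++ b/pkg/fedora/kernel-surface/patches/0002-provides.patch
@@ -0,0 +1,57 @@
+From 4f7a333fc3dbacc4b3fa25ea117cb59f865878af Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sun, 14 May 2023 15:04:22 +0200
+Subject: [PATCH] Let kernel-surface provide the standard package names
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+redhat/kernel.spec.template | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..2d91719b7d93 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -598,6 +598,7 @@ Requires: kernel-core-uname-r = %{KVERREL}
+Requires: kernel-modules-uname-r = %{KVERREL}
+Requires: kernel-modules-core-uname-r = %{KVERREL}
+Provides: installonlypkg(kernel)
++Provides: kernel = %{KVERREL}
+%endif
+
+
+@@ -1226,6 +1227,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2}
+Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{specrpmversion}-%{release}\
+Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\
+Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\
++Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\
+Provides: installonlypkg(kernel)\
+AutoReqProv: no\
+Requires(pre): findutils\
+@@ -1255,6 +1257,7 @@ against the %{?2:%{2} }kernel package.\
+Summary: Meta package to install matching core and devel packages for a given %{?2:%{2} }kernel\
+Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\
+Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\
++Provides: kernel-devel-matched = %{specrpmversion}-%{release}\
+%description %{?1:%{1}-}devel-matched\
+This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\
+%{nil}
+@@ -1373,6 +1376,7 @@ Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\
+Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\
+Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\
+Provides: installonlypkg(kernel)\
++Provides: kernel = %{KVERREL}+%{1}\
+%description %{1}\
+The meta-package for the %{1} kernel\
+%{nil}
+@@ -1387,6 +1391,7 @@ The meta-package for the %{1} kernel\
+Summary: %{variant_summary}\
+Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\
+Provides: installonlypkg(kernel)\
++Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\
+%if %{-m:1}%{!-m:0}\
+Requires: kernel-core-uname-r = %{KVERREL}\
+Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
+--
+2.40.1
+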
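--- a/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch
+++ b/pkg/fedora/kernel-surface/patches/0003-obsoletes.patch
@@ -0,0 +1,29 @@
+From 084f48d80c730162805d654325934843cd12db94 Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sun, 14 May 2023 18:16:38 +0200
+Subject: [PATCH] Let kernel-surface conflict with older versions of the
+package
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+redhat/kernel.spec.template | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 2d91719b7d93..9ad0c720d467 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -599,6 +599,10 @@ Requires: kernel-modules-uname-r = %{KVERREL}
+Requires: kernel-modules-core-uname-r = %{KVERREL}
+Provides: installonlypkg(kernel)
+Provides: kernel = %{KVERREL}
++
++Conflicts: kernel-surface < 6.3.6-1
++Obsoletes: kernel-surface < 6.3.6-1
++
+%endif
+
+
+--
+2.40.1
+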
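--- a/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch
+++ b/pkg/fedora/kernel-surface/patches/0004-default-kernel.patch
@@ -0,0 +1,50 @@
+From 5d16b0aca7c07c1e3df5c47c61f5b6f402dd987b Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sat, 3 Jun 2023 11:47:02 +0200
+Subject: [PATCH] Install scripts and service files for keeping the surface
+kernel the default
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+redhat/kernel.spec.template | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 9ad0c720d467..5a367c936e05 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -911,6 +911,10 @@ Source4000: README.rst
+Source4001: rpminspect.yaml
+Source4002: gating.yaml
+
++Source4100: linux-surface-default-kernel.path
++Source4101: linux-surface-default-kernel.service
++Source4102: linux-surface-default-kernel.sh
++
+## Patches needed for building this package
+
+%if !%{nopatches}
+@@ -2674,6 +2678,10 @@ find Documentation -type d | xargs chmod u+w
+
+cd linux-%{KVERREL}
+
++install -D -m644 "%{SOURCE4100}" -t "%{buildroot}%{_unitdir}"
++install -D -m644 "%{SOURCE4101}" -t "%{buildroot}%{_unitdir}"
++install -D -m755 "%{SOURCE4102}" -t "%{buildroot}%{_bindir}"
++
+%if %{with_doc}
+docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease}
+
+@@ -3331,6 +3339,9 @@ fi
+%ghost %attr(0600, root, root) /boot/symvers-%{KVERREL}%{?3:+%{3}}.gz\
+%ghost %attr(0600, root, root) /boot/initramfs-%{KVERREL}%{?3:+%{3}}.img\
+%ghost %attr(0644, root, root) /boot/config-%{KVERREL}%{?3:+%{3}}\
++%{_bindir}/linux-surface-default-kernel.sh\
++%{_unitdir}/linux-surface-default-kernel.path\
++%{_unitdir}/linux-surface-default-kernel.service\
+%{expand:%%files -f kernel-%{?3:%{3}-}modules-core.list %{?3:%{3}-}modules-core}\
+%dir /lib/modules\
+%dir /lib/modules/%{KVERREL}%{?3:+%{3}}\
+--
+2.40.1
+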
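Review bot: The `.path` and `.service` units added as `Source4100`/`Source4101` are installed and listed under `%files`, but this patch adds no scriptlet for them, so whether `linux-surface-default-kernel.path` is ever activated depends on a preset or scriptlet that is not visible here. If the package is meant to handle this itself, the owning subpackage would normally call `%systemd_post linux-surface-default-kernel.path` and `%systemd_preun linux-surface-default-kernel.path`; if a preset shipped elsewhere does it, a comment above the `install` lines such as `# enabled via preset in <package>` would record that. The three `%files` entries sit inside the per-variant macro (the lines end in `\` next to `%{?3:+%{3}}` paths), so each variant built from this template would own the same paths; worth confirming that is intended.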
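--- a/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch
+++ b/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch
@@ -0,0 +1,60 @@
+From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sat, 13 May 2023 16:39:50 +0200
+Subject: [PATCH] Use a custom key and certificate for Secure Boot signing
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+redhat/kernel.spec.template | 15 +++++++++------
+1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..76d1ad8e2818 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs
+%ifarch x86_64 aarch64
+BuildRequires: nss-tools
+BuildRequires: pesign >= 0.10-4
++BuildRequires: sbsigntools
+%endif
+%endif
+%endif
+@@ -762,6 +763,13 @@ Source1: Makefile.rhelver
+%define signing_key_filename kernel-signing-s390.cer
+%endif
+
++%ifarch x86_64 aarch64
++
++Source7001: MOK.key
++Source7002: MOK.crt
++
++%endif
++
+%if %{?released_kernel}
+
+Source10: redhatsecurebootca5.cer
+@@ -1860,9 +1868,7 @@ BuildKernel() {
+fi
+
+%ifarch x86_64 aarch64
+- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+- rm vmlinuz.tmp
++ sbsign --key %{SOURCE7001} --cert %{SOURCE7002} --output vmlinuz.signed $SignImage
+%endif
+%ifarch s390x ppc64le
+if [ -x /usr/bin/rpm-sign ]; then
+@@ -2393,9 +2399,6 @@ BuildKernel() {
+# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
+%ifarch x86_64 aarch64
+- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+%else
+install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+%endif
+--
+2.40.1
+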
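Review bot: `Source7001: MOK.key` registers the Secure Boot private key as a package source, and rpmbuild bundles every `SourceN` file into the source RPM, so any build from this spec that also writes an SRPM would carry the signing key inside it. Either add `NoSource: 7001` next to the `Source7001` line or hand the key path to `sbsign --key` through a macro defined on the rpmbuild command line, and keep SRPMs from this spec out of published artifacts. Separately, the last hunk removes the `kernel-signing-ca*.cer` installs for x86_64/aarch64 without installing `%{SOURCE7002}` in their place, so the package no longer carries the certificate matching its signature. Adding `install -m 0644 %{SOURCE7002} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer` would restore that, assuming the `%files` list outside this patch still expects the path. `BuildKernel()` starts and ends outside both hunks that touch it.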
|
@ -1,117 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Default to using the first specfile in the current directory
|
|
||||||
SPEC="*.spec"
|
|
||||||
OPTS="-ba"
|
|
||||||
|
|
||||||
SIGN=0
|
|
||||||
KEY=""
|
|
||||||
|
|
||||||
BUILD=".build"
|
|
||||||
RPMS="out"
|
|
||||||
|
|
||||||
usage() {
|
|
||||||
echo "Usage: $0 [OPTION]..."
|
|
||||||
echo "Wrapper for rpmbuild that is easier to use."
|
|
||||||
echo
|
|
||||||
echo "Options:"
|
|
||||||
echo " -h This help message"
|
|
||||||
echo " -f The specfile to build from"
|
|
||||||
echo " -c Clean the build artifacts"
|
|
||||||
echo " -s Sign the produced RPM packages"
|
|
||||||
echo " -k The GPG key to use for signing"
|
|
||||||
exit
|
|
||||||
}
|
|
||||||
|
|
||||||
clean() {
|
|
||||||
rm -rf $BUILD
|
|
||||||
rm -rf $RPMS
|
|
||||||
exit
|
|
||||||
}
|
|
||||||
|
|
||||||
while getopts ":hcsf:k:" args; do
|
|
||||||
case "$args" in
|
|
||||||
f)
|
|
||||||
SPEC=$OPTARG
|
|
||||||
;;
|
|
||||||
s)
|
|
||||||
SIGN=1
|
|
||||||
;;
|
|
||||||
k)
|
|
||||||
KEY=$OPTARG
|
|
||||||
;;
|
|
||||||
c)
|
|
||||||
clean
|
|
||||||
;;
|
|
||||||
h)
|
|
||||||
usage
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
shift $((OPTIND-1))
|
|
||||||
|
|
||||||
if [ ! "$*" = "" ]; then
|
|
||||||
OPTS="$*"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if the specfile exists
|
|
||||||
if [ "$(ls -f $SPEC | wc -l)" = "0" ]; then
|
|
||||||
echo "ERROR: No specfile found. Specify it with the -s option."
|
|
||||||
exit -2
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if there are too many specfiles
|
|
||||||
if [ ! "$(ls -f $SPEC | wc -l)" = "1" ]; then
|
|
||||||
echo "ERROR: Ambiguous matches for specfile. Please specify a single" \
|
|
||||||
"file through the -s option."
|
|
||||||
exit -7
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Get the directory of the specfile
|
|
||||||
SPEC=$(ls -f $SPEC)
|
|
||||||
DIR=$(readlink -f $(dirname $SPEC))
|
|
||||||
|
|
||||||
if [ ! -d "$DIR/$BUILD" ]; then
|
|
||||||
mkdir "$DIR/$BUILD"
|
|
||||||
fi
|
|
||||||
|
|
||||||
FILES=$(find $DIR -maxdepth 1);
|
|
||||||
for file in $FILES; do
|
|
||||||
[ "$file" = "$DIR" ] && continue
|
|
||||||
[ "$file" = "$DIR/$BUILD" ] && continue
|
|
||||||
[ "$file" = "$DIR/$RPMS" ] && continue
|
|
||||||
|
|
||||||
cp -r "$file" "$DIR/$BUILD"
|
|
||||||
done
|
|
||||||
|
|
||||||
spectool \
|
|
||||||
--define "_sourcedir $DIR/$BUILD" \
|
|
||||||
--define "_builddir $DIR/$BUILD" \
|
|
||||||
--define "_srcrpmdir $DIR/$RPMS" \
|
|
||||||
--define "_rpmdir $DIR/$RPMS" \
|
|
||||||
--define "_specdir $DIR" \
|
|
||||||
--get-files --all \
|
|
||||||
--directory $DIR/$BUILD $SPEC
|
|
||||||
|
|
||||||
echo
|
|
||||||
|
|
||||||
rpmbuild \
|
|
||||||
--define "_sourcedir $DIR/$BUILD" \
|
|
||||||
--define "_builddir $DIR/$BUILD" \
|
|
||||||
--define "_srcrpmdir $DIR/$RPMS" \
|
|
||||||
--define "_rpmdir $DIR/$RPMS" \
|
|
||||||
--define "_specdir $DIR" \
|
|
||||||
$OPTS $SPEC
|
|
||||||
|
|
||||||
if [ ! "$SIGN" = "1" ]; then
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
for file in $(find out/ -name '*.rpm'); do
|
|
||||||
echo "Signing $file"
|
|
||||||
if [ "$KEY" = "" ]; then
|
|
||||||
rpm --resign $file 2>&1 > /dev/null
|
|
||||||
else
|
|
||||||
rpm --resign $file --define "_gpg_name $KEY" 2>&1 > /dev/null
|
|
||||||
fi
|
|
||||||
done
|
|