pkg: fedora: Add support for Fedora 34

Also disable secureboot signing by default, and explicitly enable it in the CI.
This makes local builds easier, where you dont have the secureboot CA available.

Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>

.github/workflows/fedora-32.yml

@@ -38,7 +38,7 @@ jobs:
         cd pkg/fedora/kernel-surface
 
         # Build the .rpm packages
-        ../makerpm
+        ../makerpm -- --with=signkernel -ba
 
     - name: Sign packages
       env:

.github/workflows/fedora-33.yml

@@ -38,7 +38,7 @@ jobs:
         cd pkg/fedora/kernel-surface
 
         # Build the .rpm packages
-        ../makerpm
+        ../makerpm -- --with=signkernel -ba
 
     - name: Sign packages
       env:

.github/workflows/fedora-34.yml

@@ -0,0 +1,128 @@
+on:
+  push:
+    tags:
+      - 'fedora-34-*'
+
+name: Fedora 34
+
+env:
+  GPG_KEY_ID: 56C464BAAC421453
+
+jobs:
+  build:
+    name: Build Kernel
+    runs-on: ubuntu-latest
+    container: fedora:34
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Install build dependencies
+      run: |
+        dnf distro-sync -y
+        dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
+        dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
+
+    - name: Setup secureboot certificate
+      env:
+        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+      run: |
+        cd pkg
+
+        # Install the surface secureboot certificate
+        echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
+        cp keys/surface.crt fedora/kernel-surface/surface.crt
+
+    - name: Build packages
+      run: |
+        cd pkg/fedora/kernel-surface
+
+        # Build the .rpm packages
+        ../makerpm -- --with=signkernel -ba
+
+    - name: Sign packages
+      env:
+        GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
+      run: |
+        cd pkg/fedora/kernel-surface/out/x86_64
+
+        # import GPG key
+        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
+
+        # sign packages
+        rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v1
+      with:
+        name: fedora-34-latest
+        path: pkg/fedora/kernel-surface/out/x86_64
+
+  release:
+    name: Publish release
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Download artifacts
+      uses: actions/download-artifact@v1
+      with:
+        name: fedora-34-latest
+
+    - name: Upload assets
+      uses: svenstaro/upload-release-action@v1-release
+      with:
+        repo_token: ${{ secrets.GITHUB_BOT_TOKEN }}
+        file: ./*-latest/*
+        tag: ${{ github.ref }}
+        overwrite: true
+        file_glob: true
+
+  repo:
+    name: Update package repository
+    needs: [release]
+    runs-on: ubuntu-latest
+    container: fedora:34
+    steps:
+    - name: Install dependencies
+      run: |
+        dnf install -y git findutils
+
+    - name: Download artifacts
+      uses: actions/download-artifact@v1
+      with:
+        name: fedora-34-latest
+
+    - name: Update repository
+      env:
+        SURFACEBOT_TOKEN: ${{ secrets.GITHUB_BOT_TOKEN }}
+        BRANCH_STAGING: u/staging
+        GIT_REF: ${{ github.ref }}
+      run: |
+        repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+        # clone package repository
+        git clone -b "${BRANCH_STAGING}" "${repo}" repo
+
+        # copy packages
+        cp fedora-34-latest/* repo/fedora/f34
+        cd repo/fedora/f34
+
+        # parse git tag from ref
+        GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
+
+        # convert packages into references
+        for pkg in $(find . -name '*.rpm'); do
+          echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob
+          rm $pkg
+        done
+
+        # set git identity
+        git config --global user.email "surfacebot@users.noreply.github.com"
+        git config --global user.name "surfacebot"
+
+        # commit and push
+        update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+        git checkout -b "${update_branch}"
+        git add .
+        git commit -m "Update Fedora 34 kernel"
+        git push --set-upstream origin "${update_branch}"

pkg/fedora/kernel-surface/kernel-surface.spec

@@ -2,12 +2,18 @@
 # Definitions to configure the kernel we want to build
 #
 
+%global kernel_tag_fc34 kernel-5.11.5-300.fc34
 %global kernel_tag_fc33 kernel-5.10.21-200.fc33
 %global kernel_tag_fc32 kernel-5.10.21-100.fc32
 
+%global kernel_release_fc34 1
 %global kernel_release_fc33 1
 %global kernel_release_fc32 1
 
+# This is what is printed in the GRUB menu. These cannot be fetched from the
+# buildhost, because in a container this will also say container. To get the
+# same text as the default kernels, just hardcode it. Hey, this is important!
+%global fedora_title_fc34 34 (Thirty Four)
 %global fedora_title_fc33 33 (Thirty Three)
 %global fedora_title_fc32 32 (Thirty Two)
 
@@ -41,6 +47,8 @@
 # Actual specfile starts here
 #
 
+%bcond_with signkernel
+
 Name:       kernel-surface
 Summary:    The Linux Kernel with patches for Microsoft Surface
 Version:    %{kernel_version}
@@ -81,12 +89,29 @@ Source0:    %{fedora_source}/archive/%{kernel_tag}.tar.gz
 Source1:    %{surface_source}/configs/surface-%{kernel_majorver}.config
 Source2:    fedora.config
 
+%if %{with signkernel}
 Source20:   %{sb_crt}
 Source21:   %{sb_key}
+%endif
 
 Source100:  mod-sign.sh
 Source101:  parallel_xz.sh
 
+%if "%{kernel_majorver}" == "5.11"
+
+Patch0:     %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch
+Patch1:     %{surface_source}/%{kernel_patches}/0002-wifi.patch
+Patch2:     %{surface_source}/%{kernel_patches}/0003-ipts.patch
+Patch3:     %{surface_source}/%{kernel_patches}/0004-surface-sam-over-hid.patch
+Patch4:     %{surface_source}/%{kernel_patches}/0005-surface-sam.patch
+Patch5:     %{surface_source}/%{kernel_patches}/0006-surface-hotplug.patch
+Patch6:     %{surface_source}/%{kernel_patches}/0007-surface-typecover.patch
+Patch7:     %{surface_source}/%{kernel_patches}/0008-surface-sensors.patch
+Patch8:     %{surface_source}/%{kernel_patches}/0009-cameras.patch
+Patch9:     %{surface_source}/%{kernel_patches}/0010-ath10k-firmware-override.patch
+
+%else
+
 Patch0:     %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch
 Patch1:     %{surface_source}/%{kernel_patches}/0002-wifi.patch
 Patch2:     %{surface_source}/%{kernel_patches}/0003-ipts.patch
@@ -99,6 +124,8 @@ Patch8:     %{surface_source}/%{kernel_patches}/0009-surface-sensors.patch
 Patch9:     %{surface_source}/%{kernel_patches}/0010-cameras.patch
 Patch10:    %{surface_source}/%{kernel_patches}/0011-ath10k-firmware-override.patch
 
+%endif
+
 Patch100:   0001-Add-secureboot-pre-signing-to-the-kernel.patch
 
 ExclusiveArch: x86_64
@@ -121,7 +148,7 @@ This package provides kernel headers and makefiles sufficient to build modules
 against the kernel-surface package.
 
 %prep
-%autosetup -S git_am -n linux-fedora-%{kernel_tag}
+%autosetup -p1 -n linux-fedora-%{kernel_tag}
 
 scripts/kconfig/merge_config.sh         \
 	fedora/configs/%{kernel_config} \
@@ -131,11 +158,11 @@ scripts/kconfig/merge_config.sh         \
 echo $((%{kernel_release} - 1)) > .version
 
 # Copy secureboot certificates if they are available
-if [ -f "%{SOURCE20}" ] && [ -f "%{SOURCE21}" ]; then
-	mkdir -p keys
-	cp %{SOURCE20} keys/MOK.crt
-	cp %{SOURCE21} keys/MOK.key
-fi
+%if %{with signkernel}
+mkdir -p keys
+cp %{SOURCE20} keys/MOK.crt
+cp %{SOURCE21} keys/MOK.key
+%endif
 
 # This Prevents scripts/setlocalversion from mucking with our version numbers.
 touch .scmversion

pkg/fedora/makerpm

@@ -50,8 +50,8 @@ while getopts ":hcsf:k:" args; do
 done
 shift $((OPTIND-1))
 
-if [ ! "$@" = "" ]; then
-	OPTS="$@"
+if [ ! "$*" = "" ]; then
+	OPTS="$*"
 fi
 
 # Check if the specfile exists