pkg: fedora: Add support for Fedora 34
Also disable secureboot signing by default, and explicitly enable it in the CI. This makes local builds easier, where you dont have the secureboot CA available. Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
This commit is contained in:
parent
adbe1575e3
commit
cc0bb9cffb
2
.github/workflows/fedora-32.yml
vendored
2
.github/workflows/fedora-32.yml
vendored
|
@ -38,7 +38,7 @@ jobs:
|
|||
cd pkg/fedora/kernel-surface
|
||||
|
||||
# Build the .rpm packages
|
||||
../makerpm
|
||||
../makerpm -- --with=signkernel -ba
|
||||
|
||||
- name: Sign packages
|
||||
env:
|
||||
|
|
2
.github/workflows/fedora-33.yml
vendored
2
.github/workflows/fedora-33.yml
vendored
|
@ -38,7 +38,7 @@ jobs:
|
|||
cd pkg/fedora/kernel-surface
|
||||
|
||||
# Build the .rpm packages
|
||||
../makerpm
|
||||
../makerpm -- --with=signkernel -ba
|
||||
|
||||
- name: Sign packages
|
||||
env:
|
||||
|
|
128
.github/workflows/fedora-34.yml
vendored
Normal file
128
.github/workflows/fedora-34.yml
vendored
Normal file
|
@ -0,0 +1,128 @@
|
|||
on:
|
||||
push:
|
||||
tags:
|
||||
- 'fedora-34-*'
|
||||
|
||||
name: Fedora 34
|
||||
|
||||
env:
|
||||
GPG_KEY_ID: 56C464BAAC421453
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build Kernel
|
||||
runs-on: ubuntu-latest
|
||||
container: fedora:34
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Install build dependencies
|
||||
run: |
|
||||
dnf distro-sync -y
|
||||
dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
|
||||
dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
|
||||
|
||||
- name: Setup secureboot certificate
|
||||
env:
|
||||
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
||||
run: |
|
||||
cd pkg
|
||||
|
||||
# Install the surface secureboot certificate
|
||||
echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
|
||||
cp keys/surface.crt fedora/kernel-surface/surface.crt
|
||||
|
||||
- name: Build packages
|
||||
run: |
|
||||
cd pkg/fedora/kernel-surface
|
||||
|
||||
# Build the .rpm packages
|
||||
../makerpm -- --with=signkernel -ba
|
||||
|
||||
- name: Sign packages
|
||||
env:
|
||||
GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
|
||||
run: |
|
||||
cd pkg/fedora/kernel-surface/out/x86_64
|
||||
|
||||
# import GPG key
|
||||
echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
|
||||
|
||||
# sign packages
|
||||
rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"
|
||||
|
||||
- name: Upload artifacts
|
||||
uses: actions/upload-artifact@v1
|
||||
with:
|
||||
name: fedora-34-latest
|
||||
path: pkg/fedora/kernel-surface/out/x86_64
|
||||
|
||||
release:
|
||||
name: Publish release
|
||||
needs: [build]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Download artifacts
|
||||
uses: actions/download-artifact@v1
|
||||
with:
|
||||
name: fedora-34-latest
|
||||
|
||||
- name: Upload assets
|
||||
uses: svenstaro/upload-release-action@v1-release
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_BOT_TOKEN }}
|
||||
file: ./*-latest/*
|
||||
tag: ${{ github.ref }}
|
||||
overwrite: true
|
||||
file_glob: true
|
||||
|
||||
repo:
|
||||
name: Update package repository
|
||||
needs: [release]
|
||||
runs-on: ubuntu-latest
|
||||
container: fedora:34
|
||||
steps:
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
dnf install -y git findutils
|
||||
|
||||
- name: Download artifacts
|
||||
uses: actions/download-artifact@v1
|
||||
with:
|
||||
name: fedora-34-latest
|
||||
|
||||
- name: Update repository
|
||||
env:
|
||||
SURFACEBOT_TOKEN: ${{ secrets.GITHUB_BOT_TOKEN }}
|
||||
BRANCH_STAGING: u/staging
|
||||
GIT_REF: ${{ github.ref }}
|
||||
run: |
|
||||
repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
|
||||
|
||||
# clone package repository
|
||||
git clone -b "${BRANCH_STAGING}" "${repo}" repo
|
||||
|
||||
# copy packages
|
||||
cp fedora-34-latest/* repo/fedora/f34
|
||||
cd repo/fedora/f34
|
||||
|
||||
# parse git tag from ref
|
||||
GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
|
||||
|
||||
# convert packages into references
|
||||
for pkg in $(find . -name '*.rpm'); do
|
||||
echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob
|
||||
rm $pkg
|
||||
done
|
||||
|
||||
# set git identity
|
||||
git config --global user.email "surfacebot@users.noreply.github.com"
|
||||
git config --global user.name "surfacebot"
|
||||
|
||||
# commit and push
|
||||
update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
|
||||
git checkout -b "${update_branch}"
|
||||
git add .
|
||||
git commit -m "Update Fedora 34 kernel"
|
||||
git push --set-upstream origin "${update_branch}"
|
|
@ -2,12 +2,18 @@
|
|||
# Definitions to configure the kernel we want to build
|
||||
#
|
||||
|
||||
%global kernel_tag_fc34 kernel-5.11.5-300.fc34
|
||||
%global kernel_tag_fc33 kernel-5.10.21-200.fc33
|
||||
%global kernel_tag_fc32 kernel-5.10.21-100.fc32
|
||||
|
||||
%global kernel_release_fc34 1
|
||||
%global kernel_release_fc33 1
|
||||
%global kernel_release_fc32 1
|
||||
|
||||
# This is what is printed in the GRUB menu. These cannot be fetched from the
|
||||
# buildhost, because in a container this will also say container. To get the
|
||||
# same text as the default kernels, just hardcode it. Hey, this is important!
|
||||
%global fedora_title_fc34 34 (Thirty Four)
|
||||
%global fedora_title_fc33 33 (Thirty Three)
|
||||
%global fedora_title_fc32 32 (Thirty Two)
|
||||
|
||||
|
@ -41,6 +47,8 @@
|
|||
# Actual specfile starts here
|
||||
#
|
||||
|
||||
%bcond_with signkernel
|
||||
|
||||
Name: kernel-surface
|
||||
Summary: The Linux Kernel with patches for Microsoft Surface
|
||||
Version: %{kernel_version}
|
||||
|
@ -81,12 +89,29 @@ Source0: %{fedora_source}/archive/%{kernel_tag}.tar.gz
|
|||
Source1: %{surface_source}/configs/surface-%{kernel_majorver}.config
|
||||
Source2: fedora.config
|
||||
|
||||
%if %{with signkernel}
|
||||
Source20: %{sb_crt}
|
||||
Source21: %{sb_key}
|
||||
%endif
|
||||
|
||||
Source100: mod-sign.sh
|
||||
Source101: parallel_xz.sh
|
||||
|
||||
%if "%{kernel_majorver}" == "5.11"
|
||||
|
||||
Patch0: %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch
|
||||
Patch1: %{surface_source}/%{kernel_patches}/0002-wifi.patch
|
||||
Patch2: %{surface_source}/%{kernel_patches}/0003-ipts.patch
|
||||
Patch3: %{surface_source}/%{kernel_patches}/0004-surface-sam-over-hid.patch
|
||||
Patch4: %{surface_source}/%{kernel_patches}/0005-surface-sam.patch
|
||||
Patch5: %{surface_source}/%{kernel_patches}/0006-surface-hotplug.patch
|
||||
Patch6: %{surface_source}/%{kernel_patches}/0007-surface-typecover.patch
|
||||
Patch7: %{surface_source}/%{kernel_patches}/0008-surface-sensors.patch
|
||||
Patch8: %{surface_source}/%{kernel_patches}/0009-cameras.patch
|
||||
Patch9: %{surface_source}/%{kernel_patches}/0010-ath10k-firmware-override.patch
|
||||
|
||||
%else
|
||||
|
||||
Patch0: %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch
|
||||
Patch1: %{surface_source}/%{kernel_patches}/0002-wifi.patch
|
||||
Patch2: %{surface_source}/%{kernel_patches}/0003-ipts.patch
|
||||
|
@ -99,6 +124,8 @@ Patch8: %{surface_source}/%{kernel_patches}/0009-surface-sensors.patch
|
|||
Patch9: %{surface_source}/%{kernel_patches}/0010-cameras.patch
|
||||
Patch10: %{surface_source}/%{kernel_patches}/0011-ath10k-firmware-override.patch
|
||||
|
||||
%endif
|
||||
|
||||
Patch100: 0001-Add-secureboot-pre-signing-to-the-kernel.patch
|
||||
|
||||
ExclusiveArch: x86_64
|
||||
|
@ -121,7 +148,7 @@ This package provides kernel headers and makefiles sufficient to build modules
|
|||
against the kernel-surface package.
|
||||
|
||||
%prep
|
||||
%autosetup -S git_am -n linux-fedora-%{kernel_tag}
|
||||
%autosetup -p1 -n linux-fedora-%{kernel_tag}
|
||||
|
||||
scripts/kconfig/merge_config.sh \
|
||||
fedora/configs/%{kernel_config} \
|
||||
|
@ -131,11 +158,11 @@ scripts/kconfig/merge_config.sh \
|
|||
echo $((%{kernel_release} - 1)) > .version
|
||||
|
||||
# Copy secureboot certificates if they are available
|
||||
if [ -f "%{SOURCE20}" ] && [ -f "%{SOURCE21}" ]; then
|
||||
mkdir -p keys
|
||||
cp %{SOURCE20} keys/MOK.crt
|
||||
cp %{SOURCE21} keys/MOK.key
|
||||
fi
|
||||
%if %{with signkernel}
|
||||
mkdir -p keys
|
||||
cp %{SOURCE20} keys/MOK.crt
|
||||
cp %{SOURCE21} keys/MOK.key
|
||||
%endif
|
||||
|
||||
# This Prevents scripts/setlocalversion from mucking with our version numbers.
|
||||
touch .scmversion
|
||||
|
|
|
@ -50,8 +50,8 @@ while getopts ":hcsf:k:" args; do
|
|||
done
|
||||
shift $((OPTIND-1))
|
||||
|
||||
if [ ! "$@" = "" ]; then
|
||||
OPTS="$@"
|
||||
if [ ! "$*" = "" ]; then
|
||||
OPTS="$*"
|
||||
fi
|
||||
|
||||
# Check if the specfile exists
|
||||
|
|
Loading…
Reference in a new issue