Alternative AlmaLinux 8 kernel based on the mainline branch #11
BIN
SOURCES/almalinuxdup1.x509
Normal file
BIN
SOURCES/almalinuxdup1.x509
Normal file
Binary file not shown.
BIN
SOURCES/almalinuxkpatch1.x509
Normal file
BIN
SOURCES/almalinuxkpatch1.x509
Normal file
Binary file not shown.
BIN
SOURCES/almalinuxsecurebootca0.cer
Normal file
BIN
SOURCES/almalinuxsecurebootca0.cer
Normal file
Binary file not shown.
69
SOURCES/mod-sign.sh
Executable file
69
SOURCES/mod-sign.sh
Executable file
@ -0,0 +1,69 @@
|
|||||||
|
#! /bin/bash
|
||||||
|
|
||||||
|
# The modules_sign target checks for corresponding .o files for every .ko that
|
||||||
|
# is signed. This doesn't work for package builds which re-use the same build
|
||||||
|
# directory for every variant, and the .config may change between variants.
|
||||||
|
# So instead of using this script to just sign lib/modules/$KernelVer/extra,
|
||||||
|
# sign all .ko in the buildroot.
|
||||||
|
|
||||||
|
# This essentially duplicates the 'modules_sign' Kbuild target and runs the
|
||||||
|
# same commands for those modules.
|
||||||
|
|
||||||
|
MODSECKEY=$1
|
||||||
|
MODPUBKEY=$2
|
||||||
|
moddir=$3
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
modules=$(find "$moddir" -type f -name '*.ko*')
|
||||||
|
|
||||||
|
NPROC=$(nproc)
|
||||||
|
[ -z "$NPROC" ] && NPROC=1
|
||||||
|
|
||||||
|
# NB: this loop runs 2000+ iterations. Try to be fast.
|
||||||
|
echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
|
||||||
|
for mod; do
|
||||||
|
module_basename=\${mod:0:-3}
|
||||||
|
module_suffix=\${mod: -3}
|
||||||
|
|
||||||
|
if [[ "\$module_suffix" == ".xz" ]]; then
|
||||||
|
unxz \$mod
|
||||||
|
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
|
||||||
|
xz -f \$module_basename
|
||||||
|
elif [[ "\$module_suffix" == ".gz" ]]; then
|
||||||
|
gunzip \$mod
|
||||||
|
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
|
||||||
|
gzip -9f \$module_basename
|
||||||
|
else
|
||||||
|
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f \$module_basename.sig \$module_basename.dig
|
||||||
|
done
|
||||||
|
" DUMMYARG0 # xargs appends ARG1 ARG2..., which go into $mod in for loop.
|
||||||
|
|
||||||
|
RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
|
||||||
|
rand_module_basename=${RANDOMMOD:0:-3}
|
||||||
|
rand_module_suffix=${RANDOMMOD: -3}
|
||||||
|
if [[ "$rand_module_suffix" == ".xz" ]]; then
|
||||||
|
unxz $RANDOMMOD
|
||||||
|
elif [[ "$rand_module_suffix" == ".gz" ]]; then
|
||||||
|
gunzip $RANDOMMOD
|
||||||
|
else
|
||||||
|
rand_module_basename=$RANDOMMOD
|
||||||
|
fi
|
||||||
|
if [ "~Module signature appended~" != "$(tail -c 28 "$rand_module_basename")" ]; then
|
||||||
|
echo "*****************************"
|
||||||
|
echo "*** Modules are unsigned! ***"
|
||||||
|
echo "*****************************"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [[ "$rand_module_suffix" == ".xz" ]]; then
|
||||||
|
xz -f $rand_module_basename
|
||||||
|
elif [[ "$rand_module_suffix" == ".gz" ]]; then
|
||||||
|
gzip -9f $rand_module_basename
|
||||||
|
else
|
||||||
|
true
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
16
SOURCES/x509.genkey
Normal file
16
SOURCES/x509.genkey
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
[ req ]
|
||||||
|
default_bits = 3072
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
prompt = no
|
||||||
|
x509_extensions = myexts
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
O = AlmaLinux
|
||||||
|
CN = AlmaLinux kernel signing key
|
||||||
|
emailAddress = security@almalinux.org
|
||||||
|
|
||||||
|
[ myexts ]
|
||||||
|
basicConstraints=critical,CA:FALSE
|
||||||
|
keyUsage=digitalSignature
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid
|
@ -34,11 +34,17 @@
|
|||||||
# vsdo install
|
# vsdo install
|
||||||
%define with_vdso_install %{?_without_vdso_install: 0} %{?!_without_vdso_install: 1}
|
%define with_vdso_install %{?_without_vdso_install: 0} %{?!_without_vdso_install: 1}
|
||||||
|
|
||||||
|
# Compress modules on all architectures that build modules.
|
||||||
|
%ifarch x86_64
|
||||||
|
%global zipmodules 1
|
||||||
|
%else
|
||||||
|
%global zipmodules 0
|
||||||
|
%endif
|
||||||
|
|
||||||
# Kernel-ml, devel, headers, perf, tools and bpftool.
|
# Kernel-ml, devel, headers, perf, tools and bpftool.
|
||||||
%ifarch x86_64
|
%ifarch x86_64
|
||||||
%define with_doc 0
|
%define with_doc 0
|
||||||
%define doc_build_fail true
|
%define doc_build_fail true
|
||||||
%define zipmodules 1
|
|
||||||
### as of kernel-ml-6.5.4, no more bpftool -ay
|
### as of kernel-ml-6.5.4, no more bpftool -ay
|
||||||
%define with_bpftool 0
|
%define with_bpftool 0
|
||||||
%endif
|
%endif
|
||||||
@ -51,7 +57,6 @@
|
|||||||
%define with_tools 0
|
%define with_tools 0
|
||||||
%define with_bpftool 0
|
%define with_bpftool 0
|
||||||
%define with_vdso_install 0
|
%define with_vdso_install 0
|
||||||
%define zipmodules 0
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Compressed modules.
|
# Compressed modules.
|
||||||
@ -72,6 +77,21 @@
|
|||||||
# Set pkg_release.
|
# Set pkg_release.
|
||||||
%define pkg_release 1%{?dist}%{?buildid}
|
%define pkg_release 1%{?dist}%{?buildid}
|
||||||
|
|
||||||
|
# Architectures upon which we can sign the kernel
|
||||||
|
# for secure boot authentication.
|
||||||
|
%ifarch x86_64 || aarch64
|
||||||
|
%global signkernel 1
|
||||||
|
%else
|
||||||
|
%global signkernel 0
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Sign modules on all architectures that build modules.
|
||||||
|
%ifarch x86_64 || aarch64
|
||||||
|
%global signmodules 1
|
||||||
|
%else
|
||||||
|
%global signmodules 0
|
||||||
|
%endif
|
||||||
|
|
||||||
%define KVERREL %{pkg_version}-%{pkg_release}.%{_target_cpu}
|
%define KVERREL %{pkg_version}-%{pkg_release}.%{_target_cpu}
|
||||||
|
|
||||||
# Packages that need to be present before kernel-ml is installed
|
# Packages that need to be present before kernel-ml is installed
|
||||||
@ -80,7 +100,7 @@
|
|||||||
%define initrd_prereq dracut >= 027
|
%define initrd_prereq dracut >= 027
|
||||||
|
|
||||||
Name: kernel-ml
|
Name: kernel-ml
|
||||||
Summary: The Linux kernel. (The core of any Linux-based operating system.)
|
Summary: Alternative AlmaLinux kernel based on the "mainline" branch. (The core of any Linux-based operating system.)
|
||||||
Group: System Environment/Kernel
|
Group: System Environment/Kernel
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: https://www.kernel.org/
|
URL: https://www.kernel.org/
|
||||||
@ -112,6 +132,12 @@ BuildRequires: asciidoc gettext libcap-devel libnl3-devel ncurses-devel pciutils
|
|||||||
%if %{with_bpftool}
|
%if %{with_bpftool}
|
||||||
BuildRequires: binutils-devel python3-docutils zlib-devel
|
BuildRequires: binutils-devel python3-docutils zlib-devel
|
||||||
%endif
|
%endif
|
||||||
|
%if %{signkernel} || %{signmodules}
|
||||||
|
BuildRequires: openssl
|
||||||
|
%if %{signkernel}
|
||||||
|
BuildRequires: nss-tools, pesign >= 0.10-4
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
BuildConflicts: rhbuildsys(DiskFree) < 500Mb
|
BuildConflicts: rhbuildsys(DiskFree) < 500Mb
|
||||||
|
|
||||||
# Sources.
|
# Sources.
|
||||||
@ -126,9 +152,18 @@ Source7: filter-x86_64.sh
|
|||||||
Source8: filter-modules.sh
|
Source8: filter-modules.sh
|
||||||
Source9: generate_bls_conf.sh
|
Source9: generate_bls_conf.sh
|
||||||
|
|
||||||
# To build .src.rpm, run with '--with src'
|
Source21: mod-sign.sh
|
||||||
%if %{?_with_src:0}%{!?_with_src:1}
|
Source23: x509.genkey
|
||||||
NoSource: 0
|
|
||||||
|
Source100: almalinuxdup1.x509
|
||||||
|
Source101: almalinuxkpatch1.x509
|
||||||
|
Source102: almalinuxsecurebootca0.cer
|
||||||
|
|
||||||
|
%if %{signkernel}
|
||||||
|
%define secureboot_ca_0 %{SOURCE102}
|
||||||
|
%define secureboot_key_0 %{SOURCE102}
|
||||||
|
|
||||||
|
%define pesign_name_0 almalinuxsecurebootca0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -408,6 +443,20 @@ fi
|
|||||||
%{__rm} -f newoptions-el8-%{_target_cpu}.txt
|
%{__rm} -f newoptions-el8-%{_target_cpu}.txt
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# Add DUP and kpatch certificates to system trusted keys for RHEL.
|
||||||
|
%if %{signkernel} || %{signmodules}
|
||||||
|
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
|
||||||
|
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
|
||||||
|
cat rheldup3.pem rhelkpatch1.pem > certs/rhel.pem
|
||||||
|
for i in config-%{version}-*; do
|
||||||
|
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
|
||||||
|
done
|
||||||
|
%else
|
||||||
|
for i in config-%{version}-*; do
|
||||||
|
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS=""@' $i
|
||||||
|
done
|
||||||
|
%endif
|
||||||
|
|
||||||
%{__mv} COPYING COPYING-%{version}
|
%{__mv} COPYING COPYING-%{version}
|
||||||
|
|
||||||
# Do not use ambiguous python shebangs. RHEL 8 now has a new script
|
# Do not use ambiguous python shebangs. RHEL 8 now has a new script
|
||||||
@ -436,6 +485,10 @@ pushd linux-%{KVERREL} > /dev/null
|
|||||||
|
|
||||||
%{__make} -s ARCH=%{_target_cpu} oldconfig
|
%{__make} -s ARCH=%{_target_cpu} oldconfig
|
||||||
|
|
||||||
|
%if %{signkernel} || %{signmodules}
|
||||||
|
cp %{SOURCE23} certs/
|
||||||
|
%endif
|
||||||
|
|
||||||
%{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} bzImage
|
%{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} bzImage
|
||||||
|
|
||||||
%{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} modules || exit 1
|
%{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} modules || exit 1
|
||||||
@ -535,6 +588,11 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
|
|||||||
%define __spec_install_post \
|
%define __spec_install_post \
|
||||||
%{__arch_install_post} \
|
%{__arch_install_post} \
|
||||||
%{__os_install_post} \
|
%{__os_install_post} \
|
||||||
|
if [ "%{signmodules}" -eq "1" ]; then \
|
||||||
|
cd linux-%{KVERREL} \
|
||||||
|
%{SOURCE21} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
|
||||||
|
cd - \
|
||||||
|
fi \
|
||||||
if [ "%{zipmodules}" -eq "1" ]; then \
|
if [ "%{zipmodules}" -eq "1" ]; then \
|
||||||
%{_bindir}/find $RPM_BUILD_ROOT/lib/modules/ -name '*.ko' -type f | \
|
%{_bindir}/find $RPM_BUILD_ROOT/lib/modules/ -name '*.ko' -type f | \
|
||||||
%{_bindir}/xargs --no-run-if-empty -P%{zcpu} %{__xz} \
|
%{_bindir}/xargs --no-run-if-empty -P%{zcpu} %{__xz} \
|
||||||
@ -551,6 +609,31 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
|
|||||||
# into consideration when performing disk space calculations. (See bz #530778)
|
# into consideration when performing disk space calculations. (See bz #530778)
|
||||||
dd if=/dev/zero of=$RPM_BUILD_ROOT/boot/initramfs-$KernelVer.img bs=1M count=20
|
dd if=/dev/zero of=$RPM_BUILD_ROOT/boot/initramfs-$KernelVer.img bs=1M count=20
|
||||||
|
|
||||||
|
%if %{signkernel}
|
||||||
|
# Sign the kernel image if we're using EFI.
|
||||||
|
# aarch64 kernels are gziped EFI images.
|
||||||
|
%ifarch x86_64
|
||||||
|
SignImage=arch/x86/boot/bzImage
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%ifarch aarch64
|
||||||
|
SignImage=arch/arm64/boot/Image
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||||
|
|
||||||
|
if [ ! -s vmlinuz.signed ]; then
|
||||||
|
echo "pesigning failed"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
mv vmlinuz.signed $SignImage
|
||||||
|
|
||||||
|
%ifarch aarch64
|
||||||
|
gzip -f9 $SignImage
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%{__cp} arch/x86/boot/bzImage $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
|
%{__cp} arch/x86/boot/bzImage $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
|
||||||
%{__chmod} 755 $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
|
%{__chmod} 755 $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
|
||||||
%{__cp} $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer $RPM_BUILD_ROOT/lib/modules/$KernelVer/vmlinuz
|
%{__cp} $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer $RPM_BUILD_ROOT/lib/modules/$KernelVer/vmlinuz
|
||||||
@ -778,6 +861,18 @@ popd > /dev/null
|
|||||||
%{_bindir}/find $RPM_BUILD_ROOT/usr/src/kernels -name '.*.cmd' -type f | \
|
%{_bindir}/find $RPM_BUILD_ROOT/usr/src/kernels -name '.*.cmd' -type f | \
|
||||||
%{_bindir}/xargs --no-run-if-empty %{__rm} -f
|
%{_bindir}/xargs --no-run-if-empty %{__rm} -f
|
||||||
|
|
||||||
|
# Red Hat UEFI Secure Boot CA certificate, which can be used to authenticate the kernel.
|
||||||
|
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}
|
||||||
|
%if %{signkernel}
|
||||||
|
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}/kernel-signing-ca.cer
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{signmodules}
|
||||||
|
# Save the signing keys so that we can sign the modules in __modsign_install_post.
|
||||||
|
cp certs/signing_key.pem certs/signing_key.pem.sign
|
||||||
|
cp certs/signing_key.x509 certs/signing_key.x509.sign
|
||||||
|
%endif
|
||||||
|
|
||||||
# Create a boot loader script configuration file for this kernel.
|
# Create a boot loader script configuration file for this kernel.
|
||||||
%{SOURCE9} $KernelVer $RPM_BUILD_ROOT ""
|
%{SOURCE9} $KernelVer $RPM_BUILD_ROOT ""
|
||||||
%endif
|
%endif
|
||||||
@ -1115,6 +1210,7 @@ fi
|
|||||||
/lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
|
/lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
|
||||||
/lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
|
/lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
|
||||||
/lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
|
/lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
|
||||||
|
%{_datadir}/doc/%{name}-keys/%{KVERREL}%{?3:+%{3}}\
|
||||||
%if %{1}\
|
%if %{1}\
|
||||||
/lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
|
/lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
|
||||||
%if 0\
|
%if 0\
|
||||||
|
Loading…
Reference in New Issue
Block a user