rpms/rpm
7
0
Fork 0
Code Issues Pull Requests Releases Activity
883db33fa0
rpm/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
CentOS Sources 883db33fa0 import rpm-4.14.3-15.el8
2021-09-10 03:58:54 +00:00

49 lines
2.0 KiB
Diff
Raw Blame History

commit cfdb8300f6e3aed0abc41406a3c4737eb1192067
Author: Michal Domonkos <mdomonko@redhat.com>
Date: Sun Jul 11 18:08:26 2021 +0200
Don't brp-strip .ko files
Otherwise SecureBoot signatures may be stripped too.
We used to exclude shared libraries from this strip as they were
supposed to be covered by another brp script (brp-strip-shared), however
it turned out the latter was never really used, so we removed the
exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
As it turns out, that was a little too ambitious, since we may now
inadvertently strip SecureBoot signatures from kernel modules too,
provided that they're made during the build, prior to the invocation of
brp-strip.
Note that this regression currently does *not* affect the following two
cases on Fedora/RHEL systems with redhat-rpm-config installed:
- in-tree kernel modules; these are built from kernel.spec which
already contains a hack ensuring that module signing only happens
*after* any stripping (see %__modsign_install_post in kernel.spec)
- out-of-tree kernel modules built with debuginfo enabled; this is
because brp-strip is only called when %debug_package is set to
%{nil}
Any other combinations may be affected, depending on the macros and
.spec files used, so let's fix this by effectively "reverting" said
commit for .ko files only.
Fixes: rhbz#1967291
Backported into 4.14.3
diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
--- rpm-4.14.3/scripts/brp-strip.orig 2021-07-12 17:21:04.446396789 +0200
+++ rpm-4.14.3/scripts/brp-strip 2021-07-12 17:21:20.673633783 +0200
@@ -12,7 +12,7 @@ Darwin*) exit 0 ;;
esac
# Strip ELF binaries
-for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
+for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \
grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug" | \
sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p'`; do
$STRIP -g "$f" || :
Reference in New Issue View Git Blame Copy Permalink