systemtap/pr30749.patch

100 lines
3.5 KiB
Diff
Raw Permalink Normal View History

commit 9839db5514a29cf4f58b3de8cc6155088be6d061
gpg: Signature made Sat 12 Aug 2023 02:49:26 PM EDT
gpg: using RSA key 5D38116FA4D3A7CC77E378D37E83610126DCC2E8
gpg: Good signature from "Frank Ch. Eigler <fche@elastic.org>" [full]
Author: Frank Ch. Eigler <fche@redhat.com>
Date: Sat Aug 12 14:28:44 2023 -0400
PR30749: correct stap --sign-module timing
Previous code signed the temp directory copy, after it had already
been copied into the cache -- so the signature never made it to a
permanent artifact.
If the module was being fetched from the cache from a previous build
run, a sign (re)attempt will still be done. This may not be
necessary, but shouldn't be harmful.
Reported-By: Renaud Métrich <rmetrich@redhat.com>
diff --git a/main.cxx b/main.cxx
index 06adb66ad..9f695cbd8 100644
--- a/main.cxx
+++ b/main.cxx
@@ -1190,8 +1190,10 @@ passes_0_4 (systemtap_session &s)
s.mok_fingerprints.clear();
s.mok_fingerprints.push_back(mok_fingerprint);
}
- rc =
- sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
+ if (s.verbose)
+ clog << _F("Signing %s with mok key %s", s.module_filename().c_str(), mok_path.c_str())
+ << endl;
+ rc = sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
}
#endif
@@ -1310,8 +1312,30 @@ passes_0_4 (systemtap_session &s)
if (! s.use_script_cache && s.last_pass <= 4)
s.save_module = true;
+#if HAVE_NSS
+ // PR30749
+ if (!rc && s.module_sign_given)
+ {
+ // when run on client as --sign-module, mok fingerprints are result of mokutil -l
+ // when run from server as --sign-module=PATH, mok fingerprint is given by PATH
+ string mok_path;
+ if (!s.module_sign_mok_path.empty())
+ {
+ string mok_fingerprint;
+ split_path (s.module_sign_mok_path, mok_path, mok_fingerprint);
+ s.mok_fingerprints.clear();
+ s.mok_fingerprints.push_back(mok_fingerprint);
+ }
+
+ if (s.verbose)
+ clog << _F("Signing %s with mok key %s", s.module_filename().c_str(), mok_path.c_str())
+ << endl;
+ rc = sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
+ }
+#endif
+
// Copy module to the current directory.
- if (s.save_module && !pending_interrupts)
+ if (!rc && s.save_module && !pending_interrupts)
{
string module_src_path = s.tmpdir + "/" + s.module_filename();
string module_dest_path = s.module_filename();
@@ -1327,29 +1351,11 @@ passes_0_4 (systemtap_session &s)
}
}
-#if HAVE_NSS
- if (s.module_sign_given)
- {
- // when run on client as --sign-module, mok fingerprints are result of mokutil -l
- // when run from server as --sign-module=PATH, mok fingerprint is given by PATH
- string mok_path;
- if (!s.module_sign_mok_path.empty())
- {
- string mok_fingerprint;
- split_path (s.module_sign_mok_path, mok_path, mok_fingerprint);
- s.mok_fingerprints.clear();
- s.mok_fingerprints.push_back(mok_fingerprint);
- }
-
- rc = sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
- }
-#endif
-
PROBE1(stap, pass4__end, &s);
return rc;
}
-
+
int
pass_5 (systemtap_session &s, vector<remote*> targets)
{