Alternative AlmaLinux 8 kernel based on the longterm branch.

SOURCES/mod-sign.sh

@@ -0,0 +1,69 @@
+#! /bin/bash
+
+# The modules_sign target checks for corresponding .o files for every .ko that
+# is signed. This doesn't work for package builds which re-use the same build
+# directory for every variant, and the .config may change between variants.
+# So instead of using this script to just sign lib/modules/$KernelVer/extra,
+# sign all .ko in the buildroot.
+
+# This essentially duplicates the 'modules_sign' Kbuild target and runs the
+# same commands for those modules.
+
+MODSECKEY=$1
+MODPUBKEY=$2
+moddir=$3
+
+
+
+modules=$(find "$moddir" -type f -name '*.ko*')
+
+NPROC=$(nproc)
+[ -z "$NPROC" ] && NPROC=1
+
+# NB: this loop runs 2000+ iterations. Try to be fast.
+echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
+for mod; do
+    module_basename=\${mod:0:-3}
+    module_suffix=\${mod: -3}
+
+    if [[ "\$module_suffix" == ".xz" ]]; then
+        unxz \$mod
+        ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
+        xz -f \$module_basename
+    elif [[ "\$module_suffix" == ".gz" ]]; then
+        gunzip \$mod
+        ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
+        gzip -9f \$module_basename
+    else
+        ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
+    fi
+
+    rm -f \$module_basename.sig \$module_basename.dig
+done
+" DUMMYARG0   # xargs appends ARG1 ARG2..., which go into $mod in for loop.
+
+RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
+rand_module_basename=${RANDOMMOD:0:-3}
+rand_module_suffix=${RANDOMMOD: -3}
+if [[ "$rand_module_suffix" == ".xz" ]]; then
+    unxz $RANDOMMOD
+elif [[ "$rand_module_suffix" == ".gz" ]]; then
+    gunzip $RANDOMMOD
+else
+    rand_module_basename=$RANDOMMOD
+fi
+if [ "~Module signature appended~" != "$(tail -c 28 "$rand_module_basename")" ]; then
+    echo "*****************************"
+    echo "*** Modules are unsigned! ***"
+    echo "*****************************"
+    exit 1
+fi
+if [[ "$rand_module_suffix" == ".xz" ]]; then
+    xz -f $rand_module_basename
+elif [[ "$rand_module_suffix" == ".gz" ]]; then
+    gzip -9f $rand_module_basename
+else
+    true
+fi
+
+exit 0

SOURCES/x509.genkey

@@ -0,0 +1,16 @@
+[ req ]
+default_bits = 3072
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = AlmaLinux
+CN = AlmaLinux kernel signing key
+emailAddress = security@almalinux.org
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid

SPECS/kernel-lt-5.4.spec

@@ -70,6 +70,21 @@
 # Set pkg_release.
 %define pkg_release 1%{?dist}%{?buildid}
 
+# Architectures upon which we can sign the kernel
+# for secure boot authentication.
+%ifarch x86_64 || aarch64
+%global signkernel 1
+%else
+%global signkernel 0
+%endif
+
+# Sign modules on all architectures that build modules.
+%ifarch x86_64 || aarch64
+%global signmodules 1
+%else
+%global signmodules 0
+%endif
+
 %define KVERREL %{pkg_version}-%{pkg_release}.%{_target_cpu}
 
 # Packages that need to be present before kernel-lt is installed
@@ -78,7 +93,7 @@
 %define initrd_prereq  dracut >= 027
 
 Name: kernel-lt
-Summary: The Linux kernel. (The core of any Linux-based operating system.)
+Summary: Alternative AlmaLinux kernel based on the "longterm" branch. (The core of any Linux-based operating system.)
 Group: System Environment/Kernel
 License: GPLv2
 URL: https://www.kernel.org/
@@ -109,6 +124,14 @@ BuildRequires: asciidoc gettext libcap-devel libnl3-devel ncurses-devel pciutils
 %if %{with_bpftool}
 BuildRequires: binutils-devel python3-docutils zlib-devel
 %endif
+
+%if %{signkernel} || %{signmodules}
+BuildRequires: openssl
+%if %{signkernel}
+BuildRequires: nss-tools, pesign >= 0.10-4
+%endif
+%endif
+
 BuildConflicts: rhbuildsys(DiskFree) < 500Mb
 
 # Sources.
@@ -123,9 +146,18 @@ Source7: filter-x86_64.sh
 Source8: filter-modules.sh
 Source9: generate_bls_conf.sh
 
-# To build .src.rpm, run with '--with src'
-%if %{?_with_src:0}%{!?_with_src:1}
-NoSource: 0
+Source21: mod-sign.sh
+Source23: x509.genkey
+
+Source100: almalinuxdup1.x509
+Source101: almalinuxkpatch1.x509
+Source102: almalinuxsecurebootca0.cer
+
+%if %{signkernel}
+%define secureboot_ca_0 %{SOURCE102}
+%define secureboot_key_0 %{SOURCE102}
+
+%define pesign_name_0 almalinuxsecurebootca0
 %endif
 
 %description
@@ -405,6 +437,20 @@ fi
 %{__rm} -f newoptions-el8-%{_target_cpu}.txt
 %endif
 
+# Add DUP and kpatch certificates to system trusted keys for RHEL.
+%if %{signkernel} || %{signmodules}
+openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
+openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
+cat rheldup3.pem rhelkpatch1.pem > certs/rhel.pem
+for i in config-%{version}-*; do
+        sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
+done
+%else
+for i in config-%{version}-*; do
+        sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS=""@' $i
+done
+%endif
+
 %{__mv} COPYING COPYING-%{version}
 
 # Do not use ambiguous python shebangs. RHEL 8 now has a new script
@@ -433,6 +479,10 @@ pushd linux-%{KVERREL} > /dev/null
 
 %{__make} -s ARCH=%{_target_cpu} oldconfig
 
+%if %{signkernel} || %{signmodules}
+cp %{SOURCE23} certs/
+%endif
+
 %{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} bzImage
 
 %{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} modules || exit 1
@@ -532,6 +582,11 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
 %define __spec_install_post \
     %{__arch_install_post} \
     %{__os_install_post} \
+    if [ "%{signmodules}" -eq "1" ]; then \
+            cd linux-%{KVERREL} \
+            %{SOURCE21} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
+            cd - \
+    fi \
     if [ "%{zipmodules}" -eq "1" ]; then \
         %{_bindir}/find $RPM_BUILD_ROOT/lib/modules/ -name '*.ko' -type f | \
             %{_bindir}/xargs --no-run-if-empty -P%{zcpu} %{__xz} \
@@ -548,6 +603,31 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
 # into consideration when performing disk space calculations. (See bz #530778)
 dd if=/dev/zero of=$RPM_BUILD_ROOT/boot/initramfs-$KernelVer.img bs=1M count=20
 
+%if %{signkernel}
+# Sign the kernel image if we're using EFI.
+# aarch64 kernels are gziped EFI images.
+%ifarch x86_64
+SignImage=arch/x86/boot/bzImage
+%endif
+
+%ifarch aarch64
+SignImage=arch/arm64/boot/Image
+%endif
+
+%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+
+if [ ! -s vmlinuz.signed ]; then
+        echo "pesigning failed"
+        exit 1
+fi
+
+mv vmlinuz.signed $SignImage
+
+%ifarch aarch64
+gzip -f9 $SignImage
+%endif
+%endif
+
 %{__cp} arch/x86/boot/bzImage $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
 %{__chmod} 755 $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
 %{__cp} $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer $RPM_BUILD_ROOT/lib/modules/$KernelVer/vmlinuz
@@ -780,6 +860,18 @@ popd > /dev/null
 %{_bindir}/find $RPM_BUILD_ROOT/usr/src/kernels -name '.*.cmd' -type f | \
     %{_bindir}/xargs --no-run-if-empty %{__rm} -f
 
+# Red Hat UEFI Secure Boot CA certificate, which can be used to authenticate the kernel.
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}
+%if %{signkernel}
+install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}/kernel-signing-ca.cer
+%endif
+
+%if %{signmodules}
+# Save the signing keys so that we can sign the modules in __modsign_install_post.
+cp certs/signing_key.pem certs/signing_key.pem.sign
+cp certs/signing_key.x509 certs/signing_key.x509.sign
+%endif
+
 # Create a boot loader script configuration file for this kernel.
 %{SOURCE9} $KernelVer $RPM_BUILD_ROOT ""
 %endif
@@ -1120,6 +1212,7 @@ fi
 /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
+%{_datadir}/doc/%{name}-keys/%{KVERREL}%{?3:+%{3}}\
 %if %{1}\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
 %if 0\