From 6af71710321df05e039f783a4389fc5566b70c2f Mon Sep 17 00:00:00 2001
From: Yuriy Kohut <yura.kohut@gmail.com>
Date: Fri, 10 May 2024 13:03:25 +0300
Subject: [PATCH] Alternative AlmaLinux 8 kernel based on the longterm branch.

---
 SOURCES/almalinuxdup1.x509         | Bin 0 -> 995 bytes
 SOURCES/almalinuxkpatch1.x509      | Bin 0 -> 988 bytes
 SOURCES/almalinuxsecurebootca0.cer | Bin 0 -> 1787 bytes
 SOURCES/mod-sign.sh                |  69 ++++++++++++++++++++
 SOURCES/x509.genkey                |  16 +++++
 SPECS/kernel-lt-5.4.spec           | 101 +++++++++++++++++++++++++++--
 6 files changed, 182 insertions(+), 4 deletions(-)
 create mode 100644 SOURCES/almalinuxdup1.x509
 create mode 100644 SOURCES/almalinuxkpatch1.x509
 create mode 100644 SOURCES/almalinuxsecurebootca0.cer
 create mode 100755 SOURCES/mod-sign.sh
 create mode 100644 SOURCES/x509.genkey

diff --git a/SOURCES/almalinuxdup1.x509 b/SOURCES/almalinuxdup1.x509
new file mode 100644
index 0000000000000000000000000000000000000000..29720140fbee0cf2f4cf3f67c8397db54c22f071
GIT binary patch
literal 995
zcmXqLV!m(C#B_WCGZP~dlR$FEyqw>8{>5GH$@aZzVZsKyY@Awc9&O)w85y}*84MB(
zRSlHkLY$0ZV#TS+rA3(~l@5tHxrsTMd8HM4`9<l5LIwhC%%Ln?!kmskaUYPlp|XJ@
zNQ_xn3NEG)4AP#e;FO<VqTuYPU}zvG&TC|7U}$IpB+U&iqr`cQ&464(DAyp95*O$g
zXhB?{jBtTVQD#|ckwR%fN@7W>LUCq#US?jpLUwAUK@+1Avi})b8JL?G`5A!XTue=j
zj123ZNKRR()t6VrVddXye^5T8T4B~o>%t$eKL;F|{3))^ed>HR7LiW}UMnsA9`^Sw
z|57<ipH@Xala5585{s}oj74*%{@Cwnb7hU^udS|3_gqxO+YWCvTX`$}lgvr!^iYOt
zrHw^lQUZIQoL*EvYfsI-gQ{08+@3!=`f1wgrR|I>3uISJ=G<WSC%VdK&&&e8ZB0Q-
zW=Q_tnfd45O`qDRrU%YtreCE0f7oUaFnf0I!38T9tT|euUi|LU%kPf!^d=ZQRGA+q
z`(@R}Q+qv%AFsSCXuRZNLFhGh%gIaf&R9&zpWL(3QSsx^bIRJ2MXlD{oBno+jqIW}
z@Aq@oCzhRlul()S^xsU(j0}v68@mk}I}GH3;VP@lB4HrbATs09+wWglH$CltKS|}%
zo_VeHdTx^qMA<kK+B_KBemF4#!G9K3W@d&Dj1YaQAbo5c+H8!htnAFpY+OJV3*#gX
z0Y)YRK9IruARR2sOe`A=WI=pB7BLo)>NYzjhqnq{+jdBI<!dAy`10cTHRSjLrdMEm
zF)~!~FESQ(z36v&E=SwW)t@Y7t=Sh@D&$UKOVLR$n`$%LZ0_{#$bgSpYgYQ76+3?_
z;H&E?&&4yguQE;8>(n%NZQ$kw_C6L>+3w=I8uV2*)Ewl9ntQyUZsqn#M?`sVGMzYi
z=gbS;?JNHV_Xx}runt`JU4Pfa;3*FZJ04{#v%M^t@KyE4?Pl@!`WDu<i~PGM>c5bE
zklZtyt7yWkt}nN*mAm(RxR=qtbgIMUp4_|h<7W4H_Wifo9c$3Dv(1hD%*>V__bhsH
z-l$3k*H~%lH#B~jIy>yBm-n^%&jh=Dj9lKk|9{Fn=V#f{M?A`R{TUy68OpPSw&}&)
Q>Flmr+o@R=wLI}A0G|SZ?f?J)

literal 0
HcmV?d00001

diff --git a/SOURCES/almalinuxkpatch1.x509 b/SOURCES/almalinuxkpatch1.x509
new file mode 100644
index 0000000000000000000000000000000000000000..1292610292f7822b62040394efe0fac2dafa694b
GIT binary patch
literal 988
zcmXqLV!mO}#B^W*GZP~dlYoq&xXS67&Odh=mLz#4otb99%f_kI=F#?@mywa1mBApv
zP}M*gF2u<wCRUu9Tw0V_Qt6PGlbe{6nO9n&mtT}_C}beO#vIDRCCupv6!!s%8!8(p
zg2b4GrQl);!65Ca3Qqa?B?``t3Wf%9;=D$N28M<vK+?j%AWEFq*bK-ugmMj%C~*PE
z@n9FoAY71LkXVwOp-`Neo|l=Iu8^HtY0$)|gzRxfRtDxKMt%mMI2ThBBO}AHaxUj>
zJHGXK1atMXhiz20(loue!mCj*?5S+)#RDlD$_$e9g42(2J*()j?LXwd_Qq-j_n4iZ
zX11RcaMIIVoA^<dN1i*_RN~J6J<*cee%t)<`4pmf`n+)0alyU%;hmSybG(#p2xez`
zk|^<yS#b8*M58C}YmZy)RMVg8b9(Ywp*1aqY-VTQiVENMIxX|u+5N}ssakVRGITZ0
zwmVk1K5&)LUPhs<%gdUDTI!beSe%tOQEYC$dET|ECx$Mkk802O@zGatiL2tzC+gSo
zOxRwVSMS)7XsvRHsrPBr_9>YzB~o0EUgs?+etc(|;`beXUHVUU1<(3sS6Fd<=lOpV
z*p&^JGchwVFfMNFHfZcHkOu~+tTKy)fmnmcj7x97e`VeDwEz7il}mf(wbtvoO*Rl^
z<4kDtU~K#0#0UicSy-8w89p#V^r?dMv2kd#F|x9<Gc&Vs0a+}JlQ;wznGE<q2J?e-
zurM>RY%q`o@%dQ9SVS_H-F$cXo5IyY53OVsW!wU}qHcagjxS(B1;!U6gMr05Z-?gl
z!MfHV%O8|P>|L=<C){hPQ-fe>(Kl({AMCdaj;r1}Sbw-b<8e8UNn=LD3ZKZyd_5Zf
zc~T_azVMYVxR_~K&2wShYrSVIm;8fY^cVPPe@|(Q=m{~?yAiru=IZNHEH7VgTeq=%
zLWn9)X<^_p4<XyK@`^16j<+8zUY4GCcGAx9pb6(AmY$zsCUU2xf6?!@suW50o}}uY
z$Je;uO#b6=J4(~Rk+~r7q2Ar<C+{xrRb1kcFFg0J@`AcU8KQr8thnuRWhr0S&4>S<
zwz7w`MLnBVe(7q;?A#<1xqF4j&OEp#qbRvS>G+zR!fP|m#$5`0ab$Veg}WOqH5EPk
HR-6O?x59Yr

literal 0
HcmV?d00001

diff --git a/SOURCES/almalinuxsecurebootca0.cer b/SOURCES/almalinuxsecurebootca0.cer
new file mode 100644
index 0000000000000000000000000000000000000000..6a4e99b9ed921c4af3db55a619260f1ab76110dc
GIT binary patch
literal 1787
zcmb7Edpy%?9NzEu+YQ4qp+X~z$h<!#p$oRjtthe5I<;n4v1uk{onoRAK8{FoFx^gc
z)hd-rIu)nr?ozG9NGF_fI7Am`6X*En{BeH&J@5N`pZ9&<&+mDF3_l2DxOH*_hG3YC
zc63{K)Mc`VR1X->NhS)Qi`TME^-dksg&-Xq2Cz{bpoK?*v3Lr+#1l0EMjD_^(GTMD
zB!UPL)n5=TknqD$I+(55K`6BGoxr#aQ34*7AqwMDg9H&mfiQx~@Sw6ns4M2o1LnrM
zj*bAGgM!g7R1KZf5ID|pa&dAA1xdG2GSJgV;wS_sr+Fwqoly#ygx9gdLs&@Wya0v}
z3LG4SP65Uf7hwvK$&cd3bH#kr3{2A~=u->>#eywd37;Auj^GLf30#RlB%EMPEi-l+
zkwox{5{U(2T$BpTN6nIqJ))wy{sLj#R%$>H)k_p74EruH#z6j)0c5b{#3zMt7(@o^
zW7O-~undMU6>I1J?%P(;)EDT<J`&<=PqZm?Eh+Gdc^{X>d~@7#vAD%qZ-ufkhh?j~
zapii8FZ6l4l2j4>$6Kvd%=FCfQ#Hi8bqZPzauDLVg0k(jF6nNqtfiz|Wxur8bX2ad
zdVcV5sacnCY_nO@_S&kodX}Gu=_h9qjw-&C&Q?YW8|~hwL@-lYMZxo*mT|n_rq!Dq
zNO?Kr*Z&ajuCl*+CptA}bH}3+sZUn7lNIOqU@O10Y8v~wWKcZqMh{nDsrrHAqC?Fn
zC5Od?^TaPN9vZwE>ENKiT9WIkzve%`+%Pg-+wtWhW?EoI?ykMo1m;;krtqoqrdY(Z
z>AG~nTPIVAdtr9e$os^OcI}Pat4B7uw#bZr_Ev0CoO20G4yS!W8C%*eNtWAYpL#d*
zedparl{a8zs7XrL79O+)cgO3rRq(Xe?bv+=_YavC&C0sI{5@^Is<rr7Q~oQL=9Ko_
zd&TbxFV50?)oW08?yPU9{?yXi;q$0tf$3uhOWxNtF#$EN9$(nj61mrZXRg<?fO5Aq
z{IFK_+_a`mJHJLPzOu2$``0#6NiXkuM_k_1)xDklhX*R_Aot#YOpZ%PWJx`Hvwv(+
zUSn91q<LmM;ZwJ8FJ8nt5r4k_e%;mzeMQkS+dKS(UD8v&r=*?B&+x(vVcja{*!1E*
zR`nr|@2-+JzzBqaj>w>gKnC3h)7Af**$k{YWr>DKj@ce|HuYY$w-4X7busAnE?sO0
z%rpc&tP$2Q5p}pRNtx`QBY$$Hy}hi^EzC7xG%sfQ5Hy0tA}}ElkTi6P2EzaYC>lh=
zl7Kdzs16YhM?esDptRPfdPAw7JRwLkg(U+Y4UdZT1n$5IPa2Kec@%;nJOpT9#`r7@
z85u`PBr&nB4i2&3%Ye=kMLRG8g8%`Ki%23t2=LQLO~*2UT1>u3z97|AGoqg0iKFNf
zr^ZU-duM1WW2`Y49;^^`UC`BhARRwieNz#L243SBz!P*O|5I1;uO$Gbj#^URPsEFj
znJ5J48Yh#m)_^Ae=Lv|2+!#zIQG$c)nJj+~w#N#V{a95^486KX5gC+(`LS(LuYLx&
zmK=g#7W3C{btC1qgXHu|&hAt1mVpg9@qz7)LQjirTbE=%tB>VaJ{w|W+SRlqtM=qq
z`BZ#(0JZP>i7X28yp;YFwn*+V^|hB(LiOc)PaARBXXK%~jS_tFjUyY$QX;*+r0V45
zkE=pT=tBm1C+#j}43w`s`%TdlzpX-LE<>U=F6|4*<{yn&V-xIkW##-D?u9_i{=os1
zQ~fq=HHqcUdPH1KbNZa$#kq3WF+jPXnVa;%`a)vjg(LknHdCYpovzocJ`VZSGQKX%
z9VuvTNmoc+L-8N(4b3q2QAF;sQhj@I<v<*0Ht?VN<knFg<}yq{?haG<fv+xMZkq1G
zfMeB!j>*nzv-=TicK8=0<z{!5STDIQowYE}{M!p%v*XagiZ@#a*rpBp-pFlw$j1cA
zMbdL^7Fn6pu1Ds+4F;K(`~A_^c|ytX^;TAfXxKtf>_FUZQQx>WuhjaYMX_P|t&zHv
TseG#v;Fg#3=RT@0&At3@_pP4Z

literal 0
HcmV?d00001

diff --git a/SOURCES/mod-sign.sh b/SOURCES/mod-sign.sh
new file mode 100755
index 0000000..a789141
--- /dev/null
+++ b/SOURCES/mod-sign.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+# The modules_sign target checks for corresponding .o files for every .ko that
+# is signed. This doesn't work for package builds which re-use the same build
+# directory for every variant, and the .config may change between variants.
+# So instead of using this script to just sign lib/modules/$KernelVer/extra,
+# sign all .ko in the buildroot.
+
+# This essentially duplicates the 'modules_sign' Kbuild target and runs the
+# same commands for those modules.
+
+MODSECKEY=$1
+MODPUBKEY=$2
+moddir=$3
+
+
+
+modules=$(find "$moddir" -type f -name '*.ko*')
+
+NPROC=$(nproc)
+[ -z "$NPROC" ] && NPROC=1
+
+# NB: this loop runs 2000+ iterations. Try to be fast.
+echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
+for mod; do
+    module_basename=\${mod:0:-3}
+    module_suffix=\${mod: -3}
+
+    if [[ "\$module_suffix" == ".xz" ]]; then
+        unxz \$mod
+        ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
+        xz -f \$module_basename
+    elif [[ "\$module_suffix" == ".gz" ]]; then
+        gunzip \$mod
+        ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
+        gzip -9f \$module_basename
+    else
+        ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
+    fi
+
+    rm -f \$module_basename.sig \$module_basename.dig
+done
+" DUMMYARG0   # xargs appends ARG1 ARG2..., which go into $mod in for loop.
+
+RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
+rand_module_basename=${RANDOMMOD:0:-3}
+rand_module_suffix=${RANDOMMOD: -3}
+if [[ "$rand_module_suffix" == ".xz" ]]; then
+    unxz $RANDOMMOD
+elif [[ "$rand_module_suffix" == ".gz" ]]; then
+    gunzip $RANDOMMOD
+else
+    rand_module_basename=$RANDOMMOD
+fi
+if [ "~Module signature appended~" != "$(tail -c 28 "$rand_module_basename")" ]; then
+    echo "*****************************"
+    echo "*** Modules are unsigned! ***"
+    echo "*****************************"
+    exit 1
+fi
+if [[ "$rand_module_suffix" == ".xz" ]]; then
+    xz -f $rand_module_basename
+elif [[ "$rand_module_suffix" == ".gz" ]]; then
+    gzip -9f $rand_module_basename
+else
+    true
+fi
+
+exit 0
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
new file mode 100644
index 0000000..4c34491
--- /dev/null
+++ b/SOURCES/x509.genkey
@@ -0,0 +1,16 @@
+[ req ]
+default_bits = 3072
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = AlmaLinux
+CN = AlmaLinux kernel signing key
+emailAddress = security@almalinux.org
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
diff --git a/SPECS/kernel-lt-5.4.spec b/SPECS/kernel-lt-5.4.spec
index 98815dd..0ce9b31 100644
--- a/SPECS/kernel-lt-5.4.spec
+++ b/SPECS/kernel-lt-5.4.spec
@@ -70,6 +70,21 @@
 # Set pkg_release.
 %define pkg_release 1%{?dist}%{?buildid}
 
+# Architectures upon which we can sign the kernel
+# for secure boot authentication.
+%ifarch x86_64 || aarch64
+%global signkernel 1
+%else
+%global signkernel 0
+%endif
+
+# Sign modules on all architectures that build modules.
+%ifarch x86_64 || aarch64
+%global signmodules 1
+%else
+%global signmodules 0
+%endif
+
 %define KVERREL %{pkg_version}-%{pkg_release}.%{_target_cpu}
 
 # Packages that need to be present before kernel-lt is installed
@@ -78,7 +93,7 @@
 %define initrd_prereq  dracut >= 027
 
 Name: kernel-lt
-Summary: The Linux kernel. (The core of any Linux-based operating system.)
+Summary: Alternative AlmaLinux kernel based on the "longterm" branch. (The core of any Linux-based operating system.)
 Group: System Environment/Kernel
 License: GPLv2
 URL: https://www.kernel.org/
@@ -109,6 +124,14 @@ BuildRequires: asciidoc gettext libcap-devel libnl3-devel ncurses-devel pciutils
 %if %{with_bpftool}
 BuildRequires: binutils-devel python3-docutils zlib-devel
 %endif
+
+%if %{signkernel} || %{signmodules}
+BuildRequires: openssl
+%if %{signkernel}
+BuildRequires: nss-tools, pesign >= 0.10-4
+%endif
+%endif
+
 BuildConflicts: rhbuildsys(DiskFree) < 500Mb
 
 # Sources.
@@ -123,9 +146,18 @@ Source7: filter-x86_64.sh
 Source8: filter-modules.sh
 Source9: generate_bls_conf.sh
 
-# To build .src.rpm, run with '--with src'
-%if %{?_with_src:0}%{!?_with_src:1}
-NoSource: 0
+Source21: mod-sign.sh
+Source23: x509.genkey
+
+Source100: almalinuxdup1.x509
+Source101: almalinuxkpatch1.x509
+Source102: almalinuxsecurebootca0.cer
+
+%if %{signkernel}
+%define secureboot_ca_0 %{SOURCE102}
+%define secureboot_key_0 %{SOURCE102}
+
+%define pesign_name_0 almalinuxsecurebootca0
 %endif
 
 %description
@@ -405,6 +437,20 @@ fi
 %{__rm} -f newoptions-el8-%{_target_cpu}.txt
 %endif
 
+# Add DUP and kpatch certificates to system trusted keys for RHEL.
+%if %{signkernel} || %{signmodules}
+openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
+openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
+cat rheldup3.pem rhelkpatch1.pem > certs/rhel.pem
+for i in config-%{version}-*; do
+        sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
+done
+%else
+for i in config-%{version}-*; do
+        sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS=""@' $i
+done
+%endif
+
 %{__mv} COPYING COPYING-%{version}
 
 # Do not use ambiguous python shebangs. RHEL 8 now has a new script
@@ -433,6 +479,10 @@ pushd linux-%{KVERREL} > /dev/null
 
 %{__make} -s ARCH=%{_target_cpu} oldconfig
 
+%if %{signkernel} || %{signmodules}
+cp %{SOURCE23} certs/
+%endif
+
 %{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} bzImage
 
 %{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} modules || exit 1
@@ -532,6 +582,11 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
 %define __spec_install_post \
     %{__arch_install_post} \
     %{__os_install_post} \
+    if [ "%{signmodules}" -eq "1" ]; then \
+            cd linux-%{KVERREL} \
+            %{SOURCE21} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
+            cd - \
+    fi \
     if [ "%{zipmodules}" -eq "1" ]; then \
         %{_bindir}/find $RPM_BUILD_ROOT/lib/modules/ -name '*.ko' -type f | \
             %{_bindir}/xargs --no-run-if-empty -P%{zcpu} %{__xz} \
@@ -548,6 +603,31 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
 # into consideration when performing disk space calculations. (See bz #530778)
 dd if=/dev/zero of=$RPM_BUILD_ROOT/boot/initramfs-$KernelVer.img bs=1M count=20
 
+%if %{signkernel}
+# Sign the kernel image if we're using EFI.
+# aarch64 kernels are gziped EFI images.
+%ifarch x86_64
+SignImage=arch/x86/boot/bzImage
+%endif
+
+%ifarch aarch64
+SignImage=arch/arm64/boot/Image
+%endif
+
+%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+
+if [ ! -s vmlinuz.signed ]; then
+        echo "pesigning failed"
+        exit 1
+fi
+
+mv vmlinuz.signed $SignImage
+
+%ifarch aarch64
+gzip -f9 $SignImage
+%endif
+%endif
+
 %{__cp} arch/x86/boot/bzImage $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
 %{__chmod} 755 $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
 %{__cp} $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer $RPM_BUILD_ROOT/lib/modules/$KernelVer/vmlinuz
@@ -780,6 +860,18 @@ popd > /dev/null
 %{_bindir}/find $RPM_BUILD_ROOT/usr/src/kernels -name '.*.cmd' -type f | \
     %{_bindir}/xargs --no-run-if-empty %{__rm} -f
 
+# Red Hat UEFI Secure Boot CA certificate, which can be used to authenticate the kernel.
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}
+%if %{signkernel}
+install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}/kernel-signing-ca.cer
+%endif
+
+%if %{signmodules}
+# Save the signing keys so that we can sign the modules in __modsign_install_post.
+cp certs/signing_key.pem certs/signing_key.pem.sign
+cp certs/signing_key.x509 certs/signing_key.x509.sign
+%endif
+
 # Create a boot loader script configuration file for this kernel.
 %{SOURCE9} $KernelVer $RPM_BUILD_ROOT ""
 %endif
@@ -1120,6 +1212,7 @@ fi
 /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
+%{_datadir}/doc/%{name}-keys/%{KVERREL}%{?3:+%{3}}\
 %if %{1}\
 /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
 %if 0\