1
0
forked from rpms/kernel

Alternative AlmaLinux 8 kernel based on the longterm branch.

This commit is contained in:
Yuriy Kohut 2024-05-10 13:03:25 +03:00
parent 8451bea2b1
commit 6af7171032
6 changed files with 182 additions and 4 deletions

BIN
SOURCES/almalinuxdup1.x509 Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

69
SOURCES/mod-sign.sh Executable file
View File

@ -0,0 +1,69 @@
#! /bin/bash
# The modules_sign target checks for corresponding .o files for every .ko that
# is signed. This doesn't work for package builds which re-use the same build
# directory for every variant, and the .config may change between variants.
# So instead of using this script to just sign lib/modules/$KernelVer/extra,
# sign all .ko in the buildroot.
# This essentially duplicates the 'modules_sign' Kbuild target and runs the
# same commands for those modules.
MODSECKEY=$1
MODPUBKEY=$2
moddir=$3
modules=$(find "$moddir" -type f -name '*.ko*')
NPROC=$(nproc)
[ -z "$NPROC" ] && NPROC=1
# NB: this loop runs 2000+ iterations. Try to be fast.
echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
for mod; do
module_basename=\${mod:0:-3}
module_suffix=\${mod: -3}
if [[ "\$module_suffix" == ".xz" ]]; then
unxz \$mod
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
xz -f \$module_basename
elif [[ "\$module_suffix" == ".gz" ]]; then
gunzip \$mod
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$module_basename
gzip -9f \$module_basename
else
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
fi
rm -f \$module_basename.sig \$module_basename.dig
done
" DUMMYARG0 # xargs appends ARG1 ARG2..., which go into $mod in for loop.
RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
rand_module_basename=${RANDOMMOD:0:-3}
rand_module_suffix=${RANDOMMOD: -3}
if [[ "$rand_module_suffix" == ".xz" ]]; then
unxz $RANDOMMOD
elif [[ "$rand_module_suffix" == ".gz" ]]; then
gunzip $RANDOMMOD
else
rand_module_basename=$RANDOMMOD
fi
if [ "~Module signature appended~" != "$(tail -c 28 "$rand_module_basename")" ]; then
echo "*****************************"
echo "*** Modules are unsigned! ***"
echo "*****************************"
exit 1
fi
if [[ "$rand_module_suffix" == ".xz" ]]; then
xz -f $rand_module_basename
elif [[ "$rand_module_suffix" == ".gz" ]]; then
gzip -9f $rand_module_basename
else
true
fi
exit 0

16
SOURCES/x509.genkey Normal file
View File

@ -0,0 +1,16 @@
[ req ]
default_bits = 3072
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = myexts
[ req_distinguished_name ]
O = AlmaLinux
CN = AlmaLinux kernel signing key
emailAddress = security@almalinux.org
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

View File

@ -70,6 +70,21 @@
# Set pkg_release.
%define pkg_release 1%{?dist}%{?buildid}
# Architectures upon which we can sign the kernel
# for secure boot authentication.
%ifarch x86_64 || aarch64
%global signkernel 1
%else
%global signkernel 0
%endif
# Sign modules on all architectures that build modules.
%ifarch x86_64 || aarch64
%global signmodules 1
%else
%global signmodules 0
%endif
%define KVERREL %{pkg_version}-%{pkg_release}.%{_target_cpu}
# Packages that need to be present before kernel-lt is installed
@ -78,7 +93,7 @@
%define initrd_prereq dracut >= 027
Name: kernel-lt
Summary: The Linux kernel. (The core of any Linux-based operating system.)
Summary: Alternative AlmaLinux kernel based on the "longterm" branch. (The core of any Linux-based operating system.)
Group: System Environment/Kernel
License: GPLv2
URL: https://www.kernel.org/
@ -109,6 +124,14 @@ BuildRequires: asciidoc gettext libcap-devel libnl3-devel ncurses-devel pciutils
%if %{with_bpftool}
BuildRequires: binutils-devel python3-docutils zlib-devel
%endif
%if %{signkernel} || %{signmodules}
BuildRequires: openssl
%if %{signkernel}
BuildRequires: nss-tools, pesign >= 0.10-4
%endif
%endif
BuildConflicts: rhbuildsys(DiskFree) < 500Mb
# Sources.
@ -123,9 +146,18 @@ Source7: filter-x86_64.sh
Source8: filter-modules.sh
Source9: generate_bls_conf.sh
# To build .src.rpm, run with '--with src'
%if %{?_with_src:0}%{!?_with_src:1}
NoSource: 0
Source21: mod-sign.sh
Source23: x509.genkey
Source100: almalinuxdup1.x509
Source101: almalinuxkpatch1.x509
Source102: almalinuxsecurebootca0.cer
%if %{signkernel}
%define secureboot_ca_0 %{SOURCE102}
%define secureboot_key_0 %{SOURCE102}
%define pesign_name_0 almalinuxsecurebootca0
%endif
%description
@ -405,6 +437,20 @@ fi
%{__rm} -f newoptions-el8-%{_target_cpu}.txt
%endif
# Add DUP and kpatch certificates to system trusted keys for RHEL.
%if %{signkernel} || %{signmodules}
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
cat rheldup3.pem rhelkpatch1.pem > certs/rhel.pem
for i in config-%{version}-*; do
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
done
%else
for i in config-%{version}-*; do
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS="*"@CONFIG_SYSTEM_TRUSTED_KEYS=""@' $i
done
%endif
%{__mv} COPYING COPYING-%{version}
# Do not use ambiguous python shebangs. RHEL 8 now has a new script
@ -433,6 +479,10 @@ pushd linux-%{KVERREL} > /dev/null
%{__make} -s ARCH=%{_target_cpu} oldconfig
%if %{signkernel} || %{signmodules}
cp %{SOURCE23} certs/
%endif
%{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} bzImage
%{__make} -s ARCH=%{_target_cpu} %{?_smp_mflags} modules || exit 1
@ -532,6 +582,11 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
%define __spec_install_post \
%{__arch_install_post} \
%{__os_install_post} \
if [ "%{signmodules}" -eq "1" ]; then \
cd linux-%{KVERREL} \
%{SOURCE21} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
cd - \
fi \
if [ "%{zipmodules}" -eq "1" ]; then \
%{_bindir}/find $RPM_BUILD_ROOT/lib/modules/ -name '*.ko' -type f | \
%{_bindir}/xargs --no-run-if-empty -P%{zcpu} %{__xz} \
@ -548,6 +603,31 @@ KernelVer=%{version}-%{release}.%{_target_cpu}
# into consideration when performing disk space calculations. (See bz #530778)
dd if=/dev/zero of=$RPM_BUILD_ROOT/boot/initramfs-$KernelVer.img bs=1M count=20
%if %{signkernel}
# Sign the kernel image if we're using EFI.
# aarch64 kernels are gziped EFI images.
%ifarch x86_64
SignImage=arch/x86/boot/bzImage
%endif
%ifarch aarch64
SignImage=arch/arm64/boot/Image
%endif
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
if [ ! -s vmlinuz.signed ]; then
echo "pesigning failed"
exit 1
fi
mv vmlinuz.signed $SignImage
%ifarch aarch64
gzip -f9 $SignImage
%endif
%endif
%{__cp} arch/x86/boot/bzImage $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
%{__chmod} 755 $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer
%{__cp} $RPM_BUILD_ROOT/boot/vmlinuz-$KernelVer $RPM_BUILD_ROOT/lib/modules/$KernelVer/vmlinuz
@ -780,6 +860,18 @@ popd > /dev/null
%{_bindir}/find $RPM_BUILD_ROOT/usr/src/kernels -name '.*.cmd' -type f | \
%{_bindir}/xargs --no-run-if-empty %{__rm} -f
# Red Hat UEFI Secure Boot CA certificate, which can be used to authenticate the kernel.
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}
%if %{signkernel}
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-keys/%{KVERREL}/kernel-signing-ca.cer
%endif
%if %{signmodules}
# Save the signing keys so that we can sign the modules in __modsign_install_post.
cp certs/signing_key.pem certs/signing_key.pem.sign
cp certs/signing_key.x509 certs/signing_key.x509.sign
%endif
# Create a boot loader script configuration file for this kernel.
%{SOURCE9} $KernelVer $RPM_BUILD_ROOT ""
%endif
@ -1120,6 +1212,7 @@ fi
/lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
/lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
/lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
%{_datadir}/doc/%{name}-keys/%{KVERREL}%{?3:+%{3}}\
%if %{1}\
/lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
%if 0\