diff --git a/kernel.spec.in b/kernel.spec.in index fa95e4b..7dc2cd0 100644 --- a/kernel.spec.in +++ b/kernel.spec.in @@ -37,6 +37,9 @@ # debuginfo build is disabled by default to save disk space (it needs 2-3GB build time) %define with_debuginfo 0 +# Sign all modules +%global signmodules 1 + %if !%{with_debuginfo} %global debug_package %{nil} %define setup_config --disable CONFIG_DEBUG_INFO @@ -58,6 +61,7 @@ BuildRequires: qubes-kernel-vm-support BuildRequires: dracut BuildRequires: busybox BuildRequires: bc +BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: gcc-plugin-devel BuildRequires: elfutils-libelf-devel @@ -111,10 +115,12 @@ Source0: linux-%{upstream_version}.tar.gz Source5: WireGuard-0.0.20191012.tar.xz Source16: guards Source17: apply-patches +Source18: mod-sign.sh Source33: check-for-config-changes Source34: gen-config Source100: config-base Source101: config-qubes +%define modsign_cmd %{SOURCE18} Patch0: 0001-xen-netfront-detach-crash.patch Patch1: 0002-mce-hide-EBUSY-initialization-error-on-Xen.patch @@ -221,6 +227,27 @@ if [ -d "%_builddir/wireguard" ]; then make -C %kernel_build_dir M=%_builddir/wireguard/src modules fi + +%define __modsign_install_post \ + if [ "%{signmodules}" -eq "1" ]; then \ + %{modsign_cmd} certs/signing_key.pem certs/signing_key.x509 $RPM_BUILD_ROOT/lib/modules/%kernelrelease/ \ + fi \ +%{nil} + +# +# Disgusting hack alert! We need to ensure we sign modules *after* all +# invocations of strip occur, which is in __debug_install_post if +# find-debuginfo.sh runs, and __os_install_post if not. +# + +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}}\ + %{__arch_install_post}\ + %{__os_install_post}\ + %{?__remove_unwanted_dbginfo_install_post}\ + %{__modsign_install_post} + + %install # get rid of /usr/lib/rpm/brp-strip-debug diff --git a/mod-sign.sh b/mod-sign.sh new file mode 100755 index 0000000..ed2bd62 --- /dev/null +++ b/mod-sign.sh 
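Review bot: `__modsign_install_post` passes `certs/signing_key.pem` and `certs/signing_key.x509` as relative paths, and mod-sign.sh calls `./scripts/sign-file` the same way, so signing only works if the shell is still in the kernel build directory when `__spec_install_post` runs at the end of %install. Nothing in the hunk establishes that; the context line above already uses `%kernel_build_dir`, so `cd %kernel_build_dir && %{modsign_cmd} ...` (or absolute paths built from that macro) would make the dependency explicit. The private key appears to be the one generated inside the build tree. If a later step packages or copies that tree (not visible here), `certs/signing_key.pem` should be deleted or excluded once signing is done, so the key cannot be reused to sign other modules.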
@@ -0,0 +1,37 @@
+#! /bin/bash
+
+# The modules_sign target checks for corresponding .o files for every .ko that
+# is signed. This doesn't work for package builds which re-use the same build
+# directory for every flavour, and the .config may change between flavours.
+# So instead of using this script to just sign lib/modules/$KernelVer/extra,
+# sign all .ko in the buildroot.
+
+# This essentially duplicates the 'modules_sign' Kbuild target and runs the
+# same commands for those modules.
+
+MODSECKEY=$1
+MODPUBKEY=$2
+moddir=$3
+
+modules=`find $moddir -type f -name '*.ko'`
+
+NPROC=`nproc`
+[ -z "$NPROC" ] && NPROC=1
+
+# NB: this loop runs 2000+ iterations. Try to be fast.
+echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
+for mod; do
+ ./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
+ rm -f \$mod.sig \$mod.dig
+done
+" DUMMYARG0 # xargs appends ARG1 ARG2..., which go into $mod in for loop.
+
+RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
+if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
+ echo "*****************************"
+ echo "*** Modules are unsigned! ***"
+ echo "*****************************"
+ exit 1
+fi
+
+exit 0
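Review bot: A failed `./scripts/sign-file` call goes unnoticed in this script: the loop inside `sh -c` discards its exit status (the following `rm -f` returns 0), the xargs status is never checked, and the final test inspects the trailer of only one randomly chosen module. A build in which some modules failed to sign can therefore pass and ship unsigned .ko files. The loop should fail fast, the pipeline status should be checked, and every module should be tested. Passing the key paths as positional arguments also keeps them from being expanded inside the `sh -c` string. The variables need quoting too, since with an empty module list `tail -c 28 $RANDOMMOD` would read stdin; note that the trailer check only shows a signature was appended, not that it verifies against the key.

```shell
# … unchanged: MODSECKEY/MODPUBKEY/moddir parsing, NPROC detection …

# exit 255 makes xargs stop at the first failed signature; its status is checked.
find "$moddir" -type f -name '*.ko' -print0 |
    xargs -0 -r -n16 -P "$NPROC" sh -c '
key=$1; cert=$2; shift 2
for mod; do
    ./scripts/sign-file sha256 "$key" "$cert" "$mod" || exit 255
    rm -f "$mod.sig" "$mod.dig"
done
' sign-modules "$MODSECKEY" "$MODPUBKEY" || exit 1

# Check every module for the signature trailer, not one random sample.
find "$moddir" -type f -name '*.ko' | while IFS= read -r mod; do
    if [ "~Module signature appended~" != "$(tail -c 28 "$mod")" ]; then
        echo "*** Module is unsigned: $mod ***"
        exit 1
    fi
done || exit 1

# … unchanged: exit 0 …
```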