(re-)sign all the modules after processing debuginfo
Extracting debuginfo strips away modules signatures (which would be invalid anyway, as the module file is modified). Include the code for signing modules again, taken from Fedora's kernel.spec. Fixes QubesOS/qubes-issues#5497
This commit is contained in:
parent
5d6894800e
commit
8aca753f93
@ -37,6 +37,9 @@
|
|||||||
# debuginfo build is disabled by default to save disk space (it needs 2-3GB build time)
|
# debuginfo build is disabled by default to save disk space (it needs 2-3GB build time)
|
||||||
%define with_debuginfo 0
|
%define with_debuginfo 0
|
||||||
|
|
||||||
|
# Sign all modules
|
||||||
|
%global signmodules 1
|
||||||
|
|
||||||
%if !%{with_debuginfo}
|
%if !%{with_debuginfo}
|
||||||
%global debug_package %{nil}
|
%global debug_package %{nil}
|
||||||
%define setup_config --disable CONFIG_DEBUG_INFO
|
%define setup_config --disable CONFIG_DEBUG_INFO
|
||||||
@ -58,6 +61,7 @@ BuildRequires: qubes-kernel-vm-support
|
|||||||
BuildRequires: dracut
|
BuildRequires: dracut
|
||||||
BuildRequires: busybox
|
BuildRequires: busybox
|
||||||
BuildRequires: bc
|
BuildRequires: bc
|
||||||
|
BuildRequires: openssl
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: gcc-plugin-devel
|
BuildRequires: gcc-plugin-devel
|
||||||
BuildRequires: elfutils-libelf-devel
|
BuildRequires: elfutils-libelf-devel
|
||||||
@ -111,10 +115,12 @@ Source0: linux-%{upstream_version}.tar.gz
|
|||||||
Source5: WireGuard-0.0.20191012.tar.xz
|
Source5: WireGuard-0.0.20191012.tar.xz
|
||||||
Source16: guards
|
Source16: guards
|
||||||
Source17: apply-patches
|
Source17: apply-patches
|
||||||
|
Source18: mod-sign.sh
|
||||||
Source33: check-for-config-changes
|
Source33: check-for-config-changes
|
||||||
Source34: gen-config
|
Source34: gen-config
|
||||||
Source100: config-base
|
Source100: config-base
|
||||||
Source101: config-qubes
|
Source101: config-qubes
|
||||||
|
%define modsign_cmd %{SOURCE18}
|
||||||
|
|
||||||
Patch0: 0001-xen-netfront-detach-crash.patch
|
Patch0: 0001-xen-netfront-detach-crash.patch
|
||||||
Patch1: 0002-mce-hide-EBUSY-initialization-error-on-Xen.patch
|
Patch1: 0002-mce-hide-EBUSY-initialization-error-on-Xen.patch
|
||||||
@ -221,6 +227,27 @@ if [ -d "%_builddir/wireguard" ]; then
|
|||||||
make -C %kernel_build_dir M=%_builddir/wireguard/src modules
|
make -C %kernel_build_dir M=%_builddir/wireguard/src modules
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
%define __modsign_install_post \
|
||||||
|
if [ "%{signmodules}" -eq "1" ]; then \
|
||||||
|
%{modsign_cmd} certs/signing_key.pem certs/signing_key.x509 $RPM_BUILD_ROOT/lib/modules/%kernelrelease/ \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Disgusting hack alert! We need to ensure we sign modules *after* all
|
||||||
|
# invocations of strip occur, which is in __debug_install_post if
|
||||||
|
# find-debuginfo.sh runs, and __os_install_post if not.
|
||||||
|
#
|
||||||
|
|
||||||
|
%define __spec_install_post \
|
||||||
|
%{?__debug_package:%{__debug_install_post}}\
|
||||||
|
%{__arch_install_post}\
|
||||||
|
%{__os_install_post}\
|
||||||
|
%{?__remove_unwanted_dbginfo_install_post}\
|
||||||
|
%{__modsign_install_post}
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
|
||||||
# get rid of /usr/lib/rpm/brp-strip-debug
|
# get rid of /usr/lib/rpm/brp-strip-debug
|
||||||
|
37
mod-sign.sh
Executable file
37
mod-sign.sh
Executable file
@ -0,0 +1,37 @@
|
|||||||
|
#! /bin/bash
|
||||||
|
|
||||||
|
# The modules_sign target checks for corresponding .o files for every .ko that
|
||||||
|
# is signed. This doesn't work for package builds which re-use the same build
|
||||||
|
# directory for every flavour, and the .config may change between flavours.
|
||||||
|
# So instead of using this script to just sign lib/modules/$KernelVer/extra,
|
||||||
|
# sign all .ko in the buildroot.
|
||||||
|
|
||||||
|
# This essentially duplicates the 'modules_sign' Kbuild target and runs the
|
||||||
|
# same commands for those modules.
|
||||||
|
|
||||||
|
MODSECKEY=$1
|
||||||
|
MODPUBKEY=$2
|
||||||
|
moddir=$3
|
||||||
|
|
||||||
|
modules=`find $moddir -type f -name '*.ko'`
|
||||||
|
|
||||||
|
NPROC=`nproc`
|
||||||
|
[ -z "$NPROC" ] && NPROC=1
|
||||||
|
|
||||||
|
# NB: this loop runs 2000+ iterations. Try to be fast.
|
||||||
|
echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
|
||||||
|
for mod; do
|
||||||
|
./scripts/sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
|
||||||
|
rm -f \$mod.sig \$mod.dig
|
||||||
|
done
|
||||||
|
" DUMMYARG0 # xargs appends ARG1 ARG2..., which go into $mod in for loop.
|
||||||
|
|
||||||
|
RANDOMMOD=$(echo "$modules" | sort -R | head -n 1)
|
||||||
|
if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
|
||||||
|
echo "*****************************"
|
||||||
|
echo "*** Modules are unsigned! ***"
|
||||||
|
echo "*****************************"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
Loading…
Reference in New Issue
Block a user