# A spec file for building xenlinux Dom0 kernel for Qubes
# Based on the Open SUSE kernel-spec & Fedora kernel-spec.
#
# The REL, VERSION and CHANGELOG tokens wrapped in at-signs are template
# placeholders; presumably they are substituted before rpmbuild parses this
# file (confirm against the build scripts).
#
# NOTE(review): the VERSION placeholder is pasted, inside single quotes, into
# shell commands that rpm runs while parsing the spec (the echo | sed
# expansions below). The substituted value must therefore come from a trusted,
# validated source; a value containing a single quote would end the quoting.

%define variant qubes
%define plainrel @REL@
%define rel %{plainrel}.%{variant}
# Package version: a "~rc..." suffix is replaced by ".0".
%define version %(echo '@VERSION@' | sed 's/~rc.*/.0/')
# Upstream tree/tarball version: "~rc" becomes "-rc".
%define upstream_version %(echo '@VERSION@' | sed 's/~rc/-rc/')

# The two values differ only for release candidates. In that case the release
# string is redefined with a "0.rcN." prefix (presumably so the final release
# compares higher - confirm).
%if "%{version}" != "%{upstream_version}"
%define prerelease 1
%define rel 0.%(echo '@VERSION@' | sed 's/.*~rc/rc/').%{plainrel}.%{variant}
%else
%define prerelease 0
%define rel %{plainrel}.%{variant}
%endif

%define name_suffix -latest

# Build scriptlets run under bash.
%define _buildshell /bin/bash
%define build_xen 1

%global cpu_arch x86_64
%define cpu_arch_flavor %cpu_arch

# Full kernel release string: the upstream version padded with ".0" when it
# has only two components, an "-rc..." suffix mapped to ".0", then release and
# architecture appended. The prep section aborts if the kernel tree reports a
# different value.
%define kernelrelease %(echo %{upstream_version} | sed 's/^[0-9]\\.[0-9]\\+$/\\0.0/;s/-rc.*/.0/')-%rel.%cpu_arch
%define my_builddir %_builddir/%{name}-%{version}

%define build_src_dir %my_builddir/linux-%upstream_version
%define src_install_dir /usr/src/kernels/%kernelrelease
%define kernel_build_dir %my_builddir/linux-obj
%define vm_install_dir /var/lib/qubes/vm-kernels/%upstream_version-%{plainrel}

%define install_vdso 1
%define debuginfodir /usr/lib/debug

# debuginfo build is disabled by default to save disk space (it needs 2-3GB build time)
%define with_debuginfo 0

# Sign all modules
# (read by the __modsign_install_post hook defined further down)
%global signmodules 1

# setup_config is passed to scripts/config in the prep section.
%if !%{with_debuginfo}
%global debug_package %{nil}
%define setup_config --disable CONFIG_DEBUG_INFO
%else
%define setup_config --enable CONFIG_DEBUG_INFO --disable CONFIG_DEBUG_INFO_REDUCED
%endif

Name:           kernel%{?name_suffix}
Summary:        The Xen Kernel
Version:        %{version}
# NOTE(review): the large Epoch presumably makes this package outrank
# distribution kernels in version comparison - confirm.
Epoch:          1000
Release:        %{rel}
License:        GPL v2 only
Group:          System/Kernel
# NOTE(review): plain-http URL; it is metadata only, but https is preferable.
Url:            http://www.kernel.org/
AutoReqProv:    on
BuildRequires:  coreutils module-init-tools sparse
BuildRequires:  qubes-kernel-vm-support
BuildRequires:  dracut
BuildRequires:  busybox
BuildRequires:  bc
BuildRequires:  openssl
BuildRequires:  openssl-devel
BuildRequires:  python3-devel
BuildRequires:  gcc-plugin-devel
BuildRequires:  elfutils-libelf-devel
BuildRequires:  bison
BuildRequires:  flex
BuildRequires:  e2fsprogs

# gcc with support for BTI mitigation
%if 0%{?fedora} == 23
BuildRequires:  gcc >= 5.3.1-6.qubes1
%else
%if 0%{?fedora} == 25
BuildRequires:  gcc >= 6.4.1-1.qubes1
%else
BuildRequires:  gcc
%endif
%endif

# Needed for building GCC hardened plugins
BuildRequires:  gcc-c++

Provides:       multiversion(kernel)
Provides:       %name = %kernelrelease

Provides:       kernel-xen-dom0
Provides:       kernel-qubes-dom0
Provides:       kernel-qubes-dom0-pvops
Provides:       kernel-drm = 4.3.0
Provides:       kernel-drm-nouveau = 16
Provides:       kernel-modules-extra = %kernelrelease
Provides:       kernel-modeset = 1

Requires(pre):  coreutils gawk
Requires(post): dracut binutils
Requires:       qubes-core-dom0-linux-kernel-install

Conflicts:      sysfsutils < 2.0
# root-lvm only works with newer udevs
Conflicts:      udev < 118
Conflicts:      lvm2 < 2.02.33
Provides:       kernel = %kernelrelease
Provides:       kernel-uname-r = %kernelrelease

ExclusiveArch:  x86_64

# NOTE(review): this spec carries no checksum or signature for the tarballs
# below; confirm they are verified before rpmbuild unpacks them. Source6
# appears to be pinned to a full commit id, Source5 to a dated release.
%if !%{prerelease}
Source0:        linux-%{upstream_version}.tar.xz
%else
Source0:        linux-%{upstream_version}.tar.gz
%endif
Source5:        wireguard-linux-compat-0.0.20200121.tar.xz
Source6:        macbook12-spi-driver-31cc060adcb431efdf9cf547d600bb45bb00a7f4.tar.gz
Source16:       guards
Source17:       apply-patches
Source18:       mod-sign.sh
Source33:       check-for-config-changes
Source34:       gen-config
Source100:      config-base
Source101:      config-qubes
# Helper that signs the installed modules (see __modsign_install_post).
%define modsign_cmd %{SOURCE18}

# NOTE(review): going by their file names (contents are not visible here),
# patches 0007-0012 make the Xen net/block frontends copy or range-check data
# taken from the shared ring before using it, i.e. they treat the backend as
# untrusted. Re-verify that they still apply and are still needed on every
# kernel version bump.
Patch0: 0001-xen-netfront-detach-crash.patch
Patch1: 0002-mce-hide-EBUSY-initialization-error-on-Xen.patch
Patch2: 0003-Log-error-code-of-EVTCHNOP_bind_pirq-failure.patch
Patch3: 0004-pvops-respect-removable-xenstore-flag-for-block-devi.patch
Patch4: 0005-pvops-xen-blkfront-handle-FDEJECT-as-detach-request-.patch
Patch5: 0006-block-add-no_part_scan-module-parameter.patch
Patch6: 0007-xen-Add-RING_COPY_RESPONSE.patch
Patch7: 0008-xen-netfront-copy-response-out-of-shared-buffer-befo.patch
Patch8: 0009-xen-netfront-do-not-use-data-already-exposed-to-back.patch
Patch9: 0010-xen-netfront-add-range-check-for-Tx-response-id.patch
Patch10: 0011-xen-blkfront-make-local-copy-of-response-before-usin.patch
Patch11: 0012-xen-blkfront-prepare-request-locally-only-then-put-i.patch
Patch12: 0013-xen-pcifront-pciback-Update-pciif.h-with-err-and-res.patch
Patch13: 0014-xen-pciback-add-attribute-to-allow-MSI-enable-flag-w.patch

%description
Qubes Dom0 kernel.

%prep
# SYMBOLS is not referenced again in the visible spec.
SYMBOLS="xen-dom0 pvops"

# Unpack all sources and patches
# (-N: patches are not applied here; autopatch does that below)
%autosetup -N -c -T -a 0

export LINUX_UPSTREAM_VERSION=%{upstream_version}

mkdir -p %kernel_build_dir

cd linux-%upstream_version
%autopatch -p1

# drop EXTRAVERSION - possible -rc suffix already included in %release
sed -i -e 's/^EXTRAVERSION = -rc.*/EXTRAVERSION =/' Makefile

%if 0%{?fedora} >= 31
# Mangle /usr/bin/python shebangs to /usr/bin/python3
# Mangle all Python shebangs to be Python 3 explicitly
# -p preserves timestamps
# -n prevents creating ~backup files
# -i specifies the interpreter for the shebang
# This fixes errors such as
# *** ERROR: ambiguous python shebang in /usr/bin/kvm_stat: #!/usr/bin/python. Change it to python3 (or python2) explicitly.
# We patch all sources below for which we got a report/error.
pathfix.py -i "%{__python3} %{py3_shbang_opts}" -p -n \
    tools/kvm/kvm_stat/kvm_stat \
    scripts/show_delta \
    scripts/diffconfig \
    scripts/bloat-o-meter \
    tools/perf/tests/attr.py \
    tools/perf/scripts/python/stat-cpi.py \
    tools/perf/scripts/python/sched-migration.py \
    Documentation \
    scripts/gen_compile_commands.py
%endif

cd %kernel_build_dir

# Create QubesOS config kernel
# (gen-config is run with config-base and config-qubes as arguments)
%{SOURCE34} %{SOURCE100} %{SOURCE101}

%build_src_dir/scripts/config \
    --set-str CONFIG_LOCALVERSION -%release.%cpu_arch %{setup_config}

MAKE_ARGS="$MAKE_ARGS -C %build_src_dir O=$PWD KERNELRELEASE=%{kernelrelease}"

make prepare $MAKE_ARGS
make scripts $MAKE_ARGS
make scripts_basic $MAKE_ARGS
krel=$(make -s kernelrelease $MAKE_ARGS)

# Fail early if the tree's own release string differs from the one every
# packaged path in this spec is built from.
if [ "$krel" != "%kernelrelease" ]; then
    echo "Kernel release mismatch: $krel != %kernelrelease" >&2
    exit 1
fi

make clean $MAKE_ARGS

rm -f source
# Record every non-directory path in the object tree (paths relative to ".").
find . ! -type d -printf '%%P\n' > %my_builddir/obj-files

# NOTE(review): u2mfn is copied from the build host's DKMS source tree under
# /usr/src rather than from a Source tarball, so what gets built and signed
# depends on what is installed on the build machine. It is skipped silently
# when dkms reports nothing.
rm -rf %_builddir/u2mfn
u2mfn_ver=`dkms status u2mfn|tail -n 1|cut -f 2 -d ' '|tr -d ':,:'`
if [ -n "$u2mfn_ver" ]; then
    cp -r /usr/src/u2mfn-$u2mfn_ver %_builddir/u2mfn
fi

# Unpack the out-of-tree module sources and give them version-free names.
rm -rf %_builddir/wireguard
tar x -C %_builddir -Jpf %{SOURCE5}
mv %_builddir/$(basename %{SOURCE5} .tar.xz) %_builddir/wireguard

rm -rf %_builddir/macbook12-spi-driver
tar -x -C %_builddir -zf %{SOURCE6}
mv %_builddir/$(basename %{SOURCE6} .tar.gz) %_builddir/macbook12-spi-driver

%build

cd %kernel_build_dir

# NOTE(review): MAKE_ARGS is a shell variable assigned in the prep section.
# rpmbuild runs each section as a separate script, so here it presumably holds
# only what the calling environment exports - confirm this is intended.
make %{?_smp_mflags} all $MAKE_ARGS CONFIG_DEBUG_SECTION_MISMATCH=y

# Build u2mfn module
if [ -d "%_builddir/u2mfn" ]; then
    make -C %kernel_build_dir M=%_builddir/u2mfn modules
fi

if [ -d "%_builddir/wireguard" ]; then
    make -C %kernel_build_dir M=%_builddir/wireguard/src modules
fi

# Build applespi, apple-ibridge, apple-ib-tb, apple-ib-als modules
if [ -d "%_builddir/macbook12-spi-driver" ]; then
    make -C %kernel_build_dir M=%_builddir/macbook12-spi-driver modules
fi

# Module signing hook: when signmodules is 1, run the mod-sign.sh helper with
# the key pair under certs/ against the installed module tree.
# NOTE(review): certs/signing_key.pem is a relative path to a private key in
# the build tree - presumably the key pair produced by the kernel build.
# Confirm it is generated per build, is never copied into a packaged path,
# and is discarded together with the build directory.
%define __modsign_install_post \
    if [ "%{signmodules}" -eq "1" ]; then \
        %{modsign_cmd} certs/signing_key.pem certs/signing_key.x509 $RPM_BUILD_ROOT/lib/modules/%kernelrelease/ \
    fi \
%{nil}

#
# Disgusting hack alert! We need to ensure we sign modules *after* all
# invocations of strip occur, which is in __debug_install_post if
# find-debuginfo.sh runs, and __os_install_post if not.
#
# (Signing must stay the last step: stripping a module after it has been
# signed would presumably invalidate or remove its signature.)
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}}\
    %{__arch_install_post}\
    %{__os_install_post}\
    %{?__remove_unwanted_dbginfo_install_post}\
    %{__modsign_install_post}

%install

# get rid of /usr/lib/rpm/brp-strip-debug
# strip removes too much from the vmlinux ELF binary
export NO_BRP_STRIP_DEBUG=true
export STRIP_KEEP_SYMTAB='*/vmlinux-*'

# /lib/modules/%kernelrelease-%build_flavor/build will be a stale symlink until the
# kernel-devel package is installed. Don't check for stale symlinks
# in the brp-symlink check:
export NO_BRP_STALE_LINK_ERROR=yes

cd %kernel_build_dir

mkdir -p %buildroot/boot
cp -p System.map %buildroot/boot/System.map-%kernelrelease
cp -p arch/x86/boot/bzImage %buildroot/boot/vmlinuz-%kernelrelease
cp .config %buildroot/boot/config-%kernelrelease

%if %install_vdso
# Install the unstripped vdso's that are linked in the kernel image
make vdso_install $MAKE_ARGS INSTALL_MOD_PATH=%buildroot
%endif

# Create a dummy initramfs with roughly the size the real one will have.
# That way, rpm will know that this package requires some additional
# space in /boot.
# 20 MiB zero-filled placeholder; the path is a ghost entry in the files list.
dd if=/dev/zero of=%buildroot/boot/initramfs-%kernelrelease.img \
    bs=1M count=20

gzip -c9 < Module.symvers > %buildroot/boot/symvers-%kernelrelease.gz

# Install in-tree modules, then each out-of-tree module whose source
# directory exists under the build dir.
make modules_install $MAKE_ARGS INSTALL_MOD_PATH=%buildroot
if [ -d "%_builddir/u2mfn" ]; then
    make modules_install $MAKE_ARGS INSTALL_MOD_PATH=%buildroot M=%_builddir/u2mfn
fi
if [ -d "%_builddir/wireguard" ]; then
    make modules_install $MAKE_ARGS INSTALL_MOD_PATH=%buildroot M=%_builddir/wireguard/src
fi
if [ -d "%_builddir/macbook12-spi-driver" ]; then
    make modules_install $MAKE_ARGS INSTALL_MOD_PATH=%buildroot M=%_builddir/macbook12-spi-driver
fi

mkdir -p %buildroot/%src_install_dir

# Replace the build/source links created by modules_install with a real
# "build" directory and a relative "source" link pointing at it.
rm -f %buildroot/lib/modules/%kernelrelease/build
rm -f %buildroot/lib/modules/%kernelrelease/source
mkdir -p %buildroot/lib/modules/%kernelrelease/build
(cd %buildroot/lib/modules/%kernelrelease ; ln -s build source)
# dirs for additional modules per module-init-tools, kbuild/modules.txt
mkdir -p %buildroot/lib/modules/%kernelrelease/extra
mkdir -p %buildroot/lib/modules/%kernelrelease/updates
mkdir -p %buildroot/lib/modules/%kernelrelease/weak-updates

# Copy what external module builds need out of the source tree.
pushd %build_src_dir
# NOTE(review): "-type f" binds only to the Makefile pattern ("-o" has lower
# precedence), and the unquoted command substitution splits on whitespace in
# file names.
cp --parents `find -type f -name "Makefile*" -o -name "Kconfig*"` %buildroot/lib/modules/%kernelrelease/build
cp -a scripts %buildroot/lib/modules/%kernelrelease/build
cp -a --parents arch/x86/include %buildroot/lib/modules/%kernelrelease/build/
cp -a include %buildroot/lib/modules/%kernelrelease/build/include
popd

# Back in the object tree: generated files.
cp Module.symvers %buildroot/lib/modules/%kernelrelease/build
cp System.map %buildroot/lib/modules/%kernelrelease/build
if [ -s Module.markers ]; then
    cp Module.markers %buildroot/lib/modules/%kernelrelease/build
fi

rm -rf %buildroot/lib/modules/%kernelrelease/build/Documentation

# Remove useless scripts that creates ERROR with ambiguous shebang
# that are removed too in Fedora
rm -rf %buildroot/lib/modules/%kernelrelease/build/scripts/tracing
rm -f %buildroot/lib/modules/%kernelrelease/build/scripts/spdxcheck.py

# disable GCC plugins for external modules build, to not fail if different gcc
# version is used
# NOTE(review): external modules built against this devel tree are therefore
# compiled without the GCC plugins the kernel itself was configured with;
# the config shipped under /boot is the unmodified one.
sed -e 's/^\(CONFIG_GCC_PLUGIN.*\)=y/# \1 is not set/' .config > \
    %buildroot/lib/modules/%kernelrelease/build/.config

# Drop object files copied from the source tree, then overlay the scripts and
# headers generated in the object tree.
rm -f %buildroot/lib/modules/%kernelrelease/build/scripts/*.o
rm -f %buildroot/lib/modules/%kernelrelease/build/scripts/*/*.o

cp -a scripts/* %buildroot/lib/modules/%kernelrelease/build/scripts/
cp -a include/* %buildroot/lib/modules/%kernelrelease/build/include/
cp -a --parents arch/x86/include/* %buildroot/lib/modules/%kernelrelease/build/

# objtool: built binary from the object tree, sources and build helpers from
# the source tree.
if [ -f tools/objtool/objtool ]; then
    cp -a --parents tools/objtool %buildroot/lib/modules/%kernelrelease/build/
    pushd %build_src_dir
    cp -a --parents tools/objtool %buildroot/lib/modules/%kernelrelease/build/
    cp -a --parents tools/build/Build.include %buildroot/lib/modules/%kernelrelease/build/
    cp -a --parents tools/build/Build %buildroot/lib/modules/%kernelrelease/build/
    cp -a --parents tools/build/fixdep.c %buildroot/lib/modules/%kernelrelease/build/
    cp -a --parents tools/scripts/utilities.mak %buildroot/lib/modules/%kernelrelease/build/
    cp -a --parents tools/lib/str_error_r.c %buildroot/lib/modules/%kernelrelease/build/
    cp -a --parents tools/lib/string.c %buildroot/lib/modules/%kernelrelease/build/
    cp -a --parents tools/lib/subcmd/* %buildroot/lib/modules/%kernelrelease/build/
    popd
fi

# Copy .config to include/config/auto.conf so "make prepare" is unnecessary.
# (the copy below is the devel-tree config, i.e. the one with the GCC plugin
# options already switched off)
cp %buildroot/lib/modules/%kernelrelease/build/.config %buildroot/lib/modules/%kernelrelease/build/include/config/auto.conf

# Make sure the Makefile and version.h have a matching timestamp so that
# external modules can be built
touch -r %buildroot/lib/modules/%kernelrelease/build/Makefile %buildroot/lib/modules/%kernelrelease/build/include/generated/uapi/linux/version.h
touch -r %buildroot/lib/modules/%kernelrelease/build/.config %buildroot/lib/modules/%kernelrelease/build/include/config/auto.conf

# A missing or empty build-id file only produces a warning; the build goes on.
if test -s vmlinux.id; then
    cp vmlinux.id %buildroot/lib/modules/%kernelrelease/build/vmlinux.id
else
    echo >&2 "*** WARNING *** no vmlinux build ID! ***"
fi

#
# save the vmlinux file for kernel debugging into the kernel-debuginfo rpm
#
%if %{with_debuginfo}
mkdir -p %buildroot%{debuginfodir}/lib/modules/%kernelrelease
cp vmlinux %buildroot%{debuginfodir}/lib/modules/%kernelrelease
%endif

# modnames: one installed module path per line; it feeds the chmod, the
# module classification and the license check that follow.
find %buildroot/lib/modules/%kernelrelease -name "*.ko" -type f >modnames

# mark modules executable so that strip-to-file can strip them
xargs --no-run-if-empty chmod u+x < modnames

# Generate a list of modules for block and networking.
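# drivers.undef: "<module file> <undefined symbol>" pairs for every module
# under a drivers/ directory.
fgrep /drivers/ modnames | xargs --no-run-if-empty nm -upA |
sed -n 's,^.*/\([^/]*\.ko\): *U \(.*\)$,\1 \2,p' > drivers.undef

# collect_modules_list NAME REGEX
# Writes modules.NAME: the sorted, unique module files that reference an
# undefined symbol matching REGEX (with an optional leading dot).
collect_modules_list()
{
    sed -r -n -e "s/^([^ ]+) \\.?($2)\$/\\1/p" drivers.undef |
    LC_ALL=C sort -u > %buildroot/lib/modules/%kernelrelease/modules.$1
}

collect_modules_list networking \
    'register_netdev|ieee80211_register_hw|usbnet_probe'
collect_modules_list block \
    'ata_scsi_ioctl|scsi_add_host|scsi_add_host_with_dma|blk_init_queue|register_mtd_blktrans|scsi_esp_register|scsi_register_device_handler'
collect_modules_list drm \
    'drm_open|drm_init'
collect_modules_list modesetting \
    'drm_crtc_init'

# detect missing or incorrect license tags
rm -f modinfo
while read i
do
    echo -n "${i#%buildroot/lib/modules/%kernelrelease/} " >> modinfo
    /sbin/modinfo -l $i >> modinfo
done < modnames

# egrep -v prints every module whose license string is not on the allow-list;
# any such line fails the build.
egrep -v \
    'GPL( v2)?$|Dual BSD/GPL$|Dual MPL/GPL$|GPL and additional rights$' \
    modinfo && exit 1

rm -f modinfo modnames

# Move the devel headers out of the root file system
mkdir -p %buildroot/usr/src/kernels
mv %buildroot/lib/modules/%kernelrelease/build/* %buildroot/%src_install_dir/
mv %buildroot/lib/modules/%kernelrelease/build/.config %buildroot/%src_install_dir
rmdir %buildroot/lib/modules/%kernelrelease/build
ln -sf %src_install_dir %buildroot/lib/modules/%kernelrelease/build

# Abort if there are any undefined symbols
msg="$(/sbin/depmod -F %buildroot/boot/System.map-%kernelrelease \
    -b %buildroot -ae %kernelrelease 2>&1)"

if [ $? -ne 0 ] || echo "$msg" | grep 'needs unknown symbol'; then
    exit 1
fi

# in case of no firmware built - place empty dir
mkdir -p %buildroot/lib/firmware
mv %buildroot/lib/firmware %buildroot/lib/firmware-all
mkdir -p %buildroot/lib/firmware
mv %buildroot/lib/firmware-all %buildroot/lib/firmware/%kernelrelease

# Prepare initramfs for Qubes VM
# The build host's dracut configuration is bypassed (empty conf file and conf
# dir), so only the modules and drivers named here are requested.
mkdir -p %buildroot/%vm_install_dir
PATH="/sbin:$PATH" dracut --nomdadmconf --nolvmconf \
    --kmoddir %buildroot/lib/modules/%kernelrelease \
    --modules "kernel-modules qubes-vm-simple" \
    --conf /dev/null --confdir /var/empty \
    -d "xenblk xen-blkfront cdrom ext4 jbd2 crc16 dm_snapshot" \
    %buildroot/%vm_install_dir/initramfs %kernelrelease || exit 1

# workaround for buggy dracut-044 in Fedora 25
# https://bugzilla.redhat.com/show_bug.cgi?id=1431317
# https://github.com/dracutdevs/dracut/issues/194
# If modules.dep is missing from the image, unpack it, move the kernel modules
# to the expected path, run depmod and repack with sorted entries and root
# ownership.
modules_dep=$(lsinitrd "%buildroot/%vm_install_dir/initramfs" \
    "usr/lib/modules/%kernelrelease/modules.dep")
if [ -z "$modules_dep" ]; then
    tmpdir=$(mktemp -d) || exit 1
    zcat "%buildroot/%vm_install_dir/initramfs" | cpio -imd -D "$tmpdir" || exit 1
    mv "$tmpdir"/%buildroot/lib/modules/%kernelrelease/kernel \
        "$tmpdir"/lib/modules/%kernelrelease/ || exit 1
    depmod -F %buildroot/boot/System.map-%kernelrelease \
        -b "$tmpdir" -a %kernelrelease || exit 1
    pushd "$tmpdir"
    if [ -n "$SOURCE_DATE_EPOCH" ]; then
        find . -exec touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
    fi
    find . -print0 | sort -z \
        | cpio --null -R 0:0 -H newc -o --reproducible --quiet \
        | gzip -n > %buildroot/%vm_install_dir/initramfs || exit 1
    popd
    # Do not leave the unpacked initramfs behind on the build host.
    rm -rf "$tmpdir"
fi

cp -p arch/x86/boot/bzImage %buildroot/%vm_install_dir/vmlinuz

# default kernel options for this kernel
def_kernelopts="root=/dev/mapper/dmroot ro nomodeset console=hvc0"
def_kernelopts="$def_kernelopts rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0"
if [ -e /usr/lib/dracut/modules.d/90qubes-vm-simple/xen-scrub-pages-supported ]; then
    # set xen_scrub_pages=0 _only_ when included initramfs does support
    # re-enabling it
    # (the marker file is looked up on the build host, i.e. in the dracut
    # module the initramfs above was built with)
    def_kernelopts="$def_kernelopts xen_scrub_pages=0"
fi
echo "$def_kernelopts " > %buildroot/%vm_install_dir/default-kernelopts-common.txt

# Modules for Qubes VM
mkdir -p %buildroot%vm_install_dir/modules
cp -a %buildroot/lib/modules/%kernelrelease %buildroot%vm_install_dir/modules/
mkdir -p %buildroot%vm_install_dir/modules/firmware
cp -a %buildroot/lib/firmware/%kernelrelease %buildroot%vm_install_dir/modules/firmware/

# Include kernel headers for Qubes VM in "/lib/modules" - so kernel-devel
# package will be unnecessary there, regardless of distribution
rm -f %buildroot%vm_install_dir/modules/%kernelrelease/build
cp -a %buildroot/%src_install_dir %buildroot%vm_install_dir/modules/%kernelrelease/build

%if 0%{?fedora} >= 25
# include kernel+initramfs also inside modules.img, for direct kernel boot with
# stubdomain
cp %buildroot%vm_install_dir/vmlinuz %buildroot%vm_install_dir/modules/
cp %buildroot%vm_install_dir/initramfs %buildroot%vm_install_dir/modules/
if [ -n "$SOURCE_DATE_EPOCH" ]; then
    find %buildroot%vm_install_dir/modules \
        -exec touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
fi
# Image is populated at build time with a fixed filesystem UUID (presumably
# for reproducible output, like the timestamp clamping above).
PATH="/sbin:$PATH" mkfs.ext3 -d %buildroot%vm_install_dir/modules \
    -U dcee2318-92bd-47a5-a15d-e79d1412cdce \
    %buildroot%vm_install_dir/modules.img 500M
rm -rf %buildroot%vm_install_dir/modules
%endif

# remove files that will be auto generated by depmod at rpm -i time
for i in alias alias.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap
do
    rm -f %buildroot/lib/modules/%kernelrelease/modules.$i
done

%post

/sbin/depmod -a %{kernelrelease}

%posttrans

# with kernel-4.14+ plymouth detects hvc0 serial console and forces text boot
# we simply make plymouth ignore it to recover the splash screen
# (both edits are guarded by a grep, so re-running does not add the option twice)
if [ -f /etc/default/grub ]; then
    if ! grep -q plymouth.ignore-serial-consoles /etc/default/grub; then
        echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX plymouth.ignore-serial-consoles"' >> /etc/default/grub
    fi
fi

if [ -f /boot/efi/EFI/qubes/xen.cfg ]; then
    if ! grep -q plymouth.ignore-serial-consoles /boot/efi/EFI/qubes/xen.cfg; then
        sed -i 's/kernel=.*/& plymouth.ignore-serial-consoles/g' /boot/efi/EFI/qubes/xen.cfg
    fi
fi

/bin/kernel-install add %{kernelrelease} /boot/vmlinuz-%{kernelrelease} || exit $?

# grubby (used by new-kernel-pkg) do not understand xen entries in grub2 config
if [ -x /sbin/new-kernel-pkg -a -e /boot/grub2/grub.cfg ]; then
    grub2-mkconfig > /boot/grub2/grub.cfg
fi

%preun

/bin/kernel-install remove %{kernelrelease} /boot/vmlinuz-%{kernelrelease} || exit $?

%files
%defattr(-, root, root)
%ghost /boot/initramfs-%{kernelrelease}.img
/boot/System.map-%{kernelrelease}
/boot/config-%{kernelrelease}
/boot/symvers-%kernelrelease.gz
%attr(0644, root, root) /boot/vmlinuz-%{kernelrelease}
/lib/firmware/%{kernelrelease}
/lib/modules/%{kernelrelease}

%package devel
Summary:        Development files necessary for building kernel modules
License:        GPL v2 only
Group:          Development/Sources
Provides:       multiversion(kernel)
Provides:       %name-devel = %kernelrelease
%if "%{?name_suffix}" != ""
Provides:       kernel-devel = %kernelrelease
%endif
Provides:       kernel-devel-uname-r = %kernelrelease
Requires:       elfutils-libelf-devel
AutoReqProv:    on

%description devel
This package contains files necessary for building kernel modules (and
kernel module packages) against the kernel.

%post devel
# Optionally hardlink identical files across installed kernel source trees.
# HARDLINK can be set to "no" in /etc/sysconfig/kernel to skip this.
if [ -f /etc/sysconfig/kernel ]
then
    . /etc/sysconfig/kernel || exit $?
fi
if [ "$HARDLINK" != "no" -a -x /usr/sbin/hardlink ]
then
    # read -r and the quotes keep file names with backslashes or whitespace
    # intact; the glob part of the first argument is left unquoted on purpose.
    (cd /usr/src/kernels/%{kernelrelease} &&
     /usr/bin/find . -type f | while read -r f; do
         hardlink -c /usr/src/kernels/*.fc*.*/"$f" "$f"
     done)
fi

%files devel
%defattr(-,root,root)
/usr/src/kernels/%{kernelrelease}

%package qubes-vm
Summary:        The Xen Kernel
Version:        %{version}
Release:        %{rel}
License:        GPL v2 only
Group:          System/Kernel
Url:            http://www.kernel.org/
AutoReqProv:    on
BuildRequires:  coreutils module-init-tools sparse
Provides:       multiversion(kernel-qubes-vm)

Provides:       kernel-xen-domU
Provides:       kernel-qubes-domU

Requires(pre):  coreutils gawk
Requires(post): dracut
Requires(post): qubes-core-dom0

Conflicts:      sysfsutils < 2.0
# root-lvm only works with newer udevs
Conflicts:      udev < 118
Conflicts:      lvm2 < 2.02.33
Provides:       kernel-qubes-vm = %kernelrelease

%description qubes-vm
Qubes domU kernel.

%post qubes-vm
%if 0%{?fedora} < 25
# Build modules.img on the target system (older releases only).
# This scriptlet runs as root, so the mount point and the image must not use
# predictable names in the world-writable /tmp: a pre-created file or symlink
# there would be followed. The mount point comes from mktemp -d and the image
# is created inside the package-owned kernel directory, which also makes the
# final mv a rename on the same filesystem. The scriptlet stops if either
# cannot be created, instead of continuing with empty paths.
modules_mnt="$(mktemp -d)" || exit 1
modules_img="$(mktemp %vm_install_dir/modules.img.XXXXXX)" || exit 1
truncate -s 500M "$modules_img"
mkfs -t ext3 -F "$modules_img" > /dev/null
mount "$modules_img" "$modules_mnt" -o loop
cp -a -t "$modules_mnt" %vm_install_dir/modules/%kernelrelease
mkdir "$modules_mnt/firmware"
cp -a -t "$modules_mnt/firmware" %vm_install_dir/modules/firmware/%kernelrelease
cp %vm_install_dir/vmlinuz "$modules_mnt/"
cp %vm_install_dir/initramfs "$modules_mnt/"
umount "$modules_mnt"
rmdir "$modules_mnt"
# mktemp creates the file owner-only; the files list declares mode 0644.
chmod 0644 "$modules_img"
mv "$modules_img" %vm_install_dir/modules.img
%endif

current_default="$(qubes-prefs default-kernel)"
current_default_path="/var/lib/qubes/vm-kernels/$current_default"
# The query-format tag is written with a doubled percent sign so that it stays
# literal in the installed scriptlet; unescaped, rpmbuild may expand it as a
# macro at build time and the comparison below could never match.
current_default_package="$(rpm --qf '%%{NAME}' -qf "$current_default_path")"
if [ "$current_default_package" = "%{name}-qubes-vm" ]; then
    # Set kernel as default VM kernel if we are the default package.

    # If qubes-prefs isn't installed yet, the default kernel will be set by %post
    # of qubes-core-dom0
    type qubes-prefs &>/dev/null && qubes-prefs --set default-kernel %upstream_version-%plainrel
fi

exit 0

%preun qubes-vm

# Refuse removal while this kernel is the default VM kernel or is assigned to
# at least one VM.
if [ "`qubes-prefs -g default-kernel`" == "%upstream_version-%plainrel" ]; then
    echo "This kernel version is set as default VM kernel, cannot remove"
    exit 1
fi
if qvm-ls --kernel | grep -qw "%upstream_version-%plainrel"; then
    echo "This kernel version is used by at least one VM, cannot remove"
    exit 1
fi

exit 0

%files qubes-vm
%defattr(-, root, root)
%dir %vm_install_dir
%if 0%{?fedora} < 25
%ghost %attr(0644, root, root) %vm_install_dir/modules.img
%else
%attr(0644, root, root) %vm_install_dir/modules.img
%endif
%attr(0644, root, root) %vm_install_dir/initramfs
%attr(0644, root, root) %vm_install_dir/vmlinuz
%if 0%{?fedora} < 25
%vm_install_dir/modules
%endif
%attr(0644, root, root) %vm_install_dir/default-kernelopts-common.txt

%changelog
@CHANGELOG@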