From d0a8cf569b30a0a9318aa47d59405efe5afb519a Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Fri, 25 Jan 2013 13:53:02 -0500 Subject: [PATCH] sign all modules with the extras signing script --- kernel.spec | 22 +++++++++++----------- mod-extra-sign.sh => mod-sign.sh | 10 +++++----- 2 files changed, 16 insertions(+), 16 deletions(-) rename mod-extra-sign.sh => mod-sign.sh (56%) diff --git a/kernel.spec b/kernel.spec index 25c8820ef..935f11908 100644 --- a/kernel.spec +++ b/kernel.spec @@ -556,7 +556,8 @@ Source11: x509.genkey Source15: merge.pl Source16: mod-extra.list Source17: mod-extra.sh -Source18: mod-extra-sign.sh +Source18: mod-sign.sh +%define modsign_cmd %{SOURCE18} Source19: Makefile.release Source20: Makefile.config @@ -1866,8 +1867,7 @@ find Documentation -type d | xargs chmod u+w # could be because of that. 2) We restore the .tmp_versions/ directory from # the one we saved off in BuildKernel above. This is to make sure we're # signing the modules we actually built/installed in that flavour. 3) We -# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh -# commands to actually sign the modules. +# grab the arch and invoke mod-sign.sh command to actually sign the modules. # # We have to do all of those things _after_ find-debuginfo runs, otherwise # that will strip the signature off of the modules. @@ -1880,8 +1880,7 @@ find Documentation -type d | xargs chmod u+w mv .tmp_versions.sign.PAE .tmp_versions \ mv signing_key.priv.sign.PAE signing_key.priv \ mv signing_key.x509.sign.PAE signing_key.x509 \ - make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \ - %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \ + %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/ \ fi \ if [ "%{with_debug}" != "0" ]; then \ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \ @@ -1889,8 +1888,7 @@ find Documentation -type d | xargs chmod u+w mv .tmp_versions.sign.debug .tmp_versions \ mv signing_key.priv.sign.debug signing_key.priv \ mv signing_key.x509.sign.debug signing_key.x509 \ - make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \ - %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \ + %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \ fi \ if [ "%{with_pae_debug}" != "0" ]; then \ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \ @@ -1898,8 +1896,7 @@ find Documentation -type d | xargs chmod u+w mv .tmp_versions.sign.PAEdebug .tmp_versions \ mv signing_key.priv.sign.PAEdebug signing_key.priv \ mv signing_key.x509.sign.PAEdebug signing_key.x509 \ - make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \ - %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \ + %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/ \ fi \ if [ "%{with_up}" != "0" ]; then \ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \ @@ -1907,8 +1904,7 @@ find Documentation -type d | xargs chmod u+w mv .tmp_versions.sign .tmp_versions \ mv signing_key.priv.sign signing_key.priv \ mv signing_key.x509.sign signing_key.x509 \ - make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \ - %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \ + %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ fi \ fi \ %{nil} @@ -2313,6 +2309,10 @@ fi # ||----w | # || || %changelog +* Fri Jan 25 2013 Kyle McMartin +- Sign all modules with the mod-extra-sign.sh script, ensures nothing gets + missed because of .config differences between invocations of BuildKernel. + * Fri Jan 25 2013 Justin M. Forbes - Turn off THP for 32bit diff --git a/mod-extra-sign.sh b/mod-sign.sh similarity index 56% rename from mod-extra-sign.sh rename to mod-sign.sh index 9b24a4098..cae259298 100755 --- a/mod-extra-sign.sh +++ b/mod-sign.sh @@ -1,10 +1,10 @@ #! /bin/bash -# We need to sign modules we've moved from /kernel/ to /extra/ -# during mod-extra processing by hand. The 'modules_sign' Kbuild target can -# "handle" out-of-tree modules, but it does that by not signing them. Plus, -# the modules we've moved aren't actually out-of-tree. We've just shifted -# them to a different location behind Kbuild's back because we are mean. +# The modules_sign target checks for corresponding .o files for every .ko that +# is signed. This doesn't work for package builds which re-use the same build +# directory for every flavour, and the .config may change between flavours. +# So instead of using this script to just sign lib/modules/$KernelVer/extra, +# sign all .ko in the buildroot. # This essentially duplicates the 'modules_sign' Kbuild target and runs the # same commands for those modules.