rpms/kernel
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

sign all modules with the extras signing script

Browse Source
This commit is contained in:
Kyle McMartin 2013-01-25 13:53:02 -05:00
parent 0f6d46f6c8
commit d0a8cf569b
2 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
kernel.spec
View File

@ -556,7 +556,8 @@ Source11: x509.genkey
Source15: merge.pl Source15: merge.pl
Source16: mod-extra.list Source16: mod-extra.list
Source17: mod-extra.sh Source17: mod-extra.sh
Source18: mod-extra-sign.sh Source18: mod-sign.sh
%define modsign_cmd %{SOURCE18}
Source19: Makefile.release Source19: Makefile.release
Source20: Makefile.config Source20: Makefile.config
@ -1866,8 +1867,7 @@ find Documentation -type d | xargs chmod u+w
# could be because of that. 2) We restore the .tmp_versions/ directory from # could be because of that. 2) We restore the .tmp_versions/ directory from
# the one we saved off in BuildKernel above. This is to make sure we're # the one we saved off in BuildKernel above. This is to make sure we're
# signing the modules we actually built/installed in that flavour. 3) We # signing the modules we actually built/installed in that flavour. 3) We
# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh # grab the arch and invoke mod-sign.sh command to actually sign the modules.
# commands to actually sign the modules.
# #
# We have to do all of those things _after_ find-debuginfo runs, otherwise # We have to do all of those things _after_ find-debuginfo runs, otherwise
# that will strip the signature off of the modules. # that will strip the signature off of the modules.
@ -1880,8 +1880,7 @@ find Documentation -type d | xargs chmod u+w
mv .tmp_versions.sign.PAE .tmp_versions \ mv .tmp_versions.sign.PAE .tmp_versions \
mv signing_key.priv.sign.PAE signing_key.priv \ mv signing_key.priv.sign.PAE signing_key.priv \
mv signing_key.x509.sign.PAE signing_key.x509 \ mv signing_key.x509.sign.PAE signing_key.x509 \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/ \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
fi \ fi \
if [ "%{with_debug}" != "0" ]; then \ if [ "%{with_debug}" != "0" ]; then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
@ -1889,8 +1888,7 @@ find Documentation -type d | xargs chmod u+w
mv .tmp_versions.sign.debug .tmp_versions \ mv .tmp_versions.sign.debug .tmp_versions \
mv signing_key.priv.sign.debug signing_key.priv \ mv signing_key.priv.sign.debug signing_key.priv \
mv signing_key.x509.sign.debug signing_key.x509 \ mv signing_key.x509.sign.debug signing_key.x509 \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
fi \ fi \
if [ "%{with_pae_debug}" != "0" ]; then \ if [ "%{with_pae_debug}" != "0" ]; then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
@ -1898,8 +1896,7 @@ find Documentation -type d | xargs chmod u+w
mv .tmp_versions.sign.PAEdebug .tmp_versions \ mv .tmp_versions.sign.PAEdebug .tmp_versions \
mv signing_key.priv.sign.PAEdebug signing_key.priv \ mv signing_key.priv.sign.PAEdebug signing_key.priv \
mv signing_key.x509.sign.PAEdebug signing_key.x509 \ mv signing_key.x509.sign.PAEdebug signing_key.x509 \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/ \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
fi \ fi \
if [ "%{with_up}" != "0" ]; then \ if [ "%{with_up}" != "0" ]; then \
Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \ Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
@ -1907,8 +1904,7 @@ find Documentation -type d | xargs chmod u+w
mv .tmp_versions.sign .tmp_versions \ mv .tmp_versions.sign .tmp_versions \
mv signing_key.priv.sign signing_key.priv \ mv signing_key.priv.sign signing_key.priv \
mv signing_key.x509.sign signing_key.x509 \ mv signing_key.x509.sign signing_key.x509 \
make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
%{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
fi \ fi \
fi \ fi \
%{nil} %{nil}
@ -2313,6 +2309,10 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Fri Jan 25 2013 Kyle McMartin <kmcmarti@redhat.com>
- Sign all modules with the mod-extra-sign.sh script, ensures nothing gets
missed because of .config differences between invocations of BuildKernel.
* Fri Jan 25 2013 Justin M. Forbes <jforbes@redhat.com> * Fri Jan 25 2013 Justin M. Forbes <jforbes@redhat.com>
- Turn off THP for 32bit - Turn off THP for 32bit

10
mod-extra-sign.sh → mod-sign.sh
View File

@ -1,10 +1,10 @@
#! /bin/bash #! /bin/bash
# We need to sign modules we've moved from <path>/kernel/ to <path>/extra/ # The modules_sign target checks for corresponding .o files for every .ko that
# during mod-extra processing by hand. The 'modules_sign' Kbuild target can # is signed. This doesn't work for package builds which re-use the same build
# "handle" out-of-tree modules, but it does that by not signing them. Plus, # directory for every flavour, and the .config may change between flavours.
# the modules we've moved aren't actually out-of-tree. We've just shifted # So instead of using this script to just sign lib/modules/$KernelVer/extra,
# them to a different location behind Kbuild's back because we are mean. # sign all .ko in the buildroot.
# This essentially duplicates the 'modules_sign' Kbuild target and runs the # This essentially duplicates the 'modules_sign' Kbuild target and runs the
# same commands for those modules. # same commands for those modules.