diff --git a/kernel.spec b/kernel.spec
index a537878e864db0d056cb95367bc006a8dfbc1902..ffadcd6c3a2fb191bf56c662532ac9d4b4985ec5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -25,7 +25,7 @@ %global upstream_sublevel 0
 %global devel_release 10
 %global maintenance_release .0.0
-%global pkg_release .7
+%global pkg_release .8
 %define with_debuginfo 1
 # Do not recompute the build-id of vmlinux in find-debuginfo.sh
@@ -69,6 +69,11 @@ Source12: extra_certificates
 Source13: RPM-GPG-KEY-openEuler-compass-ci
 Source14: process_pgp_certs.sh
+%if 0%{?openEuler_sign_rsa}
+Source15: openeuler_kernel_cert.cer
+Source16: sign-modules-openeuler
+%endif
+
 %if 0%{?with_kabichk}
 Source18: check-kabi
 Source20: Module.kabi_aarch64
@@ -92,7 +97,7 @@ Patch0003: 0003-x86_energy_perf_policy-clang-compile-support.patch
 Patch0004: 0004-turbostat-clang-compile-support.patch
 #BuildRequires:
-BuildRequires: module-init-tools, patch >= 2.5.4, bash >= 2.03, tar
+BuildRequires: module-init-tools, patch >= 2.5.4, bash >= 2.03, tar, llvm-devel
 BuildRequires: bzip2, xz, findutils, gzip, m4, perl, make >= 3.78, diffutils, gawk
 BuildRequires: libcap-devel, libcap-ng-devel, rsync
 BuildRequires: gcc >= 3.4.2, binutils >= 2.12
@@ -116,10 +121,6 @@ BuildRequires: rpm-build, elfutils
 BuildRequires: numactl-devel python3-devel glibc-static python3-docutils
 BuildRequires: perl-generators perl(Carp) libunwind-devel gtk2-devel libbabeltrace-devel java-1.8.0-openjdk java-1.8.0-openjdk-devel perl-devel
-%if 0%{?openEuler_sign_rsa}
-BuildRequires: sign-openEuler
-%endif
-
 AutoReq: no
 AutoProv: yes
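Review bot: The removal of `BuildRequires: sign-openEuler` in the `@@ -116` hunk leaves no build dependency for `/usr/lib/rpm/brp-ebs-sign`, which the %install hunks and the new sign-modules-openeuler script in this commit now call; unless that helper is part of the build-root baseline, a build with openEuler_sign_rsa set fails at signing time instead of at dependency resolution. A conditional `BuildRequires:` for the package that provides brp-ebs-sign, inside the same `%if 0%{?openEuler_sign_rsa}` block as the new `Source15`/`Source16` lines, would restore that. The `llvm-devel` added to the unconditional BuildRequires line in the `@@ -92` hunk is unrelated to signing and is not mentioned in the changelog entry; a word there or a separate commit would keep the change reviewable.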
@@ -390,6 +391,14 @@ sed -i 's/# CONFIG_LTO_CLANG_FULL is not set/CONFIG_LTO_CLANG_FULL=y/' .config
 sed -i 's/CONFIG_LTO_NONE=y/# CONFIG_LTO_NONE is not set/' .config
 %endif
+%if 0%{?openEuler_sign_rsa}
+ cp %{SOURCE15} ./certs/openeuler-cert.pem
+ # close kernel native signature
+ sed -i 's/CONFIG_MODULE_SIG_KEY=.*$/CONFIG_MODULE_SIG_KEY=""/g' .config
+ sed -i 's/CONFIG_SYSTEM_TRUSTED_KEYS=.*$/CONFIG_SYSTEM_TRUSTED_KEYS="certs\/openeuler-cert.pem"/g' .config
+ sed -i 's/CONFIG_MODULE_SIG_ALL=y$/CONFIG_MODULE_SIG_ALL=n/g' .config
+%endif
+
 TargetImage=$(basename $(make -s image_name))
 %{make} ARCH=%{Arch} $TargetImage %{?_smp_mflags}
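Review bot: The three `sed -i` edits under `%if 0%{?openEuler_sign_rsa}` give no signal when their pattern is absent from `.config` (the option line missing, or already in a form the regex does not match), so the build can complete with only the `cp` of the certificate having happened and the in-tree signing settings untouched. Since this block is what moves trust from the in-tree key to `certs/openeuler-cert.pem`, check the outcome, e.g. `grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="certs/openeuler-cert.pem"$' .config || exit 1` after the last sed. The `# close kernel native signature` comment would carry more for the next maintainer as `# trust only the openEuler signing CA; modules and image are signed out of tree by brp-ebs-sign, so in-tree signing (MODULE_SIG_KEY, MODULE_SIG_ALL) is switched off`. The %build stage this block belongs to starts and ends outside the hunk.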
@@ -504,14 +513,16 @@ install -m 755 $(make -s image_name) $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
 echo "start sign"
 %ifarch %arm aarch64
 gunzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
- /opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
+ sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
 mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
 gzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
 rm -f $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
 %endif
 %ifarch x86_64
 mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
- /opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
+ sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
 mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
 %endif
 %endif
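Review bot: `mv ...unzip.efi.sig ...unzip.efi` overwrites the unsigned image with whatever brp-ebs-sign wrote, with no check that the `.sig` file exists and is non-empty, and the signer's exit status is never examined explicitly; if the signer exits 0 without producing output, or the scriptlet is not running under `set -e`, the packaged vmlinuz ends up unsigned without any build failure. Add `test -s $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi.sig || exit 1` before the move (and the `.efi.sig` equivalent in the x86_64 branch further down the hunk), or check the signer's status directly. The move also assumes `.sig` is the complete signed image rather than a detached signature; a one-line comment stating that, `# brp-ebs-sign --efi writes the signed image to <input>.sig`, would save the next reader a trip to the helper. The enclosing `%if` signing block begins before this hunk.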
@@ -596,6 +607,15 @@ popd
 find $RPM_BUILD_ROOT/lib/modules/ -type f -name '*.ko' | xargs -n1 -P`nproc --all` xz; \
 %{nil}
+%if 0%{?openEuler_sign_rsa}
+%define __modsign_install_post \
+ if [ "%{with_signmodules}" -eq "1" ];then \
+ sh %{SOURCE16} $RPM_BUILD_ROOT/lib/modules/%{KernelVer} || exit 1 \
+ fi \
+ find $RPM_BUILD_ROOT/lib/modules/ -type f -name '*.ko' | xargs -n1 -P`nproc --all` xz; \
+%{nil}
+%endif
+
 # deal with header
 %{make} ARCH=%{Arch} INSTALL_HDR_PATH=$RPM_BUILD_ROOT/usr KBUILD_SRC= headers_install
 find $RPM_BUILD_ROOT/usr/include -name "\.*" -exec rm -rf {} \;
@@ -954,6 +974,9 @@ fi
 %endif
 %changelog
+* Thu Mar 21 2024 jinlun - 6.6.0-10.0.0.8
+- Support generating moudle/kernel signature with openEuler signature platform
+
 * Mon Feb 26 2024 huangzq6 - 6.6.0-10.0.0.7
 - add signature for vmlinux
diff --git a/openeuler_kernel_cert.cer b/openeuler_kernel_cert.cer
new file mode 100644
index 0000000000000000000000000000000000000000..b344d679a0992e16b6a859fc1b5d94b821e4f644
--- /dev/null
+++ b/openeuler_kernel_cert.cer
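Review bot: With `openEuler_sign_rsa` set but `with_signmodules` at 0, the new `__modsign_install_post` skips signing entirely, while the %build hunk earlier in this commit has unconditionally set `CONFIG_MODULE_SIG_ALL=n` and emptied `CONFIG_MODULE_SIG_KEY`; in that combination the shipped modules carry no signature at all and would be rejected on any kernel enforcing `CONFIG_MODULE_SIG_FORCE`. Either refuse that combination up front, `%{error:openEuler_sign_rsa requires with_signmodules}`, or make the %build config edits conditional on `with_signmodules` too. The redefinition also repeats the xz line from the unconditional `__modsign_install_post` just above; a comment such as `# out-of-tree signing via the openEuler platform replaces the in-tree modsign step` would make the override explicit for readers of the spec.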
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGDzCCA/egAwIBAgIRAKnq386vzCkrb//p0VpXwOEwDQYJKoZIhvcNAQELBQAw
+ZTELMAkGA1UEAwwCQ0ExDjAMBgNVBAsMBUluZnJhMRIwEAYDVQQKDAlvcGVuRXVs
+ZXIxETAPBgNVBAcMCFNoZW5aaGVuMRIwEAYDVQQIDAlHdWFuZ0RvbmcxCzAJBgNV
+BAYTAkNOMB4XDTI0MDMxMjAyNDMzMVoXDTM0MDIyODAyNDMzMVoweTEfMB0GA1UE
+AwwWb3BlbkV1bGVyIGtlcm5lbCBJQ0EgMTEOMAwGA1UECwwFSW5mcmExEjAQBgNV
+BAoMCW9wZW5FdWxlcjERMA8GA1UEBwwIU2hlblpoZW4xEjAQBgNVBAgMCUd1YW5n
+RG9uZzELMAkGA1UEBhMCQ04wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCuGUP8/b1zxFAGV/3Vj/1B40SY9vnmkb8Kk+F8tRUEB1k36WxnxTQ3REb70ViM
+Y69L0ITzyC4qwmyEjvEyKF5/H13q0u7f6jwrBxD6J3yaePY7W60NlzO1XB5n0Ul0
+Q4FSzjLEXpL9dEcdvVHQX7DCdCxHguOf02UCrbS+QGY4ZqV4joESCo7dxn7Dpe89
+nNlvaoB/lJ2zTyk7L4/iv7nhRDpt1anI08yOYVxhf37fVeYD8YL4NnES7RvQWANA
+VEe0/UYukO14xhD27NrmYX1u96FCOtThH8GuuPqHC1Pd9hWdlHRnLXNC6JOaBPkF
+cIdwMoRiC1pryKUH5dJCFrtfN8906rq9A63eA0OMAwJ+DCotgm4qzeSUVYWrA/DM
+5ZpAqnKp55MkOHif32jtFzNfplNN9QzcTHe9eSAUClhPtPbWbQ1U1K9EPQblbrNy
+y1o+/WH5zYomLc5fnvSmiAY92YLS0i0IkLwWc/sEKV7KmYqxdUU7pSadwNR1xRyz
+7f5iWV7biWdluHBeGmVYQaMia/OJ03Gslt/lRKk4GoUdnqi0LzpTK+2fwFZfDpC1
+GyFt8d7WoDUI8E5IeGqdVFQj1rYr5mlH83bacWw9AGWsuTbgoxuOhhg8WKKorZcs
+Nj9DULBbKlS+aAc86aBGIc+W6AarU1tPrPtq9ZupsNaLgwIDAQABo4GlMIGiMBIG
+A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJC7Z+tLV+tiv2+Gfk9WvU4Z59BB
+MB8GA1UdIwQYMBaAFB4bqpJoNc3ZSRnUM8NEAaLl9T35MA4GA1UdDwEB/wQEAwIB
+hjApBglghkgBhvhCAQ0EHBYaU2lnbmF0cnVzdCBJbnRlcm1lZGlhdGUgQ0EwEQYJ
+YIZIAYb4QgEBBAQDAgABMA0GCSqGSIb3DQEBCwUAA4ICAQBDICG0Jjcjt+aKxE0E
+TK0sdl0CE0e8O/8wY5DWNkU79g2+LqU6T4g0JAV41lR/tFtrth+kP/S1H1FS50fe
+xIiWN+/RbcyB1QgOKnCWzutsozqPryKtl0dBLcD/KJepH89thWSTtCNPlCwsP10d
+VDeNEwpvLw9R7Uedl5WbXdfcv8up9g9UC0mCDAUUGonAl+1Q3fmOtfwSYd3MvslR
+sSda83kfYrMZY9av4MgyV4IyRAi97wvFY14jPjevZEr7Hfg67t85kiEthSFH5z0/
+v8U/pJ1d/HuIf9Sz+FbTeZM13OttdBlPvqw+N3oVCWuomC00DDQoznKySfd+pHEz
+PInSb3IQcAhQY0gTc+GILd0FQpahb7WCXjd3xs1S/oNsHgfjEFif80c4nG/GDVpk
+vIKwSxxGQ6GfGLw/VTOwRUta4n5WNzdIsPRi/tEz7Dpn0ay9IEh1q+sl2yLAxMUQ
+xUrEYKz1izPYgWAzUKZ3NXtCFRLhBvowj5REJXs6xIthOrDpa1Qfx5Q18pMfc+qW
+kEBLiNqEDYe2aBiWaTZKL39U9M8i3ND4JMQODgEiUrZLhACKLa6r2Vs8y61dMMs4
+ATKSZtuzfPaE7b+oKv/f47jvzG0BJM+mq0rC9A9hElztDSNfLnLgh9OJ3jHM7caF
+/V6mKr3gR8aQytJy+1JBXKzjyw==
+-----END CERTIFICATE-----
diff --git a/sign-modules-openeuler b/sign-modules-openeuler
new file mode 100644
index 0000000000000000000000000000000000000000..756f187bfea31015e51402ae36002905dd3d8437
--- /dev/null
+++ b/sign-modules-openeuler
@@ -0,0 +1,32 @@
+#! /bin/bash
+
+sign_module()
+{
+ sh /usr/lib/rpm/brp-ebs-sign --module $1 &> /dev/null
+ mv $1.sig $1
+}
+
+sign_module_list()
+{
+ IFS=$'\n'
+ for m in $1; do
+ sign_module $m &
+ done
+ wait
+}
+
+moddir=$1
+find $moddir -name *.ko > module_openeuler_unsign.list
+row_num=`wc -l module_openeuler_unsign.list | awk '{print $1}'`
+for((i=1;i<$row_num;i+=10)); do
+ IFS=""
+ sign_module_list $(sed -n "$i,$((i+9))p" module_openeuler_unsign.list)
+done
+
+RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | tail -n 1)
+if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
+ echo "*** Modules are unsigned! ***"
+ exit 1
+fi
+
+exit 0
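Review bot: The certificate added here becomes the kernel's built-in system trusted key through the `CONFIG_SYSTEM_TRUSTED_KEYS` edit in kernel.spec, and it appears to decode as a CA certificate (basicConstraints CA:TRUE, subject CN "openEuler kernel ICA 1"), so any module or image signed by a leaf it issues is trusted for loading; nothing in the commit records which organisation controls this CA, its fingerprint, or when it expires. Record the subject, SHA-256 fingerprint and validity period in the spec next to the `Source15` line, e.g. `# Source15: openEuler kernel signing CA - subject/fingerprint/expiry: <fill in from the file>`, so the trust anchor can be audited and rotated before it lapses. A PEM body in a file named `.cer` also deserves one line of explanation, since the spec copies it straight to `certs/openeuler-cert.pem`.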
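Review bot: The batching loop `for((i=1;i<$row_num;i+=10))` stops one short: with 1, 11, 21, … modules in module_openeuler_unsign.list the last entry is never handed to sign_module_list, and the final check only samples one random module, so the unsigned one is caught with probability 1/N. Use `i<=$row_num`, quote the find pattern (`-name '*.ko'`, as the later find already does; unquoted `*.ko` may glob-expand against the current directory), and verify the trailer on every listed module rather than a random one. sign_module also hides the signer's output and status (`&> /dev/null`, background job, bare `wait`), so a failed signing leaves the module untouched with no message; surfacing that and checking each module makes the failure visible at build time. Rewritten body below; sign_module_list is unchanged.
```shell
sign_module()
{
  # Report signer failures; the per-module check below is the backstop
  # when the overwrite with the signed copy does not happen.
  if ! sh /usr/lib/rpm/brp-ebs-sign --module "$1" >/dev/null 2>&1; then
    echo "*** signing failed: $1 ***" >&2
    return 1
  fi
  mv -- "$1.sig" "$1"
}

# … unchanged: sign_module_list …

moddir=$1
find "$moddir" -type f -name '*.ko' > module_openeuler_unsign.list
row_num=$(wc -l < module_openeuler_unsign.list)
for ((i = 1; i <= row_num; i += 10)); do
  IFS=""
  sign_module_list "$(sed -n "${i},$((i + 9))p" module_openeuler_unsign.list)"
done

# Check every module, not a random sample.
unsigned=0
while IFS= read -r m; do
  if [ "~Module signature appended~" != "$(tail -c 28 "$m")" ]; then
    echo "*** unsigned module: $m ***" >&2
    unsigned=1
  fi
done < module_openeuler_unsign.list
[ "$unsigned" -eq 0 ] || exit 1

exit 0
```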