fix: preserve linux kmod signature in zfs-kmod rpm spec

This change provides rpm spec macros to sign the zfs and spl kmods as
the final step after the %install scriptlet. This is needed since the
find-debuginfo.sh script strips out debug symbols plus signatures.

Kernel module signing only occurs when the required files are present
at their usual locations in the Linux source tree:
- certs/signing_key.pem
- certs/signing_key.x509

The method for overriding the default __spec_install_post macro is
inspired by (and largely copied from) the Fedora kernel.spec.

Reviewed-by: Tony Hutter <hutter2@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Benjamin Sherman <benjamin@holyarmy.org>
Closes #15744
Benjamin Sherman 2024-01-12 14:33:41 -06:00 committed by GitHub
parent 5a703d1368
commit 363368c670
2 changed files with 48 additions and 0 deletions


@ -150,6 +150,30 @@ for kernel_version in %{?kernel_versions}; do
done done
# Module signing (modsign)
#
# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
# the signature off of the modules.
# (Based on Fedora's kernel.spec workaround)
%define __modsign_install_post \
sign_pem="%{ksrc}/certs/signing_key.pem"; \
sign_x509="%{ksrc}/certs/signing_key.x509"; \
if [ -f "${sign_x509}" ]\
then \
echo "Signing kernel modules ..."; \
for kmod in $(find ${RPM_BUILD_ROOT}%{kmodinstdir_prefix}/*/extra/ -name \*.ko); do \
%{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
done \
fi \
%{nil}
# hack to ensure signing happens after find-debuginfo.sh runs
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}}\
%{__arch_install_post}\
%{__os_install_post}\
%{__modsign_install_post}
%install %install
rm -rf ${RPM_BUILD_ROOT} rm -rf ${RPM_BUILD_ROOT}
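Review bot: The guard `if [ -f "${sign_x509}" ]` tests only the certificate although the description says signing needs both certs/signing_key.pem and certs/signing_key.x509, and the exit status of `sign-file` inside the for loop is never examined, so a missing or unreadable private key prints "Signing kernel modules ..." and then leaves every .ko unsigned while the build continues. I would change the guard to `if [ -f "${sign_pem}" ] && [ -f "${sign_x509}" ]` and make the loop body `%{ksrc}/scripts/sign-file sha256 "${sign_pem}" "${sign_x509}" "${kmod}" || exit 1;` so the step either signs all modules or fails the build, since whether a non-zero status in this macro aborts the %install scriptlet on its own depends on how rpmbuild runs it. The unquoted `$(find ...)` also word-splits on whitespace in paths; `find ... -name '*.ko' -exec ... {} \;` sidesteps that, though buildroot paths rarely contain spaces. The same macro with the same omissions appears in the second file's hunk.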


@ -72,6 +72,30 @@ fi
%{?kernel_llvm} %{?kernel_llvm}
make %{?_smp_mflags} make %{?_smp_mflags}
# Module signing (modsign)
#
# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
# the signature off of the modules.
# (Based on Fedora's kernel.spec workaround)
%define __modsign_install_post \
sign_pem="%{ksrc}/certs/signing_key.pem"; \
sign_x509="%{ksrc}/certs/signing_key.x509"; \
if [ -f "${sign_x509}" ]\
then \
echo "Signing kernel modules ..."; \
for kmod in $(find %{buildroot}/lib/modules/%{kverrel}/extra/ -name \*.ko); do \
%{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
done \
fi \
%{nil}
# hack to ensure signing happens after find-debuginfo.sh runs
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}}\
%{__arch_install_post}\
%{__os_install_post}\
%{__modsign_install_post}
%install %install
make install \ make install \
DESTDIR=${RPM_BUILD_ROOT} \ DESTDIR=${RPM_BUILD_ROOT} \