kernel-5.15/kernel.spec

# _get_email() in %%build contains bashisms for regexping
%define _buildshell /bin/bash

# Prevent RPM scripts from stripping signatures,
# we strip binaries manually in %%build
%define __strip %(which true)

# brp-python-bytecompile uses /usr/bin/python,
# but it is a different python version in different ROSA
# releases; there is no good way to tell brp-python-bytecompile
# which iterpreter to use; so just disable it to avoid problems
%define _python_bytecompile_build 0

# Probably dwz bug, on i686 only file is not packaged:
# /usr/lib/debug/usr/bin/trace-5.4.40-3.i386.debug.#dwz#.b5xuKG
# dwz compresses only debuginfo from perf, cpupower, uml,
# not the kernel itself (because it is stripped not by RPM),
# so we do not loose much by disabling it.
%global _find_debuginfo_dwz_opts %{nil}

%define kernelversion	5
%define patchlevel	4
# sublevel is used for stable-based kernels
%define sublevel	72

# Release number. Increase this before a rebuild.
%define rpmrel		2
%define fullrpmrel	%{rpmrel}

%define rpmtag		%{disttag}

# fakerel and fakever never change, they are used to fool
# rpm/urpmi/smart and ensure the kernels are installed,
# not upgraded so old kernel is not overwritten or removed
%define fakever		1
%define fakerel 	%mkrel 1

# version defines
%define kversion  	%{kernelversion}.%{patchlevel}.%{sublevel}
%define kverrel   	%{kversion}-%{fullrpmrel}
%define tar_ver   	%{kernelversion}.%{patchlevel}

%ifarch %{ix86}
# Use a standard suffix for 32-bit x86
%define arch_suffix	i586
%else
%define arch_suffix	%{_arch}
%endif

%define buildrpmrel     %{fullrpmrel}%{rpmtag}-%{arch_suffix}
%define buildrel     	%{kversion}-%{buildrpmrel}

# %%build_selinux may be defined in branding-configs
#%%{?build_selinux}%{?!build_selinux:%bcond_with selinux}
#%%if %{with selinux}
%global enhanced_security 1
#%%else
#%%global enhanced_security 0
#%%endif
# Allow "rpmbuild --without enhanced_security <...>"
%{?_without_enhanced_security:%global enhanced_security 0}

%if %{enhanced_security}
%bcond_without additional_keys
%endif
# User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
%bcond_without uml

# "Nickel" is a special brand for certified distros
# gost_sign will probably be enabled outside of Nickel later,
# but for now let's better do not make such experiments in stable platforms
%if %{mdvver} == 201900 || %{mdvver} == 201905
%bcond_without nickel
%bcond_without gost_sign
%bcond_without oblig_signed_modules
%else
%bcond_with nickel
%bcond_with gost_sign
%bcond_with oblig_signed_modules
%endif

# Build binary out-of-tree kernel modules (experimental)
%if %{mdvver} >= 201905
%bcond_without binary_extra_modules
%else
%bcond_with binary_extra_modules
%endif

%bcond_with ccache
%bcond_without flow_abi

# Kernel flavour
%if %{with nickel}
%define flavour		nickel
%else
%define flavour		generic
%endif

# The full kernel version
%define kver_full	%{kversion}-%{flavour}-%{buildrpmrel}
############################################################################

%define top_dir_name 	kernel-%{_arch}
%define build_dir 	${RPM_BUILD_DIR}/%{top_dir_name}
%define src_dir 	%{build_dir}/linux-%{tar_ver}

# Common target directories
%define _bootdir	/boot
%define _modulesdir	/lib/modules

%define devel_root	/usr/src/linux-%{kver_full}

# Directories needed for building
%define temp_root	%{build_dir}/temp-root
%define temp_boot	%{temp_root}%{_bootdir}
%define temp_modules	%{temp_root}%{_modulesdir}
%define temp_devel_root	%{temp_root}%{devel_root}

# Directories definition needed for installing
%define target_boot	%{buildroot}%{_bootdir}
%define target_modules	%{buildroot}%{_modulesdir}

# Manual control of creating and deleting keys
# "rnd" is "random" and means that a key pair is generated at build time
# and is not saved anywhere.
%define certs_dir_rnd certs
%define certs_signing_key_priv_rnd %{certs_dir_rnd}/signing_key_priv.key
%define certs_signing_der %{certs_dir_rnd}/signing_key.x509
%define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
%define certs_public_keys %{certs_dir_rnd}/public.pem
%define certs_verify_tmp %{certs_dir_rnd}/verify.tmp
############################################################################

# Build defines
%define build_doc 		0
%define build_devel 		1
%define build_debug		1

# Build kernel-headers package
# Make headers of this kernel not default for rosa2016.1
%if %{mdvver} <= 201610
%define build_headers 0
%else
%define build_headers 1
%endif

# build perf and cpupower tools
%define build_perf		1
%define build_cpupower		1

# compress modules with xz
%define build_modxz		1
# End of user definitions

# buildtime flags
%{?_without_doc: %global build_doc 0}
%{?_without_devel: %global build_devel 0}
%{?_without_debug: %global build_debug 0}
%{?_without_perf: %global build_perf 0}
%{?_without_cpupower: %global build_cpupower 0}
%{?_without_modxz: %global build_modxz 0}

%{?_with_doc: %global build_doc 1}
%{?_with_devel: %global build_devel 1}
%{?_with_debug: %global build_debug 1}
%{?_with_perf: %global build_perf 1}
%{?_with_cpupower: %global build_cpupower 1}
%{?_with_modxz: %global build_modxz 1}

%if %{build_modxz}
%define kmod_suffix .xz
%else
%define kmod_suffix .gz
%endif

%if !%{build_debug}
# Disable debug rpms.
%define _enable_debug_packages 	%{nil}
%define debug_package 		%{nil}
%endif

# http://nickdesaulniers.github.io/blog/2018/06/02/speeding-up-linux-kernel-builds-with-ccache/
%if %{with ccache}
%define kmake KBUILD_BUILD_TIMESTAMP='' %make CC='ccache gcc'
%else
%define kmake %make CC='gcc'
%endif

# there are places where parallel make don't work
%define smake make

# Parallelize xargs invocations on smp machines
%define kxargs xargs %([ -z "$RPM_BUILD_NCPUS" ] \\\
	&& RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"; \\\
	[ "$RPM_BUILD_NCPUS" -gt 1 ] && echo "-P $RPM_BUILD_NCPUS")

#
# SRC RPM description
#
Summary: 	The Linux kernel
Name:		kernel
Version: 	%{kversion}
Release: 	%{fullrpmrel}
License: 	GPLv2
Group: 	 	System/Kernel and hardware
ExclusiveArch: %{ix86} x86_64
URL:            http://www.kernel.org

####################################################################
#
# Sources
#
Source0: 	https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/linux-%{tar_ver}.tar.xz

# This is for disabling *config, mrproper, prepare, scripts on -devel rpms
# Needed, because otherwise the -devel won't build correctly.
Source2: 	disable-mrproper-prepare-scripts-configs-in-devel-rpms.patch

# TODO: make a separate package "ksobirator" and BR it
# after testing these macros properly
Source3:	macros.ksobirator
%{load:%{SOURCE3}}

# Kernel configuration files.
Source110:	kernel-%{arch_suffix}.config

# Cpupower: the service, the config, etc.
Source50:	cpupower.service
Source51:	cpupower.config
Source52:	cpupower-start.sh
Source53:	cpupower.path

Source80:	kernel.rpmlintrc

# Additional keys that can be used to sign kernel modules
# Generated by https://abf.io/soft/kernel-keys
# Source201..206: public_key_GOST_*.pem
%{expand:%(for i in `seq 1 6`; do echo "Source$((200+${i})): public_key_GOST_${i}.pem"; done)}
# Source207..212: public_key_RSA_*.pem
%{expand:%(for i in `seq 7 12`; do echo "Source$((200+${i})): public_key_RSA_${i}.pem"; done)}

####################################################################

# Patches

# The patch to make kernel x.y.z from x.y.0.
Patch1:   	https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/patch-%{kversion}.xz

# Patches from mainline
# none

# ROSA-specific patches

# Perf docs are built after all the kernels. To validate the xml files
# generated during that process, xmlto tries to get DTD files from the Net.
# If it fails, the whole build fails, which is unfortunate. Let us avoid
# this.
Patch101:	perf-xmlto-skip-validation.patch

# http://bugs.rosalinux.ru/show_bug.cgi?id=6235
# http://bugs.rosalinux.ru/show_bug.cgi?id=6459
Patch102:	audit-make-it-less-verbose.patch

# AUFS 5 from http://aufs.sourceforge.net/
Patch109:	fs-aufs.patch
Patch110:	fs-aufs-2.patch

# For kmod() generator of RPM Provides
# Changes version of aacraid.ko
Patch111:	0001-Remove-RPM-illegal-chars-from-module-version.patch

# AltHa LSM Module
# https://www.altlinux.org/AltHa
# http://git.altlinux.org/gears/k/kernel-image-un-def.git
# TODO: known problem: https://bugzilla.altlinux.org/show_bug.cgi?id=38225
Patch201:	0001-AltHa-LSM-module.patch
Patch202:	0002-Documentation-for-AltHa-LSM.patch

# Other patches
Patch301:	objtool-sync-check.sh-set-the-exit-code-explicitly.patch
# sent to upstream, https://patchwork.kernel.org/patch/11446123/
Patch302:	0001-sign-file-full-functionality-with-modern-LibreSSL.patch
# Add sysctl to disable disk-based swap
Patch304: 	0001-mm-add-sysctl-to-disable-disk-based-swap.patch
# Support loading GOST-signed modules
Patch305:	0001-crypto-support-loading-GOST-signed-kernel-modules.patch
# Allow to off modules signature check dynamically
Patch306:	0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch

# Disable AutoReq
AutoReq: 	0
# but keep autoprov for kmod(xxx)
AutoProv: 	1

BuildRequires: 	bash
BuildRequires: 	bc
BuildRequires: 	binutils
BuildRequires: 	gcc
# For power tools
BuildRequires:	pkgconfig(ncurses)
BuildRequires:	kmod-devel kmod-compat
BuildRequires:	bison
BuildRequires:	flex
BuildRequires:	bzip2
BuildRequires:	rsync

%ifarch x86_64
BuildRequires:  numa-devel
%endif

# for perf, cpufreq and all other tools
# for cpupower
%if %{build_cpupower}
BuildRequires:		pciutils-devel
%endif
# for perf
%if %{build_perf}
BuildRequires:		asciidoc
BuildRequires:		audit-devel
BuildRequires:		binutils-devel
BuildRequires:		elfutils-devel
BuildRequires:		libunwind-devel
BuildRequires:		newt-devel
BuildRequires:		perl-devel
BuildRequires:		pkgconfig(python)
BuildRequires:		xmlto
BuildRequires:		zlib-devel
BuildRequires:		pkgconfig(libcrypto)
%endif

%if %{enhanced_security}
# (To generate keys)
# LibreSSL has GOST support without editing openssl.cnf
# or dlopen()-ing external library
BuildRequires:		libressl libressl-devel
# To verify signatures (find, xargs, hexdump)
BuildRequires:		findutils util-linux
%endif

%if %{with binary_extra_modules}
BuildRequires: kernel-source-rtl8821ce
BuildRequires: kernel-source-shredder-kernel
BuildRequires: kernel-source-tripso
BuildRequires: kernel-source-virtualbox
# TODO: drop it for kernels >= 5.6
# because all guest modules have been upstreamized
# https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
BuildRequires: kernel-source-virtualbox-vboxadditions
# rosa-test-suite is maintained in certified branches only
# nlkm, memfreetest, pcietest
%if %{with nickel}
BuildRequires: kernel-source-rosa-test-suite
%endif
%endif #with binary_extra_modules

%if %{with ccache}
BuildRequires: ccache
%endif

# might be useful too:
Recommends:		microcode


%description
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.

############################################################################

%package -n kernel-%{flavour}-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}

Provides:	kernel = %{kverrel}
Provides:	kernel = %{kernelversion}.%{patchlevel}
Provides:	kernel-%{flavour} = %{kverrel}
%if %{enhanced_security}
Provides:	kernel-hardened = %{kverrel}
Provides:	kernel-hardened = %{kernelversion}.%{patchlevel}
Provides:	kernel-hardened-%{flavour} = %{kverrel}
%endif
Provides:	alsa = 1.0.27
Provides:	should-restart = system

Requires(pre):	grub2
Requires(pre):	dracut >= 046
Requires(pre):	kmod >= 20-1
Requires(pre):	sysfsutils >=  2.1.0-12
Requires:	dracut >= 046
Requires:	linux-firmware >= 20181026
Requires:	wireless-regdb

%if %{with flow_abi}
Requires:	kernel-%{kernelversion}.%{patchlevel}-rosa-flow-abi
%endif

Recommends:	crda

# Keep these deps on old platforms
# but get rid of puling gcc etc. by the kernel on newer platforms
%if %{build_devel} && %{mdvver} < 201900
Requires:	kernel-%{flavour}-devel-%{buildrel}
Requires(post):	kernel-%{flavour}-devel-%{buildrel}
%endif

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

Summary:	A general-purpose Linux Kernel
Group:		System/Kernel and hardware

%description -n kernel-%{flavour}-%{buildrel}
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc. This is a general-purpose kernel.

%post -n kernel-%{flavour}-%{buildrel}
# We always regenerate initrd here, even if it already exists. This may
# happen if kernel-<...>-devel is installed first, triggers rebuild of
# DKMS modules and some of these request remaking of initrd. The initrd
# that is created then will be non-functional. But when the user installs
# kernel-<...> package, that defunct initrd will be replaced with a working
# one here.
#
# depmod is also needed, because some DKMS-modules might have been installed
# when the devel package was installed but that was before the main modules
# were installed.
# This is also the reason the devel package is in Requires(post) for this
# package now: it must be installed completely before we call depmod here.
/sbin/depmod -a %{kver_full}
/sbin/dracut -f /boot/initrd-%{kver_full}.img %{kver_full}

# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2

pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
	rm -f vmlinuz-%{flavour}
fi
if [ -L initrd-%{flavour}.img ]; then
	rm -f initrd-%{flavour}.img
fi
popd > /dev/null
exit 0

%preun -n kernel-%{flavour}-%{buildrel}
pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
	if [ "$(readlink vmlinuz-%{flavour})" = "vmlinuz-%{kver_full}" ]; then
		rm -f vmlinuz-%{flavour}
	fi
fi
if [ -L initrd-%{flavour}.img ]; then
	if [ "$(readlink initrd-%{flavour}.img)" = "initrd-%{kver_full}.img" ]; then
		rm -f initrd-%{flavour}.img
	fi
fi

# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2

popd > /dev/null
exit 0

%postun -n kernel-%{flavour}-%{buildrel}
rm -f /boot/initrd-%{kver_full}.img
rm -f /boot/initrd-%{kver_full}_old.img
rm -f /boot/initrd-%{kver_full}kdump.img
rm -f /boot/initramfs-%{kver_full}kdump.img

# Third-party modules might have left something in /lib/modules/.../kernel/.
rm -rf /lib/modules/%{kver_full}/kernel/
rm -rf /lib/modules/%{kver_full}/modules*
# Remove /lib/modules/<...>/ if it is empty (-devel uses it too).
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true


%files -n kernel-%{flavour}-%{buildrel} -f kernel_files.%{flavour}

############################################################################

%if %build_devel
%package -n	kernel-%{flavour}-devel-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}
Summary:	Development files for kernel-%{flavour}-%{buildrel}
Group:		Development/Kernel
Requires:	glibc-devel
Requires:	ncurses-devel
Requires:	make
Requires:	gcc
Requires:	perl
Provides:	kernel-devel = %{kverrel}
Provides:	kernel-%{flavour}-devel = %{kverrel}
%if %{enhanced_security}
Provides:	kernel-hardened-devel = %{kverrel}
Provides:	kernel-hardened-%{flavour}-devel = %{kverrel}
%endif

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-%{flavour}-devel-%{buildrel}
This package contains the kernel files (headers and build tools)
that should be enough to build additional drivers for
use with kernel-%{flavour}-%{buildrel}.

%post -n kernel-%{flavour}-devel-%{buildrel}
if command -v dkms_autoinstaller >/dev/null 2>&1; then
	dkms_autoinstaller start %{kver_full}
fi

%preun -n kernel-%{flavour}-devel-%{buildrel}

# If any DKMS modules with REMAKE_INITRD=yes in their configs have been
# uninstalled, initrd has been regenerated for the given kernel. However,
# the kernel itself might have been uninstalled before, so that (defunct)
# initrd image files would be left behind. Remove them if the kernel itself
# is no longer installed. Should work if they are uninstalled in parallel
# too.
if ! test -f /boot/vmlinuz-%{kver_full}; then
	rm -f /boot/initrd-%{kver_full}.img
	rm -f /boot/initrd-%{kver_full}_old.img
fi

if ! command -v dkms >/dev/null 2>&1; then exit 0; fi

for ii in $(/usr/sbin/dkms status -k %{kver_full} | awk '{ print $1 $2; }'); do
	mod=$(echo $ii | awk -v FS=',' '{ print $1; }')
	ver=$(echo $ii | awk -v FS=',' '{ print $2; }')
	/usr/sbin/dkms --rpm_safe_upgrade uninstall -m $mod -v $ver -k %{kver_full} || :
done

%postun -n kernel-%{flavour}-devel-%{buildrel}
rm -rf /usr/src/linux-%{kver_full} >/dev/null
# depmod (called when removing DKMS modules) might have created files in
# /lib/modules/.../. Remove these first.
rm -rf /lib/modules/%{kver_full}/modules*
# Remove the dir if it is already empty.
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true


%files -n kernel-%{flavour}-devel-%{buildrel}
%dir %{devel_root}
%dir %{devel_root}/arch
%dir %{devel_root}/include
%{devel_root}/Documentation
%{devel_root}/arch/um
%{devel_root}/arch/x86
%{devel_root}/block
%{devel_root}/certs
%{devel_root}/crypto
%{devel_root}/drivers
%{devel_root}/fs
%{devel_root}/include/acpi
%{devel_root}/include/asm-generic
%{devel_root}/include/clocksource
%{devel_root}/include/config
%{devel_root}/include/crypto
%{devel_root}/include/drm
%{devel_root}/include/dt-bindings
%{devel_root}/include/generated
%{devel_root}/include/keys
%{devel_root}/include/kvm
%{devel_root}/include/linux
%{devel_root}/include/math-emu
%{devel_root}/include/media
%{devel_root}/include/misc
%{devel_root}/include/net
%{devel_root}/include/pcmcia
%{devel_root}/include/ras
%{devel_root}/include/rdma
%{devel_root}/include/scsi
%{devel_root}/include/sound
%{devel_root}/include/target
%{devel_root}/include/trace
%{devel_root}/include/uapi
%{devel_root}/include/vdso
%{devel_root}/include/video
%{devel_root}/include/xen
%{devel_root}/init
%{devel_root}/ipc
%{devel_root}/kernel
%{devel_root}/lib
%{devel_root}/mm
%{devel_root}/net
%{devel_root}/samples
%{devel_root}/scripts
%{devel_root}/security
%{devel_root}/sound
%{devel_root}/tools
%{devel_root}/usr
%{devel_root}/virt
%{devel_root}/.config
%{devel_root}/Kbuild
%{devel_root}/Kconfig
%{devel_root}/Makefile
%{devel_root}/Module.symvers
%{devel_root}/arch/Kconfig
%{_modulesdir}/%{kver_full}/build
%{_modulesdir}/%{kver_full}/source

%endif

############################################################################

%if %build_debug
%package -n	kernel-%{flavour}-%{buildrel}-debuginfo
Version:	%{fakever}
Release:	%{fakerel}
Summary:	Debuginfo for kernel-%{flavour}-%{buildrel}
Group:		Development/Debug
Provides:	kernel-debug = %{kverrel}
%if %{enhanced_security}
Provides:	kernel-hardened-debug = %{kverrel}
%endif

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-%{flavour}-%{buildrel}-debuginfo
This package contains the files with debuginfo for kernel-%{flavour}-%{buildrel}.

%files -n kernel-%{flavour}-%{buildrel}-debuginfo -f kernel_debug_files.%{flavour}

%endif

############################################################################

%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-%{flavour} in %{kernelversion}.%{patchlevel} series
Group:		System/Kernel and hardware
Requires:	kernel-%{flavour}-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the
latest kernel-%{flavour} %{kernelversion}.%{patchlevel}.x installed.

%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files

############################################################################

%if %build_devel

%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-%{flavour}-devel in %{kernelversion}.%{patchlevel} series
Group:		Development/Kernel
Requires:	kernel-%{flavour}-devel-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

Provides:	kernel-devel-latest
%if %{enhanced_security}
Provides:	kernel-hardened-devel-latest
%endif

%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
This meta package aims to make sure you always have the
latest kernel-%{flavour}-devel %{kernelversion}.%{patchlevel}.x installed.

%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
# no files

%endif

############################################################################

%if %build_doc
%package -n kernel-doc
Version: 	%{kversion}
Release: 	%{fullrpmrel}
Summary: 	Various documentation bits found in the kernel source
Group: 		Documentation
Buildarch:	noarch

%description -n kernel-doc
This package contains documentation files from the kernel source.

%files -n kernel-doc
%doc linux-%{tar_ver}/Documentation/*

%endif

############################################################################

%if %{build_perf}
%package -n perf
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	perf tool and the supporting documentation
Group:		System/Kernel and hardware

%description -n perf
The package contains perf tool and the supporting documentation.

%files -n perf
%{_bindir}/perf
%ifarch x86_64
%{_bindir}/perf-read-vdso32
%endif
%{_bindir}/trace
%dir %{_prefix}/libexec/perf-core
%dir %{_libdir}/traceevent
%dir %{_libdir}/traceevent/plugins
%{_libdir}/traceevent/plugins/*
%{_prefix}/libexec/perf-core/*
%{_mandir}/man[1-8]/perf*
%{_sysconfdir}/bash_completion.d/perf
%{_datadir}/perf-core/strace/groups/*
%{_datadir}/doc/perf-tip/*.txt
/usr/lib/perf/examples/bpf/*
/usr/lib/perf/include/bpf/*

%endif

############################################################################

%if %{build_cpupower}
%package -n cpupower
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	The cpupower tools
Group:		System/Kernel and hardware
Requires(post):  rpm-helper >= 0.24.0-3
Requires(preun): rpm-helper >= 0.24.0-3
Obsoletes:	cpufreq < 3.0
Obsoletes:	cpufrequtils < 10.0

%description -n cpupower
The cpupower tools.

%post -n cpupower

if [ $1 -ge 0 ]; then
# Do not enable/disable cpupower.service directly, because it should start
# when cpupower.path triggers it.
	/bin/systemctl enable cpupower.path >/dev/null 2>&1 || :
	/bin/systemctl start cpupower.path >/dev/null 2>&1 || :
fi

%preun -n cpupower
if [ $1 -eq 0 ]; then
        /bin/systemctl --no-reload disable cpupower.path > /dev/null 2>&1 || :
        /bin/systemctl stop cpupower.path > /dev/null 2>&1 || :
fi

%files -n cpupower -f cpupower.lang
%{_bindir}/cpupower
%{_bindir}/cpupower-start.sh
%{_libdir}/libcpupower.so.0
%{_libdir}/libcpupower.so.0.0.1
%{_unitdir}/cpupower.service
%{_unitdir}/cpupower.path
%{_datadir}/bash-completion/completions/cpupower
%{_mandir}/man[1-8]/cpupower*
%config(noreplace) %{_sysconfdir}/sysconfig/cpupower

############################################################################

%package -n cpupower-devel
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Development files for cpupower
Group:		Development/Kernel
Requires:	cpupower = %{kversion}-%{fullrpmrel}
Conflicts:	%{_lib}cpufreq-devel

%description -n cpupower-devel
This package contains the development files for cpupower.

%files -n cpupower-devel
%{_libdir}/libcpupower.so
%{_includedir}/cpufreq.h
%{_includedir}/cpuidle.h

%endif

############################################################################

%if %{build_headers}
%package headers
Version:	%kversion
Release:	%fullrpmrel
Summary:	Linux kernel header files mostly used by your C library
Group:		System/Kernel and hardware
Epoch:		1
Provides:	linux-userspace-headers = %{EVRD}
Provides:	kernel-release-headers = %{EVRD}

%description headers
C header files from the Linux kernel. The header files define
structures and constants that are needed for building most
standard programs, notably the C library.

This package is not suitable for building kernel modules, you
should use the 'kernel-devel' package instead.

%files headers
%{_includedir}/*
# Don't conflict with cpupower-devel
%if %{build_cpupower}
%exclude %{_includedir}/cpufreq.h
%exclude %{_includedir}/cpuidle.h
%endif
%endif

############################################################################

%if %{with uml}

%package -n kernel-uml-%{flavour}-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}
Provides:	kernel-uml = %{kverrel}
Provides:	kernel-uml-%{flavour} = %{kverrel}
Summary:	User Mode Linux binary
Group:		System/Kernel and hardware

%description -n kernel-uml-%{flavour}-%{buildrel}
User Mode Linux binary.
Stripped, debug is in kernel-%{flavour}-%{buildrel}-debuginfo.

%files -n kernel-uml-%{flavour}-%{buildrel}
%{_bindir}/linux-uml-%{kver_full}
#------------------------------------------------

%package -n kernel-uml-modules-%{flavour}-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}
Provides:	kernel-uml-modules = %{kverrel}
Provides:	kernel-uml-modules-%{flavour} = %{kverrel}
Summary:	User Mode Linux (UML) kernel modules
Group:		System/Kernel and hardware

%description -n kernel-uml-modules-%{flavour}-%{buildrel}
User Mode Linux (UML) kernel modules
- not compressed
- not stripped
- signed

%files -n kernel-uml-modules-%{flavour}-%{buildrel}
/lib/modules-uml/%{kver_full}
#------------------------------------------------

%package -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-uml-%{flavour} in %{kernelversion}.%{patchlevel} series
Group:		System/Kernel and hardware
Requires:	kernel-uml-%{flavour}-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the
latest kernel-uml-%{flavour} %{kernelversion}.%{patchlevel}.x
(User Mode Linux binary) installed.

%files -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files
#------------------------------------------------

%package -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-uml-modules-%{flavour} in %{kernelversion}.%{patchlevel} series
Group:		System/Kernel and hardware
Requires:	kernel-uml-modules-%{flavour}-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the
latest kernel-uml-modules-%{flavour} %{kernelversion}.%{patchlevel}.x
(User Mode Linux kernel modules) installed.

%files -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files
#------------------------------------------------

%endif #endif uml

#------------------------------------------------

%if %{with binary_extra_modules}

%ksob_mk_module_pkg -n 8821ce -s net/wireless
%ksob_mk_module_pkg -n shredder-kernel -s extra -r rosa-shredder-user
%ksob_mk_module_pkg -n xt_TRIPSO -s net -r tripso

# virtualbox host
%ksob_mk_module_pkg -n vboxnetflt -s misc
%ksob_mk_module_pkg -n vboxnetadp -s misc
%ksob_mk_module_pkg -n vboxdrv -s misc
%ksob_mk_module_pkg -n vboxpci -s misc

#------------------------------------------------
# a package which will pull all those modules
%package -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Summary: Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
Group: System/Kernel and hardware
Version: %{kversion}
Release: %{fullrpmrel}
Requires: kernel-module-vboxnetflt-%{flavour}-%{buildrel}
Requires: kernel-module-vboxnetadp-%{flavour}-%{buildrel}
Requires: kernel-module-vboxdrv-%{flavour}-%{buildrel}
Requires: kernel-module-vboxpci-%{flavour}-%{buildrel}

%description -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}

%files -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# empty
#------------------------------------------------

# virtualbox guest, to be dropped in kernels 5.6+ (upsreamized)
%ksob_mk_module_pkg -n vboxvideo -s misc
%ksob_mk_module_pkg -n vboxguest -s misc
%ksob_mk_module_pkg -n vboxsf -s misc

#------------------------------------------------
# a package which will pull all those modules
%package -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Summary: Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
Group: System/Kernel and hardware
Version: %{kversion}
Release: %{fullrpmrel}
Requires: kernel-module-vboxvideo-%{flavour}-%{buildrel}
Requires: kernel-module-vboxguest-%{flavour}-%{buildrel}
Requires: kernel-module-vboxsf-%{flavour}-%{buildrel}

%description -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}

%files -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# empty
#------------------------------------------------

%if %{with nickel}
%ksob_mk_module_pkg -n nlkm -s misc
%ksob_mk_module_pkg -n memfreetest -s misc
%ksob_mk_module_pkg -n pcietest -s misc
%endif

%endif #binary_extra_modules

############################

%if %{with flow_abi}
%package -n kernel-%{kernelversion}.%{patchlevel}-rosa-flow-abi
Summary: Directory to install third-party binary kernel modules for kernels %{kernelversion}.%{patchlevel}.x
Group: System/Kernel and hardware

%description -n kernel-%{kernelversion}.%{patchlevel}-rosa-flow-abi
This package contains a directory to install third-party binary kernel modules for kernels %{kernelversion}.%{patchlevel}.x.
Some vendors provide binary-only kernel modules. They can put them into /lib/modules/%{kernelversion}.%{patchlevel}-rosa-flow-abi.
kmod tools will find them for kernels 5.4.x of "generic" and "nickel" flavours,
but there is no guarantee that these modules will load and work correctly on newer
or older kernels then the ones they were build against.

We call this "flow ABI" because most ABIs are not changed between %{kernelversion}.%{patchlevel}.x releases,
but there are no specific guarantees. ABI may evolve and change.
We highly recommend to use DKMS and build third-party kernel modules from source for every kernel!

This package does nothing, just owns a directory for third-party binary kernel modules.

%files -n kernel-%{kernelversion}.%{patchlevel}-rosa-flow-abi
/lib/modules/%{kernelversion}.%{patchlevel}-rosa-flow-abi
%endif #with flow_abi

################################################

%prep
%setup -q -n %top_dir_name -c
%if %{with uml}
cp -r %{src_dir} %{src_dir}.uml
%endif
cd %src_dir

%apply_patches

#
# Setup Begin
#

# Kernel configuration

echo "Creating the kernel configuration file."

# Configs
cp %{SOURCE110} .config

# Disable ASLR for 32-bit systems because it does not play well with
# hibernate.
%ifarch %{ix86}
sed -i	's/CONFIG_RANDOMIZE_BASE=y/# CONFIG_RANDOMIZE_BASE is not set/' .config
%endif

# Disable checking for W+X memory mappings for 32-bit systems. The warnings
# may confuse the users and noone is eager to fix the underlying problem,
# it seems.
%ifarch %{ix86}
sed -i	's/CONFIG_DEBUG_WX=y/# CONFIG_DEBUG_WX is not set/' .config
%endif

touch %{build_dir}/.config.append

# Enable debug info if requested.
sed -i '/CONFIG_DEBUG_INFO/d' .config
%if %build_debug
echo 'CONFIG_DEBUG_INFO=y' >> %{build_dir}/.config.append
echo 'CONFIG_DEBUG_INFO_DWARF4=y' >> %{build_dir}/.config.append
echo 'CONFIG_GDB_SCRIPTS=y' >> %{build_dir}/.config.append
%else
echo 'CONFIG_DEBUG_INFO=n' >> %{build_dir}/.config.append
%endif

%if %{enhanced_security}
### SELinux enablement
# seems to be needed to boot system in enforcing selinux mode
# note: cpio fpormat of initramfs does not support xattrs without patches
# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
sed -i '/CONFIG_SECURITY_SELINUX_DISABLE/d' .config
echo CONFIG_SECURITY_SELINUX_DISABLE=y >> %{build_dir}/.config.append
# enable selinux in kernel by default if not disabled explicitly
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> %{build_dir}/.config.append

### Signing kernel modules
# https://www.kernel.org/doc/html/v5.3/admin-guide/module-signing.html
sed -i '/CONFIG_MODULE_SIG/d' .config
echo CONFIG_MODULE_SIG=y >> %{build_dir}/.config.append
%if %{with oblig_signed_modules}
# Disallow loading not signed modules
echo CONFIG_MODULE_SIG_FORCE=y >> %{build_dir}/.config.append
%else
echo CONFIG_MODULE_SIG_FORCE=n >> %{build_dir}/.config.append
%endif
# If %%build_debig is true, signatures will be stripped
# We sign modules manually in a tricky way bellow
echo CONFIG_MODULE_SIG_ALL=n >> %{build_dir}/.config.append
# Set path to the key that will be generated later by openssl/libressl
echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_priv_rnd}\" >> %{build_dir}/.config.append
# Set path to one PEM file with all keys that the kernel must trust
sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
echo CONFIG_SYSTEM_TRUSTED_KEYS=\"%{certs_public_keys}\" >> %{build_dir}/.config.append
# Reserve area for inserting a certificate without recompiling
sed -i '/CONFIG_SYSTEM_EXTRA_CERTIFICATE/d' .config
echo CONFIG_SYSTEM_EXTRA_CERTIFICATE=y >> %{build_dir}/.config.append

# Memory wiping
# Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef
# Estimated performance impact is described in the commit
# "Fill newly allocated pages and heap objects with zeroes."
# To enable, add to cmdline: init_on_alloc=1
sed -i '/CONFIG_INIT_ON_ALLOC_DEFAULT_ON/d' .config
echo CONFIG_INIT_ON_ALLOC_DEFAULT_ON=n >> %{build_dir}/.config.append
# "Fill freed pages and heap objects with zeroes"
# To disable, add to cmdline: init_on_free=0
sed -i '/CONFIG_INIT_ON_FREE_DEFAULT_ON/d' .config
%if %{with nickel}
echo CONFIG_INIT_ON_FREE_DEFAULT_ON=y >> %{build_dir}/.config.append
%else
echo CONFIG_INIT_ON_FREE_DEFAULT_ON=n >> %{build_dir}/.config.append
%endif
# Here enabling only either only init_on_free or only init_on_alloc
# makes sense; init_on_alloc is not about protecting information.

# To load kernel keyring in UML
for i in STREEBOG SHA1 SHA256 SHA512 ECRDSA RSA ; do
	sed -i "/CONFIG_CRYPTO_${i}/d" .config
	echo "CONFIG_CRYPTO_${i}=y" >> %{build_dir}/.config.append
done

sed -i '/CONFIG_LSM/d' .config
echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha"' >> %{build_dir}/.config.append
sed -i '/CONFIG_SECURITY_ALTHA/d' .config
echo 'CONFIG_SECURITY_ALTHA=y' >> %{build_dir}/.config.append
%endif

# Disable disk-based swap (swap files and partitions) on certified systems by default
# because we cannot guarantee that data stored in swap is erased from disk securely.
# Our patch, based on Chromium OS kernel, allows to use only zram if CONFIG_DISK_BASED_SWAP_DEFAULT_ON=y.
# sysctl vm.disk_based_swap = 1 to allow disk-based swap, = 0 to disable it.
# Note that CONFIG_ZRAM_WRITEBACK is still on.
#sed -i '/CONFIG_DISK_BASED_SWAP_DEFAULT_ON/d' .config
#%if %{with nickel}
#echo 'CONFIG_DISK_BASED_SWAP_DEFAULT_ON=n' >> %{build_dir}/.config.append
#%else
echo 'CONFIG_DISK_BASED_SWAP_DEFAULT_ON=y' >> %{build_dir}/.config.append
#%endif

cat %{build_dir}/.config.append >> .config

# Store the config file in the appropriate directory.
CONFIG_DIR=arch/x86/configs
mkdir -p "${CONFIG_DIR}"

cfg_file=arch/x86/configs/%{arch_suffix}_defconfig-%{flavour}
make ARCH=%{_arch} oldconfig && \
mv .config ${cfg_file}

# Looks like 'make oldconfig' removes '# CONFIG_64BIT is not set' for some
# reason. For now, let us restore it.
%ifarch %{ix86}
sed -i 's/CONFIG_64BIT=y//' ${cfg_file}
echo '# CONFIG_64BIT is not set' >> ${cfg_file}
%endif

echo "Created ${cfg_file}."

# make sure the kernel has the sublevel we know it has...
LC_ALL=C sed -ri "s/^SUBLEVEL.*/SUBLEVEL = %{sublevel}/" Makefile

# get rid of unwanted files
find . -name '*~' -o -name '*.orig' -o -name '*.append' | %kxargs rm -f
find . -name '.get_maintainer.ignore' | %kxargs rm -f

############################################################################

%build

# Ensure that build time generated private keys don't get published
# as e.g. "RPM build root" on ABF!
# Note that ABF sends SIGKILL to rpm-build.sh when the build is terminated;
# in this case trap will not work, but RPM build root also will not be
# saved because rpm-build.sh saves it, but it is SIGKILLed.
# For best security we could store private keys in RAM (not reachable from
# filesystem, so not in /tmp!) and override sth like fopen() by LD_PRELOAD
# to give the content of keys from RAM when a virtual address of a key file
# is accessed, but currently I don't know how to implement this (TODO: ).
_cleanup(){
	# Show resulting kernel public keys for debugging
	cat "%{src_dir}/%{certs_dir_rnd}/x509_certificate_list" | base64 -d || :
	rm -fvr "%{src_dir}/%{certs_dir_rnd}"
%if %{with uml}
	cat "%{src_dir}.uml/%{certs_dir_rnd}/x509_certificate_list" | base64 -d || :
	rm -fvr "%{src_dir}.uml/%{certs_dir_rnd}"
%endif
}
# Make a trap to delete keys even if %%build fails in the middle
trap "_cleanup" EXIT

rm -rf %{temp_root}
install -d %{temp_root}

cd %src_dir

### Keys for signing kernel modules
# Keys can be generated both manually and automatically,
# let's generate them by ourselves to take full control of the process
# https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html
# See also certs/Makefile in kernel source
%if %{enhanced_security}
mkdir -p "%{certs_dir_rnd}"

# On ABF, %%packager == $username <$email>
# Try to extract email from %%packager if it is set
_get_email(){
	# Check that macro %%packager was set and is not empty
	if echo '%{packager}' | grep -q 'packager}$' || [ -z "%{packager}" ]
		# If was not set or is empty, use default email
		then echo 'rpmbuild@rosa.unknown' && return
		# Otherwise try to extract email from 'name <email>' or sth else
		else temp="$(echo '%{packager}' | tr '[:upper:]' '[:lower:]' | tr ' ' '\n' | tr -d '<>' | grep -E '@.*\..*' | head -n 1)"
	fi
	# Validate that what we have now is a valid email
	# https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733
	# Note that we set %%_buildshell to /bin/bash to guarantee the work of this bashism
	regex_email="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$"
	if [[ "$temp" =~ ${regex_email} ]]
		# If it is, use it
		then echo "$temp" && return
		# Otherwise use default email
		else echo 'rpmbuild@rosa.unknown' && return
	fi
	# If script above has not return'ed for any reason,
	# e.g. because of non-bash shell being not able to
	# process regexp, use default email
	echo 'rpmbuild@rosa.unknown'
}
email="$(_get_email)"

cat <<EOF > "%{certs_key_config_rnd}"
[ req ]
prompt = no
string_mask = utf8only
#default_keyfile = %{certs_signing_key_priv_rnd}
distinguished_name = req_distinguished_name
x509_extensions = myexts
[ req_distinguished_name ]
organizationName = %{vendor} rpmbuild
commonName = Build time autogenerated @ALGO@ kernel key
emailAddress = ${email}
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat "%{certs_key_config_rnd}"
sed -e 's,@ALGO@,RSA,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.RSA"
sed -e 's,@ALGO@,GOST R 34.10-2012,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.GOST"
# avoid using the template
rm -f "%{certs_key_config_rnd}"

_libressl_gen_key(){
	if [ "$GOST_KEY" = 1 ]
	then
		lssl_req_gost_args="\
			-newkey gost2001 \
			-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
			-streebog512"
		OUT="%{certs_signing_key_priv_rnd}.GOST"
		CONFIG="%{certs_key_config_rnd}.GOST"
	else
		lssl_req_gost_args=""
		OUT="%{certs_signing_key_priv_rnd}.RSA"
		CONFIG="%{certs_key_config_rnd}.RSA"
	fi
		libressl req -new -nodes -utf8 -batch \
			$lssl_req_gost_args \
			-days 109500 \
			-x509 -config "$CONFIG" \
			-out "$OUT" \
			-keyout "$OUT"

	# Verify
	if [ "$GOST_KEY" = 1 ]; then
		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
			| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
			| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
			| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
	fi
}

GOST_KEY=0 _libressl_gen_key
GOST_KEY=1 _libressl_gen_key
# Fake CONFIG_MODULE_SIG_KEY to make build scripts happy
cp -v "%{certs_signing_key_priv_rnd}.RSA" "%{certs_signing_key_priv_rnd}"

# Strip public parts from the generated PEMs
sed -n \
	'/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
	"%{certs_signing_key_priv_rnd}.GOST" \
	"%{certs_signing_key_priv_rnd}.RSA" \
	> "%{certs_public_keys}"

# link sign-file and extract-cert with LibreSSL instead of OpenSSL
libressl_cflags="$(pkg-config --cflags --libs libressl-libcrypto)"
if [ $? != 0 ] ; then exit $? ; fi
sed -i %{src_dir}/scripts/Makefile \
%if %{with uml}
    %{src_dir}.uml/scripts/Makefile \
%endif
	-e "s,-lcrypto,${libressl_cflags},g"

%if %{with additional_keys}
# Add additional public RSA keys to the list of trusted keys for kernel modules
# Build kernel --without additional_keys if you do not want to trust them
cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
	>> "%{certs_public_keys}"
%endif #endif additional_keys
cat %{certs_public_keys}
%endif #endif enhanced_security

# .config
%smake -s mrproper
cp arch/x86/configs/%{arch_suffix}_defconfig-%{flavour} .config

# make sure EXTRAVERSION says what we want it to say
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{flavour}-%{buildrpmrel}/" Makefile

# Print debug messages when loglevel=7 in cmdline.
# Those messages can be caught by debugfs without -DDEBUG.
# but sometimes it is required to see them via a serial port when booting the kernel.
# '#ifdef DEBUG' is used in different places for different purposes,
# so change DEBUG to PRINTK_DEBUG in one specific place.
#%if %build_debug
#sed -i %{src_dir}/include/linux/printk.h \
#	-e 's,^#ifdef DEBUG$,#if defined(DEBUG) || defined(PRINTK_DEBUG),g'
#export KCPPFLAGS="-DPRINTK_DEBUG"
#%endif

# build the kernel
echo "Building kernel %{kver_full}"

%kmake V=1 -s all

# Install modules
mkdir -p %{temp_modules}/%{kver_full}
%smake INSTALL_MOD_PATH=%{temp_root} KERNELRELEASE=%{kver_full} modules_install

%if %{with binary_extra_modules}
# Build and install procedure is specific to each Makefile from kernmel-source-* packages
# See also: https://www.kernel.org/doc/html/latest/kbuild/modules.html
# Copy directory because write permissions are required
# `make modules_install` must be done before this, otherwise these copied files will be deleted

cp -r "$(rpm -q --qf '/usr/src/rtl8821ce-%%{VERSION}-%%{RELEASE}' kernel-source-rtl8821ce)" kernel-source-rtl8821ce
pushd kernel-source-rtl8821ce
%kmake KSRC=%{src_dir} M="$PWD"
mkdir -p %{temp_modules}/%{kver_full}/kernel/net/wireless/
cp 8821ce.ko %{temp_modules}/%{kver_full}/kernel/net/wireless/8821ce.ko
popd
rm -fr kernel-source-rtl8821ce

cp -r "$(rpm -q --qf '/usr/src/shredder-kernel-%%{VERSION}-%%{RELEASE}' kernel-source-shredder-kernel)" kernel-source-shredder-kernel
pushd kernel-source-shredder-kernel
%kmake KERNEL_PATH=%{src_dir}
mkdir -p %{temp_modules}/%{kver_full}/kernel/extra/
cp shredder-kernel.ko %{temp_modules}/%{kver_full}/kernel/extra/
popd
rm -fr kernel-source-shredder-kernel

cp -r "$(rpm -q --qf '/usr/src/tripso-%%{VERSION}-%%{RELEASE}' kernel-source-tripso)" kernel-source-tripso
pushd kernel-source-tripso
%kmake KDIR=%{src_dir}
mkdir -p %{temp_modules}/%{kver_full}/kernel/net
cp xt_TRIPSO.ko %{temp_modules}/%{kver_full}/kernel/net/
popd
rm -fr kernel-source-tripso

# build commands for virtualbox are based on the ones from the virtualbox package
cp -r "$(rpm -q --qf '/usr/src/vboxadditions-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox-vboxadditions)" kernel-source-virtualbox-vboxadditions
mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
pushd kernel-source-virtualbox-vboxadditions
%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxguest
cp -fv vboxguest/Module.symvers vboxsf/
%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxsf
# TODO: vboxvideo is also build inside the upstream kernel...
# vboxsf is not in kernel 5.4
# https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
cp -fv vboxsf/Module.symvers vboxvideo/
%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxvideo
for i in vboxguest vboxsf vboxvideo
do
	cp -v "${i}/${i}.ko" %{temp_modules}/%{kver_full}/kernel/misc/
done
popd

cp -r "$(rpm -q --qf '/usr/src/virtualbox-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox)" kernel-source-virtualbox
mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
pushd kernel-source-virtualbox
make -C vboxdrv KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
cp -fv vboxdrv/Module.symvers vboxnetflt
cp -fv vboxdrv/Module.symvers vboxnetadp
make -C vboxnetflt KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
make -C vboxnetadp KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
cp -fv vboxnetadp/Module.symvers vboxpci/
make -C vboxpci KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
for i in vboxnetflt vboxnetadp vboxdrv vboxpci
do
	cp -v "${i}/${i}.ko" %{temp_modules}/%{kver_full}/kernel/misc/
done
popd

%if %{with nickel}
# rosa-test-suite uses /sr/src/xxx-version, not /usr/src/xxx-version-release
cp -r "$(rpm -q --qf '/usr/src/rosa-test-suite-%%{VERSION}' kernel-source-rosa-test-suite)" kernel-source-rosa-test-suite
pushd kernel-source-rosa-test-suite
mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
for i in nlkm memfreetest pcietest
do
cat << EOF > Makefile
obj-m := ${i}.o
all:
	make -C %{src_dir} M=\$(PWD) modules
EOF
%kmake
cp -fv ${i}.ko %{temp_modules}/%{kver_full}/kernel/misc/
done
popd
%endif #with nickel <- with binary_extra_modules

%endif #with binary_extra_modules

%if %{with uml}
cp -rv %{certs_dir_rnd} %{src_dir}.uml/
pushd %{src_dir}.uml
%kmake ARCH=um defconfig
cp .config .config.default
cat %{build_dir}/.config.append >> .config
%kmake oldconfig ARCH=um
diff -u .config.default .config || :
# Looks like 'make oldconfig' removes '# CONFIG_64BIT is not set' for some
# reason. For now, let us restore it.
%ifarch %{ix86}
sed -i 's/CONFIG_64BIT=y//' .config
echo '# CONFIG_64BIT is not set' >> .config
%endif
%kmake ARCH=um linux
install -Dm0755 linux %{temp_root}%{_bindir}/linux-uml-%{kver_full}
#rm -fv linux
%kmake V=1 ARCH=um modules
mkdir -p %{temp_root}/lib/modules-uml/%{kver_full}/
%kmake ARCH=um INSTALL_MOD_PATH=%{temp_root}/lib/modules-uml/%{kver_full}/ modules_install
popd
%endif

install -d %{temp_boot}
install -m 644 System.map %{temp_boot}/System.map-%{kver_full}
install -m 644 .config %{temp_boot}/config-%{kver_full}
xz -c Module.symvers > %{temp_boot}/symvers-%{kver_full}.xz

cp -f arch/x86/boot/bzImage %{temp_boot}/vmlinuz-%{kver_full}

# headers
%if %{build_headers}
%make INSTALL_HDR_PATH=%{temp_root}%{_prefix} KERNELRELEASE=%{kver_full} headers_install
find %{temp_root}%{_prefix} -name .install -or -name ..install.cmd | %kxargs rm -f
%endif

# remove /lib/firmware, we use a separate linux-firmware package
rm -rf %{temp_root}/lib/firmware

# Prepare the files for kernel*-devel
%if %build_devel

mkdir -p %{temp_devel_root}
for i in $(find . -name 'Makefile*'); do cp -R --parents $i %{temp_devel_root}; done
for i in $(find . -name 'Kconfig*' -o -name 'Kbuild*'); do cp -R --parents $i %{temp_devel_root}; done

cp -fR include %{temp_devel_root}

cp -fR scripts %{temp_devel_root}
cp -fR kernel/bounds.c %{temp_devel_root}/kernel
cp -fR kernel/time/timeconst.bc %{temp_devel_root}/kernel/time
cp -fR tools %{temp_devel_root}/
cp -fR arch/x86/kernel/asm-offsets.{c,s} %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/kernel/asm-offsets_{32,64}.c %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/purgatory/* %{temp_devel_root}/arch/x86/purgatory/
cp -fR arch/x86/entry/syscalls/syscall* %{temp_devel_root}/arch/x86/entry/syscalls/
cp -fR arch/x86/include %{temp_devel_root}/arch/x86/
cp -fR arch/x86/tools %{temp_devel_root}/arch/x86/
cp -fR .config Module.symvers %{temp_devel_root}

# Needed for truecrypt build (Danny)
cp -fR drivers/md/dm.h %{temp_devel_root}/drivers/md/

# Needed for lirc_gpio (#39004)
cp -fR drivers/media/pci/bt8xx/bttv{,p}.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/pci/bt8xx/bt848.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/common/btcx-risc.h %{temp_devel_root}/drivers/media/common/

# add acpica header files, needed for fglrx build
cp -fR drivers/acpi/acpica/*.h %{temp_devel_root}/drivers/acpi/acpica/

# aufs2 has a special file needed
cp -fR fs/aufs/magic.mk %{temp_devel_root}/fs/aufs

# SELinux needs security/selinux/include
cp -fR security/selinux/include %{temp_devel_root}/security/selinux

# needed for kexec
cp -fR arch/x86/boot/*.h %{temp_devel_root}/arch/x86/boot/
cp -fR arch/x86/boot/*.c %{temp_devel_root}/arch/x86/boot/

# needed for arch/x86/purgatory
cp -fR lib/*.h lib/*.c %{temp_devel_root}/lib/

for i in alpha arc avr32 blackfin c6x cris csky frv h8300 hexagon ia64 m32r m68k m68knommu metag microblaze \
	mips mn10300 nds32 nios2 openrisc parisc powerpc riscv s390 score sh sparc tile unicore32 xtensa; do
	rm -rf %{temp_devel_root}/arch/$i
done

rm -rf %{temp_devel_root}/arch/arm*
rm -rf %{temp_devel_root}/include/kvm/arm*
rm -rf %{temp_devel_root}/include/soc

# Clean the scripts tree, and make sure everything is ok (sanity check)
# running prepare+scripts (tree was already "prepared" in build)
pushd %{temp_devel_root}
	%smake V=1 -s prepare
	%smake V=1 -s scripts
	%smake V=1 -s clean
popd
rm -f %{temp_devel_root}/.config.old

# fix permissions
chmod -R a+rX %{temp_devel_root}

# disable mrproper in -devel rpms
patch -p1 --fuzz=0 -d %{temp_devel_root} -i %{SOURCE2}

# endif build_devel
%endif

# Manage the files with debug info, provide the debug links in the
# kernel modules.
%if %build_debug
install -m 644 vmlinux %{temp_boot}/vmlinux-%{kver_full}
kernel_debug_files=../kernel_debug_files.%{flavour}
echo "%{_bootdir}/vmlinux-%{kver_full}" >> $kernel_debug_files

find %{temp_modules}/%{kver_full}/kernel \
	-name "*.ko" | \
	%kxargs -I '{}' objcopy --only-keep-debug '{}' '{}'.debug
find %{temp_modules}/%{kver_full}/kernel \
	-name "*.ko" | %kxargs -I '{}' \
	sh -c 'cd `dirname {}`; \
		objcopy --add-gnu-debuglink=`basename {}`.debug \
		--strip-debug `basename {}`'

pushd %{temp_modules}
find %{kver_full}/kernel -name "*.ko.debug" > debug_module_list
popd
cat %{temp_modules}/debug_module_list | \
	sed 's|\(.*\)|%{_modulesdir}/\1|' >> $kernel_debug_files
cat %{temp_modules}/debug_module_list | \
	sed 's|\(.*\)|%exclude %{_modulesdir}/\1|' \
	>> ../kernel_exclude_debug_files.%{flavour}
rm -f %{temp_modules}/debug_module_list

# endif build_debug
%endif

%if %{enhanced_security}
# https://patchwork.kernel.org/patch/11446123/
_libressl_sign(){
	if [ ! -f "$1" ]; then
	  echo "No file $1"
	  return 0
	fi
	f="$1"
%if %{with gost_sign}
	%{src_dir}/scripts/sign-file streebog512 \
		"%{certs_signing_key_priv_rnd}.GOST" "%{certs_signing_key_priv_rnd}.GOST" "$f"
%else
	%{src_dir}/scripts/sign-file sha512 \
		"%{certs_signing_key_priv_rnd}.RSA" "%{certs_signing_key_priv_rnd}.RSA" "$f"
%endif
	unset f
}
export -f _libressl_sign
find %{temp_modules}/%{kver_full}/kernel \
%if %{with uml}
     %{temp_root}/lib/modules-uml/%{kver_full} \
%endif
-name '*.ko' -print0 | sort -u | \
	xargs --null -P "$(nproc)" -I {} "$SHELL" -e -x -c 'if ! _libressl_sign "{}"; \
		then echo Failed _libressl_sign on "{}" && exit 1; fi'
%endif

# Create the list of files for the kernel.
kernel_files=../kernel_files.%{flavour}

cat > $kernel_files <<EOF
%{_bootdir}/System.map-%{kver_full}
%{_bootdir}/symvers-%{kver_full}.xz
%{_bootdir}/config-%{kver_full}
%{_bootdir}/vmlinuz-%{kver_full}
%{_modulesdir}/%{kver_full}/kernel
%if %{with binary_extra_modules}
# 8821ce.ko.debug will not be excluded and will be in the main debug subpackage
%exclude %{_modulesdir}/%{kver_full}/kernel/net/wireless/8821ce.ko%{kmod_suffix}
%exclude %{_modulesdir}/%{kver_full}/kernel/extra/shredder-kernel.ko%{kmod_suffix}
%exclude %{_modulesdir}/%{kver_full}/kernel/net/xt_TRIPSO.ko%{kmod_suffix}
# vbox host: vboxnetflt vboxnetadp vboxdrv vboxpci
# vbox guest: vboxvideo vboxguest vboxsf
%exclude %{_modulesdir}/%{kver_full}/kernel/misc/vbox*.ko%{kmod_suffix}
%if %{with nickel}
%exclude %{_modulesdir}/%{kver_full}/kernel/misc/nlkm.ko%{kmod_suffix}
%exclude %{_modulesdir}/%{kver_full}/kernel/misc/memfreetest.ko%{kmod_suffix}
%exclude %{_modulesdir}/%{kver_full}/kernel/misc/pcietest.ko%{kmod_suffix}
%endif
%endif #with binary_extra_modules
%{_modulesdir}/%{kver_full}/modules.*
EOF

%if %build_debug
cat ../kernel_exclude_debug_files.%{flavour} >> $kernel_files
%endif

# set extraversion to match srpm to get nice version reported by the tools
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile

%if %{build_perf}
%ifarch x86_64
%define perf_is_x64	1
%else
%define perf_is_x64	0
%endif

%smake -C tools/perf -s IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} NO_GTK2=1 all
%smake -C tools/perf -s prefix=%{_prefix} NO_GTK2=1 man
%endif

%if %{build_cpupower}
# make sure version-gen.sh is executable.
chmod +x tools/power/cpupower/utils/version-gen.sh
%make -C tools/power/cpupower CPUFREQ_BENCH=false
%endif

_cleanup
############################################################################

%install
cd %src_dir

# We want to be able to test several times the install part
rm -rf %{buildroot}
cp -a %{temp_root} %{buildroot}

%if %{enhanced_security}
# Multithreaded verification that every kernel module
# has a signature attached to it
mkdir -p "%{certs_dir_rnd}"
touch %{certs_verify_tmp}
_verify_signature(){
	if [ -z "$1" ] || [ ! -f "$1" ]; then return; fi
	if hexdump -C "$1" | rev | cut -f 2 -d '|' | rev | tr -d '\n' | \
	   grep -q '~Module signature appended~'
		then
			if [ -f %{certs_verify_tmp} ]; then
				rm -f %{certs_verify_tmp}
			fi
		else
			echo "ERROR: Module $1 has no signature attached to it!"
			exit 1
	fi
}
export -f _verify_signature
find %{target_modules} \
%if %{with uml}
     %{buildroot}/lib/modules-uml/%{kver_full} \
%endif
-name '*.ko' -print0 | sort -u | \
	xargs --null -P "$(nproc)" -I {} "$SHELL" -c '_verify_signature "{}"'
if [ -f %{certs_verify_tmp} ]; then
	echo "ERROR: seems that signatures of none modules were verified!"
	exit 1
fi
rm -f %{certs_verify_tmp}
%endif

# compressing modules
%if %{build_modxz}
find %{target_modules} -name "*.ko" | %kxargs xz -6e
%else
find %{target_modules} -name "*.ko" | %kxargs gzip -9
%endif

pushd %{target_modules}
for i in *; do
	rm -f $i/build $i/source
	ln -sf /usr/src/linux-$i $i/build
	ln -sf /usr/src/linux-$i $i/source
done

# sniff, if we compressed all the modules, we change the stamp :(
# we really need the depmod -ae here
for i in *; do
	/sbin/depmod -ae -b %{buildroot} -F %{target_boot}/System.map-$i $i
	echo $?
done

# We used to create modules.description files which contained the
# description strings for the modules as shown by modinfo. These files
# are unlikely to be used right now, so create them (in case some old tool
# checks for their existence) but keep them empty.
for i in *; do
	touch $i/modules.description
done
popd

# need to set extraversion to match srpm again to avoid rebuild
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile
%if %{build_perf}

# perf tool binary and supporting scripts/binaries
make -C tools/perf -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install

# Versionize shebang (#!/usr/bin/env python -> #!/usr/bin/python3)
sed -i -e '1 s,^.*$,#!%{__python3},' %{buildroot}%{_prefix}/libexec/perf-core/scripts/python/exported-sql-viewer.py

# perf man pages (note: implicit rpm magic compresses them later)
make -C tools/perf  -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install-man
%endif

%if %{build_cpupower}
make -C tools/power/cpupower DESTDIR=%{buildroot} libdir=%{_libdir} mandir=%{_mandir} CPUFREQ_BENCH=false install
rm -f %{buildroot}%{_libdir}/*.{a,la}
%find_lang cpupower
mv cpupower.lang ../
chmod 0755 %{buildroot}%{_libdir}/libcpupower.so*
mkdir -p %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -m644 %{SOURCE50} %{buildroot}%{_unitdir}/cpupower.service
install -m644 %{SOURCE53} %{buildroot}%{_unitdir}/cpupower.path
install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh
%endif

# delete junk
rm -fr %{buildroot}%{_usr}/src/*/kernel-source-*

%if %{with flow_abi}
# Prefix with "zzz" to put this directory into the end of search list
# and avoid tricks with depmod configs
mkdir -p %{buildroot}/lib/modules/%{kernelversion}.%{patchlevel}-rosa-flow-abi
ln -s /lib/modules/%{kernelversion}.%{patchlevel}-rosa-flow-abi %{buildroot}%{_modulesdir}/%{kver_full}/kernel/zzz-%{kernelversion}.%{patchlevel}-rosa-flow-abi
%endif