Minify build-time changes of configs, ship a config for UML, include all configs into SRPM

2025-02-23 10:32:54 +00:00 · 2020-12-30 19:47:16 +03:00 · 2020-12-30 19:47:16 +03:00 · 9f71e1f99e
commit 9f71e1f99e
parent d23f37a9c9
5 changed files with 4125 additions and 122 deletions
--- a/kernel-arm64.config
+++ b/kernel-arm64.config
@ -11936,7 +11936,7 @@ CONFIG_PKCS7_MESSAGE_PARSER=y
 #
 # Certificates for signature checking
 #
-CONFIG_MODULE_SIG_KEY="certs/signing_key_priv.key"
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="certs/public.pem"
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
@ -12178,9 +12178,8 @@ CONFIG_PAGE_POISONING_ZERO=y
 # CONFIG_DEBUG_PAGE_REF is not set
 # CONFIG_DEBUG_RODATA_TEST is not set
 CONFIG_ARCH_HAS_DEBUG_WX=y
-CONFIG_DEBUG_WX=y
+# CONFIG_DEBUG_WX is not set
 CONFIG_GENERIC_PTDUMP=y
-CONFIG_PTDUMP_CORE=y
 # CONFIG_PTDUMP_DEBUGFS is not set
 # CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_SLUB_DEBUG_ON is not set
--- a/kernel-i586.config
+++ b/kernel-i586.config
@ -469,12 +469,8 @@ CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
 CONFIG_RELOCATABLE=y
-CONFIG_RANDOMIZE_BASE=y
-CONFIG_X86_NEED_RELOCS=y
+# CONFIG_RANDOMIZE_BASE is not set
 CONFIG_PHYSICAL_ALIGN=0x200000
-CONFIG_DYNAMIC_MEMORY_LAYOUT=y
-CONFIG_RANDOMIZE_MEMORY=y
-CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
@ -10616,9 +10612,8 @@ CONFIG_PAGE_POISONING_ZERO=y
 # CONFIG_DEBUG_PAGE_REF is not set
 # CONFIG_DEBUG_RODATA_TEST is not set
 CONFIG_ARCH_HAS_DEBUG_WX=y
-CONFIG_DEBUG_WX=y
+# CONFIG_DEBUG_WX is not set
 CONFIG_GENERIC_PTDUMP=y
-CONFIG_PTDUMP_CORE=y
 # CONFIG_PTDUMP_DEBUGFS is not set
 # CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_SLUB_DEBUG_ON is not set
--- a/kernel-uml.config
+++ b/kernel-uml.config
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@ -10389,7 +10389,7 @@ CONFIG_PKCS7_MESSAGE_PARSER=y
 #
 # Certificates for signature checking
 #
-CONFIG_MODULE_SIG_KEY="certs/signing_key_priv.key"
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="certs/public.pem"
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
@ -10625,9 +10625,8 @@ CONFIG_PAGE_POISONING_ZERO=y
 # CONFIG_DEBUG_PAGE_REF is not set
 # CONFIG_DEBUG_RODATA_TEST is not set
 CONFIG_ARCH_HAS_DEBUG_WX=y
-CONFIG_DEBUG_WX=y
+# CONFIG_DEBUG_WX is not set
 CONFIG_GENERIC_PTDUMP=y
-CONFIG_PTDUMP_CORE=y
 # CONFIG_PTDUMP_DEBUGFS is not set
 # CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_SLUB_DEBUG_ON is not set
--- a/kernel.spec
+++ b/kernel.spec
@ -55,19 +55,10 @@
 %define buildrpmrel     %{fullrpmrel}%{rpmtag}-%{arch_suffix}
 %define buildrel     	%{kversion}-%{buildrpmrel}

-# %%build_selinux may be defined in branding-configs
-#%%{?build_selinux}%{?!build_selinux:%bcond_with selinux}
-#%%if %{with selinux}
-%global enhanced_security 1
-#%%else
-#%%global enhanced_security 0
-#%%endif
-# Allow "rpmbuild --without enhanced_security <...>"
-%{?_without_enhanced_security:%global enhanced_security 0}
-
-%if %{enhanced_security}
+# Add not only the build time generated key to the trusted keyring,
+# but also add public keys of private ROSA's keys
 %bcond_without additional_keys
-%endif
+
 # User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
 %ifarch %{ix86} %{x86_64}
 %bcond_without uml
@ -252,7 +243,10 @@ Source3:	macros.ksobirator
 %{load:%{SOURCE3}}

 # Kernel configuration files.
-Source110:	kernel-%{arch_suffix}.config
+Source111:	kernel-x86_64.config
+Source112:	kernel-i586.config
+Source113:	kernel-arm64.config
+Source114:	kernel-uml.config

 # Cpupower: the service, the config, etc.
 Source50:	cpupower.service
@ -375,15 +369,12 @@ BuildRequires:		xmlto
 BuildRequires:		zlib-devel
 BuildRequires:		pkgconfig(libcrypto)
 %endif
-
-%if %{enhanced_security}
 # (To generate keys)
 # LibreSSL has GOST support without editing openssl.cnf
 # or dlopen()-ing external library
 BuildRequires:		libressl libressl-devel
 # To verify signatures (find, xargs, hexdump)
 BuildRequires:		findutils util-linux
-%endif

 %if %{with binary_extra_modules}
 BuildRequires: kernel-source-rtl8821ce
@ -424,11 +415,6 @@ Release:	%{fakerel}
 Provides:	kernel = %{kverrel}
 Provides:	kernel = %{kernelversion}.%{patchlevel}
 Provides:	kernel-%{flavour} = %{kverrel}
-%if %{enhanced_security}
-Provides:	kernel-hardened = %{kverrel}
-Provides:	kernel-hardened = %{kernelversion}.%{patchlevel}
-Provides:	kernel-hardened-%{flavour} = %{kverrel}
-%endif
 Provides:	alsa = 1.0.27
 Provides:	should-restart = system

@ -516,10 +502,6 @@ Requires:	gcc
 Requires:	perl
 Provides:	kernel-devel = %{kverrel}
 Provides:	kernel-%{flavour}-devel = %{kverrel}
-%if %{enhanced_security}
-Provides:	kernel-hardened-devel = %{kverrel}
-Provides:	kernel-hardened-%{flavour}-devel = %{kverrel}
-%endif

 %ifarch %{ix86}
 Conflicts:	arch(x86_64)
@ -641,9 +623,6 @@ Release:	%{fakerel}
 Summary:	Debuginfo for kernel-%{flavour}-%{buildrel}
 Group:		Development/Debug
 Provides:	kernel-debug = %{kverrel}
-%if %{enhanced_security}
-Provides:	kernel-hardened-debug = %{kverrel}
-%endif

 %ifarch %{ix86}
 Conflicts:	arch(x86_64)
@ -686,16 +665,12 @@ Release:	%{fullrpmrel}
 Summary:	Meta package for the latest kernel-%{flavour}-devel in %{kernelversion}.%{patchlevel} series
 Group:		Development/Kernel
 Requires:	kernel-%{flavour}-devel-%{buildrel}
+Provides:	kernel-devel-latest

 %ifarch %{ix86}
 Conflicts:	arch(x86_64)
 %endif

-Provides:	kernel-devel-latest
-%if %{enhanced_security}
-Provides:	kernel-hardened-devel-latest
-%endif
-
 %description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
 This meta package aims to make sure you always have the
 latest kernel-%{flavour}-devel %{kernelversion}.%{patchlevel}.x installed.
@ -1017,20 +992,11 @@ cd %src_dir
 echo "Creating the kernel configuration file."

 # Configs
-cp %{SOURCE110} .config
-
-# Disable ASLR for 32-bit systems because it does not play well with
-# hibernate.
-%ifarch %{ix86}
-sed -i	's/CONFIG_RANDOMIZE_BASE=y/# CONFIG_RANDOMIZE_BASE is not set/' .config
-%endif
-
-# Disable checking for W+X memory mappings for 32-bit systems. The warnings
-# may confuse the users and noone is eager to fix the underlying problem,
-# it seems.
-%ifarch %{ix86}
-sed -i	's/CONFIG_DEBUG_WX=y/# CONFIG_DEBUG_WX is not set/' .config
-%endif
+cp %{SOURCE111} .
+cp %{SOURCE112} .
+cp %{SOURCE113} .
+cp %{SOURCE114} .
+cp kernel-%{arch_suffix}.config .config

 touch %{build_dir}/.config.append

@ -1049,42 +1015,23 @@ echo 'CONFIG_GDB_SCRIPTS=y' >> %{build_dir}/.config.append
 echo 'CONFIG_DEBUG_INFO=n' >> %{build_dir}/.config.append
 %endif

-# tmp
-sed -i '/CONFIG_UNEVICTABLE_ACTIVEFILE/d' .config
-echo 'CONFIG_UNEVICTABLE_ACTIVEFILE=y' >> %{build_dir}/.config.append
-
-%if %{enhanced_security}
-### SELinux enablement
-# seems to be needed to boot system in enforcing selinux mode
-# note: cpio fpormat of initramfs does not support xattrs without patches
-# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
-sed -i '/CONFIG_SECURITY_SELINUX_DISABLE/d' .config
-echo CONFIG_SECURITY_SELINUX_DISABLE=y >> %{build_dir}/.config.append
-# enable selinux in kernel by default if not disabled explicitly
-sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
-echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> %{build_dir}/.config.append
-
-### Signing kernel modules
-# https://www.kernel.org/doc/html/v5.3/admin-guide/module-signing.html
-sed -i '/CONFIG_MODULE_SIG/d' .config
-echo CONFIG_MODULE_SIG=y >> %{build_dir}/.config.append
+sed -i '/CONFIG_MODULE_SIG_FORCE/d' .config
 %if %{with oblig_signed_modules}
 # Disallow loading not signed modules
+# But 0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch allows to override this in cmdline
 echo CONFIG_MODULE_SIG_FORCE=y >> %{build_dir}/.config.append
 %else
 echo CONFIG_MODULE_SIG_FORCE=n >> %{build_dir}/.config.append
 %endif
-# If %%build_debig is true, signatures will be stripped
-# We sign modules manually in a tricky way bellow
-echo CONFIG_MODULE_SIG_ALL=n >> %{build_dir}/.config.append
+
+sed -i '/CONFIG_MODULE_SIG_KEY/d' .config
 # Set path to the key that will be generated later by openssl/libressl
 echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_priv_rnd}\" >> %{build_dir}/.config.append
+
 # Set path to one PEM file with all keys that the kernel must trust
 sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
 echo CONFIG_SYSTEM_TRUSTED_KEYS=\"%{certs_public_keys}\" >> %{build_dir}/.config.append
-# Reserve area for inserting a certificate without recompiling
-sed -i '/CONFIG_SYSTEM_EXTRA_CERTIFICATE/d' .config
-echo CONFIG_SYSTEM_EXTRA_CERTIFICATE=y >> %{build_dir}/.config.append
+

 # Memory wiping
 # Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef
@ -1106,16 +1053,12 @@ echo CONFIG_INIT_ON_FREE_DEFAULT_ON=n >> %{build_dir}/.config.append

 # To load kernel keyring in UML
 for i in STREEBOG SHA1 SHA256 SHA512 ECRDSA RSA ; do
-	sed -i "/CONFIG_CRYPTO_${i}/d" .config
-	echo "CONFIG_CRYPTO_${i}=y" >> %{build_dir}/.config.append
+	if ! grep -q "^CONFIG_CRYPTO_${i}=y$" .config; then
+		sed -i "/CONFIG_CRYPTO_${i}/d" .config
+		echo "CONFIG_CRYPTO_${i}=y" >> %{build_dir}/.config.append
+	fi
 done

-sed -i '/CONFIG_LSM/d' .config
-echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,bpf,altha"' >> %{build_dir}/.config.append
-sed -i '/CONFIG_SECURITY_ALTHA/d' .config
-echo 'CONFIG_SECURITY_ALTHA=y' >> %{build_dir}/.config.append
-%endif
-
 cat %{build_dir}/.config.append >> .config

 # Store the config file in the appropriate directory.
@ -1169,7 +1112,6 @@ cd %src_dir
 # let's generate them by ourselves to take full control of the process
 # https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html
 # See also certs/Makefile in kernel source
-%if %{enhanced_security}
 mkdir -p "%{certs_dir_rnd}"

 # On ABF, %%packager == $username <$email>
@ -1282,7 +1224,6 @@ cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" "
 	>> "%{certs_public_keys}"
 %endif #endif additional_keys
 cat %{certs_public_keys}
-%endif #endif enhanced_security

 # .config
 %smake -s mrproper
@ -1291,17 +1232,6 @@ cp arch/%{arch_type}/configs/%{arch_suffix}_defconfig-%{flavour} .config
 # make sure EXTRAVERSION says what we want it to say
 LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{flavour}-%{buildrpmrel}/" Makefile

-# Print debug messages when loglevel=7 in cmdline.
-# Those messages can be caught by debugfs without -DDEBUG.
-# but sometimes it is required to see them via a serial port when booting the kernel.
-# '#ifdef DEBUG' is used in different places for different purposes,
-# so change DEBUG to PRINTK_DEBUG in one specific place.
-#%if %build_debug
-#sed -i %{src_dir}/include/linux/printk.h \
-#	-e 's,^#ifdef DEBUG$,#if defined(DEBUG) || defined(PRINTK_DEBUG),g'
-#export KCPPFLAGS="-DPRINTK_DEBUG"
-#%endif
-
 # build the kernel
 echo "Building kernel %{kver_full}"

@ -1366,7 +1296,6 @@ do
 	cp -v "${i}/${i}.ko" %{temp_modules}/%{kver_full}/kernel/misc/
 done
 popd
-# end ifarch ix86
 %endif

 %if %{with nickel}
@ -1392,17 +1321,8 @@ popd
 %if %{with uml}
 cp -rv %{certs_dir_rnd} %{src_dir}.uml/
 pushd %{src_dir}.uml
-%kmake ARCH=um defconfig
-cp .config .config.default
-cat %{build_dir}/.config.append >> .config
-%kmake oldconfig ARCH=um
-diff -u .config.default .config || :
-# Looks like 'make oldconfig' removes '# CONFIG_64BIT is not set' for some
-# reason. For now, let us restore it.
-%ifarch %{ix86}
-sed -i 's/CONFIG_64BIT=y//' .config
-echo '# CONFIG_64BIT is not set' >> .config
-%endif
+cp %{SOURCE114} .config
+%kmake ARCH=um oldconfig
 %kmake ARCH=um linux
 install -Dm0755 linux %{temp_root}%{_bindir}/linux-uml-%{kver_full}
 #rm -fv linux
@ -1528,7 +1448,6 @@ rm -f %{temp_modules}/debug_module_list
 # endif build_debug
 %endif

-%if %{enhanced_security}
 # https://patchwork.kernel.org/patch/11446123/
 _libressl_sign(){
 	if [ ! -f "$1" ]; then
@ -1553,7 +1472,6 @@ find %{temp_modules}/%{kver_full}/kernel \
 -name '*.ko' -print0 | sort -u | \
 	xargs --null -P "$(nproc)" -I {} "$SHELL" -e -x -c 'if ! _libressl_sign "{}"; \
 		then echo Failed _libressl_sign on "{}" && exit 1; fi'
-%endif

 # Create the list of files for the kernel.
 kernel_files=../kernel_files.%{flavour}
@ -1613,7 +1531,6 @@ cd %src_dir
 rm -rf %{buildroot}
 cp -a %{temp_root} %{buildroot}

-%if %{enhanced_security}
 # Multithreaded verification that every kernel module
 # has a signature attached to it
 mkdir -p "%{certs_dir_rnd}"
@ -1643,7 +1560,6 @@ if [ -f %{certs_verify_tmp} ]; then
 	exit 1
 fi
 rm -f %{certs_verify_tmp}
-%endif

 # compressing modules
 %if %{build_modxz}