Revert "Build ROSA kernel shredder inside the kernel tree to ship a signed kernel module"

This reverts commit 742804747a.
2025-02-23 10:32:54 +00:00 · 2020-07-22 23:16:41 +03:00 · 2020-07-22 23:16:41 +03:00 · e4843eed84
commit e4843eed84
parent 742804747a
3 changed files with 1 additions and 60 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -13,4 +13,3 @@ sources:
  public_key_RSA_10.pem: ea4752f0a0671a998ba83050acad926a1cbd8c37
  public_key_RSA_11.pem: b71d76f7f322fcd107b3607dfcacb99a0ca20892
  public_key_RSA_12.pem: ce9600ed7fb5c505dc7208a4a2fab4c8ba20df72
-  shredder-kernel-e07e8bebc8dd4da5c0cd73214bccbd574b3dd9c6.tar.gz: d33ba46eb792c3b189ee7533714e8564cbab1398
--- a/kernel.spec
+++ b/kernel.spec
@ -24,7 +24,7 @@
 %define sublevel	40

 # Release number. Increase this before a rebuild.
-%define rpmrel		6
+%define rpmrel		5
 %define fullrpmrel	%{rpmrel}

 %define rpmtag		%{disttag}
@ -50,14 +50,6 @@
 %define buildrpmrel     %{fullrpmrel}%{rpmtag}-%{arch_suffix}
 %define buildrel     	%{kversion}-%{buildrpmrel}

-# We currently to have some external kernel modules be signed
-# with a valid kernel key. For now it is easier to just build them
-# here in the kernel and sign as all other modules are signed.
-# TODO: make it possible to build them externally.
-%bcond_without kernel_shredder
-# https://abf.io/soft/shredder-kernel/
-%define commit_shredder e07e8bebc8dd4da5c0cd73214bccbd574b3dd9c6
-
 # %%build_selinux may be defined in branding-configs
 #%%{?build_selinux}%{?!build_selinux:%bcond_with selinux}
 #%%if %{with selinux}
@ -223,10 +215,6 @@ Source80:	kernel.rpmlintrc
 # Source207..212: public_key_RSA_*.pem
 %{expand:%(for i in `seq 7 12`; do echo "Source$((200+${i})): public_key_RSA_${i}.pem"; done)}

-# Make SRPM stable: always include these sources even when --without=kernel_shredder
-Source301:	https://abf.io/soft/shredder-kernel/archive/shredder-kernel-%{commit_shredder}.tar.gz
-Source302:	shredder.diff
-
 ####################################################################

 # Patches
@ -963,21 +951,11 @@ for i in STREEBOG SHA1 SHA256 SHA512 ECRDSA RSA ; do
 done

 sed -i '/CONFIG_LSM/d' .config
-%if %{with kernel_shredder}
-echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha,kernel-shredder"' >> %{build_dir}/.config.append
-%else
 echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha"' >> %{build_dir}/.config.append
-%endif
 sed -i '/CONFIG_SECURITY_ALTHA/d' .config
 echo 'CONFIG_SECURITY_ALTHA=y' >> %{build_dir}/.config.append
 %endif

-%if %{with kernel_shredder}
-echo CONFIG_SECURITY_KERNEL_SHREDDER=m >> %{build_dir}/.config.append
-%else
-echo CONFIG_SECURITY_KERNEL_SHREDDER=n >> %{build_dir}/.config.append
-%endif
-
 cat %{build_dir}/.config.append >> .config

 # Store the config file in the appropriate directory.
@ -1032,30 +1010,6 @@ trap "_cleanup" EXIT
 rm -rf %{temp_root}
 install -d %{temp_root}

-%if %{with kernel_shredder}
-tar -xf %{SOURCE301}
-cp -r shredder-kernel-%{commit_shredder}/systable_version/kernelspace %{src_dir}/security
-mv %{src_dir}/security/kernelspace %{src_dir}/security/kernel-shredder
-rm -f {src_dir}/security/kernel-shredder/Makefile
-mv %{src_dir}/security/kernel-shredder/Makefile.kernel_tree %{src_dir}/security/kernel-shredder/Makefile
-# kmod rpm generator will make a versionized provide
-sed -i -e "s,MODULE_VERSION(\"1\"),MODULE_VERSION(\"0.git_$(echo %{commit_shredder} | head -c 6)\"),g" %{src_dir}/security/kernel-shredder/shredder-kernel.c
-# verify
-grep -qE "^MODULE_VERSION.*$(echo %{commit_shredder} | head -c 6)" %{src_dir}/security/kernel-shredder/shredder-kernel.c
-rm -fr shredder-kernel-%{commit_shredder}
-# hack Makefile to build this module
-echo '
-subdir-$(CONFIG_SECURITY_KERNEL_SHREDDER) += kernel-shredder
-obj-$(CONFIG_SECURITY_KERNEL_SHREDDER) += kernel-shredder/
-' >> %{src_dir}/security/Makefile
-( cd %{src_dir} ; patch -p1 < %{SOURCE302} )
-
-# XXX tmp
-echo 'obj-$(CONFIG_SECURITY_KERNEL_SHREDDER) := kernel-shredder.o' > %{src_dir}/security/kernel-shredder/Makefile
-sed -i -e 's,bool,tristate,g' -e 's,default y,default m,g' -e 's,kernel-shredder,shredder-kernel,g' %{src_dir}/security/kernel-shredder/Kconfig
-###
-%endif
-
 cd %src_dir

 ### Keys for signing kernel modules
--- a/shredder.diff
+++ b/shredder.diff
@ -1,12 +0,0 @@
-diff --git a/security/Kconfig b/security/Kconfig
-index d21a120b66d4..6d4ab3bb5bcb 100644
--- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -239,6 +239,7 @@ source "security/yama/Kconfig"
- source "security/safesetid/Kconfig"
- source "security/lockdown/Kconfig"
- source "security/altha/Kconfig"
-+source "security/kernel-shredder/Kconfig"
- 
- source "security/integrity/Kconfig"
-