# RPM spec for the ROSA Linux kernel. It builds one kernel flavour
# (nrj-desktop, or the hardened "nickel" flavour when enhanced_security is
# on) plus its -devel, -debuginfo and -latest meta packages and, depending
# on the build_* knobs and bconds below, kernel-doc, perf, cpupower,
# kernel-headers and User Mode Linux subpackages.
#
# _get_email() in %%build contains bashisms for regexping
%define _buildshell /bin/bash

# Prevent RPM scripts from stripping signatures,
# we strip binaries manually in %%build
# (a module signature is appended to the .ko, so stripping a signed module
# destroys it; with __strip neutralised nothing outside %%build is
# stripped - keep that in mind when adding new binary subpackages).
%define __strip %(which true)

%define kernelversion 5
%define patchlevel 4
# sublevel is used for stable-based kernels
%define sublevel 25

# Release number. Increase this before a rebuild.
%define rpmrel 3
%define fullrpmrel %{rpmrel}
%define rpmtag %{disttag}

# fakerel and fakever never change, they are used to fool
# rpm/urpmi/smart and ensure the kernels are installed,
# not upgraded so old kernel is not overwritten or removed
# (the real version is carried in the subpackage names instead).
%define fakever 1
%define fakerel %mkrel 1

# version defines
%define kversion %{kernelversion}.%{patchlevel}.%{sublevel}
%define kverrel %{kversion}-%{fullrpmrel}
# Upstream tarball version (x.y); the x.y.z stable patch is applied in %%prep.
%define tar_ver %{kernelversion}.%{patchlevel}

%ifarch %{ix86}
# Use a standard suffix for 32-bit x86
# (the kernel config file and the generated defconfig are named after it)
%define arch_suffix i586
%else
%define arch_suffix %{_arch}
%endif

%define buildrpmrel %{fullrpmrel}%{rpmtag}-%{arch_suffix}
%define buildrel %{kversion}-%{buildrpmrel}

# %%build_selinux may be defined in branding-configs
# If it is, it provides the bcond itself; otherwise default to
# "--without selinux".
%{?build_selinux}%{?!build_selinux:%bcond_with selinux}
# enhanced_security is the master switch for the hardened flavour: SELinux
# defaults, GOST-signed modules, LibreSSL build deps and the
# kernel-hardened* Provides all hang off it.
%if %{with selinux}
%global enhanced_security 1
%else
%global enhanced_security 0
%endif
# Allow "rpmbuild --with enhanced_security <...>"
%{?_with_enhanced_security:%global enhanced_security 1}

%if %{enhanced_security}
# additional_keys (on by default): extra public keys, Source201..212, meant
# to be trusted by the kernel. NOTE(review): the step in %%build that
# appends them to the trusted key list appears to be commented out -
# confirm whether these keys are actually trusted.
%bcond_without additional_keys
# oblig_signed_modules (off by default) maps to CONFIG_MODULE_SIG_FORCE in
# %%prep. Without it the hardened kernel signs its own modules but still
# loads unsigned ones (tainting the kernel).
%bcond_with oblig_signed_modules
%endif

# User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
%bcond_without uml

# Kernel flavour
%if %{enhanced_security}
%define flavour nickel
%else
%define flavour nrj-desktop
%endif

# The full kernel version
%define kver_full %{kversion}-%{flavour}-%{buildrpmrel}

############################################################################

%define top_dir_name kernel-%{_arch}
%define build_dir ${RPM_BUILD_DIR}/%{top_dir_name}
%define src_dir %{build_dir}/linux-%{tar_ver}

# Common target directories
%define _bootdir /boot
%define _modulesdir /lib/modules
%define devel_root /usr/src/linux-%{kver_full}

# Directories needed for building
%define temp_root %{build_dir}/temp-root
%define temp_boot %{temp_root}%{_bootdir}
%define temp_modules %{temp_root}%{_modulesdir}
%define temp_devel_root %{temp_root}%{devel_root}

# Directories definition needed for installing
%define target_boot %{buildroot}%{_bootdir}
%define target_modules %{buildroot}%{_modulesdir}

# Manual control of creating and deleting keys
# "rnd" is "random" and means that a key pair is generated at build time
# and is not saved anywhere.
# All paths are relative to the kernel source tree. The private key only
# exists inside the build tree and is removed by the EXIT trap in %%build;
# only the certificate (public part) is kept in public.pem and compiled
# into the kernel via CONFIG_SYSTEM_TRUSTED_KEYS.
%define certs_dir_rnd certs
%define certs_signing_key_priv_rnd %{certs_dir_rnd}/signing_key_priv.key
%define certs_signing_der %{certs_dir_rnd}/signing_key.x509
%define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
%define certs_public_keys %{certs_dir_rnd}/public.pem
%define certs_verify_tmp %{certs_dir_rnd}/verify.tmp

############################################################################
# Build defines
%define build_doc 0
%define build_devel 1
%define build_debug 1
# Build kernel-headers package
%define build_headers 1
# build perf and cpupower tools
%define build_perf 1
%define build_cpupower 1
# compress modules with xz
%define build_modxz 1
# End of user definitions

# buildtime flags
# ("rpmbuild --without X" / "--with X" override the defaults above)
%{?_without_doc: %global build_doc 0}
%{?_without_devel: %global build_devel 0}
%{?_without_debug: %global build_debug 0}
%{?_without_perf: %global build_perf 0}
%{?_without_cpupower: %global build_cpupower 0}
%{?_without_modxz: %global build_modxz 0}
%{?_with_doc: %global build_doc 1}
%{?_with_devel: %global build_devel 1}
%{?_with_debug: %global build_debug 1}
%{?_with_perf: %global build_perf 1}
%{?_with_cpupower: %global build_cpupower 1}
%{?_with_modxz: %global build_modxz 1}

%if !%{build_debug}
# Disable debug rpms.
%define _enable_debug_packages %{nil}
%define debug_package %{nil}
%endif

# The shell macro runs at spec parse time: if CC is set in the build
# environment it is forwarded to make, otherwise the kernel default is used.
%if %(if [ -z "$CC" ] ; then echo 0; else echo 1; fi)
%define kmake %make CC="$CC"
%else
%define kmake %make
%endif
# there are places where parallel make don't work
%define smake make

# Parallelize xargs invocations on smp machines
# (adds "-P <ncpus>" when RPM_BUILD_NCPUS, or getconf, reports more than one)
%define kxargs xargs %([ -z "$RPM_BUILD_NCPUS" ] \\\
    && RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"; \\\
    [ "$RPM_BUILD_NCPUS" -gt 1 ] && echo "-P $RPM_BUILD_NCPUS")

#
# SRC RPM description
#
Summary: The Linux kernel
Name: kernel
Version: %{kversion}
Release: %{fullrpmrel}
License: GPLv2
Group: System/Kernel and hardware
ExclusiveArch: %{ix86} x86_64
URL: http://www.kernel.org

####################################################################
#
# Sources
#
# NOTE(review): no checksum is recorded for the remote Source0/Patch1;
# their integrity relies on the build system's source store - confirm.
Source0: https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/linux-%{tar_ver}.tar.xz
# This is for disabling *config, mrproper, prepare, scripts on -devel rpms
# Needed, because otherwise the -devel won't build correctly.
Source2: disable-mrproper-prepare-scripts-configs-in-devel-rpms.patch
# Kernel configuration files.
Source110: kernel-%{arch_suffix}.config
# Cpupower: the service, the config, etc.
Source50: cpupower.service
Source51: cpupower.config
Source52: cpupower-start.sh
Source53: cpupower.path
Source80: kernel.rpmlintrc
# Additional keys that can be used to sign kernel modules
# Source201..212: public_rsa_1..12.pem
# (generated at parse time; equivalent to twelve SourceNNN: lines)
%{expand:%(for i in `seq 1 12`; do echo "Source$((200+${i})): public_rsa_${i}.pem"; done)}

####################################################################
# Patches
# The patch to make kernel x.y.z from x.y.0.
Patch1: https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/patch-%{kversion}.xz

# Patches from mainline
# none

# ROSA-specific patches
# Perf docs are built after all the kernels. To validate the xml files
# generated during that process, xmlto tries to get DTD files from the Net.
# If it fails, the whole build fails, which is unfortunate. Let us avoid
# this.
Patch101: perf-xmlto-skip-validation.patch
# http://bugs.rosalinux.ru/show_bug.cgi?id=6235
# http://bugs.rosalinux.ru/show_bug.cgi?id=6459
Patch102: audit-make-it-less-verbose.patch
# AUFS from http://aufs.sourceforge.net/
Patch109: fs-aufs.patch
# Other patches
Patch110: objtool-sync-check.sh-set-the-exit-code-explicitly.patch
# Module signing with GOST via LibreSSL (still work in progress).
Patch200: WIP-Sign-modules-with-GOST-by-LibreSSL.patch

# Disable AutoReq
AutoReq: 0
# but keep autoprov for kmod(xxx)
AutoProv: 1

BuildRequires: bash
BuildRequires: bc
BuildRequires: binutils
BuildRequires: gcc
# For power tools
BuildRequires: pkgconfig(ncurses)
BuildRequires: kmod-devel kmod-compat
BuildRequires: bison
BuildRequires: flex
BuildRequires: bzip2
BuildRequires: rsync
%ifarch x86_64
BuildRequires: numa-devel
%endif
# for perf, cpufreq and all other tools
# for cpupower
%if %{build_cpupower}
BuildRequires: pciutils-devel
%endif
# for perf
%if %{build_perf}
BuildRequires: asciidoc
BuildRequires: audit-devel
BuildRequires: binutils-devel
BuildRequires: elfutils-devel
BuildRequires: libunwind-devel
BuildRequires: newt-devel
BuildRequires: perl-devel
BuildRequires: pkgconfig(python)
BuildRequires: xmlto
BuildRequires: zlib-devel
BuildRequires: pkgconfig(libcrypto)
%endif
%if %{enhanced_security}
# (To generate keys)
# LibreSSL has GOST support without editing openssl.cnf
# or dlopen()-ing external library
BuildRequires: libressl libressl-devel
# To verify signatures (find, xargs, hexdump)
BuildRequires: findutils util-linux
%endif

# might be useful too:
Recommends: microcode

%description
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions of the operating
system: memory allocation, process allocation, device input and output, etc.
############################################################################
# Main kernel package. Version/Release use fakever/fakerel so that every
# kernel build is a separate install rather than an upgrade; the real
# version lives in the package name and in the Provides below.
%package -n kernel-%{flavour}-%{buildrel}
Version: %{fakever}
Release: %{fakerel}
Provides: kernel = %{kverrel}
Provides: kernel = %{kernelversion}.%{patchlevel}
Provides: kernel-%{flavour} = %{kverrel}
%if %{enhanced_security}
Provides: kernel-hardened = %{kverrel}
Provides: kernel-hardened = %{kernelversion}.%{patchlevel}
Provides: kernel-hardened-%{flavour} = %{kverrel}
%endif
# Compatibility Provides; the alsa version is hard-coded - confirm it is
# still meaningful for anything that Requires it.
Provides: alsa = 1.0.27
Provides: should-restart = system
Requires(pre): grub2
Requires(pre): dracut >= 046
Requires(pre): kmod >= 20-1
Requires(pre): sysfsutils >= 2.1.0-12
Requires: dracut >= 046
Requires: linux-firmware >= 20181026
Requires: wireless-regdb
Recommends: crda
%if %build_devel
# Requires(post): the -devel package must be fully installed before the
# depmod in %%post below runs (see the comment there).
Requires: kernel-%{flavour}-devel-%{buildrel}
Requires(post): kernel-%{flavour}-devel-%{buildrel}
%endif
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif
Summary: A general-purpose Linux Kernel
Group: System/Kernel and hardware

%description -n kernel-%{flavour}-%{buildrel}
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions of the operating
system: memory allocation, process allocation, device input and output, etc.
This is a general-purpose kernel.

%post -n kernel-%{flavour}-%{buildrel}
# We always regenerate initrd here, even if it already exists. This may
# happen if kernel-<...>-devel is installed first, triggers rebuild of
# DKMS modules and some of these request remaking of initrd. The initrd
# that is created then will be non-functional. But when the user installs
# kernel-<...> package, that defunct initrd will be replaced with a working
# one here.
#
# depmod is also needed, because some DKMS-modules might have been installed
# when the devel package was installed but that was before the main modules
# were installed.
# This is also the reason the devel package is in Requires(post) for this
# package now: it must be installed completely before we call depmod here.
/sbin/depmod -a %{kver_full}
/sbin/dracut -f /boot/initrd-%{kver_full}.img %{kver_full}
# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2
# Remove the per-flavour vmlinuz/initrd symlinks, but only if they really
# are symlinks (-L) - never a regular file of that name.
pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
	rm -f vmlinuz-%{flavour}
fi
if [ -L initrd-%{flavour}.img ]; then
	rm -f initrd-%{flavour}.img
fi
popd > /dev/null
exit 0

%preun -n kernel-%{flavour}-%{buildrel}
# Only remove the per-flavour symlinks if they point at this very kernel;
# another installed kernel of the same flavour may own them.
pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
	if [ "$(readlink vmlinuz-%{flavour})" = "vmlinuz-%{kver_full}" ]; then
		rm -f vmlinuz-%{flavour}
	fi
fi
if [ -L initrd-%{flavour}.img ]; then
	if [ "$(readlink initrd-%{flavour}.img)" = "initrd-%{kver_full}.img" ]; then
		rm -f initrd-%{flavour}.img
	fi
fi
# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2
popd > /dev/null
exit 0

%postun -n kernel-%{flavour}-%{buildrel}
# Remove generated images that are not in the RPM file list
# (everything below is scoped to this kernel's kver_full).
rm -f /boot/initrd-%{kver_full}.img
rm -f /boot/initrd-%{kver_full}_old.img
rm -f /boot/initrd-%{kver_full}kdump.img
rm -f /boot/initramfs-%{kver_full}kdump.img
# Third-party modules might have left something in /lib/modules/.../kernel/.
rm -rf /lib/modules/%{kver_full}/kernel/
rm -rf /lib/modules/%{kver_full}/modules*
# Remove /lib/modules/<...>/ if it is empty (-devel uses it too).
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true

# The file list is generated in %%install.
%files -n kernel-%{flavour}-%{buildrel} -f kernel_files.%{flavour}

############################################################################
%if %build_devel
%package -n kernel-%{flavour}-devel-%{buildrel}
Version: %{fakever}
Release: %{fakerel}
Summary: Development files for kernel-%{flavour}-%{buildrel}
Group: Development/Kernel
Requires: glibc-devel
Requires: ncurses-devel
Requires: make
Requires: gcc
Requires: perl
# Loading kernel modules without valid signature is prohibited
# when building with enhanced_security (strictly enforced only
# --with oblig_signed_modules, see %%prep), so out-of-tree DKMS modules,
# which are unsigned, are not wired in for the hardened flavour.
%if ! %{enhanced_security}
Requires(post): dkms
Requires(preun): dkms
%endif
Provides: kernel-devel = %{kverrel}
Provides: kernel-%{flavour}-devel = %{kverrel}
%if %{enhanced_security}
Provides: kernel-hardened-devel = %{kverrel}
Provides: kernel-hardened-%{flavour}-devel = %{kverrel}
%endif
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif

%description -n kernel-%{flavour}-devel-%{buildrel}
This package contains the kernel files (headers and build tools) that should
be enough to build additional drivers for use with
kernel-%{flavour}-%{buildrel}.

%if ! %{enhanced_security}
%post -n kernel-%{flavour}-devel-%{buildrel}
/usr/sbin/dkms_autoinstaller start %{kver_full}
%endif

%preun -n kernel-%{flavour}-devel-%{buildrel}
%if ! %{enhanced_security}
# Uninstall every DKMS module built for this kernel. Expected 'dkms status'
# line format: "<module>, <version>, <kernel>, <arch>: <state>"; awk glues
# fields 1 and 2 into "<module>,<version>," and the FS=',' passes split
# them again. TODO confirm against the installed dkms version.
for ii in $(/usr/sbin/dkms status -k %{kver_full} | awk '{ print $1 $2; }'); do
	mod=$(echo $ii | awk -v FS=',' '{ print $1; }')
	ver=$(echo $ii | awk -v FS=',' '{ print $2; }')
	/usr/sbin/dkms --rpm_safe_upgrade uninstall -m $mod -v $ver -k %{kver_full} || true
done
%endif
# If any DKMS modules with REMAKE_INITRD=yes in their configs have been
# uninstalled, initrd has been regenerated for the given kernel. However,
# the kernel itself might have been uninstalled before, so that (defunct)
# initrd image files would be left behind. Remove them if the kernel itself
# is no longer installed. Should work if they are uninstalled in parallel
# too.
if ! test -f /boot/vmlinuz-%{kver_full}; then
	rm -f /boot/initrd-%{kver_full}.img
	rm -f /boot/initrd-%{kver_full}_old.img
fi

%postun -n kernel-%{flavour}-devel-%{buildrel}
rm -rf /usr/src/linux-%{kver_full} >/dev/null
# depmod (called when removing DKMS modules) might have created files in
# /lib/modules/.../. Remove these first.
rm -rf /lib/modules/%{kver_full}/modules*
# Remove the dir if it is already empty.
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true

%files -n kernel-%{flavour}-devel-%{buildrel}
%dir %{devel_root}
%dir %{devel_root}/arch
%dir %{devel_root}/include
%{devel_root}/Documentation
%{devel_root}/arch/um
%{devel_root}/arch/x86
%{devel_root}/block
%{devel_root}/certs
%{devel_root}/crypto
%{devel_root}/drivers
%{devel_root}/fs
%{devel_root}/include/acpi
%{devel_root}/include/asm-generic
%{devel_root}/include/clocksource
%{devel_root}/include/config
%{devel_root}/include/crypto
%{devel_root}/include/drm
%{devel_root}/include/dt-bindings
%{devel_root}/include/generated
%{devel_root}/include/keys
%{devel_root}/include/kvm
%{devel_root}/include/linux
%{devel_root}/include/math-emu
%{devel_root}/include/media
%{devel_root}/include/misc
%{devel_root}/include/net
%{devel_root}/include/pcmcia
%{devel_root}/include/ras
%{devel_root}/include/rdma
%{devel_root}/include/scsi
%{devel_root}/include/sound
%{devel_root}/include/target
%{devel_root}/include/trace
%{devel_root}/include/uapi
%{devel_root}/include/vdso
%{devel_root}/include/video
%{devel_root}/include/xen
%{devel_root}/init
%{devel_root}/ipc
%{devel_root}/kernel
%{devel_root}/lib
%{devel_root}/mm
%{devel_root}/net
%{devel_root}/samples
%{devel_root}/scripts
%{devel_root}/security
%{devel_root}/sound
%{devel_root}/tools
%{devel_root}/usr
%{devel_root}/virt
%{devel_root}/.config
%{devel_root}/Kbuild
%{devel_root}/Kconfig
%{devel_root}/Makefile
%{devel_root}/Module.symvers
%{devel_root}/arch/Kconfig
# build/source symlinks under /lib/modules/<kver_full>
%{_modulesdir}/%{kver_full}/build
%{_modulesdir}/%{kver_full}/source
%endif

############################################################################
%if %build_debug
%package -n kernel-%{flavour}-%{buildrel}-debuginfo
Version: %{fakever}
Release: %{fakerel}
Summary: Debuginfo for kernel-%{flavour}-%{buildrel}
Group: Development/Debug
Provides: kernel-debug = %{kverrel}
%if %{enhanced_security}
Provides: kernel-hardened-debug = %{kverrel}
%endif
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif

%description -n kernel-%{flavour}-%{buildrel}-debuginfo
This package contains the files with debuginfo for kernel-%{flavour}-%{buildrel}.

# The file list is generated in %%install.
%files -n kernel-%{flavour}-%{buildrel}-debuginfo -f kernel_debug_files.%{flavour}
%endif

############################################################################
# Meta package that tracks the newest kernel of this flavour in the x.y
# series: unlike the kernel package itself it carries the real version,
# so it IS upgraded, and pulls in the new kernel through Requires.
%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Meta package for the latest kernel-%{flavour} in %{kernelversion}.%{patchlevel} series
Group: System/Kernel and hardware
Requires: kernel-%{flavour}-%{buildrel}
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif

%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the latest
kernel-%{flavour} %{kernelversion}.%{patchlevel}.x installed.

%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files

############################################################################
%if %build_devel
%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Meta package for the latest kernel-%{flavour}-devel in %{kernelversion}.%{patchlevel} series
Group: Development/Kernel
Requires: kernel-%{flavour}-devel-%{buildrel}
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif
Provides: kernel-devel-latest
%if %{enhanced_security}
Provides: kernel-hardened-devel-latest
%endif

%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
This meta package aims to make sure you always have the latest
kernel-%{flavour}-devel %{kernelversion}.%{patchlevel}.x installed.

%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
# no files
%endif

############################################################################
%if %build_doc
%package -n kernel-doc
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Various documentation bits found in the kernel source
Group: Documentation
Buildarch: noarch

%description -n kernel-doc
This package contains documentation files from the kernel source.

%files -n kernel-doc
%doc linux-%{tar_ver}/Documentation/*
%endif

############################################################################
%if %{build_perf}
%package -n perf
Version: %{kversion}
Release: %{fullrpmrel}
Summary: perf tool and the supporting documentation
Group: System/Kernel and hardware

%description -n perf
The package contains perf tool and the supporting documentation.

%files -n perf
%{_bindir}/perf
%ifarch x86_64
%{_bindir}/perf-read-vdso32
%endif
%{_bindir}/trace
%dir %{_prefix}/libexec/perf-core
%dir %{_libdir}/traceevent
%dir %{_libdir}/traceevent/plugins
%{_libdir}/traceevent/plugins/*
%{_prefix}/libexec/perf-core/*
%{_mandir}/man[1-8]/perf*
%{_sysconfdir}/bash_completion.d/perf
%{_datadir}/perf-core/strace/groups/*
%{_datadir}/doc/perf-tip/*.txt
/usr/lib/perf/examples/bpf/*
/usr/lib/perf/include/bpf/*
%endif

############################################################################
%if %{build_cpupower}
%package -n cpupower
Version: %{kversion}
Release: %{fullrpmrel}
Summary: The cpupower tools
Group: System/Kernel and hardware
Requires(post): rpm-helper >= 0.24.0-3
Requires(preun): rpm-helper >= 0.24.0-3
Obsoletes: cpufreq < 3.0
Obsoletes: cpufrequtils < 10.0

%description -n cpupower
The cpupower tools.

%post -n cpupower
# $1 is 1 on first install and 2 on upgrade, so this condition is always
# true: the path unit is (re-)enabled in both cases. Failures are ignored
# (e.g. when systemd is not running in the install environment).
if [ $1 -ge 0 ]; then
	# Do not enable/disable cpupower.service directly, because it should start
	# when cpupower.path triggers it.
	/bin/systemctl enable cpupower.path >/dev/null 2>&1 || :
	/bin/systemctl start cpupower.path >/dev/null 2>&1 || :
fi

%preun -n cpupower
# $1 is 0 only on complete removal, not on upgrade.
if [ $1 -eq 0 ]; then
	/bin/systemctl --no-reload disable cpupower.path > /dev/null 2>&1 || :
	/bin/systemctl stop cpupower.path > /dev/null 2>&1 || :
fi

%files -n cpupower -f cpupower.lang
%{_bindir}/cpupower
%{_bindir}/cpupower-start.sh
%{_libdir}/libcpupower.so.0
%{_libdir}/libcpupower.so.0.0.1
%{_unitdir}/cpupower.service
%{_unitdir}/cpupower.path
%{_datadir}/bash-completion/completions/cpupower
%{_mandir}/man[1-8]/cpupower*
%config(noreplace) %{_sysconfdir}/sysconfig/cpupower

############################################################################
%package -n cpupower-devel
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Development files for cpupower
Group: Development/Kernel
Requires: cpupower = %{kversion}-%{fullrpmrel}
Conflicts: %{_lib}cpufreq-devel

%description -n cpupower-devel
This package contains the development files for cpupower.

%files -n cpupower-devel
%{_libdir}/libcpupower.so
%{_includedir}/cpufreq.h
%endif

############################################################################
%if %{build_headers}
# Userspace API headers (make headers_install); takes over the old
# linux-userspace-headers package name via the distro's %%rename macro.
%package headers
Version: %kversion
Release: %fullrpmrel
Summary: Linux kernel header files mostly used by your C library
Group: System/Kernel and hardware
Epoch: 1
%rename linux-userspace-headers

%description headers
C header files from the Linux kernel. The header files define structures and
constants that are needed for building most standard programs, notably the
C library.
This package is not suitable for building kernel modules, you should use the
'kernel-devel' package instead.
%files headers
%_includedir/*
# Don't conflict with cpupower-devel
%if %{build_cpupower}
%exclude %_includedir/cpufreq.h
%endif
%endif

############################################################################
%if %{with uml}
# User Mode Linux: the kernel built as a userspace binary (ARCH=um) from a
# copy of the source tree, see %%build.
%package -n kernel-uml-%{flavour}-%{buildrel}
Version: %{fakever}
Release: %{fakerel}
Provides: kernel-uml = %{kverrel}
Provides: kernel-uml-%{flavour} = %{kverrel}
Summary: User Mode Linux binary
Group: System/Kernel and hardware

%description -n kernel-uml-%{flavour}-%{buildrel}
User Mode Linux binary, not stripped

%files -n kernel-uml-%{flavour}-%{buildrel}
%{_bindir}/linux-uml-%{kver_full}

#------------------------------------------------
%package -n kernel-uml-modules-%{flavour}-%{buildrel}
Version: %{fakever}
Release: %{fakerel}
Provides: kernel-uml-modules = %{kverrel}
Provides: kernel-uml-modules-%{flavour} = %{kverrel}
Summary: User Mode Linux (UML) kernel modules
Group: System/Kernel and hardware

%description -n kernel-uml-modules-%{flavour}-%{buildrel}
User Mode Linux (UML) kernel modules
- not compressed
- not stripped
- signed

%files -n kernel-uml-modules-%{flavour}-%{buildrel}
/lib/modules-uml/%{kver_full}
%endif

############################################################################
%prep
# -c creates %%top_dir_name and unpacks Source0 inside it, giving %%src_dir.
%setup -q -n %top_dir_name -c
%if %{with uml}
# NOTE(review): the UML copy is taken before %%apply_patches runs below, so
# none of the Patch* entries (including Patch200) reach the UML tree -
# confirm that is intended.
cp -r %{src_dir} %{src_dir}.uml
%endif
cd %src_dir
%apply_patches

#
# Setup Begin
#

# Kernel configuration
# Start from the shipped config, apply arch- and flavour-specific edits,
# collect additions in .config.append, then run oldconfig and store the
# result as an in-tree defconfig that %%build copies back to .config.
echo "Creating the kernel configuration file."

# Configs
cp %{SOURCE110} .config

# Disable kernel ASLR (KASLR, CONFIG_RANDOMIZE_BASE) for 32-bit systems
# because it does not play well with hibernate. 64-bit keeps whatever the
# shipped config says.
%ifarch %{ix86}
sed -i 's/CONFIG_RANDOMIZE_BASE=y/# CONFIG_RANDOMIZE_BASE is not set/' .config
%endif

# Disable checking for W+X memory mappings for 32-bit systems. The warnings
# may confuse the users and no one is eager to fix the underlying problem,
# it seems.
# NOTE(review): this only silences the boot-time W+X report; any writable
# and executable mapping it would have flagged is still there.
%ifarch %{ix86}
sed -i 's/CONFIG_DEBUG_WX=y/# CONFIG_DEBUG_WX is not set/' .config
%endif

# GCC 5.5 may not support -fstack-protector-* on 32-bit systems.
# Let us disable the stack protector in the config explicitly.
# (Hardening regression on ix86 only; 64-bit is left untouched.)
%ifarch %{ix86}
sed -i 's/CONFIG_STACKPROTECTOR=y/# CONFIG_STACKPROTECTOR is not set/' .config
sed -i 's/CONFIG_STACKPROTECTOR_STRONG=y/# CONFIG_STACKPROTECTOR_STRONG is not set/' .config
%endif

# Everything appended to this file is merged into .config before oldconfig
# (the UML build in %%build reuses it as well).
touch %{build_dir}/.config.append

# Enable debug info if requested.
# The sed pattern is a prefix match and drops every CONFIG_DEBUG_INFO* line;
# the wanted values are re-added below, the rest is left to oldconfig.
sed -i '/CONFIG_DEBUG_INFO/d' .config
%if %build_debug
echo 'CONFIG_DEBUG_INFO=y' >> %{build_dir}/.config.append
echo 'CONFIG_DEBUG_INFO_DWARF4=y' >> %{build_dir}/.config.append
echo 'CONFIG_GDB_SCRIPTS=y' >> %{build_dir}/.config.append
%else
echo 'CONFIG_DEBUG_INFO=n' >> %{build_dir}/.config.append
%endif

%if %{enhanced_security}
### SELinux enablement
# seems to be needed to boot system in enforcing selinux mode
# note: cpio format of initramfs does not support xattrs without patches
# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
# NOTE(review): CONFIG_SECURITY_SELINUX_DISABLE lets userspace switch
# SELinux off at runtime (selinuxfs "disable", before policy load) and keeps
# the LSM hook tables writable instead of read-only after init. Confirm it
# is still needed rather than relying on the selinux= boot parameter.
sed -i '/CONFIG_SECURITY_SELINUX_DISABLE/d' .config
echo CONFIG_SECURITY_SELINUX_DISABLE=y >> %{build_dir}/.config.append
# enable selinux in kernel by default if not disabled explicitly
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> %{build_dir}/.config.append

### Signing kernel modules
# https://www.kernel.org/doc/html/v5.3/admin-guide/module-signing.html
# Prefix match: this also removes CONFIG_MODULE_SIG_* (hash, key, force...)
# from the shipped config; the values we need are appended below.
sed -i '/CONFIG_MODULE_SIG/d' .config
echo CONFIG_MODULE_SIG=y >> %{build_dir}/.config.append
%if %{with oblig_signed_modules}
# Disallow loading not signed modules
echo CONFIG_MODULE_SIG_FORCE=y >> %{build_dir}/.config.append
%else
# Default: unsigned or badly signed modules still load, but taint the kernel.
echo CONFIG_MODULE_SIG_FORCE=n >> %{build_dir}/.config.append
%endif
# If %%build_debug is true, modules are stripped for debuginfo, which would
# destroy signatures added by the in-tree CONFIG_MODULE_SIG_ALL step.
# We sign modules manually in a tricky way below (in %%build) instead.
echo CONFIG_MODULE_SIG_ALL=n >> %{build_dir}/.config.append
# Use STREEBOG-512 algo (GOST R 34.11-12)
echo CONFIG_MODULE_SIG_STREEBOG512=y >> %{build_dir}/.config.append
# Set path to the key that will be generated later by openssl/libressl
# (the \" keep the quotes Kconfig expects around a string value)
echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_priv_rnd}\" >> %{build_dir}/.config.append
# Set path to one PEM file with all keys that the kernel must trust
# (filled in %%build with the certificate of the build-time key and,
# when enabled, the additional keys)
sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
echo CONFIG_SYSTEM_TRUSTED_KEYS=\"%{certs_public_keys}\" >> %{build_dir}/.config.append
# Reserve area for inserting a certificate without recompiling
# (a zeroed slot in the kernel image that one extra certificate can be
# written into after the build)
sed -i '/CONFIG_SYSTEM_EXTRA_CERTIFICATE/d' .config
echo CONFIG_SYSTEM_EXTRA_CERTIFICATE=y >> %{build_dir}/.config.append

# Memory wiping
# Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef
# Estimated performance impact is described in the commit
# "Fill newly allocated pages and heap objects with zeroes."
# To enable, add to cmdline: init_on_alloc=1
#sed -i '/CONFIG_INIT_ON_ALLOC_DEFAULT_ON/d' .config
#echo CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y >> %{build_dir}/.config.append
# "Fill freed pages and heap objects with zeroes"
# To disable, add to cmdline: init_on_free=0
# (prefix match on purpose; it covers CONFIG_INIT_ON_FREE_DEFAULT_ON)
sed -i '/CONFIG_INIT_ON_FREE_DEFAULT_O/d' .config
echo CONFIG_INIT_ON_FREE_DEFAULT_ON=y >> %{build_dir}/.config.append
# Here enabling only one of init_on_free or init_on_alloc makes sense;
# init_on_alloc is not about protecting information.

# Keep GOST crypto built-in to enable loading GOST-signed kernel modules
# and GOST keys from the kernel keyring
sed -i '/CONFIG_CRYPTO_STREEBOG/d' .config
echo 'CONFIG_CRYPTO_STREEBOG=y' >> %{build_dir}/.config.append
sed -i '/CONFIG_CRYPTO_ECRDSA/d' .config
echo 'CONFIG_CRYPTO_ECRDSA=y' >> %{build_dir}/.config.append
%endif

cat %{build_dir}/.config.append >> .config

# Store the config file in the appropriate directory.
# (CONFIG_DIR and the directory part of cfg_file are kept in sync by hand.)
CONFIG_DIR=arch/x86/configs
mkdir -p "${CONFIG_DIR}"
cfg_file=arch/x86/configs/%{arch_suffix}_defconfig-%{flavour}
# Plain make here, not %%kmake/%%smake. oldconfig resolves every symbol the
# edits above left unset (prompting if stdin is a tty, defaults otherwise -
# TODO confirm on the build farm).
make ARCH=%{_arch} oldconfig && \
	mv .config ${cfg_file}

# Looks like 'make oldconfig' removes '# CONFIG_64BIT is not set' for some
# reason. For now, let us restore it.
%ifarch %{ix86}
sed -i 's/CONFIG_64BIT=y//' ${cfg_file}
echo '# CONFIG_64BIT is not set' >> ${cfg_file}
%endif

echo "Created ${cfg_file}."

# make sure the kernel has the sublevel we know it has...
LC_ALL=C sed -ri "s/^SUBLEVEL.*/SUBLEVEL = %{sublevel}/" Makefile

# get rid of unwanted files
find . -name '*~' -o -name '*.orig' -o -name '*.append' | %kxargs rm -f
find . -name '.get_maintainer.ignore' | %kxargs rm -f

############################################################################
%build
# Ensure that build time generated private keys don't get published
# as e.g. "RPM build root" on ABF!
# Note that ABF sends SIGKILL to rpm-build.sh when the build is terminated;
# in this case trap will not work, but RPM build root also will not be
# saved because rpm-build.sh saves it, but it is SIGKILLed.
# For best security we could store private keys in RAM (not reachable from
# filesystem, so not in /tmp!) and override sth like fopen() by LD_PRELOAD
# to give the content of keys from RAM when a virtual address of a key file
# is accessed, but currently I don't know how to implement this (TODO: ).
_cleanup(){ # Show resulting kernel public keys for debugging cat "%{src_dir}/%{certs_dir_rnd}/x509_certificate_list" | base64 -d || : rm -fvr "%{src_dir}/%{certs_dir_rnd}" %if %{with uml} cat "%{src_dir}.uml/%{certs_dir_rnd}/x509_certificate_list" | base64 -d || : rm -fvr "%{src_dir}.uml/%{certs_dir_rnd}" %endif } # Make a trap to delete keys even if %%build fails in the middle trap "_cleanup" EXIT rm -rf %{temp_root} install -d %{temp_root} cd %src_dir ### Keys for signing kernel modules # Keys can be generated both manually and automatically, # let's generate them by ourselves to take full control of the process # https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html # See also certs/Makefile in kernel source %if %{enhanced_security} mkdir -p "%{certs_dir_rnd}" # On ABF, %%packager == $username <$email> # Try to extract email from %%packager if it is set _get_email(){ # Check that macro %%packager was set and is not empty if echo '%{packager}' | grep -q 'packager}$' || [ -z "%{packager}" ] # If was not set or is empty, use default email then echo 'rpmbuild@rosa.unknown' && return # Otherwise try to extract email from 'name ' or sth else else temp="$(echo '%{packager}' | tr '[:upper:]' '[:lower:]' | tr ' ' '\n' | tr -d '<>' | grep -E '@.*\..*' | head -n 1)" fi # Validate that what we have now is a valid email # https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733 # Note that we set %%_buildshell to /bin/bash to guarantee the work of this bashism regex_email="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$" if [[ "$temp" =~ ${regex_email} ]] # If it is, use it then echo "$temp" && return # Otherwise use default email else echo 'rpmbuild@rosa.unknown' && return fi # If script above has not return'ed for any reason, # e.g. 
because of non-bash shell being not able to # process regexp, use default email echo 'rpmbuild@rosa.unknown' } email="$(_get_email)" cat < "%{certs_key_config_rnd}" [ req ] prompt = no string_mask = utf8only default_keyfile = %{certs_signing_key_priv_rnd} distinguished_name = req_distinguished_name x509_extensions = myexts [ req_distinguished_name ] organizationName = %{vendor} rpmbuild commonName = Build time autogenerated kernel key emailAddress = ${email} [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyid EOF cat "%{certs_key_config_rnd}" libressl req -new -nodes -utf8 -batch \ -newkey gost2001 \ -pkeyopt dgst:streebog512 -pkeyopt paramset:A \ -streebog512 \ -days 109500 \ -x509 -config "%{certs_key_config_rnd}" \ -outform PEM \ -out "%{certs_signing_key_priv_rnd}" \ -keyout "%{certs_signing_key_priv_rnd}" # Verify libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \ | grep -E 'Signature Algorithm:.*GOST R 34.10-2012' libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \ | grep -E 'Digest Algorithm:.*GOST R 34-11-2012' libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \ | grep -E 'Public Key Algorithm:.*GOST R 34.10-2012' # Strip public part from the generated PEM sed -n \ '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' \ "%{certs_signing_key_priv_rnd}" > "%{certs_public_keys}" # link sign-file and extract-cert with LibreSSL instead of OpenSSL libressl_cflags="$(pkg-config --cflags --libs libressl-libcrypto)" if [ $? != 0 ] ; then exit $? 
; fi sed -i %{src_dir}/scripts/Makefile \ %if %{with uml} %{src_dir}.uml/scripts/Makefile \ %endif -e "s,-lcrypto,${libressl_cflags},g" %if %{with additional_keys} # Add additional public keys to the list of trusted keys for kernel modules # Build kernel --without additional_keys if you do not want to trust them ##cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \ ## >> "%{certs_public_keys}" %endif #endif additional_keys cat %{certs_public_keys} %endif #endif enhanced_security # .config %smake -s mrproper cp arch/x86/configs/%{arch_suffix}_defconfig-%{flavour} .config # make sure EXTRAVERSION says what we want it to say LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{flavour}-%{buildrpmrel}/" Makefile # Print debug messages when loglevel=7 in cmdline. # Those messages can be caught by debugfs without -DDEBUG. # but sometimes it is required to see them via a serial port when booting the kernel. # '#ifdef DEBUG' is used in different places for different purposes, # so change DEBUG to PRINTK_DEBUG in one specific place. 
%if %build_debug
sed -i %{src_dir}/include/linux/printk.h \
	-e 's,^#ifdef DEBUG$,#if defined(DEBUG) || defined(PRINTK_DEBUG),g'
# exported so the kernel build below picks it up
export KCPPFLAGS="-DPRINTK_DEBUG"
%endif

# build the kernel
echo "Building kernel %{kver_full}"
%kmake V=1 -s all

%if %{with uml}
# The certs/ directory (private key included) is copied into the uml tree,
# presumably so that build sees the same key material -- verify.
cp -rv %{certs_dir_rnd} %{src_dir}.uml/
pushd %{src_dir}.uml
%kmake ARCH=um defconfig
cp .config .config.default
cat %{build_dir}/.config.append >> .config
%kmake oldconfig ARCH=um
# show what the append changed; informational only, never fails the build
diff -u .config.default .config || :
%kmake ARCH=um linux
install -Dm0755 linux %{temp_root}%{_bindir}/linux-uml-%{kver_full}
#rm -fv linux
%kmake V=1 ARCH=um modules
mkdir -p %{temp_root}/lib/modules-uml/%{kver_full}/
%kmake ARCH=um INSTALL_MOD_PATH=%{temp_root}/lib/modules-uml/%{kver_full}/ modules_install
popd
%endif

# Start installing stuff
install -d %{temp_boot}
install -m 644 System.map %{temp_boot}/System.map-%{kver_full}
install -m 644 .config %{temp_boot}/config-%{kver_full}
xz -c Module.symvers > %{temp_boot}/symvers-%{kver_full}.xz
cp -f arch/x86/boot/bzImage %{temp_boot}/vmlinuz-%{kver_full}

# modules
install -d %{temp_modules}/%{kver_full}
%smake INSTALL_MOD_PATH=%{temp_root} KERNELRELEASE=%{kver_full} modules_install

# headers
%if %{build_headers}
%make INSTALL_HDR_PATH=%{temp_root}%{_prefix} KERNELRELEASE=%{kver_full} headers_install
find %{temp_root}%{_prefix} -name .install -or -name ..install.cmd | %kxargs rm -f
%endif

# remove /lib/firmware, we use a separate linux-firmware package
rm -rf %{temp_root}/lib/firmware

# Prepare the files for kernel*-devel
%if %build_devel
mkdir -p %{temp_devel_root}
# $(find ...) is word-split, so paths with whitespace would break here;
# the kernel tree does not contain any.
for i in $(find . -name 'Makefile*'); do cp -R --parents $i %{temp_devel_root}; done
for i in $(find . -name 'Kconfig*' -o -name 'Kbuild*'); do cp -R --parents $i %{temp_devel_root}; done
# certs/ is not among the copied paths, so the build-time private key does
# not land in the -devel tree (as far as the copies visible here go).
cp -fR include %{temp_devel_root}
cp -fR scripts %{temp_devel_root}
cp -fR kernel/bounds.c %{temp_devel_root}/kernel
cp -fR kernel/time/timeconst.bc %{temp_devel_root}/kernel/time
cp -fR tools %{temp_devel_root}/
cp -fR arch/x86/kernel/asm-offsets.{c,s} %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/kernel/asm-offsets_{32,64}.c %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/purgatory/* %{temp_devel_root}/arch/x86/purgatory/
cp -fR arch/x86/entry/syscalls/syscall* %{temp_devel_root}/arch/x86/entry/syscalls/
cp -fR arch/x86/include %{temp_devel_root}/arch/x86/
cp -fR arch/x86/tools %{temp_devel_root}/arch/x86/
cp -fR .config Module.symvers %{temp_devel_root}
# Needed for truecrypt build (Danny)
cp -fR drivers/md/dm.h %{temp_devel_root}/drivers/md/
# Needed for lirc_gpio (#39004)
cp -fR drivers/media/pci/bt8xx/bttv{,p}.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/pci/bt8xx/bt848.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/common/btcx-risc.h %{temp_devel_root}/drivers/media/common/
# add acpica header files, needed for fglrx build
cp -fR drivers/acpi/acpica/*.h %{temp_devel_root}/drivers/acpi/acpica/
# aufs2 has a special file needed
cp -fR fs/aufs/magic.mk %{temp_devel_root}/fs/aufs
# SELinux needs security/selinux/include
cp -fR security/selinux/include %{temp_devel_root}/security/selinux
# needed for kexec
cp -fR arch/x86/boot/*.h %{temp_devel_root}/arch/x86/boot/
cp -fR arch/x86/boot/*.c %{temp_devel_root}/arch/x86/boot/
# needed for arch/x86/purgatory
cp -fR lib/*.h lib/*.c %{temp_devel_root}/lib/
# drop the architectures this package never builds for
for i in alpha arc avr32 blackfin c6x cris csky frv h8300 hexagon ia64 m32r m68k m68knommu metag microblaze \
	mips mn10300 nds32 nios2 openrisc parisc powerpc riscv s390 score sh sparc tile unicore32 xtensa; do
	rm -rf %{temp_devel_root}/arch/$i
done
rm -rf %{temp_devel_root}/arch/arm*
rm -rf %{temp_devel_root}/include/kvm/arm*
rm -rf %{temp_devel_root}/include/soc

# Clean the scripts tree, and make sure everything is ok (sanity check)
# running prepare+scripts (tree was already "prepared" in build)
pushd %{temp_devel_root}
%smake V=1 -s prepare
%smake V=1 -s scripts
%smake V=1 -s clean
popd
rm -f %{temp_devel_root}/.config.old
# fix permissions
chmod -R a+rX %{temp_devel_root}
# disable mrproper in -devel rpms
patch -p1 --fuzz=0 -d %{temp_devel_root} -i %{SOURCE2}
# Create the symlinks needed by DKMS
mkdir -p %{temp_modules}/%{kver_full}
# endif build_devel
%endif

# Manage the files with debug info, provide the debug links in the
# kernel modules.
# This runs before the signing step below: stripping a module after it was
# signed would invalidate its signature.
%if %build_debug
install -m 644 vmlinux %{temp_boot}/vmlinux-%{kver_full}
kernel_debug_files=../kernel_debug_files.%{flavour}
echo "%{_bootdir}/vmlinux-%{kver_full}" >> $kernel_debug_files
# split the debug info out of every module into a sibling .ko.debug file
find %{temp_modules}/%{kver_full}/kernel \
	-name "*.ko" | \
	%kxargs -I '{}' objcopy --only-keep-debug '{}' '{}'.debug
# then strip the module and point it at that file via a debuglink
find %{temp_modules}/%{kver_full}/kernel \
	-name "*.ko" | %kxargs -I '{}' \
	sh -c 'cd `dirname {}`; \
	objcopy --add-gnu-debuglink=`basename {}`.debug \
	--strip-debug `basename {}`'
pushd %{temp_modules}
find %{kver_full}/kernel -name "*.ko.debug" > debug_module_list
popd
# the .debug files go to the debug file list and are excluded from the main one
cat %{temp_modules}/debug_module_list | \
	sed 's|\(.*\)|%{_modulesdir}/\1|' >> $kernel_debug_files
cat %{temp_modules}/debug_module_list | \
	sed 's|\(.*\)|%exclude %{_modulesdir}/\1|' \
	>> ../kernel_exclude_debug_files.%{flavour}
rm -f %{temp_modules}/debug_module_list
# endif build_debug
%endif

%if %{enhanced_security}
# scripts/sign-file.c fails to sign modules:
# "CMS routines:func(4095):not supported for this key type"
# So make a detached signature via libressl and attach it
# as a raw signature via sign-file.
# TODO: fix scripts/sign-file.c

# _libressl_sign FILE
#   Sign one kernel module in place: a detached streebog512 signature is made
#   with libressl and attached by scripts/sign-file -s as a raw signature.
#   sign-file is handed the combined key+certificate PEM as its x509 argument.
#   A missing FILE is reported and skipped with status 0.
#   NOTE(review): the silent skip means a path that does not exist never
#   fails the build here; the %install-time _verify_signature pass is what
#   catches modules without a signature trailer.
_libressl_sign(){
	if [ ! -f "$1" ]; then
		echo "No file $1"
		return 0
	fi
	f="$1"
	libressl dgst -streebog512 \
		-sign "%{certs_signing_key_priv_rnd}" "$f" \
		> "${f}.sig"
	%{src_dir}/scripts/sign-file -s "${f}.sig" streebog512 \
		"%{certs_signing_key_priv_rnd}" "$f"
	rm "${f}.sig"
	unset f
}
# export -f is a bash feature; the per-file "$SHELL" workers below depend on it
export -f _libressl_sign

# Sign every module in parallel.  Each xargs worker is a fresh shell with -e,
# so a failing _libressl_sign (or the explicit echo && exit 1) makes xargs
# return non-zero and the whole pipeline fails.
# NOTE(review): `sort -u` is fed NUL-separated paths but is not given -z, so
# it sees a single "line", de-duplicates nothing and likely appends a trailing
# newline that xargs --null then passes on as a bogus one-character path; the
# missing-file checks in both helpers absorb it.  `sort -zu` is what was meant.
# NOTE(review): xargs -I substitutes {} textually inside the quoted -c string,
# so a module path containing a quote would break the worker command; the
# paths here come from the build tree, not from user input.
find %{temp_modules}/%{kver_full}/kernel \
%if %{with uml}
	%{temp_root}/lib/modules-uml/%{kver_full} \
%endif
	-name '*.ko' -print0 | sort -u | \
	xargs --null -P "$(nproc)" -I {} "$SHELL" -e -x -c 'if ! _libressl_sign "{}"; \
	then echo Failed _libressl_sign on "{}" && exit 1; fi'
%endif

# Create the list of files for the kernel.
kernel_files=../kernel_files.%{flavour}
# NOTE(review): the file-list heredoc that feeds $kernel_files is missing in
# the copy reviewed: the line below reads as an empty `<>` redirection and is
# followed by an unmatched %endif.  Check the original spec; nothing here can
# be verified as shown.
cat > $kernel_files <> $kernel_files
%endif

# set extraversion to match srpm to get nice version reported by the tools
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile

%if %{build_perf}
%ifarch x86_64
%define perf_is_x64 1
%else
%define perf_is_x64 0
%endif
%smake -C tools/perf -s IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} NO_GTK2=1 all
%smake -C tools/perf -s prefix=%{_prefix} NO_GTK2=1 man
%endif

%if %{build_cpupower}
# make sure version-gen.sh is executable.
chmod +x tools/power/cpupower/utils/version-gen.sh
%make -C tools/power/cpupower CPUFREQ_BENCH=false
%endif

# _cleanup is presumably defined earlier in %build, outside this excerpt
_cleanup

############################################################################
%install
cd %src_dir

# We want to be able to test several times the install part
rm -rf %{buildroot}
cp -a %{temp_root} %{buildroot}

%if %{enhanced_security}
# Multithreaded verification that every kernel module
# has a signature attached to it
mkdir -p "%{certs_dir_rnd}"
# sentinel: removed by the first worker that finds a signed module
touch %{certs_verify_tmp}

# _verify_signature FILE
#   Check that FILE carries the "~Module signature appended~" trailer that
#   sign-file writes.  On success the sentinel %{certs_verify_tmp} is removed,
#   so a sentinel still present after the run means no module was checked at
#   all; on failure an error is printed and the worker exits 1.  An empty or
#   missing FILE is ignored.
#   The hexdump | rev | cut | rev | tr pipeline extracts the ASCII column of
#   hexdump -C and joins the rows so the marker can be grep'd as one string.
#   NOTE(review): this only proves a signature trailer is present, not that
#   the signature verifies against the build key; a cryptographic check with
#   the public certificate would be a stronger gate.
#   (The function body continues on the next source line.)
_verify_signature(){
	if [ -z "$1" ] || [ ! -f "$1" ]; then return; fi
	if hexdump -C "$1" | rev | cut -f 2 -d '|' | rev | tr -d '\n' | \
		grep -q '~Module signature appended~'
	then
		if [ -f %{certs_verify_tmp} ]; then
			rm -f %{certs_verify_tmp}
		fi
	else
		echo "ERROR: Module $1 has no signature attached to it!"
exit 1
fi
}
# export -f is a bash feature; the "$SHELL" workers below depend on it
export -f _verify_signature

# Run the check over every module in parallel.  `exit 1` inside a worker makes
# xargs return non-zero, which fails this pipeline.
# NOTE(review): unlike the signing pass in %build, the worker shell is started
# without -e, so only the explicit exit in _verify_signature is fatal.
# NOTE(review): `sort -u` without -z does not de-duplicate NUL-separated input;
# harmless for find's output here, but `sort -zu` is what was meant.
find %{target_modules} \
%if %{with uml}
	%{buildroot}/lib/modules-uml/%{kver_full} \
%endif
	-name '*.ko' -print0 | sort -u | \
	xargs --null -P "$(nproc)" -I {} "$SHELL" -c '_verify_signature "{}"'
# sentinel still present => no worker ever saw a signed module
if [ -f %{certs_verify_tmp} ]; then
	echo "ERROR: seems that signatures of none modules were verified!"
	exit 1
fi
rm -f %{certs_verify_tmp}
%endif

# compressing modules
# Signing and verification above operate on the uncompressed .ko; the files
# are compressed whole afterwards, so the signature trailer ends up inside
# the compressed payload.  Keep this ordering.
%if %{build_modxz}
find %{target_modules} -name "*.ko" | %kxargs xz -6e
%else
find %{target_modules} -name "*.ko" | %kxargs gzip -9
%endif

# one directory per installed kernel version; popd is on the next source line
pushd %{target_modules}
for i in *; do
	rm -f $i/build $i/source
	ln -sf /usr/src/linux-$i $i/build
	ln -sf /usr/src/linux-$i $i/source
done
# sniff, if we compressed all the modules, we change the stamp :(
# we really need the depmod -ae here
# NOTE(review): `echo $?` only prints depmod's status, it does not fail the
# build on a non-zero one; `|| exit 1` (or the shell's -e, if it is set)
# would make a depmod failure fatal instead of merely logged.
for i in *; do
	/sbin/depmod -ae -b %{buildroot} -F %{target_boot}/System.map-$i $i
	echo $?
done
# We used to create modules.description files which contained the
# description strings for the modules as shown by modinfo. These files
# are unlikely to be used right now, so create them (in case some old tool
# checks for their existence) but keep them empty.
for i in *; do
	touch $i/modules.description
done
# closes the pushd %{target_modules} from the previous source line
popd

# need to set extraversion to match srpm again to avoid rebuild
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile

%if %{build_perf}
# NOTE(review): %build invokes perf through the %smake macro; the bare `make`
# here is a style inconsistency, not a functional difference as far as this
# excerpt shows.
# perf tool binary and supporting scripts/binaries
make -C tools/perf -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install
# perf man pages (note: implicit rpm magic compresses them later)
make -C tools/perf -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install-man
%endif

%if %{build_cpupower}
make -C tools/power/cpupower DESTDIR=%{buildroot} libdir=%{_libdir} mandir=%{_mandir} CPUFREQ_BENCH=false install
# static archives and libtool files are not shipped
rm -f %{buildroot}%{_libdir}/*.{a,la}
%find_lang cpupower
mv cpupower.lang ../
chmod 0755 %{buildroot}%{_libdir}/libcpupower.so*
mkdir -p %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -m644 %{SOURCE50} %{buildroot}%{_unitdir}/cpupower.service
install -m644 %{SOURCE53} %{buildroot}%{_unitdir}/cpupower.path
install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
# NOTE(review): %{buildroot}%{_bindir} is not created by the mkdir above; this
# relies on an earlier install (perf or uml) having made it -- `install -D`
# would remove that dependency.
install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh
%endif