
# _get_email() in %%build contains bashisms for regexping
%define _buildshell /bin/bash
# Prevent RPM scripts from stripping signatures,
# we strip binaries manually in %%build
%define __strip %(which true)
%define kernelversion 5
%define patchlevel 3
# sublevel is used for stable-based kernels
%define sublevel 10
# Release number. Increase this before a rebuild.
%define rpmrel 5
%define fullrpmrel %{rpmrel}
%define rpmtag %{disttag}
# fakerel and fakever never change, they are used to fool
# rpm/urpmi/smart and ensure the kernels are installed,
# not upgraded so old kernel is not overwritten or removed
%define fakever 1
%define fakerel %mkrel 1
# version defines
%define kversion %{kernelversion}.%{patchlevel}.%{sublevel}
%define kverrel %{kversion}-%{fullrpmrel}
%define tar_ver %{kernelversion}.%{patchlevel}
%ifarch %{ix86}
# Use a standard suffix for 32-bit x86
%define arch_suffix i586
%else
%define arch_suffix %{_arch}
%endif
%define buildrpmrel %{fullrpmrel}%{rpmtag}-%{arch_suffix}
%define buildrel %{kversion}-%{buildrpmrel}
# %%build_selinux may be defined in branding-configs
%{?build_selinux}%{?!build_selinux:%bcond_with selinux}
%if %{with selinux}
%global enhanced_security 1
%else
%global enhanced_security 0
%endif
# Allow "rpmbuild --with enhanced_security <...>"
%{?_with_enhanced_security:%global enhanced_security 1}
# Kernel flavour
%if %{enhanced_security}
%define flavour nickel
%else
%define flavour nrj-desktop
%endif
# The full kernel version
%define kver_full %{kversion}-%{flavour}-%{buildrpmrel}
############################################################################
%define top_dir_name kernel-%{_arch}
%define build_dir ${RPM_BUILD_DIR}/%{top_dir_name}
%define src_dir %{build_dir}/linux-%{tar_ver}
# Common target directories
%define _bootdir /boot
%define _modulesdir /lib/modules
%define devel_root /usr/src/linux-%{kver_full}
# Directories needed for building
%define temp_root %{build_dir}/temp-root
%define temp_boot %{temp_root}%{_bootdir}
%define temp_modules %{temp_root}%{_modulesdir}
%define temp_devel_root %{temp_root}%{devel_root}
# Directories definition needed for installing
%define target_boot %{buildroot}%{_bootdir}
%define target_modules %{buildroot}%{_modulesdir}
# Manual control of creating and deleting keys
# "rnd" is "random" and means that a key pair is generated at build time
# and is not saved anywhere.
%define certs_dir_rnd %{src_dir}/certs_%{vendor}_rnd
%define certs_signing_key_rnd %{certs_dir_rnd}/signing_key.pem
%define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
%define certs_verify_tmp %{certs_dir_rnd}/verify.tmp
############################################################################
# Build defines
%define build_doc 0
%define build_devel 1
%define build_debug 1
# Build kernel-headers package
%define build_headers 1
# build perf and cpupower tools
%define build_perf 1
%define build_cpupower 1
# compress modules with xz
%define build_modxz 1
# End of user definitions
# buildtime flags
%{?_without_doc: %global build_doc 0}
%{?_without_devel: %global build_devel 0}
%{?_without_debug: %global build_debug 0}
%{?_without_perf: %global build_perf 0}
%{?_without_cpupower: %global build_cpupower 0}
%{?_without_modxz: %global build_modxz 0}
%{?_with_doc: %global build_doc 1}
%{?_with_devel: %global build_devel 1}
%{?_with_debug: %global build_debug 1}
%{?_with_perf: %global build_perf 1}
%{?_with_cpupower: %global build_cpupower 1}
%{?_with_modxz: %global build_modxz 1}
%if !%{build_debug}
# Disable debug rpms.
%define _enable_debug_packages %{nil}
%define debug_package %{nil}
%endif
%if %(if [ -z "$CC" ] ; then echo 0; else echo 1; fi)
%define kmake %make CC="$CC"
%else
%define kmake %make
%endif
# there are places where parallel make doesn't work
%define smake make
# Parallelize xargs invocations on smp machines
%define kxargs xargs %([ -z "$RPM_BUILD_NCPUS" ] \\\
&& RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"; \\\
[ "$RPM_BUILD_NCPUS" -gt 1 ] && echo "-P $RPM_BUILD_NCPUS")
#
# SRC RPM description
#
Summary: The Linux kernel
Name: kernel
Version: %{kversion}
Release: %{fullrpmrel}
License: GPLv2
Group: System/Kernel and hardware
ExclusiveArch: %{ix86} x86_64
URL: http://www.kernel.org
####################################################################
#
# Sources
#
Source0: https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/linux-%{tar_ver}.tar.xz
# This is for disabling *config, mrproper, prepare, scripts on -devel rpms
# Needed, because otherwise the -devel won't build correctly.
Source2: disable-mrproper-prepare-scripts-configs-in-devel-rpms.patch
# Kernel configuration files.
Source110: kernel-%{arch_suffix}.config
# Cpupower: the service, the config, etc.
Source50: cpupower.service
Source51: cpupower.config
Source52: cpupower-start.sh
Source53: cpupower.path
Source80: kernel.rpmlintrc
####################################################################
# Patches
# The patch to make kernel x.y.z from x.y.0.
Patch1: https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/patch-%{kversion}.xz
# Patches from mainline
# none
# ROSA-specific patches
# Perf docs are built after all the kernels. To validate the xml files
# generated during that process, xmlto tries to get DTD files from the Net.
# If it fails, the whole build fails, which is unfortunate. Let us avoid
# this.
Patch101: perf-xmlto-skip-validation.patch
# http://bugs.rosalinux.ru/show_bug.cgi?id=6235
# http://bugs.rosalinux.ru/show_bug.cgi?id=6459
Patch102: audit-make-it-less-verbose.patch
# May help when building with GCC 8+.
Patch105: perf-silence-format-warnings-gcc8.patch
# AUFS from http://aufs.sourceforge.net/
Patch109: fs-aufs.patch
####################################################################
Autoreqprov: no
BuildRequires(pre): bash
BuildRequires: bc
BuildRequires: binutils
BuildRequires: gcc
# For power tools
BuildRequires: pkgconfig(ncurses)
BuildRequires: kmod-devel kmod-compat
BuildRequires: bison
BuildRequires: flex
BuildRequires: bzip2
BuildRequires: rsync
%ifarch x86_64
BuildRequires: numa-devel
%endif
# for perf, cpufreq and all other tools
# for cpupower
%if %{build_cpupower}
BuildRequires: pciutils-devel
%endif
# for perf
%if %{build_perf}
BuildRequires: asciidoc
BuildRequires: audit-devel
BuildRequires: binutils-devel
BuildRequires: elfutils-devel
BuildRequires: libunwind-devel
BuildRequires: newt-devel
BuildRequires: perl-devel
BuildRequires: python-devel
BuildRequires: xmlto
BuildRequires: zlib-devel
BuildRequires: pkgconfig(libcrypto)
%endif
%if %{enhanced_security}
# To generate keys
BuildRequires: openssl
# To verify signatures (find, xargs, hexdump)
BuildRequires: findutils util-linux
%endif
# might be useful too:
Suggests: microcode
%description
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.
############################################################################
%package -n kernel-%{flavour}-%{buildrel}
Version: %{fakever}
Release: %{fakerel}
Provides: kernel = %{kverrel}
Provides: kernel = %{kernelversion}.%{patchlevel}
Provides: kernel-%{flavour} = %{kverrel}
Provides: alsa = 1.0.27
Provides: should-restart = system
Requires(pre): grub2
Requires(pre): dracut >= 046
Requires(pre): kmod >= 20-1
Requires(pre): sysfsutils >= 2.1.0-12
Requires: dracut >= 046
Requires: linux-firmware >= 20181026
Requires: wireless-regdb
Suggests: crda
%if %build_devel
Requires: kernel-%{flavour}-devel-%{buildrel}
Requires(post): kernel-%{flavour}-devel-%{buildrel}
%endif
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif
Summary: A general-purpose Linux Kernel
Group: System/Kernel and hardware
%description -n kernel-%{flavour}-%{buildrel}
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc. This is a general-purpose kernel.
%post -n kernel-%{flavour}-%{buildrel}
# We always regenerate initrd here, even if it already exists. This may
# happen if kernel-<...>-devel is installed first, triggers rebuild of
# DKMS modules and some of these request remaking of initrd. The initrd
# that is created then will be non-functional. But when the user installs
# kernel-<...> package, that defunct initrd will be replaced with a working
# one here.
#
# depmod is also needed, because some DKMS-modules might have been installed
# when the devel package was installed but that was before the main modules
# were installed.
# This is also the reason the devel package is in Requires(post) for this
# package now: it must be installed completely before we call depmod here.
/sbin/depmod -a %{kver_full}
/sbin/dracut -f /boot/initrd-%{kver_full}.img %{kver_full}
# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2
pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
rm -f vmlinuz-%{flavour}
fi
if [ -L initrd-%{flavour}.img ]; then
rm -f initrd-%{flavour}.img
fi
popd > /dev/null
exit 0
%preun -n kernel-%{flavour}-%{buildrel}
pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
if [ "$(readlink vmlinuz-%{flavour})" = "vmlinuz-%{kver_full}" ]; then
rm -f vmlinuz-%{flavour}
fi
fi
if [ -L initrd-%{flavour}.img ]; then
if [ "$(readlink initrd-%{flavour}.img)" = "initrd-%{kver_full}.img" ]; then
rm -f initrd-%{flavour}.img
fi
fi
# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2
popd > /dev/null
exit 0
%postun -n kernel-%{flavour}-%{buildrel}
# Post-uninstall clean-up for this one kernel build. Every path below embeds
# the full kernel version string fixed at build time, so other installed
# kernels are not touched.
# The initrd image is generated by dracut in %%post and is not part of the
# package file list, hence the manual removal; the other image names are
# removed as well in case they exist (-f keeps rm quiet when they do not).
rm -f /boot/initrd-%{kver_full}.img
rm -f /boot/initrd-%{kver_full}_old.img
rm -f /boot/initrd-%{kver_full}kdump.img
rm -f /boot/initramfs-%{kver_full}kdump.img
# Third-party modules might have left something in /lib/modules/.../kernel/.
rm -rf /lib/modules/%{kver_full}/kernel/
# The modules* glob is expanded by the shell at uninstall time.
rm -rf /lib/modules/%{kver_full}/modules*
# Remove /lib/modules/<...>/ if it is empty (-devel uses it too).
# -maxdepth 0 limits find to the directory itself; "|| true" keeps the
# scriptlet from failing when the directory is already gone.
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true
%files -n kernel-%{flavour}-%{buildrel} -f kernel_files.%{flavour}
############################################################################
%if %build_devel
%package -n kernel-%{flavour}-devel-%{buildrel}
Version: %{fakever}
Release: %{fakerel}
Summary: Development files for kernel-%{flavour}-%{buildrel}
Group: Development/Kernel
Requires: glibc-devel
Requires: ncurses-devel
Requires: make
Requires: gcc
Requires: perl
# Loading kernel modules without a valid signature is prohibited
# when building with enhanced_security (CONFIG_MODULE_SIG_FORCE),
# so DKMS is not required for that flavour.
%if ! %{enhanced_security}
Requires(post): dkms
Requires(preun): dkms
%endif
Provides: kernel-devel = %{kverrel}
Provides: kernel-%{flavour}-devel = %{kverrel}
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif
%description -n kernel-%{flavour}-devel-%{buildrel}
This package contains the kernel files (headers and build tools)
that should be enough to build additional drivers for
use with kernel-%{flavour}-%{buildrel}.
%if ! %{enhanced_security}
%post -n kernel-%{flavour}-devel-%{buildrel}
/usr/sbin/dkms_autoinstaller start %{kver_full}
%endif
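%preun -n kernel-%{flavour}-devel-%{buildrel}
%if ! %{enhanced_security}
# Uninstall every DKMS module registered for this kernel before the devel
# files go away. awk glues the first two columns of each "dkms status" line
# together, giving one "<module>,<version>," token per line; the for loop
# relies on word splitting to walk those tokens.
# NOTE(review): this assumes the comma-separated "module, version, ..."
# status layout - confirm against the dkms version shipped with the distro.
for ii in $(/usr/sbin/dkms status -k %{kver_full} | awk '{ print $1 $2; }'); do
  mod=$(printf '%s\n' "$ii" | awk -v FS=',' '{ print $1; }')
  ver=$(printf '%s\n' "$ii" | awk -v FS=',' '{ print $2; }')
  # The scriptlet runs with the package manager's privileges: never hand
  # dkms an empty or word-split module name or version.
  if [ -z "$mod" ] || [ -z "$ver" ]; then
    continue
  fi
  /usr/sbin/dkms --rpm_safe_upgrade uninstall -m "$mod" -v "$ver" -k %{kver_full} || true
done
%endif
# If any DKMS modules with REMAKE_INITRD=yes in their configs have been
# uninstalled, initrd has been regenerated for the given kernel. However,
# the kernel itself might have been uninstalled before, so that (defunct)
# initrd image files would be left behind. Remove them if the kernel itself
# is no longer installed. Should work if they are uninstalled in parallel
# too.
if ! test -f /boot/vmlinuz-%{kver_full}; then
  rm -f /boot/initrd-%{kver_full}.img
  rm -f /boot/initrd-%{kver_full}_old.img
fi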
%postun -n kernel-%{flavour}-devel-%{buildrel}
# Post-uninstall clean-up for the devel package: remove whatever is left of
# the source tree for this kernel version (module builds may have written
# files there that RPM does not own).
rm -rf /usr/src/linux-%{kver_full} >/dev/null
# depmod (called when removing DKMS modules) might have created files in
# /lib/modules/.../. Remove these first.
rm -rf /lib/modules/%{kver_full}/modules*
# Remove the dir if it is already empty.
# -maxdepth 0 limits find to the directory itself; "|| true" keeps the
# scriptlet from failing when the directory no longer exists.
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true
%files -n kernel-%{flavour}-devel-%{buildrel}
%dir %{devel_root}
%dir %{devel_root}/arch
%dir %{devel_root}/include
%{devel_root}/Documentation
%{devel_root}/arch/um
%{devel_root}/arch/x86
%{devel_root}/block
%{devel_root}/certs
%{devel_root}/crypto
%{devel_root}/drivers
%{devel_root}/fs
%{devel_root}/include/Kbuild
%{devel_root}/include/acpi
%{devel_root}/include/asm-generic
%{devel_root}/include/clocksource
%{devel_root}/include/config
%{devel_root}/include/crypto
%{devel_root}/include/drm
%{devel_root}/include/dt-bindings
%{devel_root}/include/generated
%{devel_root}/include/keys
%{devel_root}/include/kvm
%{devel_root}/include/linux
%{devel_root}/include/math-emu
%{devel_root}/include/media
%{devel_root}/include/misc
%{devel_root}/include/net
%{devel_root}/include/pcmcia
%{devel_root}/include/ras
%{devel_root}/include/rdma
%{devel_root}/include/scsi
%{devel_root}/include/sound
%{devel_root}/include/target
%{devel_root}/include/trace
%{devel_root}/include/uapi
%{devel_root}/include/vdso
%{devel_root}/include/video
%{devel_root}/include/xen
%{devel_root}/init
%{devel_root}/ipc
%{devel_root}/kernel
%{devel_root}/lib
%{devel_root}/mm
%{devel_root}/net
%{devel_root}/samples
%{devel_root}/scripts
%{devel_root}/security
%{devel_root}/sound
%{devel_root}/tools
%{devel_root}/usr
%{devel_root}/virt
%{devel_root}/.config
%{devel_root}/Kbuild
%{devel_root}/Kconfig
%{devel_root}/Makefile
%{devel_root}/Module.symvers
%{devel_root}/arch/Kconfig
%{_modulesdir}/%{kver_full}/build
%{_modulesdir}/%{kver_full}/source
%endif
############################################################################
%if %build_debug
%package -n kernel-%{flavour}-%{buildrel}-debuginfo
Version: %{fakever}
Release: %{fakerel}
Summary: Debuginfo for kernel-%{flavour}-%{buildrel}
Group: Development/Debug
Provides: kernel-debug = %{kverrel}
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif
%description -n kernel-%{flavour}-%{buildrel}-debuginfo
This package contains the files with debuginfo for kernel-%{flavour}-%{buildrel}.
%files -n kernel-%{flavour}-%{buildrel}-debuginfo -f kernel_debug_files.%{flavour}
%endif
############################################################################
%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Meta package for the latest kernel-%{flavour} in %{kernelversion}.%{patchlevel} series
Group: System/Kernel and hardware
Requires: kernel-%{flavour}-%{buildrel}
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif
%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the
latest kernel-%{flavour} %{kernelversion}.%{patchlevel}.x installed.
%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files
############################################################################
%if %build_devel
%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Meta package for the latest kernel-%{flavour}-devel in %{kernelversion}.%{patchlevel} series
Group: Development/Kernel
Requires: kernel-%{flavour}-devel-%{buildrel}
%ifarch %{ix86}
Conflicts: arch(x86_64)
%endif
Provides: kernel-devel-latest
%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
This meta package aims to make sure you always have the
latest kernel-%{flavour}-devel %{kernelversion}.%{patchlevel}.x installed.
%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
# no files
%endif
############################################################################
%if %build_doc
%package -n kernel-doc
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Various documentation bits found in the kernel source
Group: Documentation
Buildarch: noarch
%description -n kernel-doc
This package contains documentation files from the kernel source.
%files -n kernel-doc
%doc linux-%{tar_ver}/Documentation/*
%endif
############################################################################
%if %{build_perf}
%package -n perf
Version: %{kversion}
Release: %{fullrpmrel}
Summary: perf tool and the supporting documentation
Group: System/Kernel and hardware
%description -n perf
The package contains perf tool and the supporting documentation.
%files -n perf
%{_bindir}/perf
%ifarch x86_64
%{_bindir}/perf-read-vdso32
%endif
%{_bindir}/trace
%dir %{_prefix}/libexec/perf-core
%dir %{_libdir}/traceevent
%dir %{_libdir}/traceevent/plugins
%{_libdir}/traceevent/plugins/*
%{_prefix}/libexec/perf-core/*
%{_mandir}/man[1-8]/perf*
%{_sysconfdir}/bash_completion.d/perf
%{_datadir}/perf-core/strace/groups/*
%{_datadir}/doc/perf-tip/*.txt
/usr/lib/perf/examples/bpf/*
/usr/lib/perf/include/bpf/*
%endif
############################################################################
%if %{build_cpupower}
%package -n cpupower
Version: %{kversion}
Release: %{fullrpmrel}
Summary: The cpupower tools
Group: System/Kernel and hardware
Requires(post): rpm-helper >= 0.24.0-3
Requires(preun): rpm-helper >= 0.24.0-3
Obsoletes: cpufreq < 3.0
Obsoletes: cpufrequtils < 10.0
%description -n cpupower
The cpupower tools.
%post -n cpupower
if [ $1 -ge 0 ]; then
# Do not enable/disable cpupower.service directly, because it should start
# when cpupower.path triggers it.
/bin/systemctl enable cpupower.path >/dev/null 2>&1 || :
/bin/systemctl start cpupower.path >/dev/null 2>&1 || :
fi
%preun -n cpupower
if [ $1 -eq 0 ]; then
/bin/systemctl --no-reload disable cpupower.path > /dev/null 2>&1 || :
/bin/systemctl stop cpupower.path > /dev/null 2>&1 || :
fi
%files -n cpupower -f cpupower.lang
%{_bindir}/cpupower
%{_bindir}/cpupower-start.sh
%{_libdir}/libcpupower.so.0
%{_libdir}/libcpupower.so.0.0.1
%{_unitdir}/cpupower.service
%{_unitdir}/cpupower.path
%{_datadir}/bash-completion/completions/cpupower
%{_mandir}/man[1-8]/cpupower*
%config(noreplace) %{_sysconfdir}/sysconfig/cpupower
############################################################################
%package -n cpupower-devel
Version: %{kversion}
Release: %{fullrpmrel}
Summary: Development files for cpupower
Group: Development/Kernel
Requires: cpupower = %{kversion}-%{fullrpmrel}
Conflicts: %{_lib}cpufreq-devel
%description -n cpupower-devel
This package contains the development files for cpupower.
%files -n cpupower-devel
%{_libdir}/libcpupower.so
%{_includedir}/cpufreq.h
%endif
############################################################################
%if %{build_headers}
%package headers
Version: %kversion
Release: %fullrpmrel
Summary: Linux kernel header files mostly used by your C library
Group: System/Kernel and hardware
Epoch: 1
%rename linux-userspace-headers
%description headers
C header files from the Linux kernel. The header files define
structures and constants that are needed for building most
standard programs, notably the C library.
This package is not suitable for building kernel modules, you
should use the 'kernel-devel' package instead.
%files headers
%_includedir/*
# Don't conflict with cpupower-devel
%if %{build_cpupower}
%exclude %_includedir/cpufreq.h
%endif
%endif
############################################################################
%prep
%setup -q -n %top_dir_name -c
cd %src_dir
%apply_patches
#
# Setup Begin
#
# Kernel configuration
echo "Creating the kernel configuration file."
# Configs
cp %{SOURCE110} .config
# NOTE(review): the three %%ifarch blocks below are keyed on the architecture
# only, not on the flavour, so they also apply to 32-bit builds made with
# enhanced_security: those kernels are configured without kernel base
# randomization, without the W+X mapping check and without the stack
# protector. Each sed is a no-op when the option is not "=y" in the shipped
# config.
# Disable ASLR for 32-bit systems because it does not play well with
# hibernate.
%ifarch %{ix86}
sed -i 's/CONFIG_RANDOMIZE_BASE=y/# CONFIG_RANDOMIZE_BASE is not set/' .config
%endif
# Disable checking for W+X memory mappings for 32-bit systems. The warnings
# may confuse the users and no one is eager to fix the underlying problem,
# it seems.
%ifarch %{ix86}
sed -i 's/CONFIG_DEBUG_WX=y/# CONFIG_DEBUG_WX is not set/' .config
%endif
# GCC 5.5 may not support -fstack-protector-* on 32-bit systems.
# Let us disable the stack protector in the config explicitly.
%ifarch %{ix86}
sed -i 's/CONFIG_STACKPROTECTOR=y/# CONFIG_STACKPROTECTOR is not set/' .config
sed -i 's/CONFIG_STACKPROTECTOR_STRONG=y/# CONFIG_STACKPROTECTOR_STRONG is not set/' .config
%endif
# Enable debug info if requested.
%if %build_debug
sed -i 's/# CONFIG_DEBUG_INFO is not set/CONFIG_DEBUG_INFO=y\nCONFIG_DEBUG_INFO_DWARF4=y\nCONFIG_GDB_SCRIPTS=y/' .config
%endif
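%if %{enhanced_security}
# Config overrides for the enhanced_security flavour. Each option is first
# deleted from .config and then appended with the wanted value; the later
# 'make oldconfig' run normalises the file.
### SELinux enablement
# seems to be needed to boot system in enforcing selinux mode
# note: cpio format of initramfs does not support xattrs without patches
# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
# NOTE(review): this option allows SELinux to be switched off at run time
# before a policy is loaded, which sits oddly with a hardened flavour -
# re-check whether it is still required.
sed -i '/CONFIG_SECURITY_SELINUX_DISABLE/d' .config
echo CONFIG_SECURITY_SELINUX_DISABLE=y >> .config
# enable selinux in kernel by default if not disabled explicitly
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> .config
### Signing kernel modules
# https://www.kernel.org/doc/html/v5.3/admin-guide/module-signing.html
# The pattern is a substring match, so this drops every CONFIG_MODULE_SIG*
# line (hash choice, key path, ...) before the wanted values are appended.
sed -i '/CONFIG_MODULE_SIG/d' .config
echo CONFIG_MODULE_SIG=y >> .config
# Disallow loading not signed modules
echo CONFIG_MODULE_SIG_FORCE=y >> .config
# Do not sign all built modules automatically because we strip
# and sign them later, otherwise signatures will be stripped
echo CONFIG_MODULE_SIG_ALL=n >> .config
# Use SHA-512 algo
echo CONFIG_MODULE_SIG_SHA512=y >> .config
# Set path to the key that will be generated later by openssl.
# String symbols are read from .config only in double-quoted form; an
# unquoted value is dropped and the default key path would be used instead
# of the build-time key. The outer quotes are for the shell (which still
# expands ${RPM_BUILD_DIR} inside the path), the escaped inner ones end up
# in .config.
echo "CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_rnd}\"" >> .config
# Memory wiping
# Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef
# Estimated performance impact is described in the commit
# "Fill newly allocated pages and heap objects with zeroes."
# To enable, add to cmdline: init_on_alloc=1
#sed -i '/CONFIG_INIT_ON_ALLOC_DEFAULT_ON/d' .config
#echo CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y >> .config
# "Fill freed pages and heap objects with zeroes"
# To disable, add to cmdline: init_on_free=0
sed -i '/CONFIG_INIT_ON_FREE_DEFAULT_ON/d' .config
echo CONFIG_INIT_ON_FREE_DEFAULT_ON=y >> .config
# Enabling just one of init_on_free and init_on_alloc makes sense here;
# init_on_alloc is not about protecting information.
%endif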
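# Store the config file in the appropriate directory.
# The edited .config is normalised with 'make oldconfig' and then kept as
# a per-flavour defconfig that %%build copies back.
CONFIG_DIR=arch/x86/configs
mkdir -p "${CONFIG_DIR}"
cfg_file="${CONFIG_DIR}/%{arch_suffix}_defconfig-%{flavour}"
# Stop right here when oldconfig fails: in a "make && mv" list a failing
# make is not fatal even under "sh -e", and the script would go on to
# report a config file that was never created.
if ! make ARCH=%{_arch} oldconfig; then
  echo "ERROR: 'make oldconfig' failed, no kernel config was produced." >&2
  exit 1
fi
mv .config "${cfg_file}"
# Looks like 'make oldconfig' removes '# CONFIG_64BIT is not set' for some
# reason. For now, let us restore it.
%ifarch %{ix86}
sed -i 's/CONFIG_64BIT=y//' "${cfg_file}"
echo '# CONFIG_64BIT is not set' >> "${cfg_file}"
%endif
echo "Created ${cfg_file}."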
# make sure the kernel has the sublevel we know it has...
LC_ALL=C sed -ri "s/^SUBLEVEL.*/SUBLEVEL = %{sublevel}/" Makefile
# get rid of unwanted files
find . -name '*~' -o -name '*.orig' -o -name '*.append' | %kxargs rm -f
find . -name '.get_maintainer.ignore' | %kxargs rm -f
############################################################################
%build
# Ensure that build time generated private keys don't get published
# as e.g. "RPM build root" on ABF!
# Note that ABF sends SIGKILL to rpm-build.sh when the build is terminated;
# in this case trap will not work, but RPM build root also will not be
# saved because rpm-build.sh saves it, but it is SIGKILLed.
# For best security we could store private keys in RAM (not reachable from
# filesystem, so not in /tmp!) and override sth like fopen() by LD_PRELOAD
# to give the content of keys from RAM when a virtual address of a key file
# is accessed, but currently I don't know how to implement this (TODO: ).
#
# _cleanup: delete the directory that holds the build-time signing key, its
# openssl config and the verification sentinel. Takes no arguments.
# -f keeps rm quiet when the directory was never created (the function and
# the trap are set up whether or not enhanced_security is on); -v lists the
# removed paths in the build log.
# NOTE(review): rm only unlinks the files, it does not overwrite the key
# material on disk.
_cleanup(){
rm -fvr "%{certs_dir_rnd}"
}
# Make a trap to delete keys even if %%build fails in the middle
# (_cleanup is also called explicitly at the end of %%build).
trap "_cleanup" EXIT
rm -rf %{temp_root}
install -d %{temp_root}
cd %src_dir
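### Keys for signing kernel modules
# Keys can be generated both manually and automatically,
# let's generate them by ourselves to take full control of the process
# https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html
%if %{enhanced_security}
mkdir -p "%{certs_dir_rnd}"
# The private key is written below without a passphrase (-nodes), so keep
# the directory closed to other accounts on the build host while it exists.
chmod 0700 "%{certs_dir_rnd}"
# On ABF, %%packager == $username <$email>
# Try to extract email from %%packager if it is set.
# Outputs: the address for the certificate's emailAddress field on stdout;
#          'rpmbuild@rosa.unknown' when no valid address can be derived.
# NOTE(review): the packager macro is pasted into quoted shell strings at
# spec-expansion time, so a value containing a quote character would end the
# quoting early - confirm that the build service restricts what it may hold.
# NOTE(review): the regex accepts '$' in the local part, and openssl config
# values treat '$' as the start of a variable reference - verify.
_get_email(){
  local temp=
  # Check that macro %%packager was set and is not empty
  if echo '%{packager}' | grep -q 'packager}$' || [ -z "%{packager}" ]; then
    # If was not set or is empty, use default email
    echo 'rpmbuild@rosa.unknown' && return
  fi
  # Otherwise try to extract email from 'name <email>' or sth else:
  # lower-case, one word per line, drop the angle brackets, keep the first
  # word that looks like an address.
  temp="$(echo '%{packager}' | tr '[:upper:]' '[:lower:]' | tr ' ' '\n' | tr -d '<>' | grep -E '@.*\..*' | head -n 1)"
  # Validate that what we have now is a valid email
  # https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733
  # Note that we set %%_buildshell to /bin/bash to guarantee the work of this bashism
  regex_email="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$"
  if [[ "$temp" =~ ${regex_email} ]]; then
    # If it is, use it
    echo "$temp" && return
  else
    # Otherwise use default email
    echo 'rpmbuild@rosa.unknown' && return
  fi
  # If script above has not return'ed for any reason,
  # e.g. because of non-bash shell being not able to
  # process regexp, use default email
  echo 'rpmbuild@rosa.unknown'
}
email="$(_get_email)"
# Write the openssl request config. Only ${email} is expanded by the shell
# here; the rest is fixed at spec-expansion time.
# NOTE(review): 'days' is not among the documented [ req ] keys, so openssl
# most likely ignores it and applies its default validity period; if the
# long lifetime is intended, pass it with -days on the command line.
cat <<EOF > "%{certs_key_config_rnd}"
[ req ]
# https://github.com/openssl/openssl/issues/3536
prompt = no
default_bits = 4096
default_md = sha512
days = 109500
default_keyfile = %{certs_signing_key_rnd}
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
organizationName = %{vendor} rpmbuild
commonName = Build time autogenerated kernel key
emailAddress = ${email}
EOF
# Log the request config (it holds no key material).
cat "%{certs_key_config_rnd}"
# Self-signed certificate and unencrypted private key go into one PEM file:
# -out and -keyout name the same path.
openssl req -new -nodes -utf8 -batch -x509 \
  -config "%{certs_key_config_rnd}" \
  -outform PEM \
  -out "%{certs_signing_key_rnd}" \
  -keyout "%{certs_signing_key_rnd}"
%endif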
# .config
%smake -s mrproper
cp arch/x86/configs/%{arch_suffix}_defconfig-%{flavour} .config
# make sure EXTRAVERSION says what we want it to say
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{flavour}-%{buildrpmrel}/" Makefile
# build the kernel
echo "Building kernel %{kver_full}"
%kmake -s all
# Start installing stuff
install -d %{temp_boot}
install -m 644 System.map %{temp_boot}/System.map-%{kver_full}
install -m 644 .config %{temp_boot}/config-%{kver_full}
xz -c Module.symvers > %{temp_boot}/symvers-%{kver_full}.xz
cp -f arch/x86/boot/bzImage %{temp_boot}/vmlinuz-%{kver_full}
# modules
install -d %{temp_modules}/%{kver_full}
%smake INSTALL_MOD_PATH=%{temp_root} KERNELRELEASE=%{kver_full} modules_install
# headers
%if %{build_headers}
%make INSTALL_HDR_PATH=%{temp_root}%{_prefix} KERNELRELEASE=%{kver_full} headers_install
find %{temp_root}%{_prefix} -name .install -or -name ..install.cmd | %kxargs rm -f
%endif
# remove /lib/firmware, we use a separate linux-firmware package
rm -rf %{temp_root}/lib/firmware
# Prepare the files for kernel*-devel
%if %build_devel
mkdir -p %{temp_devel_root}
for i in $(find . -name 'Makefile*'); do cp -R --parents $i %{temp_devel_root}; done
for i in $(find . -name 'Kconfig*' -o -name 'Kbuild*'); do cp -R --parents $i %{temp_devel_root}; done
cp -fR include %{temp_devel_root}
cp -fR scripts %{temp_devel_root}
cp -fR kernel/bounds.c %{temp_devel_root}/kernel
cp -fR kernel/time/timeconst.bc %{temp_devel_root}/kernel/time
cp -fR tools %{temp_devel_root}/
cp -fR arch/x86/kernel/asm-offsets.{c,s} %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/kernel/asm-offsets_{32,64}.c %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/purgatory/* %{temp_devel_root}/arch/x86/purgatory/
cp -fR arch/x86/entry/syscalls/syscall* %{temp_devel_root}/arch/x86/entry/syscalls/
cp -fR arch/x86/include %{temp_devel_root}/arch/x86/
cp -fR arch/x86/tools %{temp_devel_root}/arch/x86/
cp -fR .config Module.symvers %{temp_devel_root}
# Needed for truecrypt build (Danny)
cp -fR drivers/md/dm.h %{temp_devel_root}/drivers/md/
# Needed for lirc_gpio (#39004)
cp -fR drivers/media/pci/bt8xx/bttv{,p}.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/pci/bt8xx/bt848.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/common/btcx-risc.h %{temp_devel_root}/drivers/media/common/
# add acpica header files, needed for fglrx build
cp -fR drivers/acpi/acpica/*.h %{temp_devel_root}/drivers/acpi/acpica/
# aufs2 has a special file needed
cp -fR fs/aufs/magic.mk %{temp_devel_root}/fs/aufs
# SELinux needs security/selinux/include
cp -fR security/selinux/include %{temp_devel_root}/security/selinux
# needed for kexec
cp -fR arch/x86/boot/*.h %{temp_devel_root}/arch/x86/boot/
cp -fR arch/x86/boot/*.c %{temp_devel_root}/arch/x86/boot/
# needed for arch/x86/purgatory
cp -fR lib/*.h lib/*.c %{temp_devel_root}/lib/
for i in alpha arc avr32 blackfin c6x cris csky frv h8300 hexagon ia64 m32r m68k m68knommu metag microblaze \
mips mn10300 nds32 nios2 openrisc parisc powerpc riscv s390 score sh sparc tile unicore32 xtensa; do
rm -rf %{temp_devel_root}/arch/$i
done
rm -rf %{temp_devel_root}/arch/arm*
rm -rf %{temp_devel_root}/include/kvm/arm*
rm -rf %{temp_devel_root}/include/soc
# Clean the scripts tree, and make sure everything is ok (sanity check)
# running prepare+scripts (tree was already "prepared" in build)
pushd %{temp_devel_root} >/dev/null
%smake -s prepare scripts
%smake -s clean
popd >/dev/null
rm -f %{temp_devel_root}/.config.old
# fix permissions
chmod -R a+rX %{temp_devel_root}
# disable mrproper in -devel rpms
patch -p1 --fuzz=0 -d %{temp_devel_root} -i %{SOURCE2}
# Create the symlinks needed by DKMS
mkdir -p %{temp_modules}/%{kver_full}
# endif build_devel
%endif
# Manage the files with debug info, provide the debug links in the
# kernel modules.
%if %build_debug
install -m 644 vmlinux %{temp_boot}/vmlinux-%{kver_full}
kernel_debug_files=../kernel_debug_files.%{flavour}
echo "%{_bootdir}/vmlinux-%{kver_full}" >> $kernel_debug_files
find %{temp_modules}/%{kver_full}/kernel \
-name "*.ko" | \
%kxargs -I '{}' objcopy --only-keep-debug '{}' '{}'.debug
find %{temp_modules}/%{kver_full}/kernel \
-name "*.ko" | %kxargs -I '{}' \
sh -c 'cd `dirname {}`; \
objcopy --add-gnu-debuglink=`basename {}`.debug \
--strip-debug `basename {}`'
pushd %{temp_modules}
find %{kver_full}/kernel -name "*.ko.debug" > debug_module_list
popd
cat %{temp_modules}/debug_module_list | \
sed 's|\(.*\)|%{_modulesdir}/\1|' >> $kernel_debug_files
cat %{temp_modules}/debug_module_list | \
sed 's|\(.*\)|%exclude %{_modulesdir}/\1|' \
>> ../kernel_exclude_debug_files.%{flavour}
rm -f %{temp_modules}/debug_module_list
# endif build_debug
%endif
%if %{enhanced_security}
# Sign modules (after stripping)
# scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
# Ordering matters: the debug-info step above runs objcopy --strip-debug on
# the modules, so signing has to come after it; compression happens only
# later, in %%install. rpm's own strip pass is neutralised by the __strip
# override at the top of the spec.
# The same PEM file is given as <key> and as <x509> because openssl wrote
# both the private key and the certificate into it. No <dest> is given.
# A failing sign-file run shows up as a non-zero xargs status, i.e. as the
# status of the whole pipeline.
find %{temp_modules}/%{kver_full}/kernel -name '*.ko' | sort -u | \
%kxargs -I '{}' \
%{src_dir}/scripts/sign-file \
sha512 \
%{certs_signing_key_rnd} \
%{certs_signing_key_rnd} \
'{}'
%endif
# Create the list of files for the kernel.
kernel_files=../kernel_files.%{flavour}
cat > $kernel_files <<EOF
%{_bootdir}/System.map-%{kver_full}
%{_bootdir}/symvers-%{kver_full}.xz
%{_bootdir}/config-%{kver_full}
%{_bootdir}/vmlinuz-%{kver_full}
%{_modulesdir}/%{kver_full}/kernel
%{_modulesdir}/%{kver_full}/modules.*
EOF
%if %build_debug
cat ../kernel_exclude_debug_files.%{flavour} >> $kernel_files
%endif
# set extraversion to match srpm to get nice version reported by the tools
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile
%if %{build_perf}
%ifarch x86_64
%define perf_is_x64 1
%else
%define perf_is_x64 0
%endif
%smake -C tools/perf -s IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} NO_GTK2=1 all
%smake -C tools/perf -s prefix=%{_prefix} NO_GTK2=1 man
%endif
%if %{build_cpupower}
# make sure version-gen.sh is executable.
chmod +x tools/power/cpupower/utils/version-gen.sh
%make -C tools/power/cpupower CPUFREQ_BENCH=false
%endif
_cleanup
############################################################################
%install
cd %src_dir
# We want to be able to test several times the install part
rm -rf %{buildroot}
cp -a %{temp_root} %{buildroot}
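%if %{enhanced_security}
# Multithreaded check that every kernel module has a signature attached
# to it. This is a presence check only: it proves that the signature marker
# was appended, not that the signature validates against the key built into
# the kernel.
# The sentinel file created here is removed by the first module that passes;
# if it still exists afterwards, not a single module was checked.
mkdir -p "%{certs_dir_rnd}"
touch %{certs_verify_tmp}
# Arguments: $1 - path of one module file.
# Returns silently for an empty or non-existent path; exits 1 (inside the
# child shell started by xargs) when the marker is missing.
_verify_signature(){
  if [ -z "$1" ] || [ ! -f "$1" ]; then return; fi
  # A signed module ends with the marker text plus a newline (28 bytes), so
  # look at the tail of the file instead of searching the whole file.
  if tail -c 28 -- "$1" | LC_ALL=C grep -qF '~Module signature appended~'
  then
    rm -f %{certs_verify_tmp}
  else
    echo "ERROR: Module $1 has no signature attached to it!"
    exit 1
  fi
}
export -f _verify_signature
# sort -z keeps the NUL-separated list intact (plain sort would treat it as
# one line). The module path is handed over as a positional argument rather
# than spliced into the command string, and the child is the build shell
# because exported functions are a bash feature that $SHELL may not have.
# A failing child makes xargs, and with it the pipeline, return non-zero.
find %{target_modules} -name '*.ko' -print0 | sort -zu | \
  xargs --null -P "$(nproc)" -I {} %{_buildshell} -c '_verify_signature "$1"' _ {}
if [ -f %{certs_verify_tmp} ]; then
  echo "ERROR: seems that signatures of none modules were verified!"
  exit 1
fi
rm -f %{certs_verify_tmp}
%endif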
# compressing modules
%if %{build_modxz}
find %{target_modules} -name "*.ko" | %kxargs xz -6e
%else
find %{target_modules} -name "*.ko" | %kxargs gzip -9
%endif
pushd %{target_modules}
for i in *; do
rm -f $i/build $i/source
ln -sf /usr/src/linux-$i $i/build
ln -sf /usr/src/linux-$i $i/source
done
# sniff, if we compressed all the modules, we change the stamp :(
# we really need the depmod -ae here
for i in *; do
/sbin/depmod -ae -b %{buildroot} -F %{target_boot}/System.map-$i $i
echo $?
done
# We used to create modules.description files which contained the
# description strings for the modules as shown by modinfo. These files
# are unlikely to be used right now, so create them (in case some old tool
# checks for their existence) but keep them empty.
for i in *; do
touch $i/modules.description
done
popd
# need to set extraversion to match srpm again to avoid rebuild
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile
%if %{build_perf}
# perf tool binary and supporting scripts/binaries
make -C tools/perf -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install
# perf man pages (note: implicit rpm magic compresses them later)
make -C tools/perf -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install-man
%endif
%if %{build_cpupower}
make -C tools/power/cpupower DESTDIR=%{buildroot} libdir=%{_libdir} mandir=%{_mandir} CPUFREQ_BENCH=false install
rm -f %{buildroot}%{_libdir}/*.{a,la}
%find_lang cpupower
mv cpupower.lang ../
chmod 0755 %{buildroot}%{_libdir}/libcpupower.so*
mkdir -p %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -m644 %{SOURCE50} %{buildroot}%{_unitdir}/cpupower.service
install -m644 %{SOURCE53} %{buildroot}%{_unitdir}/cpupower.path
install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh
%endif