kernel-6.1/kernel.spec

# _get_email() in %%build contains bashisms for regexping
%define _buildshell /bin/bash

# Prevent RPM scripts from stripping signatures,
# we strip binaries manually in %%build
%define __strip %(which true)

%define kernelversion	5
%define patchlevel	4
# sublevel is used for stable-based kernels
%define sublevel	40

# Release number. Increase this before a rebuild.
%define rpmrel		1
%define fullrpmrel	%{rpmrel}

%define rpmtag		%{disttag}

# fakerel and fakever never change, they are used to fool
# rpm/urpmi/smart and ensure the kernels are installed,
# not upgraded so old kernel is not overwritten or removed
%define fakever		1
%define fakerel 	%mkrel 1

# version defines
%define kversion  	%{kernelversion}.%{patchlevel}.%{sublevel}
%define kverrel   	%{kversion}-%{fullrpmrel}
%define tar_ver   	%{kernelversion}.%{patchlevel}

%ifarch %{ix86}
# Use a standard suffix for 32-bit x86
%define arch_suffix	i586
%else
%define arch_suffix	%{_arch}
%endif

%define buildrpmrel     %{fullrpmrel}%{rpmtag}-%{arch_suffix}
%define buildrel     	%{kversion}-%{buildrpmrel}

# %%build_selinux may be defined in branding-configs
#%%{?build_selinux}%{?!build_selinux:%bcond_with selinux}
#%%if %{with selinux}
%global enhanced_security 1
#%%else
#%%global enhanced_security 0
#%%endif
# Allow "rpmbuild --without enhanced_security <...>"
%{?_without_enhanced_security:%global enhanced_security 0}

%if %{enhanced_security}
%bcond_without additional_keys
%bcond_with oblig_signed_modules
%endif
# User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
%bcond_without uml

# "Nickel" is a special brand for certified distros
# gost_sign will probably be enabled outside of Nickel later,
# but for now let's better do not make such experiments in stable platforms
%if %{mdvver} == 201900 || %{mdvver} == 201905
%bcond_without nickel
%bcond_without gost_sign
%else
%bcond_with nickel
%bcond_with gost_sign
%endif

# Kernel flavour
%if %{with nickel}
%define flavour		nickel
%else
%define flavour		generic
%endif

# The full kernel version
%define kver_full	%{kversion}-%{flavour}-%{buildrpmrel}
############################################################################

%define top_dir_name 	kernel-%{_arch}
%define build_dir 	${RPM_BUILD_DIR}/%{top_dir_name}
%define src_dir 	%{build_dir}/linux-%{tar_ver}

# Common target directories
%define _bootdir	/boot
%define _modulesdir	/lib/modules

%define devel_root	/usr/src/linux-%{kver_full}

# Directories needed for building
%define temp_root	%{build_dir}/temp-root
%define temp_boot	%{temp_root}%{_bootdir}
%define temp_modules	%{temp_root}%{_modulesdir}
%define temp_devel_root	%{temp_root}%{devel_root}

# Directories definition needed for installing
%define target_boot	%{buildroot}%{_bootdir}
%define target_modules	%{buildroot}%{_modulesdir}

# Manual control of creating and deleting keys
# "rnd" is "random" and means that a key pair is generated at build time
# and is not saved anywhere.
%define certs_dir_rnd certs
%define certs_signing_key_priv_rnd %{certs_dir_rnd}/signing_key_priv.key
%define certs_signing_der %{certs_dir_rnd}/signing_key.x509
%define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
%define certs_public_keys %{certs_dir_rnd}/public.pem
%define certs_verify_tmp %{certs_dir_rnd}/verify.tmp
############################################################################

# Build defines
%define build_doc 		0
%define build_devel 		1
%define build_debug		1

# Build kernel-headers package
# Make headers of this kernel not default for rosa2016.1
%if %{mdvver} <= 201610
%define build_headers 0
%else
%define build_headers 1
%endif

# build perf and cpupower tools
%define build_perf		1
%define build_cpupower		1

# compress modules with xz
%define build_modxz		1
# End of user definitions

# buildtime flags
%{?_without_doc: %global build_doc 0}
%{?_without_devel: %global build_devel 0}
%{?_without_debug: %global build_debug 0}
%{?_without_perf: %global build_perf 0}
%{?_without_cpupower: %global build_cpupower 0}
%{?_without_modxz: %global build_modxz 0}

%{?_with_doc: %global build_doc 1}
%{?_with_devel: %global build_devel 1}
%{?_with_debug: %global build_debug 1}
%{?_with_perf: %global build_perf 1}
%{?_with_cpupower: %global build_cpupower 1}
%{?_with_modxz: %global build_modxz 1}

%if !%{build_debug}
# Disable debug rpms.
%define _enable_debug_packages 	%{nil}
%define debug_package 		%{nil}
%endif

%if %(if [ -z "$CC" ] ; then echo 0; else echo 1; fi)
%define kmake %make CC="$CC"
%else
%define kmake %make
%endif
# there are places where parallel make don't work
%define smake make

# Parallelize xargs invocations on smp machines
%define kxargs xargs %([ -z "$RPM_BUILD_NCPUS" ] \\\
	&& RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"; \\\
	[ "$RPM_BUILD_NCPUS" -gt 1 ] && echo "-P $RPM_BUILD_NCPUS")

#
# SRC RPM description
#
Summary: 	The Linux kernel
Name:		kernel
Version: 	%{kversion}
Release: 	%{fullrpmrel}
License: 	GPLv2
Group: 	 	System/Kernel and hardware
ExclusiveArch: %{ix86} x86_64
URL:            http://www.kernel.org

####################################################################
#
# Sources
#
Source0: 	https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/linux-%{tar_ver}.tar.xz

# This is for disabling *config, mrproper, prepare, scripts on -devel rpms
# Needed, because otherwise the -devel won't build correctly.
Source2: 	disable-mrproper-prepare-scripts-configs-in-devel-rpms.patch

# Kernel configuration files.
Source110:	kernel-%{arch_suffix}.config

# Cpupower: the service, the config, etc.
Source50:	cpupower.service
Source51:	cpupower.config
Source52:	cpupower-start.sh
Source53:	cpupower.path

Source80:	kernel.rpmlintrc

# Additional keys that can be used to sign kernel modules
# Generated by https://abf.io/soft/kernel-keys
# Source201..206: public_key_GOST_*.pem
%{expand:%(for i in `seq 1 6`; do echo "Source$((200+${i})): public_key_GOST_${i}.pem"; done)}
# Source207..212: public_key_RSA_*.pem
%{expand:%(for i in `seq 7 12`; do echo "Source$((200+${i})): public_key_RSA_${i}.pem"; done)}

####################################################################

# Patches

# The patch to make kernel x.y.z from x.y.0.
Patch1:   	https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/patch-%{kversion}.xz

# Patches from mainline
# none

# ROSA-specific patches

# Perf docs are built after all the kernels. To validate the xml files
# generated during that process, xmlto tries to get DTD files from the Net.
# If it fails, the whole build fails, which is unfortunate. Let us avoid
# this.
Patch101:	perf-xmlto-skip-validation.patch

# http://bugs.rosalinux.ru/show_bug.cgi?id=6235
# http://bugs.rosalinux.ru/show_bug.cgi?id=6459
Patch102:	audit-make-it-less-verbose.patch

# AUFS from http://aufs.sourceforge.net/
Patch109:	fs-aufs.patch

# AltHa LSM Module
# https://www.altlinux.org/AltHa
# http://git.altlinux.org/gears/k/kernel-image-un-def.git
# TODO: known problem: https://bugzilla.altlinux.org/show_bug.cgi?id=38225
Patch201:	0001-AltHa-LSM-module.patch
Patch202:	0002-Documentation-for-AltHa-LSM.patch

# Other patches
Patch301:	objtool-sync-check.sh-set-the-exit-code-explicitly.patch
# sent to upstream, https://patchwork.kernel.org/patch/11446123/
Patch302:	0001-sign-file-full-functionality-with-modern-LibreSSL.patch

# Disable AutoReq
AutoReq: 	0
# but keep autoprov for kmod(xxx)
AutoProv: 	1

BuildRequires: 	bash
BuildRequires: 	bc
BuildRequires: 	binutils
BuildRequires: 	gcc
# For power tools
BuildRequires:	pkgconfig(ncurses)
BuildRequires:	kmod-devel kmod-compat
BuildRequires:	bison
BuildRequires:	flex
BuildRequires:	bzip2
BuildRequires:	rsync

%ifarch x86_64
BuildRequires:  numa-devel
%endif

# for perf, cpufreq and all other tools
# for cpupower
%if %{build_cpupower}
BuildRequires:		pciutils-devel
%endif
# for perf
%if %{build_perf}
BuildRequires:		asciidoc
BuildRequires:		audit-devel
BuildRequires:		binutils-devel
BuildRequires:		elfutils-devel
BuildRequires:		libunwind-devel
BuildRequires:		newt-devel
BuildRequires:		perl-devel
BuildRequires:		pkgconfig(python)
BuildRequires:		xmlto
BuildRequires:		zlib-devel
BuildRequires:		pkgconfig(libcrypto)
%endif

%if %{enhanced_security}
# (To generate keys)
# LibreSSL has GOST support without editing openssl.cnf
# or dlopen()-ing external library
BuildRequires:		libressl libressl-devel
# To verify signatures (find, xargs, hexdump)
BuildRequires:		findutils util-linux
%endif

# might be useful too:
Recommends:		microcode


%description
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.

############################################################################

%package -n kernel-%{flavour}-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}

Provides:	kernel = %{kverrel}
Provides:	kernel = %{kernelversion}.%{patchlevel}
Provides:	kernel-%{flavour} = %{kverrel}
%if %{enhanced_security}
Provides:	kernel-hardened = %{kverrel}
Provides:	kernel-hardened = %{kernelversion}.%{patchlevel}
Provides:	kernel-hardened-%{flavour} = %{kverrel}
%endif
Provides:	alsa = 1.0.27
Provides:	should-restart = system

Requires(pre):	grub2
Requires(pre):	dracut >= 046
Requires(pre):	kmod >= 20-1
Requires(pre):	sysfsutils >=  2.1.0-12
Requires:	dracut >= 046
Requires:	linux-firmware >= 20181026
Requires:	wireless-regdb

Recommends:	crda

%if %build_devel
Requires:	kernel-%{flavour}-devel-%{buildrel}
Requires(post):	kernel-%{flavour}-devel-%{buildrel}
%endif

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

Summary:	A general-purpose Linux Kernel
Group:		System/Kernel and hardware

%description -n kernel-%{flavour}-%{buildrel}
The kernel package contains the Linux kernel (vmlinuz), the core of your
operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc. This is a general-purpose kernel.

%post -n kernel-%{flavour}-%{buildrel}
# We always regenerate initrd here, even if it already exists. This may
# happen if kernel-<...>-devel is installed first, triggers rebuild of
# DKMS modules and some of these request remaking of initrd. The initrd
# that is created then will be non-functional. But when the user installs
# kernel-<...> package, that defunct initrd will be replaced with a working
# one here.
#
# depmod is also needed, because some DKMS-modules might have been installed
# when the devel package was installed but that was before the main modules
# were installed.
# This is also the reason the devel package is in Requires(post) for this
# package now: it must be installed completely before we call depmod here.
/sbin/depmod -a %{kver_full}
/sbin/dracut -f /boot/initrd-%{kver_full}.img %{kver_full}

# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2

pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
	rm -f vmlinuz-%{flavour}
fi
if [ -L initrd-%{flavour}.img ]; then
	rm -f initrd-%{flavour}.img
fi
popd > /dev/null
exit 0

%preun -n kernel-%{flavour}-%{buildrel}
pushd /boot > /dev/null
if [ -L vmlinuz-%{flavour} ]; then
	if [ "$(readlink vmlinuz-%{flavour})" = "vmlinuz-%{kver_full}" ]; then
		rm -f vmlinuz-%{flavour}
	fi
fi
if [ -L initrd-%{flavour}.img ]; then
	if [ "$(readlink initrd-%{flavour}.img)" = "initrd-%{kver_full}.img" ]; then
		rm -f initrd-%{flavour}.img
	fi
fi

# File triggers from grub packages will handle this.
#/usr/sbin/update-grub2

popd > /dev/null
exit 0

%postun -n kernel-%{flavour}-%{buildrel}
rm -f /boot/initrd-%{kver_full}.img
rm -f /boot/initrd-%{kver_full}_old.img
rm -f /boot/initrd-%{kver_full}kdump.img
rm -f /boot/initramfs-%{kver_full}kdump.img

# Third-party modules might have left something in /lib/modules/.../kernel/.
rm -rf /lib/modules/%{kver_full}/kernel/
rm -rf /lib/modules/%{kver_full}/modules*
# Remove /lib/modules/<...>/ if it is empty (-devel uses it too).
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true


%files -n kernel-%{flavour}-%{buildrel} -f kernel_files.%{flavour}

############################################################################

%if %build_devel
%package -n	kernel-%{flavour}-devel-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}
Summary:	Development files for kernel-%{flavour}-%{buildrel}
Group:		Development/Kernel
Requires:	glibc-devel
Requires:	ncurses-devel
Requires:	make
Requires:	gcc
Requires:	perl
Provides:	kernel-devel = %{kverrel}
Provides:	kernel-%{flavour}-devel = %{kverrel}
%if %{enhanced_security}
Provides:	kernel-hardened-devel = %{kverrel}
Provides:	kernel-hardened-%{flavour}-devel = %{kverrel}
%endif

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-%{flavour}-devel-%{buildrel}
This package contains the kernel files (headers and build tools)
that should be enough to build additional drivers for
use with kernel-%{flavour}-%{buildrel}.

%post -n kernel-%{flavour}-devel-%{buildrel}
if ! command -v dkms >/dev/null 2>&1; then exit 0; fi
/usr/sbin/dkms_autoinstaller start %{kver_full}

%preun -n kernel-%{flavour}-devel-%{buildrel}

# If any DKMS modules with REMAKE_INITRD=yes in their configs have been
# uninstalled, initrd has been regenerated for the given kernel. However,
# the kernel itself might have been uninstalled before, so that (defunct)
# initrd image files would be left behind. Remove them if the kernel itself
# is no longer installed. Should work if they are uninstalled in parallel
# too.
if ! test -f /boot/vmlinuz-%{kver_full}; then
	rm -f /boot/initrd-%{kver_full}.img
	rm -f /boot/initrd-%{kver_full}_old.img
fi

if ! command -v dkms >/dev/null 2>&1; then exit 0; fi

for ii in $(/usr/sbin/dkms status -k %{kver_full} | awk '{ print $1 $2; }'); do
	mod=$(echo $ii | awk -v FS=',' '{ print $1; }')
	ver=$(echo $ii | awk -v FS=',' '{ print $2; }')
	/usr/sbin/dkms --rpm_safe_upgrade uninstall -m $mod -v $ver -k %{kver_full} || :
done

%postun -n kernel-%{flavour}-devel-%{buildrel}
rm -rf /usr/src/linux-%{kver_full} >/dev/null
# depmod (called when removing DKMS modules) might have created files in
# /lib/modules/.../. Remove these first.
rm -rf /lib/modules/%{kver_full}/modules*
# Remove the dir if it is already empty.
find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true


%files -n kernel-%{flavour}-devel-%{buildrel}
%dir %{devel_root}
%dir %{devel_root}/arch
%dir %{devel_root}/include
%{devel_root}/Documentation
%{devel_root}/arch/um
%{devel_root}/arch/x86
%{devel_root}/block
%{devel_root}/certs
%{devel_root}/crypto
%{devel_root}/drivers
%{devel_root}/fs
%{devel_root}/include/acpi
%{devel_root}/include/asm-generic
%{devel_root}/include/clocksource
%{devel_root}/include/config
%{devel_root}/include/crypto
%{devel_root}/include/drm
%{devel_root}/include/dt-bindings
%{devel_root}/include/generated
%{devel_root}/include/keys
%{devel_root}/include/kvm
%{devel_root}/include/linux
%{devel_root}/include/math-emu
%{devel_root}/include/media
%{devel_root}/include/misc
%{devel_root}/include/net
%{devel_root}/include/pcmcia
%{devel_root}/include/ras
%{devel_root}/include/rdma
%{devel_root}/include/scsi
%{devel_root}/include/sound
%{devel_root}/include/target
%{devel_root}/include/trace
%{devel_root}/include/uapi
%{devel_root}/include/vdso
%{devel_root}/include/video
%{devel_root}/include/xen
%{devel_root}/init
%{devel_root}/ipc
%{devel_root}/kernel
%{devel_root}/lib
%{devel_root}/mm
%{devel_root}/net
%{devel_root}/samples
%{devel_root}/scripts
%{devel_root}/security
%{devel_root}/sound
%{devel_root}/tools
%{devel_root}/usr
%{devel_root}/virt
%{devel_root}/.config
%{devel_root}/Kbuild
%{devel_root}/Kconfig
%{devel_root}/Makefile
%{devel_root}/Module.symvers
%{devel_root}/arch/Kconfig
%{_modulesdir}/%{kver_full}/build
%{_modulesdir}/%{kver_full}/source

%endif

############################################################################

%if %build_debug
%package -n	kernel-%{flavour}-%{buildrel}-debuginfo
Version:	%{fakever}
Release:	%{fakerel}
Summary:	Debuginfo for kernel-%{flavour}-%{buildrel}
Group:		Development/Debug
Provides:	kernel-debug = %{kverrel}
%if %{enhanced_security}
Provides:	kernel-hardened-debug = %{kverrel}
%endif

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-%{flavour}-%{buildrel}-debuginfo
This package contains the files with debuginfo for kernel-%{flavour}-%{buildrel}.

%files -n kernel-%{flavour}-%{buildrel}-debuginfo -f kernel_debug_files.%{flavour}

%endif

############################################################################

%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-%{flavour} in %{kernelversion}.%{patchlevel} series
Group:		System/Kernel and hardware
Requires:	kernel-%{flavour}-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the
latest kernel-%{flavour} %{kernelversion}.%{patchlevel}.x installed.

%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files

############################################################################

%if %build_devel

%package -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-%{flavour}-devel in %{kernelversion}.%{patchlevel} series
Group:		Development/Kernel
Requires:	kernel-%{flavour}-devel-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

Provides:	kernel-devel-latest
%if %{enhanced_security}
Provides:	kernel-hardened-devel-latest
%endif

%description -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
This meta package aims to make sure you always have the
latest kernel-%{flavour}-devel %{kernelversion}.%{patchlevel}.x installed.

%files -n kernel-%{flavour}-%{kernelversion}.%{patchlevel}-devel-latest
# no files

%endif

############################################################################

%if %build_doc
%package -n kernel-doc
Version: 	%{kversion}
Release: 	%{fullrpmrel}
Summary: 	Various documentation bits found in the kernel source
Group: 		Documentation
Buildarch:	noarch

%description -n kernel-doc
This package contains documentation files from the kernel source.

%files -n kernel-doc
%doc linux-%{tar_ver}/Documentation/*

%endif

############################################################################

%if %{build_perf}
%package -n perf
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	perf tool and the supporting documentation
Group:		System/Kernel and hardware

%description -n perf
The package contains perf tool and the supporting documentation.

%files -n perf
%{_bindir}/perf
%ifarch x86_64
%{_bindir}/perf-read-vdso32
%endif
%{_bindir}/trace
%dir %{_prefix}/libexec/perf-core
%dir %{_libdir}/traceevent
%dir %{_libdir}/traceevent/plugins
%{_libdir}/traceevent/plugins/*
%{_prefix}/libexec/perf-core/*
%{_mandir}/man[1-8]/perf*
%{_sysconfdir}/bash_completion.d/perf
%{_datadir}/perf-core/strace/groups/*
%{_datadir}/doc/perf-tip/*.txt
/usr/lib/perf/examples/bpf/*
/usr/lib/perf/include/bpf/*

%endif

############################################################################

%if %{build_cpupower}
%package -n cpupower
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	The cpupower tools
Group:		System/Kernel and hardware
Requires(post):  rpm-helper >= 0.24.0-3
Requires(preun): rpm-helper >= 0.24.0-3
Obsoletes:	cpufreq < 3.0
Obsoletes:	cpufrequtils < 10.0

%description -n cpupower
The cpupower tools.

%post -n cpupower

if [ $1 -ge 0 ]; then
# Do not enable/disable cpupower.service directly, because it should start
# when cpupower.path triggers it.
	/bin/systemctl enable cpupower.path >/dev/null 2>&1 || :
	/bin/systemctl start cpupower.path >/dev/null 2>&1 || :
fi

%preun -n cpupower
if [ $1 -eq 0 ]; then
        /bin/systemctl --no-reload disable cpupower.path > /dev/null 2>&1 || :
        /bin/systemctl stop cpupower.path > /dev/null 2>&1 || :
fi

%files -n cpupower -f cpupower.lang
%{_bindir}/cpupower
%{_bindir}/cpupower-start.sh
%{_libdir}/libcpupower.so.0
%{_libdir}/libcpupower.so.0.0.1
%{_unitdir}/cpupower.service
%{_unitdir}/cpupower.path
%{_datadir}/bash-completion/completions/cpupower
%{_mandir}/man[1-8]/cpupower*
%config(noreplace) %{_sysconfdir}/sysconfig/cpupower

############################################################################

%package -n cpupower-devel
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Development files for cpupower
Group:		Development/Kernel
Requires:	cpupower = %{kversion}-%{fullrpmrel}
Conflicts:	%{_lib}cpufreq-devel

%description -n cpupower-devel
This package contains the development files for cpupower.

%files -n cpupower-devel
%{_libdir}/libcpupower.so
%{_includedir}/cpufreq.h
%{_includedir}/cpuidle.h

%endif

############################################################################

%if %{build_headers}
%package headers
Version:	%kversion
Release:	%fullrpmrel
Summary:	Linux kernel header files mostly used by your C library
Group:		System/Kernel and hardware
Epoch:		1
Provides:	linux-userspace-headers = %{EVRD}
Provides:	kernel-release-headers = %{EVRD}

%description headers
C header files from the Linux kernel. The header files define
structures and constants that are needed for building most
standard programs, notably the C library.

This package is not suitable for building kernel modules, you
should use the 'kernel-devel' package instead.

%files headers
%{_includedir}/*
# Don't conflict with cpupower-devel
%if %{build_cpupower}
%exclude %{_includedir}/cpufreq.h
%exclude %{_includedir}/cpuidle.h
%endif
%endif

############################################################################

%if %{with uml}

%package -n kernel-uml-%{flavour}-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}
Provides:	kernel-uml = %{kverrel}
Provides:	kernel-uml-%{flavour} = %{kverrel}
Summary:	User Mode Linux binary
Group:		System/Kernel and hardware

%description -n kernel-uml-%{flavour}-%{buildrel}
User Mode Linux binary.
Stripped, debug is in kernel-%{flavour}-%{buildrel}-debuginfo.

%files -n kernel-uml-%{flavour}-%{buildrel}
%{_bindir}/linux-uml-%{kver_full}
#------------------------------------------------

%package -n kernel-uml-modules-%{flavour}-%{buildrel}
Version:	%{fakever}
Release:	%{fakerel}
Provides:	kernel-uml-modules = %{kverrel}
Provides:	kernel-uml-modules-%{flavour} = %{kverrel}
Summary:	User Mode Linux (UML) kernel modules
Group:		System/Kernel and hardware

%description -n kernel-uml-modules-%{flavour}-%{buildrel}
User Mode Linux (UML) kernel modules
- not compressed
- not stripped
- signed

%files -n kernel-uml-modules-%{flavour}-%{buildrel}
/lib/modules-uml/%{kver_full}
#------------------------------------------------

%package -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-uml-%{flavour} in %{kernelversion}.%{patchlevel} series
Group:		System/Kernel and hardware
Requires:	kernel-uml-%{flavour}-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the
latest kernel-uml-%{flavour} %{kernelversion}.%{patchlevel}.x
(User Mode Linux binary) installed.

%files -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files
#------------------------------------------------

%package -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Version:	%{kversion}
Release:	%{fullrpmrel}
Summary:	Meta package for the latest kernel-uml-modules-%{flavour} in %{kernelversion}.%{patchlevel} series
Group:		System/Kernel and hardware
Requires:	kernel-uml-modules-%{flavour}-%{buildrel}

%ifarch %{ix86}
Conflicts:	arch(x86_64)
%endif

%description -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest
This meta package aims to make sure you always have the
latest kernel-uml-modules-%{flavour} %{kernelversion}.%{patchlevel}.x
(User Mode Linux kernel modules) installed.

%files -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# no files
#------------------------------------------------

%endif #endif uml

############################################################################

%prep
%setup -q -n %top_dir_name -c
%if %{with uml}
cp -r %{src_dir} %{src_dir}.uml
%endif
cd %src_dir

%apply_patches

#
# Setup Begin
#

# Kernel configuration

echo "Creating the kernel configuration file."

# Configs
cp %{SOURCE110} .config

# Disable ASLR for 32-bit systems because it does not play well with
# hibernate.
%ifarch %{ix86}
sed -i	's/CONFIG_RANDOMIZE_BASE=y/# CONFIG_RANDOMIZE_BASE is not set/' .config
%endif

# Disable checking for W+X memory mappings for 32-bit systems. The warnings
# may confuse the users and noone is eager to fix the underlying problem,
# it seems.
%ifarch %{ix86}
sed -i	's/CONFIG_DEBUG_WX=y/# CONFIG_DEBUG_WX is not set/' .config
%endif

# GCC 5.5 may not support -fstack-protector-* on 32-bit systems.
# Let us disable the stack protector in the config explicitly.
%ifarch %{ix86}
sed -i	's/CONFIG_STACKPROTECTOR=y/# CONFIG_STACKPROTECTOR is not set/' .config
sed -i	's/CONFIG_STACKPROTECTOR_STRONG=y/# CONFIG_STACKPROTECTOR_STRONG is not set/' .config
%endif

touch %{build_dir}/.config.append

# Enable debug info if requested.
sed -i '/CONFIG_DEBUG_INFO/d' .config
%if %build_debug
echo 'CONFIG_DEBUG_INFO=y' >> %{build_dir}/.config.append
echo 'CONFIG_DEBUG_INFO_DWARF4=y' >> %{build_dir}/.config.append
echo 'CONFIG_GDB_SCRIPTS=y' >> %{build_dir}/.config.append
%else
echo 'CONFIG_DEBUG_INFO=n' >> %{build_dir}/.config.append
%endif

%if %{enhanced_security}
### SELinux enablement
# seems to be needed to boot system in enforcing selinux mode
# note: cpio fpormat of initramfs does not support xattrs without patches
# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
sed -i '/CONFIG_SECURITY_SELINUX_DISABLE/d' .config
echo CONFIG_SECURITY_SELINUX_DISABLE=y >> %{build_dir}/.config.append
# enable selinux in kernel by default if not disabled explicitly
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> %{build_dir}/.config.append

### Signing kernel modules
# https://www.kernel.org/doc/html/v5.3/admin-guide/module-signing.html
sed -i '/CONFIG_MODULE_SIG/d' .config
echo CONFIG_MODULE_SIG=y >> %{build_dir}/.config.append
%if %{with oblig_signed_modules}
# Disallow loading not signed modules
echo CONFIG_MODULE_SIG_FORCE=y >> %{build_dir}/.config.append
%else
echo CONFIG_MODULE_SIG_FORCE=n >> %{build_dir}/.config.append
%endif
# If %%build_debig is true, signatures will be stripped
# We sign modules manually in a tricky way bellow
echo CONFIG_MODULE_SIG_ALL=n >> %{build_dir}/.config.append
# Set path to the key that will be generated later by openssl/libressl
echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_priv_rnd}\" >> %{build_dir}/.config.append
# Set path to one PEM file with all keys that the kernel must trust
sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
echo CONFIG_SYSTEM_TRUSTED_KEYS=\"%{certs_public_keys}\" >> %{build_dir}/.config.append
# Reserve area for inserting a certificate without recompiling
sed -i '/CONFIG_SYSTEM_EXTRA_CERTIFICATE/d' .config
echo CONFIG_SYSTEM_EXTRA_CERTIFICATE=y >> %{build_dir}/.config.append

# Memory wiping
# Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef
# Estimated performance impact is described in the commit
# "Fill newly allocated pages and heap objects with zeroes."
# To enable, add to cmdline: init_on_alloc=1
sed -i '/CONFIG_INIT_ON_ALLOC_DEFAULT_ON/d' .config
echo CONFIG_INIT_ON_ALLOC_DEFAULT_ON=n >> %{build_dir}/.config.append
# "Fill freed pages and heap objects with zeroes"
# To disable, add to cmdline: init_on_free=0
sed -i '/CONFIG_INIT_ON_FREE_DEFAULT_ON/d' .config
%if %{with nickel}
echo CONFIG_INIT_ON_FREE_DEFAULT_ON=y >> %{build_dir}/.config.append
%else
echo CONFIG_INIT_ON_FREE_DEFAULT_ON=n >> %{build_dir}/.config.append
%endif
# Here enabling only either only init_on_free or only init_on_alloc
# makes sense; init_on_alloc is not about protecting information.

# To load kernel keyring in UML
for i in STREEBOG SHA1 SHA256 SHA512 ECRDSA RSA ; do
	sed -i "/CONFIG_CRYPTO_${i}/d" .config
	echo "CONFIG_CRYPTO_${i}=y" >> %{build_dir}/.config.append
done

sed -i '/CONFIG_LSM/d' .config
echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha"' >> %{build_dir}/.config.append
sed -i '/CONFIG_SECURITY_ALTHA/d' .config
echo 'CONFIG_SECURITY_ALTHA=y' >> %{build_dir}/.config.append
%endif

cat %{build_dir}/.config.append >> .config

# Store the config file in the appropriate directory.
CONFIG_DIR=arch/x86/configs
mkdir -p "${CONFIG_DIR}"

cfg_file=arch/x86/configs/%{arch_suffix}_defconfig-%{flavour}
make ARCH=%{_arch} oldconfig && \
mv .config ${cfg_file}

# Looks like 'make oldconfig' removes '# CONFIG_64BIT is not set' for some
# reason. For now, let us restore it.
%ifarch %{ix86}
sed -i 's/CONFIG_64BIT=y//' ${cfg_file}
echo '# CONFIG_64BIT is not set' >> ${cfg_file}
%endif

echo "Created ${cfg_file}."

# make sure the kernel has the sublevel we know it has...
LC_ALL=C sed -ri "s/^SUBLEVEL.*/SUBLEVEL = %{sublevel}/" Makefile

# get rid of unwanted files
find . -name '*~' -o -name '*.orig' -o -name '*.append' | %kxargs rm -f
find . -name '.get_maintainer.ignore' | %kxargs rm -f

############################################################################

%build

# Ensure that build time generated private keys don't get published
# as e.g. "RPM build root" on ABF!
# Note that ABF sends SIGKILL to rpm-build.sh when the build is terminated;
# in this case trap will not work, but RPM build root also will not be
# saved because rpm-build.sh saves it, but it is SIGKILLed.
# For best security we could store private keys in RAM (not reachable from
# filesystem, so not in /tmp!) and override sth like fopen() by LD_PRELOAD
# to give the content of keys from RAM when a virtual address of a key file
# is accessed, but currently I don't know how to implement this (TODO: ).
_cleanup(){
	# Show resulting kernel public keys for debugging
	cat "%{src_dir}/%{certs_dir_rnd}/x509_certificate_list" | base64 -d || :
	rm -fvr "%{src_dir}/%{certs_dir_rnd}"
%if %{with uml}
	cat "%{src_dir}.uml/%{certs_dir_rnd}/x509_certificate_list" | base64 -d || :
	rm -fvr "%{src_dir}.uml/%{certs_dir_rnd}"
%endif
}
# Make a trap to delete keys even if %%build fails in the middle
trap "_cleanup" EXIT

rm -rf %{temp_root}
install -d %{temp_root}

cd %src_dir

### Keys for signing kernel modules
# Keys can be generated both manually and automatically,
# let's generate them by ourselves to take full control of the process
# https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html
# See also certs/Makefile in kernel source
%if %{enhanced_security}
mkdir -p "%{certs_dir_rnd}"

# On ABF, %%packager == $username <$email>
# Try to extract email from %%packager if it is set
_get_email(){
	# Check that macro %%packager was set and is not empty
	if echo '%{packager}' | grep -q 'packager}$' || [ -z "%{packager}" ]
		# If was not set or is empty, use default email
		then echo 'rpmbuild@rosa.unknown' && return
		# Otherwise try to extract email from 'name <email>' or sth else
		else temp="$(echo '%{packager}' | tr '[:upper:]' '[:lower:]' | tr ' ' '\n' | tr -d '<>' | grep -E '@.*\..*' | head -n 1)"
	fi
	# Validate that what we have now is a valid email
	# https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733
	# Note that we set %%_buildshell to /bin/bash to guarantee the work of this bashism
	regex_email="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$"
	if [[ "$temp" =~ ${regex_email} ]]
		# If it is, use it
		then echo "$temp" && return
		# Otherwise use default email
		else echo 'rpmbuild@rosa.unknown' && return
	fi
	# If script above has not return'ed for any reason,
	# e.g. because of non-bash shell being not able to
	# process regexp, use default email
	echo 'rpmbuild@rosa.unknown'
}
email="$(_get_email)"

cat <<EOF > "%{certs_key_config_rnd}"
[ req ]
prompt = no
string_mask = utf8only
#default_keyfile = %{certs_signing_key_priv_rnd}
distinguished_name = req_distinguished_name
x509_extensions = myexts
[ req_distinguished_name ]
organizationName = %{vendor} rpmbuild
commonName = Build time autogenerated @ALGO@ kernel key
emailAddress = ${email}
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat "%{certs_key_config_rnd}"
sed -e 's,@ALGO@,RSA,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.RSA"
sed -e 's,@ALGO@,GOST R 34.10-2012,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.GOST"
# avoid using the template
rm -f "%{certs_key_config_rnd}"

_libressl_gen_key(){
	if [ "$GOST_KEY" = 1 ]
	then
		lssl_req_gost_args="\
			-newkey gost2001 \
			-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
			-streebog512"
		OUT="%{certs_signing_key_priv_rnd}.GOST"
		CONFIG="%{certs_key_config_rnd}.GOST"
	else
		lssl_req_gost_args=""
		OUT="%{certs_signing_key_priv_rnd}.RSA"
		CONFIG="%{certs_key_config_rnd}.RSA"
	fi
		libressl req -new -nodes -utf8 -batch \
			$lssl_req_gost_args \
			-days 109500 \
			-x509 -config "$CONFIG" \
			-out "$OUT" \
			-keyout "$OUT"

	# Verify
	if [ "$GOST_KEY" = 1 ]; then
		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
			| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
			| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
			| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
	fi
}

GOST_KEY=0 _libressl_gen_key
GOST_KEY=1 _libressl_gen_key
# Fake CONFIG_MODULE_SIG_KEY to make build scripts happy
cp -v "%{certs_signing_key_priv_rnd}.RSA" "%{certs_signing_key_priv_rnd}"

# Strip public parts from the generated PEMs
sed -n \
	'/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
	"%{certs_signing_key_priv_rnd}.GOST" \
	"%{certs_signing_key_priv_rnd}.RSA" \
	> "%{certs_public_keys}"

# link sign-file and extract-cert with LibreSSL instead of OpenSSL
libressl_cflags="$(pkg-config --cflags --libs libressl-libcrypto)"
if [ $? != 0 ] ; then exit $? ; fi
sed -i %{src_dir}/scripts/Makefile \
%if %{with uml}
    %{src_dir}.uml/scripts/Makefile \
%endif
	-e "s,-lcrypto,${libressl_cflags},g"

%if %{with additional_keys}
# Add additional public RSA keys to the list of trusted keys for kernel modules
# Build kernel --without additional_keys if you do not want to trust them
cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
	>> "%{certs_public_keys}"
%endif #endif additional_keys
cat %{certs_public_keys}
%endif #endif enhanced_security

# .config
%smake -s mrproper
cp arch/x86/configs/%{arch_suffix}_defconfig-%{flavour} .config

# make sure EXTRAVERSION says what we want it to say
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{flavour}-%{buildrpmrel}/" Makefile

# Print debug messages when loglevel=7 in cmdline.
# Those messages can be caught by debugfs without -DDEBUG.
# but sometimes it is required to see them via a serial port when booting the kernel.
# '#ifdef DEBUG' is used in different places for different purposes,
# so change DEBUG to PRINTK_DEBUG in one specific place.
#%if %build_debug
#sed -i %{src_dir}/include/linux/printk.h \
#	-e 's,^#ifdef DEBUG$,#if defined(DEBUG) || defined(PRINTK_DEBUG),g'
#export KCPPFLAGS="-DPRINTK_DEBUG"
#%endif

# build the kernel
echo "Building kernel %{kver_full}"

%kmake V=1 -s all

%if %{with uml}
cp -rv %{certs_dir_rnd} %{src_dir}.uml/
pushd %{src_dir}.uml
%kmake ARCH=um defconfig
cp .config .config.default
cat %{build_dir}/.config.append >> .config
%kmake oldconfig ARCH=um
diff -u .config.default .config || :
# Looks like 'make oldconfig' removes '# CONFIG_64BIT is not set' for some
# reason. For now, let us restore it.
%ifarch %{ix86}
sed -i 's/CONFIG_64BIT=y//' .config
echo '# CONFIG_64BIT is not set' >> .config
%endif
%kmake ARCH=um linux
install -Dm0755 linux %{temp_root}%{_bindir}/linux-uml-%{kver_full}
#rm -fv linux
%kmake V=1 ARCH=um modules
mkdir -p %{temp_root}/lib/modules-uml/%{kver_full}/
%kmake ARCH=um INSTALL_MOD_PATH=%{temp_root}/lib/modules-uml/%{kver_full}/ modules_install
popd
%endif

# Start installing stuff
install -d %{temp_boot}
install -m 644 System.map %{temp_boot}/System.map-%{kver_full}
install -m 644 .config %{temp_boot}/config-%{kver_full}
xz -c Module.symvers > %{temp_boot}/symvers-%{kver_full}.xz

cp -f arch/x86/boot/bzImage %{temp_boot}/vmlinuz-%{kver_full}

# modules
install -d %{temp_modules}/%{kver_full}
%smake INSTALL_MOD_PATH=%{temp_root} KERNELRELEASE=%{kver_full} modules_install

# headers
%if %{build_headers}
%make INSTALL_HDR_PATH=%{temp_root}%{_prefix} KERNELRELEASE=%{kver_full} headers_install
find %{temp_root}%{_prefix} -name .install -or -name ..install.cmd | %kxargs rm -f
%endif

# remove /lib/firmware, we use a separate linux-firmware package
rm -rf %{temp_root}/lib/firmware

# Prepare the files for kernel*-devel
%if %build_devel

mkdir -p %{temp_devel_root}
for i in $(find . -name 'Makefile*'); do cp -R --parents $i %{temp_devel_root}; done
for i in $(find . -name 'Kconfig*' -o -name 'Kbuild*'); do cp -R --parents $i %{temp_devel_root}; done

cp -fR include %{temp_devel_root}

cp -fR scripts %{temp_devel_root}
cp -fR kernel/bounds.c %{temp_devel_root}/kernel
cp -fR kernel/time/timeconst.bc %{temp_devel_root}/kernel/time
cp -fR tools %{temp_devel_root}/
cp -fR arch/x86/kernel/asm-offsets.{c,s} %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/kernel/asm-offsets_{32,64}.c %{temp_devel_root}/arch/x86/kernel/
cp -fR arch/x86/purgatory/* %{temp_devel_root}/arch/x86/purgatory/
cp -fR arch/x86/entry/syscalls/syscall* %{temp_devel_root}/arch/x86/entry/syscalls/
cp -fR arch/x86/include %{temp_devel_root}/arch/x86/
cp -fR arch/x86/tools %{temp_devel_root}/arch/x86/
cp -fR .config Module.symvers %{temp_devel_root}

# Needed for truecrypt build (Danny)
cp -fR drivers/md/dm.h %{temp_devel_root}/drivers/md/

# Needed for lirc_gpio (#39004)
cp -fR drivers/media/pci/bt8xx/bttv{,p}.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/pci/bt8xx/bt848.h %{temp_devel_root}/drivers/media/pci/bt8xx/
cp -fR drivers/media/common/btcx-risc.h %{temp_devel_root}/drivers/media/common/

# add acpica header files, needed for fglrx build
cp -fR drivers/acpi/acpica/*.h %{temp_devel_root}/drivers/acpi/acpica/

# aufs2 has a special file needed
cp -fR fs/aufs/magic.mk %{temp_devel_root}/fs/aufs

# SELinux needs security/selinux/include
cp -fR security/selinux/include %{temp_devel_root}/security/selinux

# needed for kexec
cp -fR arch/x86/boot/*.h %{temp_devel_root}/arch/x86/boot/
cp -fR arch/x86/boot/*.c %{temp_devel_root}/arch/x86/boot/

# needed for arch/x86/purgatory
cp -fR lib/*.h lib/*.c %{temp_devel_root}/lib/

for i in alpha arc avr32 blackfin c6x cris csky frv h8300 hexagon ia64 m32r m68k m68knommu metag microblaze \
	mips mn10300 nds32 nios2 openrisc parisc powerpc riscv s390 score sh sparc tile unicore32 xtensa; do
	rm -rf %{temp_devel_root}/arch/$i
done

rm -rf %{temp_devel_root}/arch/arm*
rm -rf %{temp_devel_root}/include/kvm/arm*
rm -rf %{temp_devel_root}/include/soc

# Clean the scripts tree, and make sure everything is ok (sanity check)
# running prepare+scripts (tree was already "prepared" in build)
pushd %{temp_devel_root}
	%smake V=1 -s prepare
	%smake V=1 -s scripts
	%smake V=1 -s clean
popd
rm -f %{temp_devel_root}/.config.old

# fix permissions
chmod -R a+rX %{temp_devel_root}

# disable mrproper in -devel rpms
patch -p1 --fuzz=0 -d %{temp_devel_root} -i %{SOURCE2}

# Create the symlinks needed by DKMS
mkdir -p %{temp_modules}/%{kver_full}

# endif build_devel
%endif

# Manage the files with debug info, provide the debug links in the
# kernel modules.
%if %build_debug
install -m 644 vmlinux %{temp_boot}/vmlinux-%{kver_full}
kernel_debug_files=../kernel_debug_files.%{flavour}
echo "%{_bootdir}/vmlinux-%{kver_full}" >> $kernel_debug_files

find %{temp_modules}/%{kver_full}/kernel \
	-name "*.ko" | \
	%kxargs -I '{}' objcopy --only-keep-debug '{}' '{}'.debug
find %{temp_modules}/%{kver_full}/kernel \
	-name "*.ko" | %kxargs -I '{}' \
	sh -c 'cd `dirname {}`; \
		objcopy --add-gnu-debuglink=`basename {}`.debug \
		--strip-debug `basename {}`'

pushd %{temp_modules}
find %{kver_full}/kernel -name "*.ko.debug" > debug_module_list
popd
cat %{temp_modules}/debug_module_list | \
	sed 's|\(.*\)|%{_modulesdir}/\1|' >> $kernel_debug_files
cat %{temp_modules}/debug_module_list | \
	sed 's|\(.*\)|%exclude %{_modulesdir}/\1|' \
	>> ../kernel_exclude_debug_files.%{flavour}
rm -f %{temp_modules}/debug_module_list

# endif build_debug
%endif

%if %{enhanced_security}
# scripts/sign-file.c fails to sign modules:
# "CMS routines:func(4095):not supported for this key type"
# So make a dettached signature via libressl and attach it
# as a raw signature via sign-file.
# TODO: fix scripts/sign-file.c
_libressl_sign(){
	if [ ! -f "$1" ]; then
	  echo "No file $1"
	  return 0
	fi
	f="$1"
%if %{with gost_sign}
	%{src_dir}/scripts/sign-file streebog512 \
		"%{certs_signing_key_priv_rnd}.GOST" "%{certs_signing_key_priv_rnd}.GOST" "$f"
%else
	%{src_dir}/scripts/sign-file sha512 \
		"%{certs_signing_key_priv_rnd}.RSA" "%{certs_signing_key_priv_rnd}.RSA" "$f"
%endif
	unset f
}
export -f _libressl_sign
find %{temp_modules}/%{kver_full}/kernel \
%if %{with uml}
     %{temp_root}/lib/modules-uml/%{kver_full} \
%endif
-name '*.ko' -print0 | sort -u | \
	xargs --null -P "$(nproc)" -I {} "$SHELL" -e -x -c 'if ! _libressl_sign "{}"; \
		then echo Failed _libressl_sign on "{}" && exit 1; fi'
%endif

# Create the list of files for the kernel.
kernel_files=../kernel_files.%{flavour}

cat > $kernel_files <<EOF
%{_bootdir}/System.map-%{kver_full}
%{_bootdir}/symvers-%{kver_full}.xz
%{_bootdir}/config-%{kver_full}
%{_bootdir}/vmlinuz-%{kver_full}
%{_modulesdir}/%{kver_full}/kernel
%{_modulesdir}/%{kver_full}/modules.*
EOF

%if %build_debug
cat ../kernel_exclude_debug_files.%{flavour} >> $kernel_files
%endif

# set extraversion to match srpm to get nice version reported by the tools
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile

%if %{build_perf}
%ifarch x86_64
%define perf_is_x64	1
%else
%define perf_is_x64	0
%endif

%smake -C tools/perf -s IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} NO_GTK2=1 all
%smake -C tools/perf -s prefix=%{_prefix} NO_GTK2=1 man
%endif

%if %{build_cpupower}
# make sure version-gen.sh is executable.
chmod +x tools/power/cpupower/utils/version-gen.sh
%make -C tools/power/cpupower CPUFREQ_BENCH=false
%endif

_cleanup
############################################################################

%install
cd %src_dir

# We want to be able to test several times the install part
rm -rf %{buildroot}
cp -a %{temp_root} %{buildroot}

%if %{enhanced_security}
# Multithreaded verification that every kernel module
# has a signature attached to it
mkdir -p "%{certs_dir_rnd}"
touch %{certs_verify_tmp}
_verify_signature(){
	if [ -z "$1" ] || [ ! -f "$1" ]; then return; fi
	if hexdump -C "$1" | rev | cut -f 2 -d '|' | rev | tr -d '\n' | \
	   grep -q '~Module signature appended~'
		then
			if [ -f %{certs_verify_tmp} ]; then
				rm -f %{certs_verify_tmp}
			fi
		else
			echo "ERROR: Module $1 has no signature attached to it!"
			exit 1
	fi
}
export -f _verify_signature
find %{target_modules} \
%if %{with uml}
     %{buildroot}/lib/modules-uml/%{kver_full} \
%endif
-name '*.ko' -print0 | sort -u | \
	xargs --null -P "$(nproc)" -I {} "$SHELL" -c '_verify_signature "{}"'
if [ -f %{certs_verify_tmp} ]; then
	echo "ERROR: seems that signatures of none modules were verified!"
	exit 1
fi
rm -f %{certs_verify_tmp}
%endif

# compressing modules
%if %{build_modxz}
find %{target_modules} -name "*.ko" | %kxargs xz -6e
%else
find %{target_modules} -name "*.ko" | %kxargs gzip -9
%endif

pushd %{target_modules}
for i in *; do
	rm -f $i/build $i/source
	ln -sf /usr/src/linux-$i $i/build
	ln -sf /usr/src/linux-$i $i/source
done

# sniff, if we compressed all the modules, we change the stamp :(
# we really need the depmod -ae here
for i in *; do
	/sbin/depmod -ae -b %{buildroot} -F %{target_boot}/System.map-$i $i
	echo $?
done

# We used to create modules.description files which contained the
# description strings for the modules as shown by modinfo. These files
# are unlikely to be used right now, so create them (in case some old tool
# checks for their existence) but keep them empty.
for i in *; do
	touch $i/modules.description
done
popd

# need to set extraversion to match srpm again to avoid rebuild
LC_ALL=C sed -ri "s/^EXTRAVERSION.*/EXTRAVERSION = -%{fullrpmrel}/" Makefile
%if %{build_perf}

# perf tool binary and supporting scripts/binaries
make -C tools/perf -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install

# perf man pages (note: implicit rpm magic compresses them later)
make -C tools/perf  -s V=1 DESTDIR=%{buildroot} IS_X86_64=%{perf_is_x64} HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix} install-man
%endif

%if %{build_cpupower}
make -C tools/power/cpupower DESTDIR=%{buildroot} libdir=%{_libdir} mandir=%{_mandir} CPUFREQ_BENCH=false install
rm -f %{buildroot}%{_libdir}/*.{a,la}
%find_lang cpupower
mv cpupower.lang ../
chmod 0755 %{buildroot}%{_libdir}/libcpupower.so*
mkdir -p %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -m644 %{SOURCE50} %{buildroot}%{_unitdir}/cpupower.service
install -m644 %{SOURCE53} %{buildroot}%{_unitdir}/cpupower.path
install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh
%endif