From 31481802501d088718740adb77ff15a04abea56d Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Wed, 18 Mar 2020 22:20:03 +0300 Subject: [PATCH] Prepare to have the same kernel in Fresh/RED and certified distros: - rename nrj-desktop to generic because nowadays there are no nrjQL patches - keep nickel flavour for certified distros - add uml and uml-modules subpackages - fix description of uml package - it is stripped - always enable enhanced_security - disable CONFIG_INIT_ON_FREE_DEFAULT_ON on non-certified distros for best performance - in scriptlets, check that dkms is installed and make actions if it is installed - do not depend from the dkms package to avoid pulling it even if someone wants to completely remove it --- kernel.spec | 111 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 78 insertions(+), 33 deletions(-) diff --git a/kernel.spec b/kernel.spec index cf4076d..b17286e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -11,7 +11,7 @@ %define sublevel 25 # Release number. Increase this before a rebuild. -%define rpmrel 8 +%define rpmrel 9 %define fullrpmrel %{rpmrel} %define rpmtag %{disttag} @@ -38,14 +38,14 @@ %define buildrel %{kversion}-%{buildrpmrel} # %%build_selinux may be defined in branding-configs -%{?build_selinux}%{?!build_selinux:%bcond_with selinux} -%if %{with selinux} +#%%{?build_selinux}%{?!build_selinux:%bcond_with selinux} +#%%if %{with selinux} %global enhanced_security 1 -%else -%global enhanced_security 0 -%endif -# Allow "rpmbuild --with enhanced_security <...>" -%{?_with_enhanced_security:%global enhanced_security 1} +#%%else +#%%global enhanced_security 0 +#%%endif +# Allow "rpmbuild --without enhanced_security <...>" +%{?_without_enhanced_security:%global enhanced_security 0} %if %{enhanced_security} %bcond_without additional_keys 
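Review bot: The commented-out selinux conditional in the `enhanced_security` block is only half escaped: `%{?!build_selinux:%bcond_with selinux}` and `%{with selinux}` are still unescaped on the `#` lines, and rpm expands macros inside comments. Since `enhanced_security` is now unconditionally 1, I would delete the dead lines rather than keep them. The comment `# %%build_selinux may be defined in branding-configs` is stale as well, because `build_selinux` no longer influences anything here; something like `# enhanced_security is on by default; use --without enhanced_security to turn it off` describes the new behaviour.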
@@ -55,11 +55,18 @@ %bcond_without uml %bcond_with gost_keys +# "Nickel" is a special brand for certified distros +%if %{mdvver} == 201900 || %{mdvver} == 201905 +%bcond_without nickel +%else +%bcond_with nickel +%endif + # Kernel flavour -%if %{enhanced_security} +%if %{with nickel} %define flavour nickel %else -%define flavour nrj-desktop +%define flavour generic %endif # The full kernel version @@ -400,20 +407,11 @@ Version: %{fakever} Release: %{fakerel} Summary: Development files for kernel-%{flavour}-%{buildrel} Group: Development/Kernel - Requires: glibc-devel Requires: ncurses-devel Requires: make Requires: gcc Requires: perl - -# Loading kernel modules without valid signature is prohobibited -# when building with enhanced_security -%if ! %{enhanced_security} -Requires(post): dkms -Requires(preun): dkms -%endif - Provides: kernel-devel = %{kverrel} Provides: kernel-%{flavour}-devel = %{kverrel} %if %{enhanced_security} @@ -430,21 +428,12 @@ This package contains the kernel files (headers and build tools) that should be enough to build additional drivers for use with kernel-%{flavour}-%{buildrel}. -%if ! %{enhanced_security} %post -n kernel-%{flavour}-devel-%{buildrel} +if ! command -v dkms >/dev/null 2>&1; then exit 0; fi /usr/sbin/dkms_autoinstaller start %{kver_full} -%endif %preun -n kernel-%{flavour}-devel-%{buildrel} -%if ! %{enhanced_security} -for ii in $(/usr/sbin/dkms status -k %{kver_full} | awk '{ print $1 $2; }'); do - mod=$(echo $ii | awk -v FS=',' '{ print $1; }') - ver=$(echo $ii | awk -v FS=',' '{ print $2; }') - /usr/sbin/dkms --rpm_safe_upgrade uninstall -m $mod -v $ver -k %{kver_full} || true -done -%endif - # If any DKMS modules with REMAKE_INITRD=yes in their configs have been # uninstalled, initrd has been regenerated for the given kernel. However, # the kernel itself might have been uninstalled before, so that (defunct) 
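Review bot: With the flavour now keyed on `%{with nickel}` instead of `%{enhanced_security}`, a build for `mdvver` 201900/201905 with `--without enhanced_security` still produces a package named `nickel`, which the old coupling made impossible. If the certified flavour is meant to always carry the enhanced-security settings (inferred from the previous `%if %{enhanced_security}` at this spot), reject that combination right after the flavour block: `%if %{with nickel} && !%{enhanced_security}`, then `%{error:nickel flavour requires enhanced_security}`, then `%endif`. A short comment saying why these two `mdvver` values are the certified ones would also help the next maintainer.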
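Review bot: The new guard in `%post` (and the identical one in the `%preun` hunk at `-456,6 +445,14`) looks up `dkms` on `PATH`, but the scriptlets then run `/usr/sbin/dkms_autoinstaller` and `/usr/sbin/dkms` by absolute path. The check and the call can therefore disagree, for example if `/usr/sbin` is not on the scriptlet's `PATH` or only one of the two files is present. Testing the file that is actually executed is tighter: `[ -x /usr/sbin/dkms_autoinstaller ] || exit 0` in `%post` and `[ -x /usr/sbin/dkms ] || exit 0` in `%preun`. Separately, the removed comment said unsigned modules cannot be loaded with `enhanced_security`, which is now always 1, and the `%if ! %{enhanced_security}` wrappers are gone, so DKMS rebuilds now run on exactly those builds. Please add a comment stating how those modules get signed, or that a failed load is expected there.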
@@ -456,6 +445,14 @@ if ! test -f /boot/vmlinuz-%{kver_full}; then rm -f /boot/initrd-%{kver_full}_old.img fi +if ! command -v dkms >/dev/null 2>&1; then exit 0; fi + +for ii in $(/usr/sbin/dkms status -k %{kver_full} | awk '{ print $1 $2; }'); do + mod=$(echo $ii | awk -v FS=',' '{ print $1; }') + ver=$(echo $ii | awk -v FS=',' '{ print $2; }') + /usr/sbin/dkms --rpm_safe_upgrade uninstall -m $mod -v $ver -k %{kver_full} || : +done + %postun -n kernel-%{flavour}-devel-%{buildrel} rm -rf /usr/src/linux-%{kver_full} >/dev/null # depmod (called when removing DKMS modules) might have created files in @@ -741,6 +738,7 @@ should use the 'kernel-devel' package instead. ############################################################################ %if %{with uml} + %package -n kernel-uml-%{flavour}-%{buildrel} Version: %{fakever} Release: %{fakerel} @@ -750,7 +748,8 @@ Summary: User Mode Linux binary Group: System/Kernel and hardware %description -n kernel-uml-%{flavour}-%{buildrel} -User Mode Linux binary, not stripped +User Mode Linux binary. +Stripped, debug is in kernel-%{flavour}-%{buildrel}-debuginfo. %files -n kernel-uml-%{flavour}-%{buildrel} %{_bindir}/linux-uml-%{kver_full} 
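Review bot: The relocated uninstall loop in `%preun` still expands `$ii`, `$mod` and `$ver` unquoted, so any whitespace or glob character in the `dkms status` output is split or expanded by the shell before it reaches `dkms uninstall`. Quote the arguments: `/usr/sbin/dkms --rpm_safe_upgrade uninstall -m "$mod" -v "$ver" -k %{kver_full} || :`, and likewise `echo "$ii"` in the two awk pipelines. The `exit 0` guard placed before the loop also means anything appended to `%preun` later is silently skipped when dkms is absent; wrapping the loop in `if ...; then ... fi` avoids that trap.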
@@ -772,8 +771,50 @@ User Mode Linux (UML) kernel modules %files -n kernel-uml-modules-%{flavour}-%{buildrel} /lib/modules-uml/%{kver_full} +#------------------------------------------------ + +%package -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest +Version: %{kversion} +Release: %{fullrpmrel} +Summary: Meta package for the latest kernel-uml-%{flavour} in %{kernelversion}.%{patchlevel} series +Group: System/Kernel and hardware +Requires: kernel-uml-%{flavour}-%{buildrel} + +%ifarch %{ix86} +Conflicts: arch(x86_64) %endif +%description -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest +This meta package aims to make sure you always have the +latest kernel-uml-%{flavour} %{kernelversion}.%{patchlevel}.x +(User Mode Linux binary) installed. + +%files -n kernel-uml-%{flavour}-%{kernelversion}.%{patchlevel}-latest +# no files +#------------------------------------------------ + +%package -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest +Version: %{kversion} +Release: %{fullrpmrel} +Summary: Meta package for the latest kernel-uml-modules-%{flavour} in %{kernelversion}.%{patchlevel} series +Group: System/Kernel and hardware +Requires: kernel-uml-modules-%{flavour}-%{buildrel} + +%ifarch %{ix86} +Conflicts: arch(x86_64) +%endif + +%description -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest +This meta package aims to make sure you always have the +latest kernel-uml-modules-%{flavour} %{kernelversion}.%{patchlevel}.x +(User Mode Linux kernel modules) installed. + +%files -n kernel-uml-modules-%{flavour}-%{kernelversion}.%{patchlevel}-latest +# no files +#------------------------------------------------ + +%endif #endif uml + ############################################################################ %prep 
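Review bot: The closing `%endif #endif uml` puts text after the directive on the same line; rpm does not treat that as a comment, and recent versions warn about extra tokens after `%endif`. Put the marker on its own line, `# endif uml`, followed by a bare `%endif`. The `%if %{with uml}` that this closes starts in an earlier hunk.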
@@ -868,12 +909,16 @@ echo CONFIG_SYSTEM_EXTRA_CERTIFICATE=y >> %{build_dir}/.config.append # Estimated performance impact is described in the commit # "Fill newly allocated pages and heap objects with zeroes." # To enable, add to cmdline: init_on_alloc=1 -#sed -i '/CONFIG_INIT_ON_ALLOC_DEFAULT_ON/d' .config -#echo CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y >> %{build_dir}/.config.append +sed -i '/CONFIG_INIT_ON_ALLOC_DEFAULT_ON/d' .config +echo CONFIG_INIT_ON_ALLOC_DEFAULT_ON=n >> %{build_dir}/.config.append # "Fill freed pages and heap objects with zeroes" # To disable, add to cmdline: init_on_free=0 -sed -i '/CONFIG_INIT_ON_FREE_DEFAULT_O/d' .config +sed -i '/CONFIG_INIT_ON_FREE_DEFAULT_ON/d' .config +%if %{with nickel} echo CONFIG_INIT_ON_FREE_DEFAULT_ON=y >> %{build_dir}/.config.append +%else +echo CONFIG_INIT_ON_FREE_DEFAULT_ON=n >> %{build_dir}/.config.append +%endif # Here enabling only either only init_on_free or only init_on_alloc # makes sense; init_on_alloc is not about protecting information.
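Review bot: The comment `# To disable, add to cmdline: init_on_free=0` above the new `%if %{with nickel}` block is now accurate only for nickel builds. On every other flavour the default becomes off, so freed pages and heap objects are not zeroed unless the system is booted with `init_on_free=1`. Please reword it, e.g. `# Default on for nickel only; elsewhere enable with init_on_free=1`, and state the trade-off (performance versus stale data left in freed memory) next to the `%else` branch. Also, the `sed -i` lines edit `.config` in the current directory while the `echo` lines append to `%{build_dir}/.config.append`. That predates this commit, but if the two are different directories the old value is never removed, so confirm it given that these lines now set an explicit `=n`.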