
Merge pull request #1152 from linux-surface/fedora-ark

Replace fedora package with kernel-ark
Dorian Stoll 2 years ago
parent
commit
a696fc8729

+ 16 - 12
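--- a/.github/workflows/fedora-37.yml
+++ b/.github/workflows/fedora-37.yml
@@ -12,9 +12,7 @@ jobs:
   build:
     name: Build Kernel
     runs-on: ubuntu-latest
-    container:
-      image: registry.fedoraproject.org/fedora:37
-      options: --security-opt seccomp=unconfined
+    container: registry.fedoraproject.org/fedora:37
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
@@ -22,25 +20,33 @@ jobs:
     - name: Install build dependencies
       run: |
         dnf distro-sync -y
+        dnf install -y git make gcc flex bison bzip2 rpm-build
         dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
-        dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
+
+        # Install build dependencies
+        dnf builddep -y kernel
+
+        # Install additional build dependencies
+        dnf install -y sbsigntools
 
     - name: Setup secureboot certificate
       env:
         SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
       run: |
-        cd pkg
-
         # Install the surface secureboot certificate
-        echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
-        cp keys/surface.crt fedora/kernel-surface/surface.crt
+        echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
+        cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
 
     - name: Build packages
       run: |
         cd pkg/fedora/kernel-surface
 
+        # setup git
+        git config --global user.email "surfacebot@users.noreply.github.com"
+        git config --global user.name "surfacebot"
+
         # Build the .rpm packages
-        ../makerpm -- --with=signkernel -ba
+        python3 build-linux-surface.py
 
     - name: Sign packages
       env:
@@ -84,9 +90,7 @@ jobs:
     name: Update package repository
     needs: [release]
     runs-on: ubuntu-latest
-    container:
-      image: fedora:37
-      options: --security-opt seccomp=unconfined
+    container: registry.fedoraproject.org/fedora:37
     steps:
     - name: Install dependencies
       run: |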
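Review bot: The secureboot step decodes the private key into the checkout at `pkg/fedora/kernel-surface/secureboot/MOK.key` with whatever umask the container happens to have, and build-linux-surface.py then passes that file to build-ark.py via `--file`, which copies it into the kernel-ark tree's `redhat/fedora_files/`; whether the SRPM produced by `make dist-rpms` picks that directory up, and whether any later step uploads it, is not visible here and is worth confirming before relying on this flow. Tightening the write itself is cheap: `(umask 077; echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key)`. The new single-line `container: registry.fedoraproject.org/fedora:37` pins only a mutable tag for an environment that handles a signing key; an `image@sha256:<digest-placeholder>` reference should make the build environment reproducible. The same points apply to the identical hunks in fedora-38.yml, and the `build` and repository-update jobs both continue outside these hunks.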

+ 16 - 12
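--- a/.github/workflows/fedora-38.yml
+++ b/.github/workflows/fedora-38.yml
@@ -12,9 +12,7 @@ jobs:
   build:
     name: Build Kernel
     runs-on: ubuntu-latest
-    container:
-      image: registry.fedoraproject.org/fedora:38
-      options: --security-opt seccomp=unconfined
+    container: registry.fedoraproject.org/fedora:38
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
@@ -22,25 +20,33 @@ jobs:
     - name: Install build dependencies
       run: |
         dnf distro-sync -y
+        dnf install -y git make gcc flex bison bzip2 rpm-build
         dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
-        dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
+
+        # Install build dependencies
+        dnf builddep -y kernel
+
+        # Install additional build dependencies
+        dnf install -y sbsigntools
 
     - name: Setup secureboot certificate
       env:
         SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
       run: |
-        cd pkg
-
         # Install the surface secureboot certificate
-        echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
-        cp keys/surface.crt fedora/kernel-surface/surface.crt
+        echo "$SB_KEY" | base64 -d > pkg/fedora/kernel-surface/secureboot/MOK.key
+        cp pkg/keys/surface.crt pkg/fedora/kernel-surface/secureboot/MOK.crt
 
     - name: Build packages
       run: |
         cd pkg/fedora/kernel-surface
 
+        # setup git
+        git config --global user.email "surfacebot@users.noreply.github.com"
+        git config --global user.name "surfacebot"
+
         # Build the .rpm packages
-        ../makerpm -- --with=signkernel -ba
+        python3 build-linux-surface.py
 
     - name: Sign packages
       env:
@@ -84,9 +90,7 @@ jobs:
     name: Update package repository
     needs: [release]
     runs-on: ubuntu-latest
-    container:
-      image: fedora:38
-      options: --security-opt seccomp=unconfined
+    container: registry.fedoraproject.org/fedora:38
     steps:
     - name: Install dependencies
       run: |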

+ 4 - 2
pkg/fedora/kernel-surface/.gitignore

@@ -1,2 +1,4 @@
-surface.key
-surface.crt
+secureboot/MOK.key
+secureboot/MOK.crt
+kernel-ark
+out

+ 0 - 87
pkg/fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch

@@ -1,87 +0,0 @@
-From 4d40b8001ac67866e49659211163ebcc0b17dd73 Mon Sep 17 00:00:00 2001
-From: Dorian Stoll <dorian.stoll@tmsp.io>
-Date: Sun, 22 Sep 2019 22:44:16 +0200
-Subject: [PATCH] Add secureboot pre-signing to the kernel
-
-If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
-the kernel Makefile will automatically sign the vmlinux / bzImage file that
-gets generated, and that is then used in packaging.
-
-By integrating it into the kernel build system directly, it is fully integrated
-with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
-and it gets added to every tree by the same mechanism that is used to apply the
-other surface patches anyways.
-
-Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
----
- .gitignore             |  3 +++
- arch/x86/Makefile      |  1 +
- scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
- 3 files changed, 34 insertions(+)
- create mode 100755 scripts/sign_kernel.sh
-
-diff --git a/.gitignore b/.gitignore
-index 2030c7a4d2f8..f0705ecd9340 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -132,6 +132,9 @@ signing_key.priv
- signing_key.x509
- x509.genkey
- 
-+# Secureboot certificate
-+/keys/
-+
- # Kconfig presets
- /all.config
- /alldef.config
-diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index 94df0868804b..2c7b7829f0c2 100644
---- a/arch/x86/Makefile
-+++ b/arch/x86/Makefile
-@@ -284,6 +284,7 @@ endif
- 	$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
- 	$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
- 	$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
-+	$(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
- 
- $(BOOT_TARGETS): vmlinux
- 	$(Q)$(MAKE) $(build)=$(boot) $@
-diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
-new file mode 100755
-index 000000000000..d2526a279254
---- /dev/null
-+++ b/scripts/sign_kernel.sh
-@@ -0,0 +1,30 @@
-+#!/bin/sh
-+# SPDX-License-Identifier: GPL-2.0
-+
-+# The path to the compiled kernel image is passed as the first argument
-+BUILDDIR=$(dirname $(dirname $0))
-+VMLINUX=$1
-+
-+# Keys are stored in a toplevel directory called keys
-+# The following files need to be there:
-+#     * MOK.priv  (private key)
-+#     * MOK.pem   (public key)
-+#
-+# If the files don't exist, this script will do nothing.
-+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
-+    exit 0
-+fi
-+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
-+    exit 0
-+fi
-+
-+# Both required certificates were found. Check if sbsign is installed.
-+echo "Keys for automatic secureboot signing found."
-+if [ ! -x "$(command -v sbsign)" ]; then
-+    echo "ERROR: sbsign not found!"
-+    exit -2
-+fi
-+
-+# Sign the kernel
-+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
-+    --output $VMLINUX $VMLINUX
--- 
-2.23.0
-

+ 171 - 0
pkg/fedora/kernel-surface/build-ark.py

@@ -0,0 +1,171 @@
+#!/usr/bin/env python3
+
+import argparse
+import functools
+import operator
+import os
+import shutil
+import subprocess
+import time
+
+
+def system(cmd: str) -> None:
+    subprocess.run(cmd, shell=True, check=True)
+
+
+parser = argparse.ArgumentParser(usage="Build a patched Fedora kernel")
+
+parser.add_argument(
+    "--package-name",
+    help="The name of the patched package (e.g. foo -> kernel-foo).",
+    required=True,
+)
+
+parser.add_argument(
+    "--package-tag",
+    help="The upstream tag to build.",
+    required=True,
+)
+
+parser.add_argument(
+    "--package-release",
+    help="The release suffix of the modified package.",
+    required=True,
+)
+
+parser.add_argument(
+    "--ark-dir",
+    help="The local path to the kernel-ark repository.",
+    default="kernel-ark",
+)
+
+parser.add_argument(
+    "--ark-url",
+    help="The remote path to the kernel-ark repository.",
+    default="https://gitlab.com/cki-project/kernel-ark",
+)
+
+parser.add_argument(
+    "--patch",
+    help="Applies a patch to the kernel source.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--config",
+    help="Applies a KConfig fragment to the kernel source.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--file",
+    help="Copy a file into the RPM buildroot.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--buildopts",
+    help="Enable or disable options of the kernel spec file.",
+    action="append",
+    nargs="+",
+)
+
+parser.add_argument(
+    "--outdir",
+    help="The directory where the built RPM files will be saved.",
+    default="out",
+)
+
+args = parser.parse_args()
+
+patches = [] if not args.patch else functools.reduce(operator.add, args.patch)
+configs = [] if not args.config else functools.reduce(operator.add, args.config)
+files = [] if not args.file else functools.reduce(operator.add, args.file)
+buildopts = [] if not args.buildopts else functools.reduce(operator.add, args.buildopts)
+
+# Make paths absolute.
+patches = [os.path.realpath(x) for x in patches]
+configs = [os.path.realpath(x) for x in configs]
+files = [os.path.realpath(x) for x in files]
+outdir = os.path.realpath(args.outdir)
+
+# Clone the kernel-ark repository if it doesn't exist.
+if not os.path.exists(args.ark_dir):
+    system("git clone '%s' '%s'" % (args.ark_url, args.ark_dir))
+
+os.chdir(args.ark_dir)
+
+# Check out the requested tag.
+system("git fetch --tags")
+system("git clean -dfx")
+system("git checkout -b 'build/%s'" % time.time())
+system("git reset --hard '%s'" % args.package_tag)
+
+# Apply patches
+for patch in patches:
+    system("git am '%s'" % patch)
+
+# Copy files
+for file in files:
+    shutil.copy(file, "redhat/fedora_files/")
+
+# Apply config options
+#
+# The format that the kernel-ark tree expects is a bit different from
+# a standard kernel config. Every option is split into a single file
+# named after that config.
+#
+# Example:
+#   $ cat redhat/configs/common/generic/CONFIG_PCI
+#   CONFIG_PCI=y
+#
+# This supposedly makes things easier for Red Hat developers,
+# but it also ends up being really annoying for us.
+for config in configs:
+    with open(config) as f:
+        lines = f.readlines()
+
+    # Filter out comments, this means only selecting lines that look like:
+    #   - CONFIG_FOO=b
+    #   - # CONFIG_FOO is not set
+    for line in lines:
+        enable = line.startswith("CONFIG_")
+        disable = line.startswith("# CONFIG_")
+
+        if not enable and not disable:
+            continue
+
+        NAME = ""
+
+        if enable:
+            NAME = line.split("=")[0]
+        elif disable:
+            NAME = line[2:].split(" ")[0]
+
+        print("Applying %s" % line.rstrip("\n"))
+
+        with open("redhat/configs/custom-overrides/generic/%s" % NAME, "w") as f:
+            f.write(line)
+
+system("git add redhat/configs/custom-overrides/generic")
+system("git commit -m 'Merge %s config'" % args.package_name)
+
+cmd = []
+cmd.append("make")
+cmd.append("dist-rpms")
+cmd.append("SPECPACKAGE_NAME='kernel-%s'" % args.package_name)
+cmd.append("DISTLOCALVERSION='.%s'" % args.package_name)
+cmd.append("BUILD='%s'" % args.package_release)
+
+if len(buildopts) > 0:
+    cmd.append("BUILDOPTS='%s'" % " ".join(buildopts))
+
+# Build RPMS
+system(" ".join(cmd))
+
+# Copy built RPMS to output directory
+os.makedirs(outdir, exist_ok=True)
+system("cp -r redhat/rpm/RPMS/* '%s'" % outdir)

+ 111 - 0
pkg/fedora/kernel-surface/build-linux-surface.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+
+import subprocess
+import sys
+from pathlib import Path
+
+#####################################################################
+
+##
+## The name of the modified kernel package.
+##
+PACKAGE_NAME = "surface"
+
+##
+## https://gitlab.com/cki-project/kernel-ark/-/tags
+##
+## Fedora tags: kernel-X.Y.Z
+## Upstream tags: vX.Y.Z
+##
+PACKAGE_TAG = "kernel-6.3.6-0"
+
+##
+## The release number of the modified kernel package.
+## e.g. 300 for kernel-6.3.1-300.fc38.foo
+##
+PACKAGE_RELEASE = "1"
+
+##
+## Build options for configuring which parts of the kernel package are enabled.
+##
+## We disable all userspace components because we only want the kernel + modules.
+## We also don't care too much about debug info or UKI.
+##
+## To list the available options, run make dist-full-help in the kernel-ark tree.
+##
+KERNEL_BUILDOPTS = "+up +baseonly -debuginfo -doc -headers -efiuki"
+
+#####################################################################
+
+# The directory where this script is saved.
+script = Path(sys.argv[0]).resolve().parent
+
+# The root of the linux-surface repository.
+linux_surface = script / ".." / ".." / ".."
+
+# Determine the major version of the kernel.
+kernel_version = PACKAGE_TAG.split("-")[1]
+kernel_major = ".".join(kernel_version.split(".")[:2])
+
+# Determine the patches directory and config file.
+patches = linux_surface / "patches" / kernel_major
+config = linux_surface / "configs" / ("surface-%s.config" % kernel_major)
+
+sb_cert = script / "secureboot" / "MOK.crt"
+sb_key = script / "secureboot" / "MOK.key"
+
+# Check if the major version is supported.
+if not patches.exists() or not config.exists():
+    print("ERROR: Could not find patches / configs for kernel %s!" % kernel_major)
+    sys.exit(1)
+
+# Check if Secure Boot keys are available.
+sb_avail = sb_cert.exists() and sb_key.exists()
+
+# If we are building without secureboot, require user input to continue.
+if not sb_avail:
+    print("")
+    print("Secure Boot keys were not configured! Using Red Hat testkeys.")
+    print("The compiled kernel will not boot with Secure Boot enabled!")
+    print("")
+
+    input("Press any key to continue")
+
+# Expand globs
+surface_patches = sorted(patches.glob("*.patch"))
+
+cmd = []
+cmd += [script / "build-ark.py"]
+cmd += ["--package-name", PACKAGE_NAME]
+cmd += ["--package-tag", PACKAGE_TAG]
+cmd += ["--package-release", PACKAGE_RELEASE]
+cmd += ["--patch"] + surface_patches
+cmd += ["--config", config]
+cmd += ["--buildopts", KERNEL_BUILDOPTS]
+
+local_patches = sorted((script / "patches").glob("*.patch"))
+local_configs = sorted((script / "configs").glob("*.config"))
+local_files = sorted((script / "files").glob("*"))
+
+if len(local_patches) > 0:
+    cmd += ["--patch"] + local_patches
+
+if len(local_configs) > 0:
+    cmd += ["--config"] + local_configs
+
+if len(local_files) > 0:
+    cmd += ["--file"] + local_files
+
+if sb_avail:
+    sb_patches = sorted((script / "secureboot").glob("*.patch"))
+    sb_configs = sorted((script / "secureboot").glob("*.config"))
+
+    if len(sb_patches) > 0:
+        cmd += ["--patch"] + sb_patches
+
+    if len(sb_configs) > 0:
+        cmd += ["--config"] + sb_configs
+
+    cmd += ["--file", sb_cert, sb_key]
+
+subprocess.run(cmd, check=True)
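Review bot: `kernel_version = PACKAGE_TAG.split("-")[1]` only handles the `kernel-X.Y.Z-N` form, yet the comment block above `PACKAGE_TAG` lists upstream `vX.Y.Z` tags as valid input; for such a tag the index lookup raises IndexError before the "Could not find patches" check ever runs. Something like `kernel_version = PACKAGE_TAG.split("-")[1] if PACKAGE_TAG.startswith("kernel-") else PACKAGE_TAG.lstrip("v")` covers both forms. The fallback to Red Hat test keys is gated only by `input("Press any key to continue")`; in a non-interactive run (CI without a TTY) that raises EOFError, which fails closed but with a traceback rather than a message, so `if not sys.stdin.isatty(): sys.exit("ERROR: Secure Boot keys missing in non-interactive build")` before the prompt would make the intended behaviour explicit. The prompt text is also slightly misleading, since `input()` returns only on Enter.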

+ 0 - 0
pkg/fedora/kernel-surface/configs/.gitkeep


+ 7 - 0
pkg/fedora/kernel-surface/configs/fedora.config

@@ -0,0 +1,7 @@
+##
+## Config options specific to Fedora
+##
+
+# The build fails because this is not enabled in the config set for RHEL,
+# but enabled automatically by one of our patches.
+CONFIG_VIDEO_V4L2_SUBDEV_API=y

+ 0 - 10
pkg/fedora/kernel-surface/fedora.config

@@ -1,10 +0,0 @@
-##
-## Forcefully disable debug symbols
-##
-
-CONFIG_DEBUG_INFO_NONE=y
-# CONFIG_DEBUG_INFO is not set
-# CONFIG_DEBUG_INFO_BTF is not set
-# CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT is not set
-# CONFIG_DEBUG_INFO_DWARF4 is not set
-# CONFIG_DEBUG_INFO_DWARF5 is not set

+ 0 - 0
pkg/fedora/kernel-surface/files/.gitkeep


+ 8 - 0
pkg/fedora/kernel-surface/files/linux-surface-default-kernel.path

@@ -0,0 +1,8 @@
+[Unit]
+Description=linux-surface default kernel watchdog
+
+[Path]
+PathChanged=/boot
+
+[Install]
+WantedBy=default.target

+ 6 - 0
pkg/fedora/kernel-surface/files/linux-surface-default-kernel.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=linux-surface default kernel watchdog
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/linux-surface-default-kernel.sh

+ 20 - 0
pkg/fedora/kernel-surface/files/linux-surface-default-kernel.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -euo pipefail
+
+# get list of surface kernels with timestamp
+kernels=$(find /boot -maxdepth 1 -name "vmlinuz-*.surface.*" -printf '%T@\t%p\n')
+
+# sort by timestamp
+kernels=$(echo "${kernels}" | sort -n)
+
+# get latest kernel (last line) and extract path
+kernel=$(echo "${kernels}" | tail -n1 | cut -f2)
+
+echo $kernel
+
+# update GRUB config
+grubby --set-default "${kernel}"
+
+# update timestamp for rEFInd (ensure it's marked as latest across all kernels,
+# not just surface ones)
+touch "${kernel}"
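Review bot: There is no guard for the case where `find` matches no surface kernel: `kernels` is then empty, `kernel` becomes the empty string, and `grubby --set-default ""` runs (with `set -u` satisfied because the variable is set), so add `[ -n "${kernel}" ] || exit 0` after the `cut` line. The bare `echo $kernel` should be `echo "${kernel}"` for consistency with the rest of the file. This script is started by the path unit on `PathChanged=/boot`, and the final `touch "${kernel}"` itself modifies a file in /boot, so it may retrigger the unit; worth confirming systemd's behaviour here or skipping the work when `grubby --default-kernel` already prints `${kernel}`.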

+ 0 - 363
pkg/fedora/kernel-surface/kernel-surface.spec

@@ -1,363 +0,0 @@
-#
-# Definitions to configure the kernel we want to build
-#
-
-%global kernel_tag_fc38 kernel-6.3.5-200.fc38
-%global kernel_tag_fc37 kernel-6.3.5-100.fc37
-
-%global kernel_release_fc38 1
-%global kernel_release_fc37 1
-
-# This is what is printed in the GRUB menu. These cannot be fetched from the
-# buildhost, because in a container this will also say container. To get the
-# same text as the default kernels, just hardcode it. Hey, this is important!
-%global fedora_title_fc37 38 (Thirty Eight)
-%global fedora_title_fc37 37 (Thirty Seven)
-
-%global ls_patches_commit f6d9315b8a3ecaee9f1575d8860a46cf44e79607
-
-%global sb_crt surface.crt
-%global sb_key surface.key
-
-#
-# Definitions that get automatically generated from the ones above
-#
-
-%global kernel_tag %{kernel_tag_fc%{fedora}}
-%global kernel_release %{kernel_release_fc%{fedora}}
-%global fedora_title %{fedora_title_fc%{fedora}}
-
-%global kernel_version %(echo %{kernel_tag} | cut -d'-' -f2)
-%global kernel_majorver %(echo %{kernel_version} | cut -d'.' -f1-2)
-%global kernel_patches patches/%{kernel_majorver}
-
-%global kernel_localversion %{kernel_release}.surface%{?dist}.%{_target_cpu}
-%global kernel_config kernel-%{kernel_version}-%{_target_cpu}.config
-%global kernel_name %{kernel_version}-%{kernel_localversion}
-
-%global fedora_source https://github.com/StollD/linux-fedora
-%global surface_source https://raw.githubusercontent.com/linux-surface/linux-surface/%{ls_patches_commit}
-
-%global kernel_modpath %{buildroot}/lib/modules/%{kernel_name}
-
-#
-# Actual specfile starts here
-#
-
-%bcond_with signkernel
-
-Name:       kernel-surface
-Summary:    The Linux Kernel with patches for Microsoft Surface
-Version:    %{kernel_version}
-Release:    %{kernel_release}%{?dist}
-License:    GPLv2
-URL:        https://github.com/linux-surface/linux-surface
-
-Provides: installonlypkg(kernel-surface)
-Provides: kernel-uname-r = %{kernel_name}
-Provides: kernel-core-uname-r = %{kernel_name}
-Provides: kernel-modules-uname-r = %{kernel_name}
-
-Recommends: iptsd
-
-Requires(pre): coreutils, systemd >= 203-2, /usr/bin/kernel-install
-Requires(pre): dracut >= 027
-Requires(pre): linux-firmware >= 20150904-56.git6ebf5d57
-Requires(preun): systemd >= 200
-
-BuildRequires: openssl openssl-devel
-BuildRequires: kmod, patch, bash, tar, git-core, sbsigntools
-BuildRequires: bzip2, xz, findutils, gzip, m4, perl-interpreter,
-BuildRequires: perl-Carp, perl-devel, perl-generators, make, diffutils,
-BuildRequires: gawk, gcc, binutils, redhat-rpm-config, hmaccalc, bison
-BuildRequires: flex, net-tools, hostname, bc, elfutils-devel
-BuildRequires: gcc-plugin-devel dwarves
-
-# Used to mangle unversioned shebangs to be Python 3
-BuildRequires: python3-devel
-
-Conflicts: xfsprogs < 4.3.0-1
-Conflicts: xorg-x11-drv-vmmouse < 13.0.99
-BuildConflicts: rhbuildsys(DiskFree) < 500Mb
-BuildConflicts: rpm < 4.13.0.1-19
-BuildConflicts: dwarves < 1.13
-
-Source0:    %{fedora_source}/archive/%{kernel_tag}.tar.gz
-Source1:    %{surface_source}/configs/surface-%{kernel_majorver}.config
-Source2:    fedora.config
-
-%if %{with signkernel}
-Source20:   %{sb_crt}
-Source21:   %{sb_key}
-%endif
-
-Source100:  mod-sign.sh
-Source101:  parallel_xz.sh
-
-Patch0:     %{surface_source}/%{kernel_patches}/0001-surface3-oemb.patch
-Patch1:     %{surface_source}/%{kernel_patches}/0002-mwifiex.patch
-Patch2:     %{surface_source}/%{kernel_patches}/0003-ath10k.patch
-Patch3:     %{surface_source}/%{kernel_patches}/0004-ipts.patch
-Patch4:     %{surface_source}/%{kernel_patches}/0005-ithc.patch
-Patch5:     %{surface_source}/%{kernel_patches}/0006-surface-sam.patch
-Patch6:     %{surface_source}/%{kernel_patches}/0007-surface-sam-over-hid.patch
-Patch7:     %{surface_source}/%{kernel_patches}/0008-surface-button.patch
-Patch8:     %{surface_source}/%{kernel_patches}/0009-surface-typecover.patch
-Patch9:     %{surface_source}/%{kernel_patches}/0010-surface-shutdown.patch
-Patch10:    %{surface_source}/%{kernel_patches}/0011-surface-gpe.patch
-Patch11:    %{surface_source}/%{kernel_patches}/0012-cameras.patch
-Patch12:    %{surface_source}/%{kernel_patches}/0013-amd-gpio.patch
-Patch13:    %{surface_source}/%{kernel_patches}/0014-rtc.patch
-
-Patch100:   0001-Add-secureboot-pre-signing-to-the-kernel.patch
-
-ExclusiveArch: x86_64
-
-%global debug_package %{nil}
-%global _build_id_links alldebug
-
-%description
-The Linux Kernel, the operating system core itself, with support for
-Microsoft Surface.
-
-%package devel
-Summary: Development package for building kernel modules for kernel-surface
-AutoReqProv: no
-Provides: installonlypkg(kernel-surface)
-Provides: kernel-devel-uname-r = %{kernel_name}
-
-%description devel
-This package provides kernel headers and makefiles sufficient to build modules
-against the kernel-surface package.
-
-%prep
-%autosetup -S git -n linux-fedora-%{kernel_tag}
-
-# Fix missing Makefile.rhelver
-touch Makefile.rhelver
-
-scripts/kconfig/merge_config.sh         \
-	fedora/configs/%{kernel_config} \
-	%{SOURCE1}                      \
-	%{SOURCE2}
-
-echo $((%{kernel_release} - 1)) > .version
-
-# Copy secureboot certificates if they are available
-%if %{with signkernel}
-mkdir -p keys
-cp %{SOURCE20} keys/MOK.crt
-cp %{SOURCE21} keys/MOK.key
-%endif
-
-# This Prevents scripts/setlocalversion from mucking with our version numbers.
-touch .scmversion
-
-# Mangle /usr/bin/python shebangs to /usr/bin/python3
-# Mangle all Python shebangs to be Python 3 explicitly
-# -p preserves timestamps
-# -n prevents creating ~backup files
-# -i specifies the interpreter for the shebang
-# This fixes errors such as
-# *** ERROR: ambiguous python shebang in /usr/bin/kvm_stat: #!/usr/bin/python. Change it to python3 (or python2) explicitly.
-# We patch all sources below for which we got a report/error.
-pathfix.py -i "%{__python3} %{py3_shbang_opts}" -p -n \
-	tools/kvm/kvm_stat/kvm_stat \
-	scripts/show_delta \
-	scripts/diffconfig \
-	scripts/bloat-o-meter \
-	scripts/jobserver-exec \
-	tools \
-	Documentation \
-	scripts/clang-tools
-
-%build
-
-# This ensures build-ids are unique to allow parallel debuginfo
-perl -p -i -e "s/^CONFIG_BUILD_SALT.*/CONFIG_BUILD_SALT=\"%{kernel_name}\"/" .config
-
-make %{?_smp_mflags} all LOCALVERSION=-%{kernel_localversion} ARCH=%{_target_cpu}
-
-%define __modsign_install_post \
-  %{SOURCE100} certs/signing_key.pem certs/signing_key.x509 %{kernel_modpath} \
-  find %{kernel_modpath} -type f -name '*.ko' | %{SOURCE101} %{?_smp_mflags}; \
-%{nil}
-
-#
-# Disgusting hack alert! We need to ensure we sign modules *after* all
-# invocations of strip occur.
-#
-%define __spec_install_post \
-  %{?__debug_package:%{__debug_install_post}}\
-  %{__arch_install_post}\
-  %{__os_install_post}\
-  %{__modsign_install_post}
-
-%install
-mkdir -p %{buildroot}/boot
-
-# Install modules
-make %{?_smp_mflags} INSTALL_MOD_PATH=%{buildroot} modules_install KERNELRELEASE=%{kernel_name}
-
-# Install vmlinuz
-image_name=$(make -s image_name)
-install -m 755 $image_name %{buildroot}/boot/vmlinuz-%{kernel_name}
-install -m 755 $image_name %{kernel_modpath}/vmlinuz
-
-# Install System.map and .config
-install -m 644 System.map %{kernel_modpath}/System.map
-install -m 644 System.map %{buildroot}/boot/System.map-%{kernel_name}
-install -m 644 .config %{kernel_modpath}/config
-install -m 644 .config %{buildroot}/boot/config-%{kernel_name}
-
-# hmac sign the kernel for FIPS
-sha512hmac %{buildroot}/boot/vmlinuz-%{kernel_name} | sed -e "s,%{buildroot},," > %{kernel_modpath}/.vmlinuz.hmac
-cp %{kernel_modpath}/.vmlinuz.hmac %{buildroot}/boot/.vmlinuz-%{kernel_name}.hmac
-
-# mark modules executable so that strip-to-file can strip them
-find %{kernel_modpath} -name "*.ko" -type f | xargs --no-run-if-empty chmod u+x
-
-# Setup directories for -devel files
-rm -f %{kernel_modpath}/build
-rm -f %{kernel_modpath}/source
-mkdir -p %{kernel_modpath}/build
-pushd %{kernel_modpath}
-	ln -s build source
-popd
-
-# first copy everything
-cp --parents $(find  -type f -name "Makefile*" -o -name "Kconfig*") %{kernel_modpath}/build
-cp Module.symvers %{kernel_modpath}/build
-cp System.map %{kernel_modpath}/build
-if [ -s Module.markers ]; then
-	cp Module.markers %{kernel_modpath}/build
-fi
-
-# then drop all but the needed Makefiles/Kconfig files
-rm -rf %{kernel_modpath}/build/scripts
-rm -rf %{kernel_modpath}/build/include
-cp .config %{kernel_modpath}/build
-cp -a scripts %{kernel_modpath}/build
-rm -rf %{kernel_modpath}/build/scripts/tracing
-rm -f %{kernel_modpath}/build/scripts/spdxcheck.py
-
-if [ -f tools/objtool/objtool ]; then
-	cp -a tools/objtool/objtool %{kernel_modpath}/build/tools/objtool/ || :
-
-	# these are a few files associated with objtool
-	cp -a --parents tools/build/Build.include %{kernel_modpath}/build/
-	cp -a --parents tools/build/Build %{kernel_modpath}/build/
-	cp -a --parents tools/build/fixdep.c %{kernel_modpath}/build/
-	cp -a --parents tools/scripts/utilities.mak %{kernel_modpath}/build/
-
-	# also more than necessary but it's not that many more files
-	cp -a --parents tools/objtool/* %{kernel_modpath}/build/
-	cp -a --parents tools/lib/str_error_r.c %{kernel_modpath}/build/
-	cp -a --parents tools/lib/string.c %{kernel_modpath}/build/
-	cp -a --parents tools/lib/subcmd/* %{kernel_modpath}/build/
-fi
-
-if [ -d arch/x86/scripts ]; then
-	cp -a arch/x86/scripts %{kernel_modpath}/build/arch/x86/ || :
-fi
-
-if [ -f arch/x86/*lds ]; then
-	cp -a arch/x86/*lds %{kernel_modpath}/build/arch/x86/ || :
-fi
-
-if [ -f arch/x86/kernel/module.lds ]; then
-	cp -a --parents arch/x86/kernel/module.lds %{kernel_modpath}/build/
-fi
-
-rm -f %{kernel_modpath}/build/scripts/*.o
-rm -f %{kernel_modpath}/build/scripts/*/*.o
-
-if [ -d arch/x86/include ]; then
-	cp -a --parents arch/x86/include %{kernel_modpath}/build/
-fi
-
-cp -a include %{kernel_modpath}/build/include
-
-# files for 'make prepare' to succeed with kernel-devel
-cp -a --parents arch/x86/entry/syscalls/syscall_32.tbl %{kernel_modpath}/build/
-cp -a --parents arch/x86/entry/syscalls/syscall_64.tbl %{kernel_modpath}/build/
-cp -a --parents arch/x86/tools/relocs_32.c %{kernel_modpath}/build/
-cp -a --parents arch/x86/tools/relocs_64.c %{kernel_modpath}/build/
-cp -a --parents arch/x86/tools/relocs.c %{kernel_modpath}/build/
-cp -a --parents arch/x86/tools/relocs_common.c %{kernel_modpath}/build/
-cp -a --parents arch/x86/tools/relocs.h %{kernel_modpath}/build/
-
-cp -a --parents scripts/syscalltbl.sh %{kernel_modpath}/build/
-cp -a --parents scripts/syscallhdr.sh %{kernel_modpath}/build/
-
-# Yes this is more includes than we probably need. Feel free to sort out
-# dependencies if you so choose.
-cp -a --parents tools/include/* %{kernel_modpath}/build/
-cp -a --parents arch/x86/purgatory/purgatory.c %{kernel_modpath}/build/
-cp -a --parents arch/x86/purgatory/stack.S %{kernel_modpath}/build/
-cp -a --parents arch/x86/purgatory/setup-x86_64.S %{kernel_modpath}/build/
-cp -a --parents arch/x86/purgatory/entry64.S %{kernel_modpath}/build/
-cp -a --parents arch/x86/boot/string.h %{kernel_modpath}/build/
-cp -a --parents arch/x86/boot/string.c %{kernel_modpath}/build/
-cp -a --parents arch/x86/boot/ctype.h %{kernel_modpath}/build/
-
-# Make sure the Makefile, version.h, and auto.conf have a matching
-# timestamp so that external modules can be built
-
-touch -r %{kernel_modpath}/build/Makefile \
-	%{kernel_modpath}/build/include/generated/uapi/linux/version.h \
-	%{kernel_modpath}/build/include/config/auto.conf
-
-mkdir -p %{buildroot}/usr/src/kernels
-mv %{kernel_modpath}/build %{buildroot}/usr/src/kernels/%{kernel_name}
-
-# This is going to create a broken link during the build, but we don't use
-# it after this point.  We need the link to actually point to something
-# when kernel-devel is installed, and a relative link doesn't work across
-# the F17 UsrMove feature.
-ln -sf /usr/src/kernels/%{kernel_name} %{kernel_modpath}/build
-
-# prune junk from kernel-devel
-find %{buildroot}/usr/src/kernels -name ".*.cmd" -delete
-
-# remove files that will be auto generated by depmod at rpm -i time
-pushd %{kernel_modpath}
-	rm -f modules.{alias*,builtin.bin,dep*,*map,symbols*,devname,softdep}
-popd
-
-# build a BLS config for this kernel
-cat >%{kernel_modpath}/bls.conf <<EOF
-title Fedora (%{kernel_name}) %{fedora_title}
-version %{kernel_name}
-linux /vmlinuz-%{kernel_name}
-initrd /initramfs-%{kernel_name}.img
-options \$kernelopts
-grub_users \$grub_users
-grub_arg --unrestricted
-grub_class kernel
-EOF
-
-%clean
-rm -rf %{buildroot}
-
-%posttrans
-/bin/kernel-install add %{kernel_name} /lib/modules/%{kernel_name}/vmlinuz || exit $?
-
-%preun
-/bin/kernel-install remove %{kernel_name} /lib/modules/%{kernel_name}/vmlinuz || exit $?
-
-%files
-%defattr (-, root, root)
-/lib/modules/%{kernel_name}
-%ghost /boot/vmlinuz-%{kernel_name}
-%ghost /boot/config-%{kernel_name}
-%ghost /boot/System.map-%{kernel_name}
-%ghost /boot/.vmlinuz-%{kernel_name}.hmac
-
-%files devel
-%defattr (-, root, root)
-/usr/src/kernels/%{kernel_name}
-
-%changelog
-* Thu Jan 09 2020 Dorian Stoll <dorian.stoll@tmsp.io>
-- Initial version

+ 0 - 36
pkg/fedora/kernel-surface/mod-sign.sh

@@ -1,36 +0,0 @@
-#! /bin/bash
-
-# The modules_sign target checks for corresponding .o files for every .ko that
-# is signed. This doesn't work for package builds which re-use the same build
-# directory for every flavour, and the .config may change between flavours.
-# So instead of using this script to just sign lib/modules/$KernelVer/extra,
-# sign all .ko in the buildroot.
-
-# This essentially duplicates the 'modules_sign' Kbuild target and runs the
-# same commands for those modules.
-
-MODSECKEY=$1
-MODPUBKEY=$2
-
-moddir=$3
-
-modules=`find $moddir -name *.ko`
-
-for mod in $modules
-do
-    dir=`dirname $mod`
-    file=`basename $mod`
-
-    ./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file}
-    rm -f ${dir}/${file}.{sig,dig}
-done
-
-RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | head -n 1)
-if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
-    echo "*****************************"
-    echo "*** Modules are unsigned! ***"
-    echo "*****************************"
-    exit 1
-fi
-
-exit 0

+ 0 - 26
pkg/fedora/kernel-surface/parallel_xz.sh

@@ -1,26 +0,0 @@
-#!/bin/sh
-# Reads filenames on stdin, xz-compresses each in place.
-# Not optimal for "compress relatively few, large files" scenario!
-
-# How many xz's to run in parallel:
-procgroup=""
-while test "$#" != 0; do
-	# Get it from -jNUM
-	N="${1#-j}"
-	if test "$N" = "$1"; then
-		# Not -j<something> - warn and ignore
-		echo "parallel_xz: warning: unrecognized argument: '$1'"
-	else
-		procgroup="$N"
-	fi
-	shift
-done
-
-# If told to use only one cpu:
-test "$procgroup" || exec xargs -r xz
-test "$procgroup" = 1 && exec xargs -r xz
-
-# xz has some startup cost. If files are really small,
-# this cost might be significant. To combat this,
-# process several files (in sequence) by each xz process via -n 16:
-exec xargs -r -n 16 -P $procgroup xz

+ 0 - 0
pkg/fedora/kernel-surface/patches/.gitkeep


+ 25 - 0
pkg/fedora/kernel-surface/patches/0001-iptsd.patch

@@ -0,0 +1,25 @@
+From 5fc0582727cb64230d1c2ac02001263f92a9b82c Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sun, 14 May 2023 09:21:43 +0200
+Subject: [PATCH] Pull in iptsd as a weak dependency
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+ redhat/kernel.spec.template | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..d61276b49d95 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -938,6 +938,7 @@ Requires(pre): %{kernel_prereq}\
+ Requires(pre): %{initrd_prereq}\
+ Requires(pre): ((linux-firmware >= 20150904-56.git6ebf5d57) if linux-firmware)\
+ Recommends: linux-firmware\
++Recommends: iptsd\
+ Requires(preun): systemd >= 200\
+ Conflicts: xfsprogs < 4.3.0-1\
+ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
+-- 
+2.40.1
+

+ 57 - 0
pkg/fedora/kernel-surface/patches/0002-provides.patch

@@ -0,0 +1,57 @@
+From 4f7a333fc3dbacc4b3fa25ea117cb59f865878af Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sun, 14 May 2023 15:04:22 +0200
+Subject: [PATCH] Let kernel-surface provide the standard package names
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+ redhat/kernel.spec.template | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..2d91719b7d93 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -598,6 +598,7 @@ Requires: kernel-core-uname-r = %{KVERREL}
+ Requires: kernel-modules-uname-r = %{KVERREL}
+ Requires: kernel-modules-core-uname-r = %{KVERREL}
+ Provides: installonlypkg(kernel)
++Provides: kernel = %{KVERREL}
+ %endif
+ 
+ 
+@@ -1226,6 +1227,7 @@ Summary: Development package for building kernel modules to match the %{?2:%{2}
+ Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{specrpmversion}-%{release}\
+ Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}\
+ Provides: kernel-devel-uname-r = %{KVERREL}%{?1:+%{1}}\
++Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}\
+ Provides: installonlypkg(kernel)\
+ AutoReqProv: no\
+ Requires(pre): findutils\
+@@ -1255,6 +1257,7 @@ against the %{?2:%{2} }kernel package.\
+ Summary: Meta package to install matching core and devel packages for a given %{?2:%{2} }kernel\
+ Requires: %{package_name}%{?1:-%{1}}-devel = %{specrpmversion}-%{release}\
+ Requires: %{package_name}%{?1:-%{1}}-core = %{specrpmversion}-%{release}\
++Provides: kernel-devel-matched = %{specrpmversion}-%{release}\
+ %description %{?1:%{1}-}devel-matched\
+ This meta package is used to install matching core and devel packages for a given %{?2:%{2} }kernel.\
+ %{nil}
+@@ -1373,6 +1376,7 @@ Requires: kernel-%{1}-core-uname-r = %{KVERREL}+%{1}\
+ Requires: kernel-%{1}-modules-uname-r = %{KVERREL}+%{1}\
+ Requires: kernel-%{1}-modules-core-uname-r = %{KVERREL}+%{1}\
+ Provides: installonlypkg(kernel)\
++Provides: kernel = %{KVERREL}+%{1}\
+ %description %{1}\
+ The meta-package for the %{1} kernel\
+ %{nil}
+@@ -1387,6 +1391,7 @@ The meta-package for the %{1} kernel\
+ Summary: %{variant_summary}\
+ Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?1:+%{1}}\
+ Provides: installonlypkg(kernel)\
++Provides: kernel-%{?1:%{1}-}core = %{KVERREL}%{?1:+%{1}}\
+ %if %{-m:1}%{!-m:0}\
+ Requires: kernel-core-uname-r = %{KVERREL}\
+ Requires: kernel-%{?1:%{1}-}-modules-core-uname-r = %{KVERREL}%{?1:+%{1}}\
+-- 
+2.40.1
+
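Review bot: The added `Provides: kernel-devel = %{KVERREL}%{?1:+%{1}}` (and the `kernel =` / `kernel-core =` lines) version the provide with KVERREL, while the neighbouring `Provides: kernel-devel-%{_target_cpu} = %{specrpmversion}-%{release}%{?1:+%{1}}` and the `kernel-devel-matched` provide added in this same patch use the package EVR. If KVERREL carries the arch suffix the way the `-uname-r` provides suggest, a consumer's `Requires: kernel-devel >= 6.3` is compared against a string whose release ends in `.x86_64`, which rpmvercmp treats as part of the release rather than ignoring. Since Fedora's own kernel, kernel-core and kernel-devel packages are versioned by EVR, `Provides: kernel-devel = %{specrpmversion}-%{release}%{?1:+%{1}}\` (and likewise for the other plain-name provides) looks like the safer choice; the `-uname-r` variants should stay as they are.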

+ 29 - 0
pkg/fedora/kernel-surface/patches/0003-obsoletes.patch

@@ -0,0 +1,29 @@
+From 084f48d80c730162805d654325934843cd12db94 Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sun, 14 May 2023 18:16:38 +0200
+Subject: [PATCH] Let kernel-surface conflict with older versions of the
+ package
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+ redhat/kernel.spec.template | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 2d91719b7d93..9ad0c720d467 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -599,6 +599,10 @@ Requires: kernel-modules-uname-r = %{KVERREL}
+ Requires: kernel-modules-core-uname-r = %{KVERREL}
+ Provides: installonlypkg(kernel)
+ Provides: kernel = %{KVERREL}
++
++Conflicts: kernel-surface < 6.3.6-1
++Obsoletes: kernel-surface < 6.3.6-1
++
+ %endif
+ 
+ 
+-- 
+2.40.1
+
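Review bot: The threshold in `Conflicts: kernel-surface < 6.3.6-1` / `Obsoletes: kernel-surface < 6.3.6-1` is an unexplained magic value, and because this is an install-only kernel package the Obsoletes removes every older kernel-surface on upgrade instead of leaving it installed as a fallback boot entry, which a user may not expect. A comment above the pair such as `# 6.3.6-1 is the first build from the kernel-ark spec; builds from the previous hand-written spec appear to use a different package layout and are removed rather than kept in parallel.` would document both the cut-off and the deliberate loss of the fallback. Whether `kernel-surface` here must match `%{package_name}` is decided outside the hunk and should be confirmed.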

+ 50 - 0
pkg/fedora/kernel-surface/patches/0004-default-kernel.patch

@@ -0,0 +1,50 @@
+From 5d16b0aca7c07c1e3df5c47c61f5b6f402dd987b Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sat, 3 Jun 2023 11:47:02 +0200
+Subject: [PATCH] Install scripts and service files for keeping the surface
+ kernel the default
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+ redhat/kernel.spec.template | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 9ad0c720d467..5a367c936e05 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -911,6 +911,10 @@ Source4000: README.rst
+ Source4001: rpminspect.yaml
+ Source4002: gating.yaml
+ 
++Source4100: linux-surface-default-kernel.path
++Source4101: linux-surface-default-kernel.service
++Source4102: linux-surface-default-kernel.sh
++
+ ## Patches needed for building this package
+ 
+ %if !%{nopatches}
+@@ -2674,6 +2678,10 @@ find Documentation -type d | xargs chmod u+w
+ 
+ cd linux-%{KVERREL}
+ 
++install -D -m644 "%{SOURCE4100}" -t "%{buildroot}%{_unitdir}"
++install -D -m644 "%{SOURCE4101}" -t "%{buildroot}%{_unitdir}"
++install -D -m755 "%{SOURCE4102}" -t "%{buildroot}%{_bindir}"
++
+ %if %{with_doc}
+ docdir=$RPM_BUILD_ROOT%{_datadir}/doc/kernel-doc-%{specversion}-%{pkgrelease}
+ 
+@@ -3331,6 +3339,9 @@ fi
+ %ghost %attr(0600, root, root) /boot/symvers-%{KVERREL}%{?3:+%{3}}.gz\
+ %ghost %attr(0600, root, root) /boot/initramfs-%{KVERREL}%{?3:+%{3}}.img\
+ %ghost %attr(0644, root, root) /boot/config-%{KVERREL}%{?3:+%{3}}\
++%{_bindir}/linux-surface-default-kernel.sh\
++%{_unitdir}/linux-surface-default-kernel.path\
++%{_unitdir}/linux-surface-default-kernel.service\
+ %{expand:%%files -f kernel-%{?3:%{3}-}modules-core.list %{?3:%{3}-}modules-core}\
+ %dir /lib/modules\
+ %dir /lib/modules/%{KVERREL}%{?3:+%{3}}\
+-- 
+2.40.1
+
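Review bot: The script and the two units are installed under unversioned paths (`%{_bindir}/linux-surface-default-kernel.sh`, `%{_unitdir}/linux-surface-default-kernel.path`, `.service`) but listed in the per-kernel core `%files`; kernel-core is an install-only package, so two installed kernel versions both own these paths, and rpm only tolerates that while the file contents are byte-identical — the first build that changes the script or a unit will refuse to install next to the previous kernel with a file conflict. Moving the three files into a small non-install-only subpackage that the core package requires avoids this, and the three `%files` lines added in the last hunk would then go. Nothing in the hunk enables the `.path` unit (no `%systemd_post` or preset is visible), so presumably enablement happens in the script or elsewhere in the spec; worth confirming. The install step and the `%files` macro both continue outside the hunk.

```spec
%package default-kernel
Summary: Keep the linux-surface kernel selected as the default boot entry
BuildArch: noarch

%description default-kernel
Script and systemd path/service units that re-select the linux-surface kernel
as the default boot entry after another kernel is installed.

# … unchanged: Source4100-4102 declarations and the three install lines …

%post default-kernel
%systemd_post linux-surface-default-kernel.path

%preun default-kernel
%systemd_preun linux-surface-default-kernel.path

%files default-kernel
%{_bindir}/linux-surface-default-kernel.sh
%{_unitdir}/linux-surface-default-kernel.path
%{_unitdir}/linux-surface-default-kernel.service
```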

+ 60 - 0
pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch

@@ -0,0 +1,60 @@
+From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001
+From: Dorian Stoll <dorian.stoll@tmsp.io>
+Date: Sat, 13 May 2023 16:39:50 +0200
+Subject: [PATCH] Use a custom key and certificate for Secure Boot signing
+
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
+---
+ redhat/kernel.spec.template | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
+index 51f43b21b018..76d1ad8e2818 100644
+--- a/redhat/kernel.spec.template
++++ b/redhat/kernel.spec.template
+@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs
+ %ifarch x86_64 aarch64
+ BuildRequires: nss-tools
+ BuildRequires: pesign >= 0.10-4
++BuildRequires: sbsigntools
+ %endif
+ %endif
+ %endif
+@@ -762,6 +763,13 @@ Source1: Makefile.rhelver
+ %define signing_key_filename kernel-signing-s390.cer
+ %endif
+ 
++%ifarch x86_64 aarch64
++
++Source7001: MOK.key
++Source7002: MOK.crt
++
++%endif
++
+ %if %{?released_kernel}
+ 
+ Source10: redhatsecurebootca5.cer
+@@ -1860,9 +1868,7 @@ BuildKernel() {
+     fi
+ 
+     %ifarch x86_64 aarch64
+-    %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+-    %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+-    rm vmlinuz.tmp
++    sbsign --key %{SOURCE7001} --cert %{SOURCE7002} --output vmlinuz.signed $SignImage
+     %endif
+     %ifarch s390x ppc64le
+     if [ -x /usr/bin/rpm-sign ]; then
+@@ -2393,9 +2399,6 @@ BuildKernel() {
+     # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
+     %ifarch x86_64 aarch64
+-       install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+-       install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+-       ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+     %else
+        install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+     %endif
+-- 
+2.40.1
+
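Review bot: `Source7001: MOK.key` turns the Secure Boot private key into a spec Source, and rpmbuild packs every Source into the src.rpm, so any `-bs`/`-ba` run (and anything that publishes the SRPM) ships the signing key next to the code; the replaced pesign call appears to have avoided this by naming a certificate in an NSS database (`-n %{pesign_name_0}`) rather than a key file. Consider taking the key path from a macro set on the rpmbuild command line, e.g. `sbsign --key %{?sb_key_path} ...` with the file kept outside `%{_sourcedir}`, or at least add a comment beside the Source line that only binary RPMs may be published from this spec. The second hunk removes the install of the Red Hat CA certificates under kernel-keys/ but leaves the "Red Hat UEFI Secure Boot CA cert" comment and installs nothing in their place; `install -m 0644 %{SOURCE7002} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer` keeps that directory useful for MOK enrollment and verification. It is also worth checking the output right after signing, `sbverify --cert %{SOURCE7002} vmlinuz.signed`, since the previous two-step pesign flow is gone and the rest of BuildKernel is outside the hunk.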

+ 0 - 117
pkg/fedora/makerpm

@@ -1,117 +0,0 @@
-#!/bin/sh
-
-# Default to using the first specfile in the current directory
-SPEC="*.spec"
-OPTS="-ba"
-
-SIGN=0
-KEY=""
-
-BUILD=".build"
-RPMS="out"
-
-usage() {
-	echo "Usage: $0 [OPTION]..."
-	echo "Wrapper for rpmbuild that is easier to use."
-	echo
-	echo "Options:"
-	echo "    -h    This help message"
-	echo "    -f    The specfile to build from"
-	echo "    -c    Clean the build artifacts"
-	echo "    -s    Sign the produced RPM packages"
-	echo "    -k    The GPG key to use for signing"
-	exit
-}
-
-clean() {
-	rm -rf $BUILD
-	rm -rf $RPMS
-	exit
-}
-
-while getopts ":hcsf:k:" args; do
-	case "$args" in
-	f)
-		SPEC=$OPTARG
-		;;
-	s)
-		SIGN=1
-		;;
-	k)
-		KEY=$OPTARG
-		;;
-	c)
-		clean
-		;;
-	h)
-		usage
-		;;
-	esac
-done
-shift $((OPTIND-1))
-
-if [ ! "$*" = "" ]; then
-	OPTS="$*"
-fi
-
-# Check if the specfile exists
-if [ "$(ls -f $SPEC | wc -l)" = "0" ]; then
-	echo "ERROR: No specfile found. Specify it with the -s option."
-	exit -2
-fi
-
-# Check if there are too many specfiles
-if [ ! "$(ls -f $SPEC | wc -l)" = "1" ]; then
-	echo "ERROR: Ambiguous matches for specfile. Please specify a single" \
-		"file through the -s option."
-	exit -7
-fi
-
-# Get the directory of the specfile
-SPEC=$(ls -f $SPEC)
-DIR=$(readlink -f $(dirname $SPEC))
-
-if [ ! -d "$DIR/$BUILD" ]; then
-	mkdir "$DIR/$BUILD"
-fi
-
-FILES=$(find $DIR -maxdepth 1);
-for file in $FILES; do
-	[ "$file" = "$DIR" ] && continue
-	[ "$file" = "$DIR/$BUILD" ] && continue
-	[ "$file" = "$DIR/$RPMS" ] && continue
-
-	cp -r "$file" "$DIR/$BUILD"
-done
-
-spectool                                   \
-	--define "_sourcedir $DIR/$BUILD"  \
-	--define "_builddir $DIR/$BUILD"   \
-	--define "_srcrpmdir $DIR/$RPMS"   \
-	--define "_rpmdir $DIR/$RPMS"      \
-	--define "_specdir $DIR"           \
-	--get-files --all                  \
-	--directory $DIR/$BUILD $SPEC
-
-echo
-
-rpmbuild                                   \
-	--define "_sourcedir $DIR/$BUILD"  \
-	--define "_builddir $DIR/$BUILD"   \
-	--define "_srcrpmdir $DIR/$RPMS"   \
-	--define "_rpmdir $DIR/$RPMS"      \
-	--define "_specdir $DIR"           \
-	$OPTS $SPEC
-
-if [ ! "$SIGN" = "1" ]; then
-	exit
-fi
-
-for file in $(find out/ -name '*.rpm'); do
-	echo "Signing $file"
-	if [ "$KEY" = "" ]; then
-		rpm --resign $file 2>&1 > /dev/null
-	else
-		rpm --resign $file --define "_gpg_name $KEY" 2>&1 > /dev/null
-	fi
-done