diff --git a/kernel.spec b/kernel.spec
index 25c8820..935f119 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -556,7 +556,8 @@ Source11: x509.genkey
 Source15: merge.pl
 Source16: mod-extra.list
 Source17: mod-extra.sh
-Source18: mod-extra-sign.sh
+Source18: mod-sign.sh
+%define modsign_cmd %{SOURCE18}
 Source19: Makefile.release
 Source20: Makefile.config
@@ -1866,8 +1867,7 @@ find Documentation -type d | xargs chmod u+w
 # could be because of that. 2) We restore the .tmp_versions/ directory from
 # the one we saved off in BuildKernel above. This is to make sure we're
 # signing the modules we actually built/installed in that flavour. 3) We
-# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh
-# commands to actually sign the modules.
+# grab the arch and invoke mod-sign.sh command to actually sign the modules.
 #
 # We have to do all of those things _after_ find-debuginfo runs, otherwise
 # that will strip the signature off of the modules.
@@ -1880,8 +1880,7 @@ find Documentation -type d | xargs chmod u+w
 mv .tmp_versions.sign.PAE .tmp_versions \
 mv signing_key.priv.sign.PAE signing_key.priv \
 mv signing_key.x509.sign.PAE signing_key.x509 \
- make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
- %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
+ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/ \
 fi \
 if [ "%{with_debug}" != "0" ]; then \
 Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
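Review bot: `$Arch` looks dead in the PAE branch after this change: the removed `make -s ARCH=$Arch ... modules_sign` line was its only visible use, and `%{modsign_cmd}` takes just the module directory. The same holds for the debug, PAEdebug and up branches in the three hunks that follow, whose `Arch=` assignments show up as context lines. If nothing else in the macro reads it (the macro body starts and ends outside these hunks), drop the `Arch=` lines and reword the comment from the preceding hunk, e.g. `# 3) We invoke mod-sign.sh on the flavour's module directory to sign every module.` Note too that each call now relies on mod-sign.sh's own exit status to stop the build when signing fails.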
@@ -1889,8 +1888,7 @@ find Documentation -type d | xargs chmod u+w
 mv .tmp_versions.sign.debug .tmp_versions \
 mv signing_key.priv.sign.debug signing_key.priv \
 mv signing_key.x509.sign.debug signing_key.x509 \
- make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \
- %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
+ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
 fi \
 if [ "%{with_pae_debug}" != "0" ]; then \
 Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
@@ -1898,8 +1896,7 @@ find Documentation -type d | xargs chmod u+w
 mv .tmp_versions.sign.PAEdebug .tmp_versions \
 mv signing_key.priv.sign.PAEdebug signing_key.priv \
 mv signing_key.x509.sign.PAEdebug signing_key.x509 \
- make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \
- %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
+ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/ \
 fi \
 if [ "%{with_up}" != "0" ]; then \
 Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
@@ -1907,8 +1904,7 @@ find Documentation -type d | xargs chmod u+w
 mv .tmp_versions.sign .tmp_versions \
 mv signing_key.priv.sign signing_key.priv \
 mv signing_key.x509.sign signing_key.x509 \
- make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \
- %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
+ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
 fi \
 fi \
 %{nil}
@@ -2313,6 +2309,10 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Fri Jan 25 2013 Kyle McMartin
+- Sign all modules with the mod-extra-sign.sh script, ensures nothing gets
+ missed because of .config differences between invocations of BuildKernel.
+
 * Fri Jan 25 2013 Justin M. Forbes
 - Turn off THP for 32bit
diff --git a/mod-extra-sign.sh b/mod-extra-sign.sh
deleted file mode 100755
index 9b24a40..0000000
--- a/mod-extra-sign.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /bin/bash
-
-# We need to sign modules we've moved from /kernel/ to /extra/
-# during mod-extra processing by hand. The 'modules_sign' Kbuild target can
-# "handle" out-of-tree modules, but it does that by not signing them. Plus,
-# the modules we've moved aren't actually out-of-tree. We've just shifted
-# them to a different location behind Kbuild's back because we are mean.
-
-# This essentially duplicates the 'modules_sign' Kbuild target and runs the
-# same commands for those modules.
-
-moddir=$1
-
-modules=`find $moddir -name *.ko`
-
-MODSECKEY="./signing_key.priv"
-MODPUBKEY="./signing_key.x509"
-
-for mod in $modules
-do
- dir=`dirname $mod`
- file=`basename $mod`
-
- ./scripts/sign-file ${MODSECKEY} ${MODPUBKEY} ${dir}/${file} \
- ${dir}/${file}.signed
- mv ${dir}/${file}.signed ${dir}/${file}
- rm -f ${dir}/${file}.{sig,dig}
-done
diff --git a/mod-sign.sh b/mod-sign.sh
new file mode 100755
index 0000000..cae2592
--- /dev/null
+++ b/mod-sign.sh
@@ -0,0 +1,28 @@
+#! /bin/bash
+
+# The modules_sign target checks for corresponding .o files for every .ko that
+# is signed. This doesn't work for package builds which re-use the same build
+# directory for every flavour, and the .config may change between flavours.
+# So instead of using this script to just sign lib/modules/$KernelVer/extra,
+# sign all .ko in the buildroot.
+
+# This essentially duplicates the 'modules_sign' Kbuild target and runs the
+# same commands for those modules.
+
+moddir=$1
+
+modules=`find $moddir -name *.ko`
+
+MODSECKEY="./signing_key.priv"
+MODPUBKEY="./signing_key.x509"
+
+for mod in $modules
+do
+ dir=`dirname $mod`
+ file=`basename $mod`
+
+ ./scripts/sign-file ${MODSECKEY} ${MODPUBKEY} ${dir}/${file} \
+ ${dir}/${file}.signed
+ mv ${dir}/${file}.signed ${dir}/${file}
+ rm -f ${dir}/${file}.{sig,dig}
+done
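Review bot: A failed `./scripts/sign-file` call in the new mod-sign.sh goes undetected: the loop carries on and the script exits with the status of the last `rm -f`, so the build can finish with unsigned modules in the package. The unquoted pattern in `find $moddir -name *.ko` is also expanded by the shell if a `.ko` file sits in the working directory, which narrows the search to that name, and an empty `$1` makes GNU find walk the current directory instead of the buildroot. I would make the script stop on the first error, reject a missing directory argument, quote the pattern and pass the paths to the loop NUL-delimited, as in the fence below. The header comment still speaks of "using this script to just sign lib/modules/$KernelVer/extra", which describes the deleted script; it should say that every `.ko` under the given directory is signed.

```shell
set -e -o pipefail

moddir=$1
[ -d "$moddir" ] || { echo "usage: $0 <module-dir>" >&2; exit 1; }

# … unchanged: MODSECKEY / MODPUBKEY assignments …

find "$moddir" -name '*.ko' -print0 | while IFS= read -r -d '' mod
do
    ./scripts/sign-file "${MODSECKEY}" "${MODPUBKEY}" "$mod" "$mod.signed"
    mv "$mod.signed" "$mod"
    rm -f "$mod".{sig,dig}
done
```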