diff --git a/kernel-binary.spec.in b/kernel-binary.spec.in index b3f3939b..11a24116 100644 --- a/kernel-binary.spec.in +++ b/kernel-binary.spec.in @@ -481,6 +481,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -497,6 +515,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -697,6 +727,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-cert-subpackage b/kernel-cert-subpackage new file mode 100644 index 00000000..8ab0e651 --- /dev/null +++ b/kernel-cert-subpackage @@ -0,0 +1,49 @@ +%package -n %{-n*}-ueficert +Summary: UEFI Secure Boot Certificate For Package %{-n*}-kmp +Group: System/Kernel +%description -n %{-n*}-ueficert +This package contains the UEFI Secure Boot certificate used to sign +modules in the %{-n*}-kmp packages. + +# The scriptlets are reused in kernel-binary.spec.in by a sed script that +# stops at the next line that starts with a percent sign +%post -n %{-n*}-ueficert +# Make the -cert subpackage scriptlets non-fatal and verbose in the +# Beta phase +set -x +e +if ! command -v mokutil >/dev/null; then + exit 0 +fi +# XXX: Only call mokutil if UEFI and shim are used +for cert in @CERTS@; do + mokutil --import "$cert" --root-pw +done +exit 0 + +%preun -n %{-n*}-ueficert +set -x +e +if ! command -v mokutil >/dev/null; then + exit 0 +fi +for cert in @CERTS@; do + ln "$cert" "$cert.delete" +done +exit 0 + +%postun -n %{-n*}-ueficert +set -x +e +if ! command -v mokutil >/dev/null; then + exit 0 +fi +for cert in @CERTS@; do + if ! test -e "$cert"; then + mokutil --delete "$cert.delete" --root-pw + fi + rm "$cert.delete" +done +exit 0 + +%files -n %{-n*}-ueficert +%defattr(-, root, root) +%dir /etc/uefi +/etc/uefi/certs diff --git a/kernel-cubox.changes b/kernel-cubox.changes index e65b1caa..173b875b 100644 --- a/kernel-cubox.changes +++ b/kernel-cubox.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-cubox.spec b/kernel-cubox.spec index bb7ea827..6f4faf80 100644 --- a/kernel-cubox.spec +++ b/kernel-cubox.spec @@ -178,6 +178,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -557,6 +558,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -573,6 +592,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -773,6 +804,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-debug.changes b/kernel-debug.changes index e65b1caa..173b875b 100644 --- a/kernel-debug.changes +++ b/kernel-debug.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-debug.spec b/kernel-debug.spec index 8631658c..7fab54db 100644 --- a/kernel-debug.spec +++ b/kernel-debug.spec @@ -181,6 +181,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -560,6 +561,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -576,6 +595,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -776,6 +807,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-default.changes b/kernel-default.changes index e65b1caa..173b875b 100644 --- a/kernel-default.changes +++ b/kernel-default.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-default.spec b/kernel-default.spec index 5fe523f5..3c7cd6f6 100644 --- a/kernel-default.spec +++ b/kernel-default.spec @@ -197,6 +197,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -575,6 +576,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -591,6 +610,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -791,6 +822,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-desktop.changes b/kernel-desktop.changes index e65b1caa..173b875b 100644 --- a/kernel-desktop.changes +++ b/kernel-desktop.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-desktop.spec b/kernel-desktop.spec index 4b9cf568..6c4f92b0 100644 --- a/kernel-desktop.spec +++ b/kernel-desktop.spec @@ -178,6 +178,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -569,6 +570,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -585,6 +604,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -785,6 +816,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-docs.changes b/kernel-docs.changes index e65b1caa..173b875b 100644 --- a/kernel-docs.changes +++ b/kernel-docs.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-exynos.changes b/kernel-exynos.changes index e65b1caa..173b875b 100644 --- a/kernel-exynos.changes +++ b/kernel-exynos.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-exynos.spec b/kernel-exynos.spec index d6d25fa2..9f26fb28 100644 --- a/kernel-exynos.spec +++ b/kernel-exynos.spec @@ -178,6 +178,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -556,6 +557,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -572,6 +591,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -772,6 +803,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-module-subpackage b/kernel-module-subpackage index 6b7cf79f..ebcaf5a6 100644 --- a/kernel-module-subpackage +++ b/kernel-module-subpackage @@ -1,4 +1,4 @@ -%package -n %{-n*}-%1 +%package -n %{-n*}-kmp-%1 %define _this_kmp_version %{-v*}_k%(echo %2 | sed -r 'y/-/_/; s/^(2\.6\.[0-9]+)_/\\1.0_/; # use 2.6.x.0 for mainline kernels') Version: %_this_kmp_version Release: %{-r*} @@ -20,14 +20,15 @@ END { print tags["summary"] print tags["group"] } ' $spec ) -Provides: %{-n*} = %_this_kmp_version -Provides: %{-n*} = %{-v*} +Provides: %{-n*}-kmp = %_this_kmp_version +Provides: %{-n*}-kmp = %{-v*} Provides: multiversion(kernel) Requires: coreutils grep +%{-c:Requires: %{-n*}-ueficert} Enhances: kernel-%1 AutoReqProv: on %{-p:%{expand:%(cd %_sourcedir; cat %{-p*})}} -%description -n %{-n*}-%1 +%description -n %{-n*}-kmp-%1 %( for spec in {%_sourcedir,%_specdir}/%name.spec /dev/null; do [ -e $spec ] && break @@ -49,17 +50,17 @@ in_desc { print; good = 1 } END { exit(! good) } ' $spec ) -%post -n %{-n*}-%1 -nvr=%{-n*}-%1-%_this_kmp_version-%{-r*} +%post -n %{-n*}-kmp-%1 +nvr=%{-n*}-kmp-%1-%_this_kmp_version-%{-r*} wm2=/usr/lib/module-init-tools/weak-modules2 if [ -x $wm2 ]; then %{-b:KMP_NEEDS_MKINITRD=1} /bin/bash -${-/e/} $wm2 --add-kmp $nvr fi -%preun -n %{-n*}-%1 -nvr=%{-n*}-%1-%_this_kmp_version-%{-r*} +%preun -n %{-n*}-kmp-%1 +nvr=%{-n*}-kmp-%1-%_this_kmp_version-%{-r*} rpm -ql $nvr | sed -n '/\.ko$/p' > /var/run/rpm-$nvr-modules -%postun -n %{-n*}-%1 -nvr=%{-n*}-%1-%_this_kmp_version-%{-r*} +%postun -n %{-n*}-kmp-%1 +nvr=%{-n*}-kmp-%1-%_this_kmp_version-%{-r*} modules=( $(cat /var/run/rpm-$nvr-modules) ) rm -f /var/run/rpm-$nvr-modules if [ ${#modules[*]} = 0 ]; then @@ -70,7 +71,7 @@ wm2=/usr/lib/module-init-tools/weak-modules2 if [ -x $wm2 ]; then printf '%s\n' "${modules[@]}" | /bin/bash -${-/e/} $wm2 --remove-kmp $nvr fi -%files -n %{-n*}-%1 +%files -n %{-n*}-kmp-%1 %{-f:%{expand:%(cd %_sourcedir; cat %{-f*})}} %{!-f:%defattr (-,root,root)} %{!-f:/lib/modules/%2-%1} diff --git a/kernel-pae.changes b/kernel-pae.changes index e65b1caa..173b875b 100644 --- a/kernel-pae.changes +++ b/kernel-pae.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-pae.spec b/kernel-pae.spec index 475ed378..77ace883 100644 --- a/kernel-pae.spec +++ b/kernel-pae.spec @@ -181,6 +181,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -566,6 +567,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -582,6 +601,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -782,6 +813,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-s390.changes b/kernel-s390.changes index e65b1caa..173b875b 100644 --- a/kernel-s390.changes +++ b/kernel-s390.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-s390.spec b/kernel-s390.spec index 61c3f266..c177b8db 100644 --- a/kernel-s390.spec +++ b/kernel-s390.spec @@ -181,6 +181,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -559,6 +560,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -575,6 +594,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -775,6 +806,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-source.changes b/kernel-source.changes index e65b1caa..173b875b 100644 --- a/kernel-source.changes +++ b/kernel-source.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-source.spec b/kernel-source.spec index bdd08a00..70ac08d8 100644 --- a/kernel-source.spec +++ b/kernel-source.spec @@ -74,6 +74,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -203,7 +204,7 @@ ln -s /usr/share/doc/packages/%name/README.SUSE %buildroot/%src_install_dir/ install -m 755 -d $RPM_BUILD_ROOT/etc/rpm install -m 644 %_sourcedir/macros.kernel-source $RPM_BUILD_ROOT/etc/rpm/ install -m 755 -d $RPM_BUILD_ROOT/usr/lib/rpm -install -m 644 %_sourcedir/kernel-module-subpackage \ +install -m 644 %_sourcedir/kernel-{module,cert}-subpackage \ $RPM_BUILD_ROOT/usr/lib/rpm/ for script in post; do @@ -239,7 +240,7 @@ find %buildroot/usr/src/linux* ! -type l | xargs touch -d "$ts" %ghost /usr/src/linux%variant /usr/share/doc/packages/%name /etc/rpm/macros.kernel-source -/usr/lib/rpm/kernel-module-subpackage +/usr/lib/rpm/kernel-*-subpackage %endif %if %do_vanilla diff --git a/kernel-source.spec.in b/kernel-source.spec.in index 19c651d6..9254f183 100644 --- a/kernel-source.spec.in +++ b/kernel-source.spec.in @@ -74,6 +74,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -203,7 +204,7 @@ ln -s /usr/share/doc/packages/%name/README.SUSE %buildroot/%src_install_dir/ install -m 755 -d $RPM_BUILD_ROOT/etc/rpm install -m 644 %_sourcedir/macros.kernel-source $RPM_BUILD_ROOT/etc/rpm/ install -m 755 -d $RPM_BUILD_ROOT/usr/lib/rpm -install -m 644 %_sourcedir/kernel-module-subpackage \ +install -m 644 %_sourcedir/kernel-{module,cert}-subpackage \ $RPM_BUILD_ROOT/usr/lib/rpm/ for script in post; do @@ -239,7 +240,7 @@ find %buildroot/usr/src/linux* ! -type l | xargs touch -d "$ts" %ghost /usr/src/linux%variant /usr/share/doc/packages/%name /etc/rpm/macros.kernel-source -/usr/lib/rpm/kernel-module-subpackage +/usr/lib/rpm/kernel-*-subpackage %endif %if %do_vanilla diff --git a/kernel-syms.changes b/kernel-syms.changes index e65b1caa..173b875b 100644 --- a/kernel-syms.changes +++ b/kernel-syms.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-trace.changes b/kernel-trace.changes index e65b1caa..173b875b 100644 --- a/kernel-trace.changes +++ b/kernel-trace.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-trace.spec b/kernel-trace.spec index 6ca31bac..7af21215 100644 --- a/kernel-trace.spec +++ b/kernel-trace.spec @@ -189,6 +189,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -567,6 +568,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -583,6 +602,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -783,6 +814,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-vanilla.changes b/kernel-vanilla.changes index e65b1caa..173b875b 100644 --- a/kernel-vanilla.changes +++ b/kernel-vanilla.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-vanilla.spec b/kernel-vanilla.spec index 3ffd583a..137d7731 100644 --- a/kernel-vanilla.spec +++ b/kernel-vanilla.spec @@ -185,6 +185,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -563,6 +564,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -579,6 +598,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -779,6 +810,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/kernel-versatile.changes b/kernel-versatile.changes index e65b1caa..173b875b 100644 --- a/kernel-versatile.changes +++ b/kernel-versatile.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 27 22:11:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Fix description and summary. +- commit a4cd5e1 + ------------------------------------------------------------------- Tue Mar 26 12:35:11 CET 2013 - agraf@suse.de @@ -39,6 +45,26 @@ Mon Mar 18 16:38:35 CET 2013 - jeffm@suse.com that. DMRAID45 and Rich ACLs also needed updating. - commit 228c5dd +------------------------------------------------------------------- +Mon Mar 18 10:14:30 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Fix sed command with multiple certificates +- commit 59405a2 + +------------------------------------------------------------------- +Fri Mar 15 16:10:07 CET 2013 - mmarek@suse.cz + +- rpm/kernel-binary.spec.in: Install the used certificates below + /etc/uefi/certs (fate#314507). +- commit 19b4300 + +------------------------------------------------------------------- +Fri Mar 15 15:34:11 CET 2013 - mmarek@suse.cz + +- rpm/kernel-cert-subpackage: Make the template work with multiple + certificates. +- commit 3bf5898 + ------------------------------------------------------------------- Thu Mar 14 17:22:32 CET 2013 - jeffm@suse.com @@ -108,6 +134,20 @@ Mon Mar 11 11:57:40 CET 2013 - rw@suse.de (fate#314095, bnc#807237) - commit 09836cb +------------------------------------------------------------------- +Sun Mar 10 22:47:15 CET 2013 - mmarek@suse.cz + +- KMP: Add -c option to the %kernel_module_package macro + This produces an -ueficert subpackage that imports the certificate into + the MokList when installed (fate#314511) +- commit d8f177c + +------------------------------------------------------------------- +Fri Mar 8 11:16:27 CET 2013 - mmarek@suse.cz + +- KMP: Add the -kmp suffix inside the subpackage definition +- commit 7c6395d + ------------------------------------------------------------------- Tue Mar 5 21:44:13 CET 2013 - mmarek@suse.cz diff --git a/kernel-versatile.spec b/kernel-versatile.spec index 7e93a7d3..e78ec1f7 100644 --- a/kernel-versatile.spec +++ b/kernel-versatile.spec @@ -178,6 +178,7 @@ Source53: kernel-source.spec.in Source54: kernel-binary.spec.in Source55: kernel-syms.spec.in Source56: kernel-docs.spec.in +Source57: kernel-cert-subpackage Source60: config.sh Source61: compute-PATCHVERSION.sh Source62: old-packages.conf @@ -556,6 +557,24 @@ add_vmlinux() # end of build_kdump %endif +# Package the compiled-in certificates as DER files in /etc/uefi/certs +# and have mokutil enroll them when the kernel is installed +certs=() +if test %CONFIG_MODULE_SIG = "y"; then + for f in *.x509; do + if ! test -s "$f"; then + continue + fi + h=$(openssl x509 -inform DER -fingerprint -noout -in "$f") + test -n "$h" + cert=/etc/uefi/certs/$(echo "$h" | \ + sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt + mkdir -p %buildroot/etc/uefi/certs + cp "$f" %buildroot/"$cert" + certs=("${certs[@]}" "$cert") + done +fi + for sub in '-base' '' '-extra'; do case "$sub" in '-base' | '') base_package=1 ;; @@ -572,6 +591,18 @@ for sub in '-base' '' '-extra'; do -e "s:@CPU_ARCH_FLAVOR@:%cpu_arch_flavor:g" \ -e "s:@SRCVARIANT@:%variant:g" \ %_sourcedir/$script.sh > %my_builddir/$script$sub.sh + if test "$base_package" -eq 0 -o "${#certs[@]}" -eq 0; then + continue + fi + case "$script" in + preun | postun | post) + ;; + *) + continue + esac + # Copy the respective scriptlet from kernel-cert-subpackage + sed "1,/^%%$script / d; /^%%[^%%]/,\$ d; s:@CERTS@:${certs[*]}:g" \ + %_sourcedir/kernel-cert-subpackage >>"%my_builddir/$script$sub.sh" done done @@ -772,6 +803,9 @@ done -o -name '*.ko' -prune -o -printf '/%%p\n' cat %my_builddir/base-modules fi + if test %CONFIG_MODULE_SIG = "y"; then + find etc/uefi/certs -type f -printf '/%%p\n' + fi test -d lib/firmware/%kernelrelease-%build_flavor && \ find lib/firmware/%kernelrelease-%build_flavor \ -type d -o \ diff --git a/macros.kernel-source b/macros.kernel-source index fcc1fe4c..02a51004 100644 --- a/macros.kernel-source +++ b/macros.kernel-source @@ -3,10 +3,10 @@ %kernel_module_package_buildreqs module-init-tools kernel-syms # Defines %flavors_to_build and %kernel_source() as a side effect. -%_kernel_module_package(n:v:r:t:f:Xp:b) \ -%{expand:%( \ +%_kernel_module_package(n:v:r:t:f:Xp:bc:) \ +%{expand:%( set -x \ subpkg=%{-t*}%{!-t:/usr/lib/rpm/kernel-module-subpackage} \ - echo "%%define _suse_kernel_module_subpackage(n:v:r:f:p:b) %%{expand:%%(cd %_sourcedir; cat $subpkg; echo %%%%nil)}" \ + echo "%%define _suse_kernel_module_subpackage(n:v:r:f:p:bc) %%{expand:%%(cd %_sourcedir; cat $subpkg; echo %%%%nil)}" \ flavors_to_build= \ flavors="%*" \ for flavor in $(ls /usr/src/linux-obj/%_target_cpu 2>/dev/null); do \ @@ -19,7 +19,7 @@ krel=$(make -s -C /usr/src/linux-obj/%_target_cpu/$flavor kernelrelease) \ kver=${krel%%-*} \ flavors_to_build="$flavors_to_build $flavor" \ - echo "%%_suse_kernel_module_subpackage -n %{-n*}%{!-n:%name}-kmp -v %{-v*}%{!-v:%version} -r %{-r*}%{!-r:%release} %{-p} %{-b} $flavor $kver" \ + echo "%%_suse_kernel_module_subpackage -n %{-n*}%{!-n:%name} -v %{-v*}%{!-v:%version} -r %{-r*}%{!-r:%release} %{-p} %{-b} %{-c:-c} $flavor $kver" \ done \ echo "%%global flavors_to_build${flavors_to_build:-%%nil}" \ echo "%%{expand:%%(test -z '%flavors_to_build' && echo %%%%internal_kmp_error)}" \ @@ -31,13 +31,18 @@ echo "Summary: %summary" \ echo "Group: %group" \ echo "%description -n %{-n*}%{!-n:%name}-kmp-_dummy_" \ + %{-c: + for fmt in DER PEM; do h=$(openssl x509 -inform $fmt -fingerprint -noout -in %{-c*}); if test -n "$h"; then break; fi; done \ + cert=/etc/uefi/certs/$(echo "$h" | sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\\1/p').crt + sed "s:@CERTS@:$cert:g" /usr/lib/rpm/kernel-cert-subpackage \ + echo "%%global __spec_build_pre %%__spec_build_pre mkdir -p %%buildroot/etc/uefi/certs; openssl x509 -in %{-c*} -inform $fmt -out %%buildroot/$cert -outform DER" } \ )} # kernel_module_package: simply pass on all options and arguments. -%kernel_module_package(n:v:r:t:f:xp:b) \ +%kernel_module_package(n:v:r:t:f:xp:bc:) \ %{expand:%%_kernel_module_package %{-x:-X} %{-n} %{-v} %{-r} %{-t} %{-f} %{-p} %*} # suse_kernel_module_package: invert the meaning of the -x flag. (You are not # supposed to understand why a simple %{-x:}%{!-x:-x} won't work.) -%suse_kernel_module_package(n:v:r:s:f:xp:b) \ +%suse_kernel_module_package(n:v:r:s:f:xp:bc:) \ %{expand:%%_kernel_module_package %{-x: }%{!-x:-X} %{-n} %{-v} %{-r} %{-s:-t %{-s*}} %{-f} %{-p} %*} diff --git a/source-timestamp b/source-timestamp index 1cf26015..a0d81542 100644 --- a/source-timestamp +++ b/source-timestamp @@ -1,3 +1,3 @@ -2013-03-26 12:35:11 +0100 -GIT Revision: 801a982f0b2d10eddfce094248d17ac6cad65bea +2013-03-28 10:01:13 +0100 +GIT Revision: 31c3eb05148afc6a33f31fea09ea99e1f9cd9bd6 GIT Branch: master