|
|
5a7695 |
commit cfdb8300f6e3aed0abc41406a3c4737eb1192067
|
|
|
5a7695 |
Author: Michal Domonkos <mdomonko@redhat.com>
|
|
|
5a7695 |
Date: Sun Jul 11 18:08:26 2021 +0200
|
|
|
5a7695 |
|
|
|
5a7695 |
Don't brp-strip .ko files
|
|
|
5a7695 |
|
|
|
5a7695 |
Otherwise SecureBoot signatures may be stripped too.
|
|
|
5a7695 |
|
|
|
5a7695 |
We used to exclude shared libraries from this strip as they were
|
|
|
5a7695 |
supposed to be covered by another brp script (brp-strip-shared), however
|
|
|
5a7695 |
it turned out the latter was never really used, so we removed the
|
|
|
5a7695 |
exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
|
|
|
5a7695 |
|
|
|
5a7695 |
As it turns out, that was a little too ambitious, since we may now
|
|
|
5a7695 |
inadvertently strip SecureBoot signatures from kernel modules too,
|
|
|
5a7695 |
provided that they're made during the build, prior to the invocation of
|
|
|
5a7695 |
brp-strip.
|
|
|
5a7695 |
|
|
|
5a7695 |
Note that this regression currently does *not* affect the following two
|
|
|
5a7695 |
cases on Fedora/RHEL systems with redhat-rpm-config installed:
|
|
|
5a7695 |
|
|
|
5a7695 |
- in-tree kernel modules; these are built from kernel.spec which
|
|
|
5a7695 |
already contains a hack ensuring that module signing only happens
|
|
|
5a7695 |
*after* any stripping (see %__modsign_install_post in kernel.spec)
|
|
|
5a7695 |
|
|
|
5a7695 |
- out-of-tree kernel modules built with debuginfo enabled; this is
|
|
|
5a7695 |
because brp-strip is only called when %debug_package is set to
|
|
|
5a7695 |
%{nil}
|
|
|
5a7695 |
|
|
|
5a7695 |
Any other combinations may be affected, depending on the macros and
|
|
|
5a7695 |
.spec files used, so let's fix this by effectively "reverting" said
|
|
|
5a7695 |
commit for .ko files only.
|
|
|
5a7695 |
|
|
|
5a7695 |
Fixes: rhbz#1967291
|
|
|
5a7695 |
|
|
|
5a7695 |
Backported into 4.14.3
|
|
|
5a7695 |
diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
|
|
|
5a7695 |
--- rpm-4.14.3/scripts/brp-strip.orig 2021-07-12 17:21:04.446396789 +0200
|
|
|
5a7695 |
+++ rpm-4.14.3/scripts/brp-strip 2021-07-12 17:21:20.673633783 +0200
|
|
|
5a7695 |
@@ -12,7 +12,7 @@ Darwin*) exit 0 ;;
|
|
|
5a7695 |
esac
|
|
|
5a7695 |
|
|
|
5a7695 |
# Strip ELF binaries
|
|
|
5a7695 |
-for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
|
|
|
5a7695 |
+for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \
|
|
|
5a7695 |
grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug" | \
|
|
|
5a7695 |
sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p'`; do
|
|
|
5a7695 |
$STRIP -g "$f" || :
|