michal-grzedzicki / rpms / rpm

Forked from rpms/rpm 4 months ago

Blame SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch

commit cfdb8300f6e3aed0abc41406a3c4737eb1192067
Author: Michal Domonkos <mdomonko@redhat.com>
Date:   Sun Jul 11 18:08:26 2021 +0200
    Don't brp-strip .ko files
    
    Otherwise SecureBoot signatures may be stripped too.
    
    We used to exclude shared libraries from this strip as they were
    supposed to be covered by another brp script (brp-strip-shared), however
    it turned out the latter was never really used, so we removed the
    exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
    
    As it turns out, that was a little too ambitious, since we may now
    inadvertently strip SecureBoot signatures from kernel modules too,
    provided that they're made during the build, prior to the invocation of
    brp-strip.
    
    Note that this regression currently does *not* affect the following two
    cases on Fedora/RHEL systems with redhat-rpm-config installed:
    
      - in-tree kernel modules; these are built from kernel.spec which
        already contains a hack ensuring that module signing only happens
        *after* any stripping (see %__modsign_install_post in kernel.spec)
    
      - out-of-tree kernel modules built with debuginfo enabled; this is
        because brp-strip is only called when %debug_package is set to
        %{nil}
    
    Any other combinations may be affected, depending on the macros and
    .spec files used, so let's fix this by effectively "reverting" said
    commit for .ko files only.
    
    Fixes: rhbz#1967291
    Backported into 4.14.3
diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
--- rpm-4.14.3/scripts/brp-strip.orig	2021-07-12 17:21:04.446396789 +0200
+++ rpm-4.14.3/scripts/brp-strip	2021-07-12 17:21:20.673633783 +0200
@@ -12,7 +12,7 @@ Darwin*) exit 0 ;;
 esac
 
 # Strip ELF binaries
-for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
+for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \
         grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug"  | \
 	sed -n -e 's/^\(.*\):[ 	]*ELF.*, not stripped.*/\1/p'`; do
 	$STRIP -g "$f" || :
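
Review bot: the `\! -name "*.ko"` test added to the `find` line is not explained anywhere in the script; the comment above the loop still reads only "# Strip ELF binaries", so a later cleanup could drop the exclusion again, the same way the shared-library exclusion was dropped earlier. Suggest extending that comment to say that `.ko` files are skipped because stripping a module after it has been signed can remove its SecureBoot signature. Note also that the filter is purely name-based: every file ending in `.ko` is now skipped whether or not it is signed, so unsigned modules handled by this script keep their debug sections, since `$STRIP -g` never runs on them. If that trade-off is intended, it is worth stating in the same comment.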