michal-grzedzicki / rpms / rpm

Forked from rpms/rpm 5 months ago
Clone

Blame SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch

517f18
commit cfdb8300f6e3aed0abc41406a3c4737eb1192067
517f18
Author: Michal Domonkos <mdomonko@redhat.com>
517f18
Date:   Sun Jul 11 18:08:26 2021 +0200
517f18
517f18
    Don't brp-strip .ko files
517f18
    
517f18
    Otherwise SecureBoot signatures may be stripped too.
517f18
    
517f18
    We used to exclude shared libraries from this strip as they were
517f18
    supposed to be covered by another brp script (brp-strip-shared), however
517f18
    it turned out the latter was never really used, so we removed the
517f18
    exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
517f18
    
517f18
    As it turns out, that was a little too ambitious, since we may now
517f18
    inadvertently strip SecureBoot signatures from kernel modules too,
517f18
    provided that they're made during the build, prior to the invocation of
517f18
    brp-strip.
517f18
    
517f18
    Note that this regression currently does *not* affect the following two
517f18
    cases on Fedora/RHEL systems with redhat-rpm-config installed:
517f18
    
517f18
      - in-tree kernel modules; these are built from kernel.spec which
517f18
        already contains a hack ensuring that module signing only happens
517f18
        *after* any stripping (see %__modsign_install_post in kernel.spec)
517f18
    
517f18
      - out-of-tree kernel modules built with debuginfo enabled; this is
517f18
        because brp-strip is only called when %debug_package is set to
517f18
        %{nil}
517f18
    
517f18
    Any other combinations may be affected, depending on the macros and
517f18
    .spec files used, so let's fix this by effectively "reverting" said
517f18
    commit for .ko files only.
517f18
    
517f18
    Fixes: rhbz#1967291
517f18
517f18
    Backported into 4.14.3
517f18
diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
517f18
--- rpm-4.14.3/scripts/brp-strip.orig	2021-07-12 17:21:04.446396789 +0200
517f18
+++ rpm-4.14.3/scripts/brp-strip	2021-07-12 17:21:20.673633783 +0200
517f18
@@ -12,7 +12,7 @@ Darwin*) exit 0 ;;
517f18
 esac
517f18
 
517f18
 # Strip ELF binaries
517f18
-for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
517f18
+for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \
517f18
         grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug"  | \
517f18
 	sed -n -e 's/^\(.*\):[ 	]*ELF.*, not stripped.*/\1/p'`; do
517f18
 	$STRIP -g "$f" || :