mirror_zfs/rpm/redhat/zfs-kmod.spec.in
Benjamin Sherman 363368c670
fix: preserve linux kmod signature in zfs-kmod rpm spec
This change provides rpm spec macros to sign the zfs and spl kmods as
the final step after the %install scriptlet. This is needed since the
find-debuginfo.sh script strips out debug symbols plus signatures.

Kernel module signing only occurs when the required files are present
as typically required in the Linux source tree:
- certs/signing_key.pem
- certs/signing_key.x509

The method for overriding the default __spec_install_post macro is
inspired by (and largely copied from) the Fedora kernel.spec.

Reviewed-by: Tony Hutter <hutter2@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Benjamin Sherman <benjamin@holyarmy.org>
Closes #15744
2024-01-12 12:33:41 -08:00

113 lines
3.1 KiB
RPMSpec

%bcond_with debug
%bcond_with debuginfo
Name: @PACKAGE@-kmod
Version: @VERSION@
Release: @RELEASE@%{?dist}
Summary: Kernel module(s)
Group: System Environment/Kernel
License: @ZFS_META_LICENSE@
URL: https://github.com/openzfs/zfs
BuildRequires: %kernel_module_package_buildreqs
Source0: @PACKAGE@-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# Additional dependency information for the kmod sub-package must be specified
# by generating a preamble text file which kmodtool can append to the spec file.
%(/bin/echo -e "\
Requires: @PACKAGE@ = %{version}\n\
Conflicts: @PACKAGE@-dkms)
# LDFLAGS are not sanitized by arch/*/Makefile for these architectures.
%ifarch ppc ppc64 ppc64le aarch64
%global __global_ldflags %{nil}
%endif
%description
This package contains the ZFS kernel modules.
%define kmod_name @PACKAGE@
%kernel_module_package -n %{kmod_name} -p %{_sourcedir}/kmod-preamble
%define ksrc %{_usrsrc}/kernels/%{kverrel}
%define kobj %{ksrc}
%package -n kmod-%{kmod_name}-devel
Summary: ZFS kernel module(s) devel common
Group: System Environment/Kernel
%description -n kmod-%{kmod_name}-devel
This package provides the header files and objects to build kernel modules.
%prep
if ! [ -d "%{ksrc}" ]; then
echo "Kernel build directory isn't set properly, cannot continue"
exit 1
fi
%if %{with debug}
%define debug --enable-debug
%else
%define debug --disable-debug
%endif
%if %{with debuginfo}
%define debuginfo --enable-debuginfo
%else
%define debuginfo --disable-debuginfo
%endif
%setup -n %{kmod_name}-%{version}
%build
%configure \
--with-config=kernel \
--with-linux=%{ksrc} \
--with-linux-obj=%{kobj} \
%{debug} \
%{debuginfo} \
%{?kernel_cc} \
%{?kernel_ld} \
%{?kernel_llvm}
make %{?_smp_mflags}
# Module signing (modsign)
#
# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
# the signature off of the modules.
# (Based on Fedora's kernel.spec workaround)
%define __modsign_install_post \
sign_pem="%{ksrc}/certs/signing_key.pem"; \
sign_x509="%{ksrc}/certs/signing_key.x509"; \
if [ -f "${sign_x509}" ]\
then \
echo "Signing kernel modules ..."; \
for kmod in $(find %{buildroot}/lib/modules/%{kverrel}/extra/ -name \*.ko); do \
%{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
done \
fi \
%{nil}
# hack to ensure signing happens after find-debuginfo.sh runs
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}}\
%{__arch_install_post}\
%{__os_install_post}\
%{__modsign_install_post}
%install
make install \
DESTDIR=${RPM_BUILD_ROOT} \
INSTALL_MOD_DIR=extra/%{kmod_name}
%{__rm} -f %{buildroot}/lib/modules/%{kverrel}/modules.*
# find-debuginfo.sh only considers executables
%{__chmod} u+x %{buildroot}/lib/modules/%{kverrel}/extra/*/*
%clean
rm -rf $RPM_BUILD_ROOT
%files -n kmod-%{kmod_name}-devel
%{_usrsrc}/%{kmod_name}-%{version}