FIPS mode requires modules to be signed.
rpmbuild strips modules on install including signature stripping.
This change resign modules back before compress them.
Change-Id: Id92852e117a31aa2ceaedbcca508cc88d53ecdb3
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4428
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.9.66 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -158,7 +158,11 @@ make -C $bldroot M=`pwd` VERBOSE=1 modules %{?_smp_mflags} |
158 | 158 |
popd |
159 | 159 |
|
160 | 160 |
%define __modules_install_post \ |
161 |
- find %{buildroot}/lib/modules/%{uname_r} -name *.ko | xargs xz \ |
|
161 |
+for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ |
|
162 |
+ ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \ |
|
163 |
+ rm -f $MODULE.{sig,dig} \ |
|
164 |
+ xz $MODULE \ |
|
165 |
+ done \ |
|
162 | 166 |
%{nil} |
163 | 167 |
|
164 | 168 |
# We want to compress modules after stripping. Extra step is added to |
... | ... |
@@ -302,6 +306,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
302 | 302 |
/usr/share/doc/* |
303 | 303 |
|
304 | 304 |
%changelog |
305 |
+* Tue Dec 05 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.66-2 |
|
306 |
+- Sign and compress modules after stripping. fips=1 requires signed modules |
|
305 | 307 |
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1 |
306 | 308 |
- Version update |
307 | 309 |
* Tue Nov 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.64-1 |