Browse code
linux: fips=1 support
FIPS mode requires modules to be signed.
rpmbuild strips modules on install including signature stripping.
This change resign modules back before compress them.
Change-Id: Id92852e117a31aa2ceaedbcca508cc88d53ecdb3
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4428
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
Alexey Makhalov authored on 2017/12/05 08:19:23Showing 1 changed files
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 | 4 |
Version: 4.9.66 |
| 5 |
-Release: 1%{?dist}
|
|
| 5 |
+Release: 2%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -158,7 +158,11 @@ make -C $bldroot M=`pwd` VERBOSE=1 modules %{?_smp_mflags}
|
| 158 | 158 |
popd |
| 159 | 159 |
|
| 160 | 160 |
%define __modules_install_post \ |
| 161 |
- find %{buildroot}/lib/modules/%{uname_r} -name *.ko | xargs xz \
|
|
| 161 |
+for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \
|
|
| 162 |
+ ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \ |
|
| 163 |
+ rm -f $MODULE.{sig,dig} \
|
|
| 164 |
+ xz $MODULE \ |
|
| 165 |
+ done \ |
|
| 162 | 166 |
%{nil}
|
| 163 | 167 |
|
| 164 | 168 |
# We want to compress modules after stripping. Extra step is added to |
| ... | ... |
@@ -302,6 +306,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 302 | 302 |
/usr/share/doc/* |
| 303 | 303 |
|
| 304 | 304 |
%changelog |
| 305 |
+* Tue Dec 05 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.66-2 |
|
| 306 |
+- Sign and compress modules after stripping. fips=1 requires signed modules |
|
| 305 | 307 |
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1 |
| 306 | 308 |
- Version update |
| 307 | 309 |
* Tue Nov 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.64-1 |