[CLK] Embed dist-git in source branch#959
Conversation
|
I think I'll need to pull in this new kernel-pkg change as well: |
|
Updated:
|
|
First glance, it looks ok. There is a small typo in the first commit "Import dist-git from 6.12.64 SRPM" title should use 6.12.74. Happy to see you asked about the ciq directory. I think they should be in their own directory. and ciq is a good candidate for that. |
|
At an initial glance, this looks fine to me, but I won't be able to fully review it until sometime next week. |
This kernel does not guarantee a stable kabi
This aligns module packaging with Rocky 9
The configs are already in ciq/configs, so no need to have another copy in SOURCES
We should be attributing CIQ as the signer of the kernel modules being built and signed during the kernel build and packaging process. This patch adds a 'x509.genkey.rocky' file which will be used when creating the ephemeral cert that is used for signing the kernel modules at build time. Signed-off-by: Michael L. Young <myoung@ciq.com> AUTODEL-1213
bmastbergen
force-pushed
the
{bmastbergen}_ciq-6.12.y
branch
from
8b27245 to
5fa3033
Compare
Thanks. Fixed the commit subject for that initial commit. ciq feels like a good place for SOURCES and SPECS. I'll wait to pull the trigger on the move until I see if anyone has other thoughts on that. |
I agree we should keep our dist-git stuff isolated from the original code as much as possible ... one container directory seems ideal at the moment, the configs at this point couple probably just move into SOURCES/ as well |
SOURCES/generate_all_configs.sh
Outdated
There was a problem hiding this comment.
We don't use this we keep a fully expanded generic build of the CONFIGS (so we can detect when GKH chagnes something)
There was a problem hiding this comment.
Correct. It just came with the initial srpm dump. Can remove.
SOURCES/kernel.changelog
Outdated
There was a problem hiding this comment.
We probably want to replace this or remove it, starting in RHEL10 they're just keepting a small change log in the SPEC file and yeeting the hug log from FEDORA -> CENTOS -> RHEL in this file.
There was a problem hiding this comment.
With our spec changelog plan, I think removing it is probably best.
SOURCES/Makefile.rhelver
Outdated
There was a problem hiding this comment.
Do when know where or how this is used?
There was a problem hiding this comment.
I believe it is used in the kernel-ark infrastructure somehow. I'm not really sure why it is included in the srpm. We do not need it. Will remove.
There was a problem hiding this comment.
Yeah this is a part of the make build which we're not explicitly doing.
Ok, thats two votes for moving into ciq, and I think its a good idea. I'll do this in the next push. Thanks! |
Another thought I had the other day was a directory called |
SOURCES/ciq_sbsign.macros
Outdated
There was a problem hiding this comment.
We did make a change on the SB side which removed the need for this file. We should consider removing this file and making any necessary changes to the SPEC file.
There was a problem hiding this comment.
Excellent, will do!
SOURCES/generate_tarball.sh
Outdated
| fi | ||
|
|
||
| echo "Creating $(basename "$TARBALL")..." | ||
| trap 'rm -vf "$TARBALL"' INT |
There was a problem hiding this comment.
1. Trap only catches INT (line 72)
trap 'rm -vf "$TARBALL"' INT
If the pipeline fails (e.g., zstd OOMs, disk full, git archive errors), you get a corrupt/partial tarball left on disk. Should also trap ERR, TERM, and handle the pipeline exit code:
trap 'rm -vf "$TARBALL"' INT TERM ERR
Or better, use set -e (see below) and trap EXIT with a guard:
trap '[ $? -ne 0 ] && rm -vf "$TARBALL"' EXIT
PlaidCat
left a comment
PlaidCat
left a comment
There was a problem hiding this comment.
Everything I think that must be addressed before merging this in is addressed, for those I have tagged I would like to hear from them.
But i'm fine with this moving forward
This got left behind because of .gitignore
PlaidCat
left a comment
PlaidCat
left a comment
There was a problem hiding this comment.
But I'd like the following addressed by the people I've tagged
@jason-rodri & @elguero & @jallisonciq #959 (comment)
|
Still looking for approvals here. Really I'm just looking for a quick spot check of the tweaks on top of the 6.12.74 import since that is what we have already used to ship CLK 6.12 kernels. I'm sure there is more stuff for us to tweak and improve going forward, but today I really just want to make sure we can do a secure boot build using this branch and ship the rpms. |
SPECS/kernel.spec
Outdated
| %if 0%{?rhel} | ||
| %{log_msg "Adjust FIPS module name for RHEL"} | ||
| for i in *.config; do | ||
| sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i |
There was a problem hiding this comment.
This is a debranding exercise, we are not certified for 6.12 so it doesn't really matter. there is no security policy to reference. If you want to update the name you can.
There was a problem hiding this comment.
Thank you, Its probably worth setting this to rock or just commenting it out then.
We'll be taking this to 6.18 is expected to have some sort of FIPS certification the mechanism is yet to be locked down yet though.
There was a problem hiding this comment.
this is wrapped in an rhel conditional so it will never be true. Also, if/when we ever FIPS certify a CLK kernel we can just set this in the flat configs. We'll never need to patch it in like this.
I'll just remove this. Thanks @jason-rodri
|
Noticed a diff in |
Not a problem now. If/when we FIPS certify a CLK we'll have to add it. |
| openssl x509 -inform der -in %{ima_ca_cert} -out imaca.pem | ||
| cat imaca.pem >> ../certs/rhel.pem |
There was a problem hiding this comment.
When we start working with 10, we will need to handle IMA signing.
Hopefully I have addressed all the requested comments. I looked through the SPEC file and everything looked sane to me. |
Thanks @elguero I THINK all of the comments you've made have to do with things to look into for the future and/or minor cleanup things. If thats true, and you think we could build, sign, and ship rpms using what we've got here, then I'll go ahead and merge this. If I misinterpreted and there is something you think we need to fix before we can build, sign and ship just let me know what that is. Thanks for looking! |
Yes, correct. I think we are good. Maybe we could do the uki_addons change to add the two addons. Other than that, I think we are in a good spot for secure boot related items. |
Great @elguero I've added those lines to uki_addons. If that looks good, give me an approval, and I'll get this merged. Thanks! |
6 participants
This is a first pass at embedding the CLK dist-git in kernel-src-tree. I've started with the 6.12.74 srpm contents and then tweaked them a bit in the subsequent commits:
And then I added a utility script to generate the source tarball for the srpm.
When we rebase, I have lt_rebase.sh updating the spec to match the kernel we are rebasing onto. See that PR here:
ctrliq/kernel-src-tree-tools#60
And an example of what a rebase on top of this looks like in this branch:
https://github.com/ctrliq/kernel-src-tree/tree/%7Bbmastbergen%7D_ciq-6.12.y-next
Some things I'd like input on:
Once we get this nailed down for 6.12, I'd apply a similar set of commits to ciq-6.18.y as well.