diff --git a/.github/actions/get-kernel-version/action.yml b/.github/actions/get-kernel-version/action.yml
new file mode 100644
index 00000000..20dee511
--- /dev/null
+++ b/.github/actions/get-kernel-version/action.yml
@@ -0,0 +1,151 @@
+---
+name: Get Kernel Version
+inputs:
+ fedora_version:
+ description: "The Fedora release version: 40, 41, etc"
+ required: true
+ type: string
+ kernel_flavor:
+ description: "The Kernel flavor: main, bazzite, coreos-stable, etc"
+ required: true
+ type: string
+outputs:
+ kernel_build_tag:
+ description: "Optional (bazzite specific) tag"
+ value: ${{ steps.kernel.outputs.build_tag }}
+ kernel_major_minor_patch:
+ description: "Simple version eg, 6.12.9"
+ value: ${{ steps.kernel.outputs.major_minor_patch }}
+ kernel_release:
+ description: "Full kernel release eg, 6.12.9-200.fc41.x86_64"
+ value: ${{ steps.kernel.outputs.release }}
+runs:
+ using: "composite"
+ steps:
+ - name: Get Kernel Version
+ id: kernel
+ shell: bash
+ run: |
+ if [[ ${{ inputs.kernel_flavor }} =~ asus|surface ]]; then
+ build_image="quay.io/fedora/fedora:${{ inputs.fedora_version }}"
+ podman pull "$build_image"
+
+ container_name="fq-$(uuidgen)"
+ dnf="podman exec $container_name dnf"
+
+ podman run --entrypoint /bin/bash --name "$container_name" -dt "$build_image"
+ $dnf install -y --setopt=install_weak_deps=False dnf-plugins-core
+ fi
+
+ coreos_kernel () {
+ coreos_version=${1}
+ image_linux=$(skopeo inspect docker://quay.io/fedora/fedora-coreos:${coreos_version} | jq -r '.Labels["ostree.linux"]')
+ # Pin a kernel here, gross workaround TODO: Make this cleaner
+ # if [[ "${{ inputs.kernel_flavor }}" == "coreos-stable" ]]; then
+ # image_linux="6.11.3-300.fc41.x86_64"
+ # fi
+ major_minor_patch=$(echo $image_linux | grep -oP '^\d+\.\d+\.\d+')
+ kernel_rel_part=$(echo $image_linux | grep -oP '^\d+\.\d+\.\d+\-\K([123][0]{2})')
+ arch=$(echo $image_linux | grep -oP 'fc\d+\.\K.*$')
+
+ kernel_rel="$kernel_rel_part.fc${{ inputs.fedora_version }}"
+ kernel_version="$major_minor_patch-$kernel_rel.$arch"
+ URL="https://kojipkgs.fedoraproject.org/packages/kernel/"$major_minor_patch"/"$kernel_rel"/"$arch"/kernel-"$kernel_version".rpm"
+ echo "Querying koji for ${coreos_version} kernel: $kernel_version"
+ echo "$URL"
+ HTTP_RESP=$(curl -sI "$URL" | grep ^HTTP)
+ linux=""
+ if grep -qv "200 OK" <<< "${HTTP_RESP}"; then
+ echo "Koji failed to find $coreos_version kernel: $kernel_version"
+ case "$kernel_rel_part" in
+ "300")
+ kernel_rel_part="200"
+ ;;
+ "200")
+ kernel_rel_part="100"
+ ;;
+ "100")
+ ;;
+ *)
+ echo "unexpected kernel_rel_part ${kernel_rel_part}"
+ ;;
+ esac
+ kernel_rel="$kernel_rel_part.fc${{ inputs.fedora_version }}"
+ kernel_version="$major_minor_patch-$kernel_rel.$arch"
+ URL="https://kojipkgs.fedoraproject.org/packages/kernel/"$major_minor_patch"/"$kernel_rel"/"$arch"/kernel-"$kernel_version".rpm"
+ echo "Re-querying koji for ${coreos_version} kernel: $kernel_version"
+ echo "$URL"
+ HTTP_RESP=$(curl -sI "$URL" | grep ^HTTP)
+ if grep -qv "200 OK" <<< "${HTTP_RESP}"; then
+ echo "Koji failed to find $coreos_version kernel: $kernel_version"
+ fi
+ fi
+ if grep -q "200 OK" <<< "${HTTP_RESP}"; then
+ linux=$kernel_version
+ fi
+ }
+
+ case ${{ inputs.kernel_flavor }} in
+ "asus")
+ $dnf copr enable -y lukenukem/asus-kernel
+ linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:lukenukem:asus-kernel --whatprovides kernel | sort -V | tail -n1 | sed 's/.*://')
+ ;;
+ "fsync")
+ $dnf copr enable -y sentry/kernel-fsync
+ linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:sentry:kernel-fsync --whatprovides kernel | sort -V | tail -n1 | sed 's/.*://')
+ ;;
+ "fsync-ba")
+ $dnf copr enable -y sentry/kernel-ba
+ linux=$($dnf repoquery --repoid copr:copr.fedorainfracloud.org:sentry:kernel-ba --whatprovides kernel | sort -V | tail -n1 | sed 's/.*://')
+ ;;
+ "bazzite")
+ latest="$(curl "https://api.github.com/repos/hhd-dev/kernel-bazzite/releases/latest" )"
+ linux=$(echo -E "$latest" | jq -r '.assets[].name' | grep -E 'kernel-.*.rpm' | grep "fc${{ inputs.fedora_version }}.x86_64" | head -1 | sed "s/kernel-//g" | sed "s/.rpm//g" )
+ build_tag=$(echo -E $latest | jq -r '.tag_name')
+ ;;
+ "surface")
+ if [[ "${{ inputs.fedora_version }}" < 41 ]]; then
+ $dnf config-manager --add-repo=https://pkg.surfacelinux.com/fedora/linux-surface.repo
+ else
+ $dnf config-manager addrepo --from-repofile=https://pkg.surfacelinux.com/fedora/linux-surface.repo
+ fi
+ linux=$($dnf repoquery --repoid linux-surface --whatprovides kernel-surface | sort -V | tail -n1 | sed 's/.*://')
+
+ ;;
+ "main")
+ base_image_name="base"
+ if [[ ${{ inputs.fedora_version }} > 40 ]]; then
+ base_image_name+="-atomic"
+ fi
+ linux=$(skopeo inspect docker://quay.io/fedora-ostree-desktops/$base_image_name:${{ inputs.fedora_version }} | jq -r '.Labels["ostree.linux"]' )
+ ;;
+ "coreos-stable")
+ coreos_kernel stable
+ ;;
+ "coreos-testing")
+ coreos_kernel testing
+ ;;
+ *)
+ echo "unexpected kernel_flavor '${{ inputs.kernel_flavor }}' for query"
+ ;;
+ esac
+ if [ -z "$linux" ] || [ "null" = "$linux" ]; then
+ echo "inspected image linux version must not be empty or null"
+ exit 1
+ fi
+ major=$(echo "$linux" | cut -d '.' -f 1)
+ minor=$(echo "$linux" | cut -d '.' -f 2)
+ patch=$(echo "$linux" | cut -d '.' -f 3)
+ kernel_major_minor_patch="${major}.${minor}.${patch}"
+
+ # Debug Output
+ echo "kernel_build_tag: ${build_tag}"
+ echo "kernel_flavor: ${{ inputs.kernel_flavor }}"
+ echo "kernel_major_minor_patch: ${kernel_major_minor_patch}"
+ echo "kernel_release: ${linux}"
+
+ # Action Output
+ echo "build_tag=${build_tag}" >> $GITHUB_OUTPUT
+ echo "major_minor_patch=${kernel_major_minor_patch}" >> $GITHUB_OUTPUT
+ echo "release=${linux}" >> $GITHUB_OUTPUT
+
diff --git a/.github/workflows/build-39.yml b/.github/workflows/build-39.yml
deleted file mode 100644
index 27758e5b..00000000
--- a/.github/workflows/build-39.yml
+++ /dev/null
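Review bot: `patch=$(echo "$linux" | cut -d '.' -f 3)` keeps the release suffix, so for a release such as `6.12.9-200.fc41.x86_64` the `major_minor_patch` output becomes `6.12.9-200`, not the `6.12.9` the output description promises; `kernel_major_minor_patch="${linux%%-*}"` (the same split fetch-kernel.sh does with `cut -d '-' -f 1`) yields the intended value. Separately, `${{ inputs.kernel_flavor }}` and `${{ inputs.fedora_version }}` are expanded unquoted into the bash body (`[[ ... =~ ]]`, `case`, the podman and skopeo lines), which is the script-injection pattern GitHub's hardening guide warns about even when today's callers are trusted matrices; map them with `env:` (`KERNEL_FLAVOR: ${{ inputs.kernel_flavor }}`, `FEDORA_VERSION: ${{ inputs.fedora_version }}`) on the step and reference `"$KERNEL_FLAVOR"` / `"$FEDORA_VERSION"` instead. The koji probe `grep -qv "200 OK"` on `curl -sI` output reports a miss whenever HTTP/2 is negotiated, because the status line is then `HTTP/2 200` with no `OK`; `curl -sfI -o /dev/null "$URL"` and its exit status is independent of the protocol version. `[[ "${{ inputs.fedora_version }}" < 41 ]]` and `[[ ... > 40 ]]` are string comparisons inside `[[ ]]`; `-lt` / `-gt` state the numeric intent and keep working past two digits.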
@@ -1,19 +0,0 @@ -name: ublue akmods 39 -on: - merge_group: - pull_request: - branches: - - main - paths-ignore: - - '**.md' - schedule: - - cron: '0 2 * * *' # 2am-ish UTC everyday (timed against official fedora container pushes, and after 'config') - workflow_dispatch: - -jobs: - build: - name: build - uses: ./.github/workflows/reusable-build.yml - secrets: inherit - with: - fedora_version: 39 \ No newline at end of file diff --git a/.github/workflows/build-40.yml b/.github/workflows/build-40.yml index 4de8df3d..c389f5fc 100644 --- a/.github/workflows/build-40.yml +++ b/.github/workflows/build-40.yml @@ -7,13 +7,24 @@ on: paths-ignore: - '**.md' schedule: - - cron: '15 0 * * *' # 10 minutes after kernel-cache + - cron: '25 0 * * *' # 0025 UTC everyday (20 minutes after 41) workflow_dispatch: + jobs: - build: - name: build + kernel-akmods: uses: ./.github/workflows/reusable-build.yml secrets: inherit + strategy: + fail-fast: false + matrix: + fedora_version: + - 40 + kernel_flavor: + - surface + - main + - coreos-stable + - coreos-testing with: - fedora_version: 40 \ No newline at end of file + fedora_version: ${{ matrix.fedora_version }} + kernel_flavor: ${{ matrix.kernel_flavor }} \ No newline at end of file diff --git a/.github/workflows/build-41.yml b/.github/workflows/build-41.yml index 1044943e..fc3536b9 100644 --- a/.github/workflows/build-41.yml +++ b/.github/workflows/build-41.yml @@ -7,13 +7,25 @@ on: paths-ignore: - '**.md' schedule: - - cron: '15 0 * * *' # 10 minutes after kernel-cache + - cron: '5 0 * * *' # 0005 UTC everyday workflow_dispatch: jobs: - build: - name: build + kernel-akmods: uses: ./.github/workflows/reusable-build.yml secrets: inherit + strategy: + fail-fast: false + matrix: + fedora_version: + - 41 + kernel_flavor: + - asus + - bazzite + - surface + - main + - coreos-stable + - coreos-testing with: - fedora_version: 41 + fedora_version: ${{ matrix.fedora_version }} + kernel_flavor: ${{ matrix.kernel_flavor }} 
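Review bot: build-40.yml still ends without a trailing newline on the new side (`\ No newline at end of file` remains after `kernel_flavor: ${{ matrix.kernel_flavor }}`) while build-41.yml gains one in the same commit; adding the final newline keeps the two caller workflows consistent and avoids a spurious diff on the next edit. The matrix values `- 40` / `- 41` are bare integers feeding a `type: string` input; quoting them as `- "40"` makes the string intent explicit and is the usual recommendation for version matrices, though the previous bare `fedora_version: 40` suggests GitHub coerces it fine.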
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 193ebb09..7213037b 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -3,7 +3,11 @@ on: workflow_call: inputs: fedora_version: - description: "The Fedora release version: 39, 40, etc" + description: "The Fedora release version: 40, 41, etc" + required: true + type: string + kernel_flavor: + description: "The Kernel flavor: main, bazzite, coreos-stable, etc" required: true type: string env: 
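Review bot: The `kernel_flavor` description reads `main, bazzite, coreos-stable, etc`, but the accepted set is closed by the composite action's `case` (asus, fsync, fsync-ba, bazzite, surface, main, coreos-stable, coreos-testing) and anything else only prints `unexpected kernel_flavor` before failing on the empty version; listing the values, e.g. `description: "Kernel flavor, one of: asus, bazzite, coreos-stable, coreos-testing, fsync, fsync-ba, main, surface"`, lets callers see the contract without reading the action. The updated `fedora_version` description (40, 41) matches the removal of build-39.yml.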
@@ -11,13 +15,134 @@ env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} concurrency: - group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }} + group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }}-${{ inputs.kernel_flavor }} cancel-in-progress: true jobs: - build_ublue: - name: akmods + cache-kernel: + name: Kernel ${{ inputs.fedora_version }}-${{ inputs.kernel_flavor }} + runs-on: ubuntu-24.04 + env: + KCWD: /tmp/kernel-cache + KCPATH: kernel_cache + outputs: + KCKEY: ${{ inputs.kernel_flavor }}-${{ steps.kernel-version.outputs.kernel_release }} + KCWD: ${{ env.KCWD }} + KCPATH: ${{ env.KCPATH }} + kernel_build_tag: ${{ steps.kernel-version.outputs.kernel_build_tag }} + kernel_major_minor_patch: ${{ steps.kernel-version.outputs.kernel_major_minor_patch }} + KERNEL_VERSION: ${{ steps.kernel-version.outputs.kernel_release }} + + steps: + - name: Checkout Repo + uses: actions/checkout@v4 + + - name: Get Kernel Version + id: kernel-version + uses: ./.github/actions/get-kernel-version + with: + fedora_version: ${{ inputs.fedora_version }} + kernel_flavor: ${{ inputs.kernel_flavor }} + + - name: Cache Kernel RPMs + id: cache-kernel + uses: actions/cache@v4 + with: + path: ${{ env.KCPATH }} + key: ${{ inputs.kernel_flavor }}-${{ steps.kernel-version.outputs.kernel_release }} # job outputs KCKEY + + - name: Retrieve Signing Key + if: steps.cache-kernel.outputs.cache-hit != 'true' && github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group' + shell: bash + run: | + mkdir -p certs + if [[ "${{ github.event_name }}" == 'pull_request' ]]; then + echo "This should not have run... exiting..." 
+ exit 1 + else + echo "${{ secrets.KERNEL_PRIVKEY }}" > certs/private_key.priv + echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key_2.priv + # DEBUG: get character count of key + wc -c certs/private_key.priv + wc -c certs/private_key_2.priv + fi + + - name: Fetch and Sign Kernel Packages + if: steps.cache-kernel.outputs.cache-hit != 'true' + shell: bash + run: | + build_image="quay.io/fedora/fedora:${{ inputs.fedora_version }}" + podman pull "$build_image" + + mkdir -p ${{ env.KCWD }} + cp -a fetch-kernel.sh certs ${{ env.KCWD }} + + echo "${{toJSON(steps.kernel-version.outputs)}}" + + container_name="fq-$(uuidgen)" + podman run \ + --entrypoint /bin/bash \ + --env FEDORA_VERSION=${{ inputs.fedora_version }} \ + --env KERNEL_BUILD_TAG=${{ steps.kernel-version.outputs.kernel_build_tag }} \ + --env KERNEL_VERSION=${{ steps.kernel-version.outputs.kernel_release }} \ + --env KERNEL_FLAVOR=${{ inputs.kernel_flavor }} \ + --env DUAL_SIGN=true \ + --name "$container_name" \ + -v ${{ env.KCWD }}:${{ env.KCWD }}:rw \ + -dt "$build_image" + + podman exec "$container_name" bash -x ${{ env.KCWD }}/fetch-kernel.sh ${{ env.KCWD }} + + find ${{ env.KCWD }} + + - name: Check Secureboot Signatures + if: steps.cache-kernel.outputs.cache-hit != 'true' + shell: bash + run: | + set -x + if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) || ! 
$(command -v rpm2cpio) ]]; then + sudo apt update + sudo apt install sbsigntool curl openssl rpm2cpio + fi + + cd ${{ env.KCWD }}/rpms + if [[ "${{ inputs.kernel_flavor }}" == "surface" ]]; then + rpm2cpio kernel-surface-core-"${{ steps.kernel-version.outputs.kernel_release }}".rpm | cpio -idmv + else + rpm2cpio kernel-core-"${{ steps.kernel-version.outputs.kernel_release }}".rpm | cpio -idmv + fi + cd ./lib/modules/"${{ steps.kernel-version.outputs.kernel_release }}"/ + sbverify --list vmlinuz + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + curl --retry 3 -#fLo kernel-sign.der https://github.com/ublue-os/akmods/raw/main/certs/public_key.der.test + curl --retry 3 -#fLo akmods.der https://github.com/ublue-os/akmods/raw/main/certs/public_key_2.der.test + else + curl --retry 3 -#fLo kernel-sign.der https://github.com/ublue-os/akmods/raw/main/certs/public_key.der + curl --retry 3 -#fLo akmods.der https://github.com/ublue-os/akmods/raw/main/certs/public_key_2.der + fi + openssl x509 -in kernel-sign.der -out kernel-sign.crt + openssl x509 -in akmods.der -out akmods.crt + sbverify --cert kernel-sign.crt vmlinuz || exit 1 + sbverify --cert akmods.crt vmlinuz || exit 1 + + - name: Finalize Cache Files + if: steps.cache-kernel.outputs.cache-hit != 'true' + shell: bash + run: | + # this should be in runner user's home dir + mkdir -p ${{ env.KCPATH }} + cp -a ${{ env.KCWD }}/rpms/*.rpm ${{ env.KCPATH }}/ + echo "$(date '+%Y%m%d.0')" > ${{ env.KCPATH }}/kernel-cache-date + + - name: List Cached Kernel RPMs + shell: bash + run: | + find ${{ env.KCPATH }} + + build-akmods: + name: Akmods ${{ inputs.fedora_version }}-${{ inputs.kernel_flavor }}-${{ matrix.cfile_suffix }} runs-on: ubuntu-24.04 # Work Around Tar Bug + needs: [cache-kernel] permissions: contents: read packages: write 
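Review bot: The `Retrieve Signing Key` condition `cache-hit != 'true' && github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group'` binds `&&` before `||`, so on a workflow_dispatch or merge_group run with a cache hit the private keys are still written to `certs/` although their only consumer, `Fetch and Sign Kernel Packages`, is skipped; parenthesise the event alternatives: `if: steps.cache-kernel.outputs.cache-hit != 'true' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group')`. The keys are also spliced into the script body with `echo "${{ secrets.KERNEL_PRIVKEY }}"`; passing them through the step's `env:` and writing `printf '%s\n' "$KERNEL_PRIVKEY" > certs/private_key.priv` keeps the secret out of the generated script and is robust to key material containing characters bash would interpret. The `wc -c` debug lines print the key lengths to the job log; small, but it is information about the secret that a public log does not need. The cache key `${{ inputs.kernel_flavor }}-<kernel_release>` does not distinguish a pull_request run (no private keys written) from a scheduled one, so it is worth confirming that actions/cache's branch scoping is the only thing keeping test-signed RPMs from satisfying a production restore, and folding the signing mode into the key if that is not guaranteed.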
@@ -25,15 +150,8 @@ jobs: strategy: fail-fast: false matrix: - fedora_version: - - ${{ inputs.fedora_version }} - kernel_flavor: - - main - - asus - - bazzite - - surface - - coreos-stable - - coreos-testing + kernel_flavor: # this must be in matrix for excludes, but reference inputs.kernel_flavor in workflow + - ${{ inputs.kernel_flavor }} cfile_suffix: - common - extra @@ -41,22 +159,6 @@ jobs: - nvidia-open - zfs exclude: - - fedora_version: 39 - kernel_flavor: coreos-stable - - fedora_version: 40 - kernel_flavor: coreos-testing - - fedora_version: 40 - kernel_flavor: asus - - fedora_version: 40 - kernel_flavor: bazzite - - fedora_version: 39 - kernel_flavor: fsync - - fedora_version: 39 - kernel_flavor: bazzite - - fedora_version: 39 - kernel_flavor: asus - - fedora_version: 39 - kernel_flavor: coreos-testing - kernel_flavor: main cfile_suffix: zfs - kernel_flavor: asus 
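Review bot: With the `fedora_version` excludes removed, the per-release restrictions (no asus, bazzite or coreos-testing on Fedora 40, for example) are now enforced solely by each caller's matrix in build-NN.yml, and reusable-build itself accepts any version/flavor pair; the comment on `kernel_flavor:` could record that, e.g. `# version/flavor compatibility is decided by the caller workflows (build-NN.yml); an unsupported pair fails inside get-kernel-version`. The strategy block continues outside this hunk.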
@@ -65,12 +167,50 @@ jobs: cfile_suffix: zfs - kernel_flavor: surface cfile_suffix: zfs + env: + KCWD: ${{ needs.cache-kernel.outputs.KCWD }} + KCPATH: ${{ needs.cache-kernel.outputs.KCPATH }} + kernel_build_tag: ${{ needs.cache-kernel.outputs.kernel_build_tag }} + KERNEL_VERSION: ${{ needs.cache-kernel.outputs.KERNEL_VERSION }} steps: - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action + - name: Checkout Repo uses: actions/checkout@v4 + - name: Create cache parent dir + shell: bash + run: | + mkdir -p ${{ env.KCWD }} + + - name: Cache Kernel RPMs + id: cache-kernel + uses: actions/cache@v4 + with: + path: ${{ env.KCPATH }} + key: ${{ needs.cache-kernel.outputs.KCKEY }} + + - name: Fail Absent Kernel Cache + if: steps.cache-kernel.outputs.cache-hit != 'true' + run: | + echo "Kernel Cache not found for key: ${{ needs.cache-kernel.outputs.KCKEY }}" + exit 1 + + - name: Get Cached Kernel Date/Version + shell: bash + run: | + set -exo pipefail + + find ${{ env.KCPATH }} + KCDATE=$(cat ${{ env.KCPATH }}/kernel-cache-date) + if [ -z "${KCDATE}" ]; then + echo "kernel-cache-date must not be empty" + fi + if [ -z "${{ env.KERNEL_VERSION }}" ]; then + echo "KERNEL_VERSION must not be empty" + fi + KERNEL_IMAGE_VERSION=${{ env.KERNEL_VERSION }}-${KCDATE} + echo "KERNEL_IMAGE_VERSION=$KERNEL_IMAGE_VERSION" >> $GITHUB_ENV + - name: Matrix Variables shell: bash run: | 
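Review bot: In `Get Cached Kernel Date/Version` the two `must not be empty` checks only echo and fall through, so an empty `kernel-cache-date` or `KERNEL_VERSION` produces a tag like `-20250101.0` or `6.12.9-...-` and the build continues; each branch needs `exit 1` after its echo (`set -e` does not fire on a successful echo). `${{ env.KERNEL_VERSION }}` is interpolated into the script twice; since it is already in the job `env:`, `"$KERNEL_VERSION"` gives the same value without template expansion into the shell text. `Fail Absent Kernel Cache` has no `shell:` while its siblings do; harmless, but worth making uniform.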
@@ -81,10 +221,10 @@ jobs: fi export BUILDER_IMAGE=quay.io/fedora/fedora echo "BUILDER_IMAGE=${BUILDER_IMAGE}" >> $GITHUB_ENV - echo "FQ_BUILDER_IMAGE=${BUILDER_IMAGE}:${{ matrix.fedora_version }}" >> $GITHUB_ENV - export KERNEL_IMAGE=${{ matrix.kernel_flavor }}-kernel - echo "KERNEL_IMAGE=${KERNEL_IMAGE}" >> $GITHUB_ENV - echo "FQ_KERNEL_IMAGE=${{ env.IMAGE_REGISTRY }}/${KERNEL_IMAGE}:${{ matrix.fedora_version }}" >> $GITHUB_ENV + + - name: Pull build image + shell: bash + run: podman pull ${{ env.BUILDER_IMAGE }}:${{ inputs.fedora_version }} - name: AppArmor Disable run: | 
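Review bot: `Pull build image` replaces the `Wandalen/wretry.action` step removed in the `@@ -93,50` hunk but drops its three-attempt retry, which that step's own comment described as covering an "unfortunately common" failure; a transient registry error now fails the matrix leg before any work is done. Recent podman releases accept `--retry` / `--retry-delay` on `pull`, so `run: podman pull --retry 3 --retry-delay 15s ${{ env.BUILDER_IMAGE }}:${{ inputs.fedora_version }}` restores the behaviour if the runner's podman has them and they cover the failures seen before; otherwise a small shell retry loop does the same. Dropping the `FQ_KERNEL_IMAGE` pull is consistent with kernels now coming from the cache job.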
@@ -93,50 +233,13 @@ jobs: sudo systemctl stop apparmor systemctl status apparmor || true - - name: Pull build images - uses: Wandalen/wretry.action@v3.8.0 - with: - attempt_limit: 3 - attempt_delay: 15000 - command: | - # pull the base image used for FROM in containerfile so - # we can retry on that unfortunately common failure case - podman pull ${{ env.FQ_BUILDER_IMAGE }} - podman pull ${{ env.FQ_KERNEL_IMAGE }} - - - name: Get current version - shell: bash - run: | - set -eo pipefail - - #skopeo inspect containers-storage:${{ env.FQ_KERNEL_IMAGE }} > kernel.json - # We SHOULD be able to use container-storage to inspect already pulled image here - # BUT... ubuntu-24.04 builders prevent with this error: - # Error during unshare(...): Operation not permitted - # I intend to investigate/fix later, but need to move forward - skopeo inspect docker://${{ env.FQ_KERNEL_IMAGE }} > kernel.json - - linux=$(jq -r '.["Labels"]["ostree.linux"]' kernel.json) - if [ -z "$linux" ] || [ "null" = "$linux" ]; then - echo "inspected linux version must not be empty or null" - exit 1 - fi - echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV - - img_version=$(jq -r '.["Labels"]["org.opencontainers.image.version"]' kernel.json) - if [ -z "$img_version" ] || [ "null" = "$img_version" ]; then - echo "inspected image version must not be empty or null" - exit 1 - fi - echo "KERNEL_IMAGE_VERSION=$img_version" >> $GITHUB_ENV - - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" - VARIANT="${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }}" + VARIANT="${{ inputs.kernel_flavor }}-${{ inputs.fedora_version }}" COMMIT_TAGS=() BUILD_TAGS=() 
@@ -211,9 +314,8 @@ jobs: ${{ steps.generate-tags.outputs.alias_tags }} build-args: | BUILDER_IMAGE=${{ env.BUILDER_IMAGE }} - KERNEL_ORG=${{ github.repository_owner }} - KERNEL_FLAVOR=${{ matrix.kernel_flavor }} - FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }} + KERNEL_FLAVOR=${{ inputs.kernel_flavor }} + FEDORA_MAJOR_VERSION=${{ inputs.fedora_version }} RPMFUSION_MIRROR=${{ vars.RPMFUSION_MIRROR }} DUAL_SIGN=true labels: ${{ steps.meta.outputs.labels }} @@ -228,9 +330,8 @@ jobs: tags: latest build-args: | BUILDER_IMAGE=${{ env.BUILDER_IMAGE }} - KERNEL_ORG=${{ github.repository_owner }} - KERNEL_FLAVOR=${{ matrix.kernel_flavor }} - FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }} + KERNEL_FLAVOR=${{ inputs.kernel_flavor }} + FEDORA_MAJOR_VERSION=${{ inputs.fedora_version }} INPUT_AKMODS=${{ env.IMAGE_NAME }} INPUT_TAG=${{ env.default_tag }} DUAL_SIGN=true @@ -300,12 +401,12 @@ jobs: echo "${{ toJSON(steps.push.outputs) }}" check: - name: Check all ${{ inputs.fedora_version }} builds successful + name: Check all ${{ inputs.fedora_version }}-${{ inputs.kernel_flavor}} builds successful runs-on: ubuntu-latest - needs: [build_ublue] + needs: [build-akmods] steps: - name: Exit on failure - if: ${{ needs.build_ublue.result == 'failure' }} + if: ${{ needs.build-akmods.result == 'failure' }} shell: bash run: exit 1 - name: Exit diff --git a/Containerfile.common b/Containerfile.common index 69ddefef..5f939e77 100644 --- a/Containerfile.common +++ b/Containerfile.common 
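Review bot: `${{ inputs.kernel_flavor}}` in the `check` job name lacks the space before `}}` that every other expression in the file has; it evaluates fine, but `${{ inputs.kernel_flavor }}` keeps the style consistent. The `Exit on failure` step still tests only `result == 'failure'`, so a `cancelled` build-akmods leg (for instance when `cancel-in-progress` fires) leaves the check green unless the `Exit` step that follows outside the hunk handles it; `needs.build-akmods.result != 'success'` would cover both.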
@@ -3,13 +3,8 @@ ### ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" -ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" -ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}" -ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" -ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" -FROM ${KERNEL_BASE} AS kernel_cache FROM ${BUILDER_BASE} AS builder ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" @@ -20,16 +15,15 @@ ARG DUAL_SIGN="true" COPY build_files/common build_files/shared /tmp/ COPY certs /tmp/certs -# cached kernel rpms -COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache - # files for akmods ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA_MAJOR_VERSION}/ublue-os-akmods-fedora-${FEDORA_MAJOR_VERSION}.repo \ /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo ADD https://negativo17.org/repos/fedora-multimedia.repo \ /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/negativo17-fedora-multimedia.repo -RUN --mount=type=cache,dst=/var/cache/dnf \ +RUN --mount=type=bind,src=kernel_cache,dst=/tmp/kernel_cache,ro \ + --mount=type=cache,dst=/var/cache/dnf \ + ls -sh /tmp/kernel_cache; \ if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \ export KERNEL_NAME="kernel" \ ; else \ @@ -56,4 +50,5 @@ RUN --mount=type=cache,dst=/var/cache/dnf \ FROM scratch +COPY --from=builder /var/cache/kernel-rpms /kernel-rpms COPY --from=builder /var/cache/rpms /rpms diff --git a/Containerfile.extra b/Containerfile.extra index df74f05c..33f1e12f 100644 --- a/Containerfile.extra +++ b/Containerfile.extra 
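Review bot: `RUN --mount=type=bind,src=kernel_cache,dst=/tmp/kernel_cache,ro` takes the kernel RPMs straight from the build context and nothing in the file says where that directory comes from; a comment above the RUN, e.g. `# kernel_cache/ is restored by the build-akmods job's actions/cache step before this build runs`, records the contract, and the same applies to the identical hunks in Containerfile.extra, Containerfile.nvidia, Containerfile.nvidia-open and Containerfile.zfs. `ls -sh /tmp/kernel_cache; \` is a debug listing that passes even when the directory is empty; a presence check such as `test -n "$(ls /tmp/kernel_cache/*.rpm 2>/dev/null)" || { echo 'no kernel RPMs in /tmp/kernel_cache'; exit 1; }; \` fails the build with a clear message instead of a later dnf error. The new `COPY --from=builder /var/cache/kernel-rpms /kernel-rpms` ships the full kernel RPM set in every akmods image; Containerfile.test now depends on it, so a one-line comment on why it is there would help the next reader who wonders about the image size.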
@@ -3,13 +3,8 @@ ### ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" -ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" -ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}" -ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" -ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" -FROM ${KERNEL_BASE} AS kernel_cache FROM ${BUILDER_BASE} AS builder ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" @@ -20,16 +15,15 @@ ARG DUAL_SIGN="true" COPY build_files/extra build_files/shared /tmp/ COPY certs /tmp/certs -# cached kernel rpms -COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache - # files for akmods ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA_MAJOR_VERSION}/ublue-os-akmods-fedora-${FEDORA_MAJOR_VERSION}.repo \ /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo ADD https://negativo17.org/repos/fedora-multimedia.repo \ /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/negativo17-fedora-multimedia.repo -RUN --mount=type=cache,dst=/var/cache/dnf \ +RUN --mount=type=bind,src=kernel_cache,dst=/tmp/kernel_cache,ro \ + --mount=type=cache,dst=/var/cache/dnf \ + ls -sh /tmp/kernel_cache; \ if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \ export KERNEL_NAME="kernel" \ ; else \ @@ -61,4 +55,5 @@ RUN --mount=type=cache,dst=/var/cache/dnf \ FROM scratch +COPY --from=builder /var/cache/kernel-rpms /kernel-rpms COPY --from=builder /var/cache/rpms /rpms diff --git a/Containerfile.nvidia b/Containerfile.nvidia index 74594a6e..78bde363 100644 --- a/Containerfile.nvidia +++ b/Containerfile.nvidia 
@@ -3,13 +3,8 @@ ### ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" -ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" -ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}" -ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" -ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" -FROM ${KERNEL_BASE} AS kernel_cache FROM ${BUILDER_BASE} AS builder ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" @@ -20,9 +15,6 @@ ARG DUAL_SIGN="true" COPY build_files/nvidia build_files/shared /tmp/ COPY certs /tmp/certs -# cached kernel rpms -COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache - # files for nvidia COPY files/etc/sway/environment /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/environment COPY files/usr/lib/systemd/system/ublue-nvctk-cdi.service /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/ublue-nvctk-cdi.service @@ -31,7 +23,9 @@ COPY files/usr/lib/systemd/system-preset/70-ublue-nvctk-cdi.preset /tmp/ublue-os COPY files/usr/lib/systemd/system-preset/70-ublue-nvctk-cdi.preset /tmp/ublue-os-ucore-nvidia/rpmbuild/SOURCES/70-ublue-nvctk-cdi.preset COPY files/etc/udev/rules.d/60-nvidia-extra-devices-pm.rules /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/60-nvidia-extra-devices-pm.rules -RUN --mount=type=cache,dst=/var/cache/dnf \ +RUN --mount=type=bind,src=kernel_cache,dst=/tmp/kernel_cache,ro \ + --mount=type=cache,dst=/var/cache/dnf \ + ls -sh /tmp/kernel_cache; \ if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \ export KERNEL_NAME="kernel" \ ; else \ @@ -52,4 +46,5 @@ RUN --mount=type=cache,dst=/var/cache/dnf \ FROM scratch +COPY --from=builder /var/cache/kernel-rpms /kernel-rpms COPY --from=builder /var/cache/rpms /rpms diff --git a/Containerfile.nvidia-open b/Containerfile.nvidia-open index eb921f36..f2c011f7 100644 --- a/Containerfile.nvidia-open +++ b/Containerfile.nvidia-open 
@@ -3,13 +3,8 @@ ### ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" -ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" -ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}" -ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" -ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" -FROM ${KERNEL_BASE} AS kernel_cache FROM ${BUILDER_BASE} AS builder ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" @@ -20,9 +15,6 @@ ARG DUAL_SIGN="true" COPY build_files/nvidia build_files/shared /tmp/ COPY certs /tmp/certs -# cached kernel rpms -COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache - # files for nvidia COPY files/etc/sway/environment /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/environment COPY files/usr/lib/systemd/system/ublue-nvctk-cdi.service /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/ublue-nvctk-cdi.service @@ -31,7 +23,9 @@ COPY files/usr/lib/systemd/system-preset/70-ublue-nvctk-cdi.preset /tmp/ublue-os COPY files/usr/lib/systemd/system-preset/70-ublue-nvctk-cdi.preset /tmp/ublue-os-ucore-nvidia/rpmbuild/SOURCES/70-ublue-nvctk-cdi.preset COPY files/etc/udev/rules.d/60-nvidia-extra-devices-pm.rules /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/60-nvidia-extra-devices-pm.rules -RUN --mount=type=cache,dst=/var/cache/dnf \ +RUN --mount=type=bind,src=kernel_cache,dst=/tmp/kernel_cache,ro \ + --mount=type=cache,dst=/var/cache/dnf \ + ls -sh /tmp/kernel_cache; \ if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \ export KERNEL_NAME="kernel" \ ; else \ @@ -52,4 +46,5 @@ RUN --mount=type=cache,dst=/var/cache/dnf \ FROM scratch +COPY --from=builder /var/cache/kernel-rpms /kernel-rpms COPY --from=builder /var/cache/rpms /rpms diff --git a/Containerfile.test b/Containerfile.test index 3936df13..1de46c87 100644 --- a/Containerfile.test +++ b/Containerfile.test 
@@ -3,16 +3,11 @@ ### ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" -ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" -ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}" -ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" -ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG INPUT_AKMODS="${INPUT_AKMODS:-akmods}" ARG INPUT_TAG="${INPUT_TAG:-${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION}}" ARG INPUT_BASE="${INPUT_AKMODS}:${INPUT_TAG}" -FROM ${KERNEL_BASE} AS kernel_cache FROM ${INPUT_BASE} AS akmods_cache FROM ${BUILDER_BASE} AS tester @@ -25,7 +20,7 @@ COPY build_files/shared /tmp/ COPY certs /tmp/certs # cached kernel rpms -COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache +COPY --from=akmods_cache /kernel-rpms /tmp/kernel_cache COPY --from=akmods_cache /rpms /tmp/akmods-rpms RUN --mount=type=cache,dst=/var/cache/dnf \ diff --git a/Containerfile.zfs b/Containerfile.zfs index 9229cd56..52c52857 100644 --- a/Containerfile.zfs +++ b/Containerfile.zfs @@ -3,13 +3,8 @@ ### ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" -ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}" -ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}" -ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" -ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" -FROM ${KERNEL_BASE} AS kernel_cache FROM ${BUILDER_BASE} AS builder ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" 
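Review bot: Containerfile.test drops the global `ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"` but keeps `ARG INPUT_TAG="${INPUT_TAG:-${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION}}"`, and as far as I know an ARG default only expands ARGs declared before it, so without `--build-arg INPUT_TAG` the default now becomes `-40` instead of `main-40`; the workflow passes `INPUT_TAG` explicitly (the `@@ -228,9` hunk), so CI is unaffected, but a local build loses the default. Either restore `ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"` ahead of `INPUT_TAG` or make the default not reference it. The same removal in the other Containerfiles is only safe if a stage-local `ARG KERNEL_FLAVOR` exists after the `FROM`, since the `grep -qv "surface" <<< "${KERNEL_FLAVOR}"` line in each RUN needs it; that part of each file lies outside the hunks.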
@@ -21,11 +16,10 @@ ARG ZFS_MINOR_VERSION="${ZFS_MINOR_VERSION:-2.2}" COPY build_files/zfs build_files/shared /tmp/ COPY certs /tmp/certs -# cached kernel rpms -COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache - # Set kernel name -RUN --mount=type=cache,dst=/var/cache/dnf \ +RUN --mount=type=bind,src=kernel_cache,dst=/tmp/kernel_cache,ro \ + --mount=type=cache,dst=/var/cache/dnf \ + ls -sh /tmp/kernel_cache; \ if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \ export KERNEL_NAME="kernel" \ ; else \ @@ -38,4 +32,5 @@ RUN --mount=type=cache,dst=/var/cache/dnf \ FROM scratch +COPY --from=builder /var/cache/kernel-rpms /kernel-rpms COPY --from=builder /var/cache/rpms /rpms diff --git a/build_files/shared/build-post.sh b/build_files/shared/build-post.sh index cd6d2676..bd50e73c 100755 --- a/build_files/shared/build-post.sh +++ b/build_files/shared/build-post.sh @@ -29,4 +29,8 @@ for rpm in $(find /var/cache/rpms/kmods -type f -name \*.rpm); do fi done +# ensure kernel cache RPMS are copied +mkdir -p /var/cache/kernel-rpms +cp -a /tmp/kernel_cache/*.rpm /var/cache/kernel-rpms + find /var/cache/rpms diff --git a/fetch-kernel.sh b/fetch-kernel.sh new file mode 100755 index 00000000..f1a05a7c --- /dev/null +++ b/fetch-kernel.sh 
@@ -0,0 +1,209 @@
+#!/usr/bin/bash
+
+set -eoux pipefail
+
+# ensures we pass a known dir for volume mount of output rpm files
+KCWD=${1}
+find "${KCWD}"
+
+kernel_version="${KERNEL_VERSION}"
+kernel_flavor="${KERNEL_FLAVOR}"
+build_tag="${KERNEL_BUILD_TAG:-latest}"
+
+dnf install -y --setopt=install_weak_deps=False dnf-plugins-core rpmrebuild sbsigntools openssl
+
+case "$kernel_flavor" in
+ "asus")
+ dnf copr enable -y lukenukem/asus-kernel
+ ;;
+ "surface")
+ if [[ "$(rpm -E %fedora)" -lt 41 ]]; then
+ dnf config-manager --add-repo=https://pkg.surfacelinux.com/fedora/linux-surface.repo
+ else
+ dnf config-manager addrepo --from-repofile=https://pkg.surfacelinux.com/fedora/linux-surface.repo
+ fi
+ ;;
+ "coreos-stable")
+ ;;
+ "coreos-testing")
+ ;;
+ "bazzite")
+ ;;
+ "main")
+ ;;
+ *)
+ echo "unexpected kernel_flavor ${kernel_flavor} for query"
+ ;;
+esac
+
+if [[ "${kernel_flavor}" =~ asus ]]; then
+ dnf download -y \
+ kernel-"${kernel_version}" \
+ kernel-modules-"${kernel_version}" \
+ kernel-modules-core-"${kernel_version}" \
+ kernel-modules-extra-"${kernel_version}" \
+ kernel-devel-"${kernel_version}" \
+ kernel-devel-matched-"${kernel_version}" \
+ kernel-uki-virt-"${kernel_version}"
+
+elif [[ "${kernel_flavor}" == "surface" ]]; then
+ dnf download -y \
+ kernel-surface-"${kernel_version}" \
+ kernel-surface-modules-"${kernel_version}" \
+ kernel-surface-modules-core-"${kernel_version}" \
+ kernel-surface-modules-extra-"${kernel_version}" \
+ kernel-surface-devel-"${kernel_version}" \
+ kernel-surface-devel-matched-"${kernel_version}" \
+ kernel-surface-default-watchdog-"${kernel_version}" \
+ iptsd \
+ libwacom-surface \
+ libwacom-surface-data
+elif [[ "${kernel_flavor}" == "bazzite" ]]; then
+ # Using curl for bazzite release
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-"$kernel_version".rpm
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-core-"$kernel_version".rpm
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-modules-"$kernel_version".rpm
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-modules-core-"$kernel_version".rpm
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-modules-extra-"$kernel_version".rpm
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-devel-"$kernel_version".rpm
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-devel-matched-"$kernel_version".rpm
+ curl -#fLO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-uki-virt-"$kernel_version".rpm
+ # curl -LO https://github.com/hhd-dev/kernel-bazzite/releases/download/"$build_tag"/kernel-uki-virt-addons-"$kernel_version".rpm
+else
+ KERNEL_MAJOR_MINOR_PATCH=$(echo "$kernel_version" | cut -d '-' -f 1)
+ KERNEL_RELEASE="$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 1).$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 2)"
+ ARCH=$(uname -m)
+
+ # Using curl instead of dnf download for https links
+ curl -#fLO https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-"$kernel_version".rpm
+ curl -#fLO https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-"$kernel_version".rpm
+ curl -#fLO https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-core-"$kernel_version".rpm
+ curl -#fLO https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-extra-"$kernel_version".rpm
+ curl -#fLO https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-"$kernel_version".rpm
+ curl -#fLO https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-matched-"$kernel_version".rpm
+ curl -#fLO https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-uki-virt-"$kernel_version".rpm
+fi
+
+if [[ ! -s "${KCWD}"/certs/private_key.priv ]]; then
+ echo "WARNING: Using test signing key."
+ cp "${KCWD}"/certs/private_key.priv{.test,}
+ cp "${KCWD}"/certs/public_key.der{.test,}
+fi
+
+PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key.crt"
+PRIVATE_KEY_PATH="/etc/pki/kernel/private/private_key.priv"
+
+openssl x509 -in "${KCWD}"/certs/public_key.der -out "${KCWD}"/certs/public_key.crt
+
+install -Dm644 "${KCWD}"/certs/public_key.crt "$PUBLIC_KEY_PATH"
+install -Dm644 "${KCWD}"/certs/private_key.priv "$PRIVATE_KEY_PATH"
+
+ls -la /
+if [[ "${kernel_flavor}" =~ asus ]]; then
+ dnf install -y \
+ /kernel-"$kernel_version".rpm \
+ /kernel-modules-"$kernel_version".rpm \
+ /kernel-modules-core-"$kernel_version".rpm \
+ /kernel-modules-extra-"$kernel_version".rpm \
+ kernel-core-"${kernel_version}"
+elif [[ "${kernel_flavor}" =~ surface ]]; then
+ dnf install -y \
+ /kernel-surface-"$kernel_version".rpm \
+ /kernel-surface-modules-"$kernel_version".rpm \
+ /kernel-surface-modules-core-"$kernel_version".rpm \
+ /kernel-surface-modules-extra-"$kernel_version".rpm \
+ kernel-surface-core-"${kernel_version}"
+elif [[ "${kernel_flavor}" == "bazzite" ]]; then
+ dnf install -y \
+ /kernel-"$kernel_version".rpm \
+ /kernel-core-"$kernel_version".rpm \
+ /kernel-modules-"$kernel_version".rpm \
+ /kernel-modules-core-"$kernel_version".rpm \
+ /kernel-modules-extra-"$kernel_version".rpm
+else
+ dnf install -y \
+ /kernel-"$kernel_version".rpm \
+ /kernel-modules-"$kernel_version".rpm \
+ /kernel-modules-core-"$kernel_version".rpm \
+ /kernel-modules-extra-"$kernel_version".rpm \
+ https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-core-"$kernel_version".rpm
+fi
+
+# Strip Signatures from non-fedora Kernels
+if [[ ${kernel_flavor} =~ main|coreos ]]; then
+ echo "Will not strip Fedora signature(s) from ${kernel_flavor} kernel."
+else
+ EXISTING_SIGNATURES="$(sbverify --list /usr/lib/modules/"$kernel_version"/vmlinuz | grep '^signature \([0-9]\+\)$' | sed 's/^signature \([0-9]\+\)$/\1/')" || true
+ if [[ -n "$EXISTING_SIGNATURES" ]]; then
+ for SIGNUM in $EXISTING_SIGNATURES; do
+ echo "Found existing signature at signum $SIGNUM, removing..."
+ sbattach --remove /usr/lib/modules/"${kernel_version}"/vmlinuz
+ done
+ fi
+fi
+
+# Sign Kernel with Key
+sbsign --cert "$PUBLIC_KEY_PATH" --key "$PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz
+
+# Verify Signatures
+sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
+
+rm -f "$PRIVATE_KEY_PATH" "$PUBLIC_KEY_PATH"
+
+if [[ ${DUAL_SIGN:-} == "true" ]]; then
+ SECOND_PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key_2.crt"
+ SECOND_PRIVATE_KEY_PATH="/etc/pki/kernel/private/public_key_2.priv"
+ if [[ ! -s "${KCWD}"/certs/private_key_2.priv ]]; then
+ echo "WARNING: Using test signing key."
+ cp "${KCWD}"/certs/private_key_2.priv{.test,}
+ cp "${KCWD}"/certs/public_key_2.der{.test,}
+ find "${KCWD}"/certs/
+ fi
+ openssl x509 -in "${KCWD}"/certs/public_key_2.der -out "${KCWD}"/certs/public_key_2.crt
+ install -Dm644 "${KCWD}"/certs/public_key_2.crt "$SECOND_PUBLIC_KEY_PATH"
+ install -Dm644 "${KCWD}"/certs/private_key_2.priv "$SECOND_PRIVATE_KEY_PATH"
+ sbsign --cert "$SECOND_PUBLIC_KEY_PATH" --key "$SECOND_PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz
+ sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
+ rm -f "$SECOND_PRIVATE_KEY_PATH" "$SECOND_PUBLIC_KEY_PATH"
+fi
+
+ln -s / /tmp/buildroot
+
+# Rebuild RPMs and Verify
+if [[ "${kernel_flavor}" =~ surface ]]; then
+ rpmrebuild --additional=--buildroot=/tmp/buildroot --batch kernel-surface-core-"${kernel_version}"
+ rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
+ dnf reinstall -y \
+ /kernel-surface-"$kernel_version".rpm \
+ /kernel-surface-modules-"$kernel_version".rpm \
+ /kernel-surface-modules-core-"$kernel_version".rpm \
+ /kernel-surface-modules-extra-"$kernel_version".rpm \
+ /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
+else
+ rpmrebuild --additional=--buildroot=/tmp/buildroot --batch kernel-core-"${kernel_version}"
+ rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
+ find /tmp
+ find /root
+ dnf reinstall -y \
+ /kernel-"$kernel_version".rpm \
+ /kernel-modules-"$kernel_version".rpm \
+ /kernel-modules-core-"$kernel_version".rpm \
+ /kernel-modules-extra-"$kernel_version".rpm \
+ /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
+fi
+
+sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
+
+# Make Temp Dir
+mkdir -p "${KCWD}"/rpms
+
+# Move RPMs over
+mv /kernel-*.rpm "${KCWD}"/rpms
+mv /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm "${KCWD}"/rpms
+
+if [[ "${kernel_flavor}" =~ surface ]]; then
+ cp iptsd-*.rpm libwacom-*.rpm "${KCWD}"/rpms
+fi
+
+# Delete keys in /tmp if we decide to publish this later
+rm -rf "${KCWD}"/certs
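Review bot: The `if [[ ! -s "${KCWD}"/certs/private_key.priv ]]` block falls back to the checked-in test key with only a WARNING line, so a missing or misconfigured CI secret yields a kernel signed by a publicly known key that `sbverify --list` prints like any other; failing closed unless an explicit opt-in is set, for example `[[ ${<OPT_IN_VAR placeholder>:-} == "true" ]] || { echo "signing key missing"; exit 1; }` with a variable name of the project's choosing, makes that case visible, and the same applies to the `DUAL_SIGN` block. The RPMs fetched with `curl -#fLO`, and the koji URL passed straight to `dnf install -y`, are installed without any integrity check, and dnf does not GPG-check local `.rpm` files by default; running `rpmkeys --checksig` on the Fedora-built packages before the install, and pinning the bazzite GitHub release to a digest rather than `build_tag` (which defaults to `latest`), would tie the output to a known provenance. The `*)` arm of `case "$kernel_flavor"` only echoes and then falls through into the koji `else` branch; it should `exit 1`. Minor: `SECOND_PRIVATE_KEY_PATH` stores the private key under the name `public_key_2.priv`.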