From 9a7b43d1fb7c595cf042a824ed3cd18aa1ea9804 Mon Sep 17 00:00:00 2001
From: jinlun
Date: Wed, 3 Apr 2024 17:05:36 +0800
Subject: [PATCH] kernel.spec: Remove PGP certificates and optimize kernel signing process

1.Delete PGP Certificate, the PGP certificate isn't longer needed because IMA digest list files are signed by the specific certifcate and there isn't need to reuse RPM certificate.

2.Use the open-source signature when the EBS permission is insufficient. Now only the admin user in EBS can sendthe signature request. But the user triggering the acces controlbuild task and the personal build task is non-admin. Inorder to avoid build failures caused by failed signing, use the open-source signature.

Signed-off-by: Jin Lun
---
 kernel.spec | 88 ++++++++++++++++++++++++++++++++++------------------
 1 file changed, 56 insertions(+), 32 deletions(-)

diff --git a/kernel.spec b/kernel.spec
index c46eab1..aa8a75f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -16,6 +16,23 @@
 %define modsign_cmd %{SOURCE10}
+%if 0%{?openEuler_sign_rsa}
+# Use the open-source signature when the EBS permission is insufficient.
+# Now only the admin user in EBS can send the signature request. But the
+# user triggering the acces control build task and the personal build
+# task is non-admin. Inorder to avoid build failures caused by failed
+# signing, use the open-source signature.
+# The flag_openEuler_has_sign_perm used in the rpm execution phase
+# The openEuler_has_sign_perm used in the rpm execution phase
+
+%define openEuler_check_EBS_perm openEuler_has_sign_perm=0 \
+echo "" >> test_openEuler_sign.ko \
+sh /usr/lib/rpm/brp-ebs-sign --module test_openEuler_sign.ko || \
+[ $? -ne 2 ] && openEuler_has_sign_perm=1 \
+%global flag_openEuler_has_sign_perm $openEuler_has_sign_perm \
+rm -f test_openEuler_sign.ko test_openEuler_sign.ko.sig
+%endif
+
 %global Arch $(echo %{_host_cpu} | sed -e s/i.86/x86/ -e s/x86_64/x86/ -e s/aarch64.*/arm64/ -e s/riscv.*/riscv/ -e s/powerpc64le/powerpc/)
 %global KernelVer %{version}-%{release}.%{_target_cpu}
@@ -25,7 +42,7 @@
 %global upstream_sublevel 0
 %global devel_release 19
 %global maintenance_release .0.0
-%global pkg_release .19
+%global pkg_release .20
 %define with_debuginfo 1
 # Do not recompute the build-id of vmlinux in find-debuginfo.sh
@@ -64,10 +81,6 @@ Source0: kernel.tar.gz
 Source10: sign-modules
 Source11: x509.genkey
 Source12: extra_certificates
-# openEuler RPM PGP certificates:
-# 1. openeuler
-Source13: RPM-GPG-KEY-openEuler-compass-ci
-Source14: process_pgp_certs.sh
 %if 0%{?openEuler_sign_rsa}
 Source15: openeuler_kernel_cert.cer
@@ -288,7 +301,6 @@ package or when debugging this package.\
 %endif
 %prep
-
 %setup -q -n kernel-%{version} -c
 %if 0%{?with_patch}
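Review bot: In `openEuler_check_EBS_perm`, `sh /usr/lib/rpm/brp-ebs-sign --module test_openEuler_sign.ko || [ $? -ne 2 ] && openEuler_has_sign_perm=1` groups as `(sh … || [ $? -ne 2 ]) && …`, so every outcome except an exit status of exactly 2 — a missing `/usr/lib/rpm/brp-ebs-sign` (127), a transport or server error — sets `openEuler_has_sign_perm=1`, and such a build then fails at the real signing step instead of falling back. If that is the intent (only a permission refusal selects the native fallback), the comment block should say so; it currently describes both `flag_openEuler_has_sign_perm` and `openEuler_has_sign_perm` with the same words, "used in the rpm execution phase", which does not tell a reader which is the macro-time and which is the shell-time value, e.g. `# brp-ebs-sign exits 2 when the caller lacks sign permission; only that status selects the native fallback, any other failure surfaces at the real signing step`. Note also that rpm evaluates `%global flag_openEuler_has_sign_perm $openEuler_has_sign_perm` when the macro is expanded, so the flag presumably holds the literal text `$openEuler_has_sign_perm` rather than 0 or 1; a comment stating that the later `[ %flag_openEuler_has_sign_perm -eq 1 ]` test relies on the shell variable set in the same `%install` script would save the next reader a surprise.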
@@ -298,12 +310,6 @@ tar -xjf %{SOURCE9998}
 mv kernel linux-%{KernelVer}
 cd linux-%{KernelVer}
-# process PGP certs
-cp %{SOURCE13} .
-cp %{SOURCE14} .
-sh %{SOURCE14}
-cp pubring.gpg certs
-
 %if 0%{?with_patch}
 cp %{SOURCE9000} .
 cp %{SOURCE9001} .
@@ -396,11 +402,14 @@ sed -i 's/CONFIG_LTO_NONE=y/# CONFIG_LTO_NONE is not set/' .config
 %endif
 %if 0%{?openEuler_sign_rsa}
- cp %{SOURCE15} ./certs/openeuler-cert.pem
+ %{openEuler_check_EBS_perm}
+ if [ $openEuler_has_sign_perm -eq 1 ]; then
+ cp %{SOURCE15} ./certs/openeuler-cert.pem
 # close kernel native signature
- sed -i 's/CONFIG_MODULE_SIG_KEY=.*$/CONFIG_MODULE_SIG_KEY=""/g' .config
- sed -i 's/CONFIG_SYSTEM_TRUSTED_KEYS=.*$/CONFIG_SYSTEM_TRUSTED_KEYS="certs\/openeuler-cert.pem"/g' .config
- sed -i 's/CONFIG_MODULE_SIG_ALL=y$/CONFIG_MODULE_SIG_ALL=n/g' .config
+ sed -i 's/CONFIG_MODULE_SIG_KEY=.*$/CONFIG_MODULE_SIG_KEY=""/g' .config
+ sed -i 's/CONFIG_SYSTEM_TRUSTED_KEYS=.*$/CONFIG_SYSTEM_TRUSTED_KEYS="certs\/openeuler-cert.pem"/g' .config
+ sed -i 's/CONFIG_MODULE_SIG_ALL=y$/CONFIG_MODULE_SIG_ALL=n/g' .config
+ fi
 %endif
 TargetImage=$(basename $(make -s image_name))
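Review bot: The EBS permission probe is evaluated independently in `%build` here and again in `%install` (the `@@ -528,21 +537,24 @@` hunk), and `__modsign_install_post` (the `@@ -628,7 +640,14 @@` hunk) keys off the `%install` result; if the two probes disagree — EBS reachable during `%build` but refused during `%install`, or the reverse — the kernel is configured for one scheme (`CONFIG_SYSTEM_TRUSTED_KEYS` pointing at `openeuler-cert.pem`, `CONFIG_MODULE_SIG_ALL=n`) while the modules and the EFI image are signed under the other, and the modules would most likely not verify against the built-in keyring. Probe once, in `%build`, and carry the outcome to `%install` through a file in the build tree — e.g. `echo "$openEuler_has_sign_perm" > .openEuler_has_sign_perm` after the check here and `openEuler_has_sign_perm=$(cat .openEuler_has_sign_perm)` in `%install` — instead of re-running `%{openEuler_check_EBS_perm}`. The test `if [ $openEuler_has_sign_perm -eq 1 ]` also uses the variable unquoted; `if [ "${openEuler_has_sign_perm:-0}" -eq 1 ]; then` keeps it well-formed should the macro ever expand to nothing.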
@@ -528,21 +537,24 @@ dd if=/dev/zero of=$RPM_BUILD_ROOT/boot/initramfs-%{KernelVer}.img bs=1M count=2
 install -m 755 $(make -s image_name) $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
 %if 0%{?openEuler_sign_rsa}
- echo "start sign"
- %ifarch %arm aarch64
- gunzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
- sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
- mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
- mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
- gzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
- rm -f $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
- %endif
- %ifarch x86_64
- mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
- sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
- mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
- mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
- %endif
+ %{openEuler_check_EBS_perm}
+ if [ $openEuler_has_sign_perm -eq 1 ]; then
+ echo "start sign"
+ %ifarch %arm aarch64
+ gunzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
+ sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
+ gzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
+ rm -f $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
+ %endif
+ %ifarch x86_64
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} 
$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
+ sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
+ %endif
+ fi
 %endif
 pushd $RPM_BUILD_ROOT/boot
@@ -628,7 +640,14 @@ popd
 %if 0%{?openEuler_sign_rsa}
 %define __modsign_install_post \
 if [ "%{with_signmodules}" -eq "1" ];then \
-sh %{SOURCE16} $RPM_BUILD_ROOT/lib/modules/%{KernelVer} || exit 1 \
+ if [ %flag_openEuler_has_sign_perm -eq 1 ]; then \
+ sh %{SOURCE16} $RPM_BUILD_ROOT/lib/modules/%{KernelVer} || exit 1 \
+ else \
+ cp certs/signing_key.pem . \
+ cp certs/signing_key.x509 . \
+ chmod 0755 %{modsign_cmd} \
+ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KernelVer} || exit 1 \
+ fi \
 fi \
 find $RPM_BUILD_ROOT/lib/modules/ -type f -name '*.ko' | xargs -n1 -P`nproc --all` xz; \
 %{nil}
@@ -1000,6 +1019,11 @@ fi
 %endif
 %changelog
+* Fri Apr 12 2024 Jin Lun - 6.6.0-19.0.0.20
+- Remove PGP certificates.
+- Optimize the signing process, if the project has no permission
+ to send sign request, use the kernel native signing.
+
 * Wed Apr 10 2024 ZhangPeng - 6.6.0-19.0.0.19
 - !5877 optimize eevdf scheduler
 - sched/eevdf: Skip eligibility check for current entity during wakeup preemption
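Review bot: Neither `sh /usr/lib/rpm/brp-ebs-sign --efi …` call in the `%install` signing block checks its exit status, and when signing fails the `mv …efi.sig …` that follows fails while the final `mv` (x86_64) or `gzip -c` (arm/aarch64) still puts the unsigned image back at `$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}`, so — unless rpm runs `%install` under `set -e`, which is not visible here — a failed signature yields a package with an unsigned kernel and no build error. Make the step fatal on both arches, matching the `|| exit 1` already used for module signing in `__modsign_install_post`: `sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi || exit 1` and `sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi || exit 1`. The block is pre-existing code re-indented under the new `if … fi`, so the gap predates this commit but now sits on the only path where EBS signing is expected to happen.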
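Review bot: `if [ %flag_openEuler_has_sign_perm -eq 1 ]; then \` in `__modsign_install_post` tests a macro whose body is set by `%global flag_openEuler_has_sign_perm $openEuler_has_sign_perm` inside `openEuler_check_EBS_perm`; rpm evaluates that `%global` when the macro is expanded, so the flag presumably carries the literal text `$openEuler_has_sign_perm` and this test really reads the `%install` shell variable, while an undefined macro would leave `%flag_openEuler_has_sign_perm` verbatim in the script and break the `[` test. Using the shell variable directly, as the `%build` and `%install` hunks already do — `if [ "${openEuler_has_sign_perm:-0}" -eq 1 ]; then \` — removes the indirection and the undefined-macro failure mode. In the fallback branch, `cp certs/signing_key.pem .` copies the private module-signing key into the current working directory and nothing removes it; if `%{modsign_cmd}` can take the key by path, passing `certs/signing_key.pem` to it, or deleting the copy after signing, avoids leaving a second copy of the key in the build tree.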