diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 8b23979..4a984aa 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -18,7 +18,7 @@ concurrency:
 jobs:
 build:
 name: kernel-cache
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 permissions:
 contents: read
 packages: write
@@ -166,6 +166,21 @@ jobs:
 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
 io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
+ - name: Retrieve Signing Key
+ if: (github.event_name == 'scheduled' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group') && github.event_name != 'pull_request'
+ run: |
+ mkdir -p certs
+ if [[ ${{ env.alias_tags }} =~ pr ]]; then
+ echo "This should not have run... exiting..."
+ exit 1
+ else
+ echo "${{ secrets.KERNEL_PRIVKEY }}" > certs/private_key.priv
+ echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key_2.priv
+ # DEBUG: get character count of key
+ wc -c certs/private_key.priv
+ wc -c certs/private_key_2.priv
+ fi
+
 - name: Build Image
 id: build_image
 uses: redhat-actions/buildah-build@v2
@@ -178,6 +193,7 @@ jobs:
 FEDORA_VERSION=${{ matrix.fedora_version }}
 KERNEL_VERSION=${{ env.kernel_release }}
 KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
+ DUAL_SIGN=true
 labels: ${{ steps.meta.outputs.labels }}
 oci: false
diff --git a/Containerfile b/Containerfile
index 44d9c93..22608c6 100644
--- a/Containerfile
+++ b/Containerfile
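Review bot: The `if:` on the Retrieve Signing Key step tests `github.event_name == 'scheduled'`, but the event name GitHub sets for cron-triggered runs is `schedule`, so scheduled builds skip this step, leave `certs/private_key.priv` empty, and fetch.sh then falls back to the `.test` signing key that is committed to the repository; change it to `github.event_name == 'schedule'` (the trailing `&& github.event_name != 'pull_request'` is then redundant, since none of the listed events is a pull request). Interpolating `${{ secrets.KERNEL_PRIVKEY }}` and `${{ secrets.AKMOD_PRIVKEY_20230518 }}` straight into the `run:` body makes the key material part of the generated shell text; pass both through the step's `env:` and write them with `printf '%s\n' "$KERNEL_PRIVKEY" > certs/private_key.priv`. `[[ ${{ env.alias_tags }} =~ pr ]]` is also unquoted, so if `alias_tags` can ever hold more than one whitespace-separated tag the test becomes a bash syntax error instead of the intended clean `exit 1`; quote it as `[[ "${{ env.alias_tags }}" =~ pr ]]` (or read it from the environment rather than the expression).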
@@ -2,14 +2,16 @@ ARG BASE_IMAGE=quay.io/fedora/fedora
 ARG FEDORA_VERSION=${FEDORA_VERSION:-40}
 # Build from base-main since its our smallest image and we control the tags
-FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder
-ARG KERNEL_VERSION=${:-}
-ARG FEDORA_VERSION=${FEDORA_VERSION:-}
-ARG KERNEL_FLAVOR=${:-}
+FROM ${BASE_IMAGE}:${FEDORA_VERSION} AS builder
+ARG KERNEL_VERSION="${:-6.8.11-300.fc40.x86_64}"
+ARG FEDORA_VERSION="${FEDORA_VERSION:-40}"
+ARG KERNEL_FLAVOR="${:-coreos-stable}"
+ARG DUAL_SIGN="${:-true}"
-COPY fetch.sh /
+COPY fetch.sh /tmp
+COPY certs /tmp/certs
-RUN /fetch.sh
+RUN /tmp/fetch.sh
-FROM scratch as rpms
+FROM scratch AS rpms
 COPY --from=builder /tmp/rpms /tmp/rpms
diff --git a/certs/private_key.priv b/certs/private_key.priv
new file mode 100644
index 0000000..e69de29
diff --git a/certs/private_key.priv.test b/certs/private_key.priv.test
new file mode 100644
index 0000000..5e2efda
--- /dev/null
+++ b/certs/private_key.priv.test
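Review bot: `COPY certs /tmp/certs` writes the CI-supplied private keys into a filesystem layer of the builder stage, and the `rm -rf /tmp/certs` at the end of fetch.sh runs inside the later `RUN /tmp/fetch.sh` layer, so the keys remain in the builder's layer store and in any exported or remote build cache even though the published `rpms` stage (`FROM scratch`, copying only `/tmp/rpms`) never sees them. If the buildah action can forward build secrets, mount them into the RUN instead of copying them (for example `RUN --mount=type=secret,id=kernel_key,target=/tmp/certs/private_key.priv /tmp/fetch.sh`, id name illustrative) and keep only the `.test` keys and public `.der` files in the `certs` directory; if it cannot, the job should at least not export the builder stage to a shared cache. The new `ARG KERNEL_VERSION="${:-6.8.11-300.fc40.x86_64}"` default is also architecture- and release-specific, so a comment above the ARG lines such as `# defaults are for local test builds only; CI passes these via build-args` would stop a reader assuming the image is meant to build that one kernel.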
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMaUcd1e4fYogO +N/cYZc22xmzsAetfhgVLvHNkKb/mNHywkGK4T7vPwvpQCxFGUufmRxYlGJra/QCn +WjYd4/thBWoU/K7RBcLJJpuHFBODls5eBdXGXXpeTYmRKqcT6qBEJf4p21N2BqMz +Mmh242TUKFOJ3rWWKXxWb8peNC+aMfIMKICLYSQvoonjHQm1ShMjkgTiOZQIaVLB +zjfNewdaNCHOMh49xQrQxquTXJuNU6Y7LvPGSIdxShwotGi/E+Z3Y4kvUCapo0os +wjhXXbhuj/XTH7gF+15mvHD9k1RPyVACLgmLyzM9LSOr80/rslj0nQf1KF8jW+bq +tze3bZ17AgMBAAECggEABG8GJV4GB7U96T0KhYNzxlKgezABeHVyOPXR9Oq46Ffc +GoJPOds04ilC/6h1y/YxZHvHPa++cCCLupWI1fYjdjPFXMYsTolW88D8H55uW+zR +9hUfUWmmpVP+N2Fa9WIh7sh6LlM9CLLVKF+gB3AgOD/VrAhiHOsycLeFBq0QGUKR +IkG7pKrF7CX1oal9WOnPo0r2oNUdP4yYCyEa7e7APTUwGbuihtixdnrYyiwEmpp0 +rfZPfBgh+3ACqeUO12gIdtjd85/3UsQ2kLt9/9m2q7Fa6aEcYQVz6nznLKuY4EVm +zoYzAXfC2KsGol2V6eNY4MNBuvzY4DDJnpyjzicOEQKBgQDX4vd+t7ygUyZmGu6V +CsF6uDSRHvHYJvJp2fR5spz6eRj7WXMkCTnyjzpDkMvbxtvjlEBntixlQicXsytW +u2oayYPHl7ppGIEddcKlHsWUFqsAOATkQy3Bs5DCfzliELApGv5zoXJJC/A/iaiD +GXVDJ0+FdSldetpMGw//rItoqwKBgQDyZHcrt0sVY6oxW2JpEVZXNSOoNMjBQQgL ++7lQyFpfXl9wfOXUkcqFc0m5UWPbTrI9OBZbXYcvI1eV/Xbtu3gdGiOv2sYauO1Z +HgAS2B3yNGllzj8dNucELFCSNLwthTGhYO03bWflV7XbsG9O8SrZF2LaEglL2V8m +wqPP5aE+cQKBgQCu7kp9c4R0pOvIcKpCOqTsO7bcoKZ275geDW377q8khlunz6Ns +380EruoXNYz6WPh0P/ywDP2MTz4+BgBoFxSy//a4FEoIPsLgjDtccMLIbFXDp6DP +FWBORKJX958Xx033ANiN+ZQRfIr/8RuKn2ZVM9VL3tPV22ZnpMYh9j5AYQKBgF36 ++gGnJaN7aweMCRH3uORDJDoZjSTw0+/hf66EoBWN/68bnfjXNhCb7J+/oNntH0qB +LpnqH3n1WAY9qhjusNmHwwJx7pF51fzRlvG3fZTlIWBpoSrwmI2TqQGnFLcJh36s +mAz/jGLtqQMu21leRGC7ooYurBAOjcf3e5Al1mjhAoGAT0L02oGzce1vbwfqHCRK +PexrY8GvNU6/Bml70P9n6FX3jQwt6Dhh1JkZZofv+wJWjOj4zV/Z0tj1uB1Ax9nR +Z+87Pu7iYuNaYFGT9s76q+sbQtiUu5Gwlg6CyRSwbKdL15UBWf+Bt22Tp3NfbEoh +OevJKeniH2GYy+ME5XxXb14= +-----END PRIVATE KEY----- diff --git a/certs/private_key_2.priv b/certs/private_key_2.priv new file mode 100644 index 0000000..e69de29 diff --git a/certs/private_key_2.priv.test b/certs/private_key_2.priv.test new file mode 100644 index 0000000..31f9196 --- /dev/null 
+++ b/certs/private_key_2.priv.test @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCnVfa8014cwVhH +8SKJFg94/krdWYAAbEG+BVMWfJf84v19bqEUWO9GKYUHTXIOYTzOcdyyYkBDm8hL +DpUGHWtgAut4l4cDpDCkL9sJzAhKS6lOW0pCqaZzqJoq8AUyK84j/l3vEBwuucZo +HypEyK+GeaWFc5fo3P/UQmYML78YgS2Lbb/MDwH+Zfrmt9IoKv75oIdmOVC/dpzS +MiJZB1trjKyS+31o6gXCI43kpMsRGSHHqW6k5zhNNEAN/0uiGI28C2WDrB4v2igg +bpF6QOMyrCqKs+oHUWndadUzG6Dwz+f4oZ1F7M/J5Xn8N2F1VEDqvvMBU2ZquRyX +NLzbJvcnAgMBAAECggEAQ9LI7iHxvE/1eztWVx/054KST4NOKV23i9BWq/+WDu7l +9agYa8ncOaDshVgziXaKEdb+r+K4z25d0WY4qsDT25dzX25zT9uFx5aJ/j+PgKWI +GvVPdROUHr7QteSRBpPQurAH3LS354xuyZcQJ877rdKybxO6F60zmBHNkNTtbH2P +M5eN88lF398v8Pu3fDce6CWSP9SGqLp43FJMbFMYrWkppzX28Ru0JqDOT3LSWeQy +JAmrC/Oh5S2mLu6AhlqrMJEJ5ErIVpk9n3QZsa5knXsB56dP/kzWyQgirMWotF+O +K4jGo6iHSfFGmYJhopJjVYsuMrJtgpZN8u1VRbMIEQKBgQDakV86A7k7s5ORfI22 +lwB5QukkiA/XT7lP/kcGEem12hW/Gi7vfuwJLMA1i2JP0pmKANMxQG5YweaHSUhX +/09H7BGlqPvwpWBJ5qqW7hkSh0N6VMwEmnYvHfNZh9PiQx2q9zL8+SOoUXCF2je3 +etKZToutMD47gRfeAtDiPQEyjwKBgQDD/m86tBMu1o4Qjj2l3/6mwg4XNbh18f0Q +x1v3t4Wu5HROPPHF1HSwVp6iqSS0HhoDgIYVjgqpH4q2urRQ92urHAq56hUV8dn/ +6VprCcAJOTLvu//bu9FXMu4Ys+v915Z6J4oIkEGLwOL4QAUC6dzCM1luEGAirpyf +ePWIMC5d6QKBgQCkHDMcJF+Y7CUJQDRHvOmmIw9bVq5ORJYn8gzyCdEpsi5R5x8G +xI4F9Yv8qEORG9gdPrFUccRo8G5fdi7To+erYR1+/XruHb5GvuOnn+9DcjzARZtK +eY/zoNFvkAUQBsTn8eRe/dJAN6X9WvQq2BX49nj5+RdBJpT9JbAhrxyPEQKBgDvB +Pg5KyrJ0Dbo0c8033r7e2UbwRP4Iulw8O+jpliN9WYxk/l2Pacg9kH4NTbhwmQPK +UpcNyGhJypPtln49ASGZGhgWqzkWlJ12eu+5eEgXnVUEH3zR5YBNcdQsPt4Utbcm +iOoVeTZvp4OCmUSLIpg+6Zwp9/V7ARuJ2GoeLnTJAoGBANOjf4lQBz1/U0aeog/H +OCscSv+pbfHLo778FDJYcEBL0twofifnMLoED2E28F3ptbwUoE89KUrBvvDTgiXj +4Gd5eMU64iKo2utA9crzcxXEhvEyl04fQyZtaqOIfmUHiV5CHV1oCgoa8Rq1Zxc/ +5bzd1lBjif4fuc6RXjooHX+3 +-----END PRIVATE KEY----- diff --git a/certs/public_key.der b/certs/public_key.der new file mode 100644 index 0000000..cc56e52 Binary files /dev/null and b/certs/public_key.der differ 
diff --git a/certs/public_key.der.test b/certs/public_key.der.test
new file mode 100644
index 0000000..eb5a0f9
Binary files /dev/null and b/certs/public_key.der.test differ
diff --git a/certs/public_key_2.der b/certs/public_key_2.der
new file mode 100644
index 0000000..98507ab
Binary files /dev/null and b/certs/public_key_2.der differ
diff --git a/certs/public_key_2.der.test b/certs/public_key_2.der.test
new file mode 100644
index 0000000..a1c2d61
Binary files /dev/null and b/certs/public_key_2.der.test differ
diff --git a/fetch.sh b/fetch.sh
index a42a8ec..7ca3d61 100755
--- a/fetch.sh
+++ b/fetch.sh
@@ -5,7 +5,11 @@ set -eoux pipefail
 kernel_version="${KERNEL_VERSION}"
 kernel_flavor="${KERNEL_FLAVOR}"
-dnf install -y dnf-plugins-core
+#CoreOS pool repo
+# curl -LsSf -o /etc/yum.repos.d/fedora-coreos-pool.repo \
+# https://raw.githubusercontent.com/coreos/fedora-coreos-config/testing-devel/fedora-coreos-pool.repo
+
+dnf install -y dnf-plugins-core rpmrebuild sbsigntools openssl
 case "$kernel_flavor" in
 "asus")
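Review bot: `dnf install -y dnf-plugins-core rpmrebuild sbsigntools openssl` installs the whole signing toolchain unpinned, so what `sbsign`/`sbverify` actually do in a given build depends on whichever package version the Fedora repo serves that day; pin the versions or at least record them in the log with `rpm -q rpmrebuild sbsigntools openssl` right after the install. The commented-out CoreOS pool repo block above it has no explanation of why it is kept; either remove it or prefix it with a one-line why-comment stating when it is meant to be re-enabled.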
@@ -31,37 +35,40 @@ esac
 if [[ "${kernel_flavor}" =~ asus|fsync ]]; then
 dnf download -y \
 kernel-"${kernel_version}" \
- kernel-core-"${kernel_version}" \
 kernel-modules-"${kernel_version}" \
 kernel-modules-core-"${kernel_version}" \
 kernel-modules-extra-"${kernel_version}" \
 kernel-devel-"${kernel_version}" \
 kernel-devel-matched-"${kernel_version}" \
 kernel-uki-virt-"${kernel_version}"
+
 elif [[ "${kernel_flavor}" == "surface" ]]; then
 dnf download -y \
 kernel-surface-"${kernel_version}" \
- kernel-surface-core-"${kernel_version}" \
 kernel-surface-modules-"${kernel_version}" \
 kernel-surface-modules-core-"${kernel_version}" \
 kernel-surface-modules-extra-"${kernel_version}" \
 kernel-surface-devel-"${kernel_version}" \
 kernel-surface-devel-matched-"${kernel_version}" \
 kernel-surface-default-watchdog-"${kernel_version}" \
- iptsd
+ iptsd \
+ libwacom-surface \
+ libwacom-surface-data
+
+
 else
 KERNEL_MAJOR_MINOR_PATCH=$(echo "$kernel_version" | cut -d '-' -f 1)
 KERNEL_RELEASE="$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 1).$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 2)"
 ARCH=$(uname -m)
 dnf download -y \
 https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-"$kernel_version".rpm \
- https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-core-"$kernel_version".rpm \
 https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-"$kernel_version".rpm \
 https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-core-"$kernel_version".rpm \
 https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-extra-"$kernel_version".rpm \
 https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-"$kernel_version".rpm \
 https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-matched-"$kernel_version".rpm \
 https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-uki-virt-"$kernel_version".rpm
+
 fi
 if [[ "${kernel_flavor}" =~ fsync ]]; then
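Review bot: The surface branch now downloads `libwacom-surface` and `libwacom-surface-data` with no version, while every kernel package on the same `dnf download` invocation is pinned to `${kernel_version}`, so the RPMs later copied into `/tmp/rpms` are whatever the repo serves at build time and two builds of the same kernel can ship different libwacom packages; pin them or document that they are intentionally floating. The three added lines are whitespace only (one blank after `kernel-uki-virt-"${kernel_version}"`, two before `else`), and sit inside the if/elif chain where the rest of the file has none; drop them. The surface test also uses `== "surface"` where the neighbouring branches use `=~`; either is fine, but the later `elif [[ "${kernel_flavor}" =~ surface ]]` in this same file uses the regex form, so matching it here avoids two different match semantics for one flavor.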
@@ -69,6 +76,114 @@ if [[ "${kernel_flavor}" =~ fsync ]]; then
 kernel-headers-"${kernel_version}"
 fi
+if [[ ! -s /tmp/certs/private_key.priv ]]; then
+ echo "WARNING: Using test signing key."
+ cp /tmp/certs/private_key.priv{.test,}
+ cp /tmp/certs/public_key.der{.test,}
+fi
+
+PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key.crt"
+PRIVATE_KEY_PATH="/etc/pki/kernel/private/private_key.priv"
+
+openssl x509 -in /tmp/certs/public_key.der -out /tmp/certs/public_key.crt
+
+install -Dm644 /tmp/certs/public_key.crt "$PUBLIC_KEY_PATH"
+install -Dm644 /tmp/certs/private_key.priv "$PRIVATE_KEY_PATH"
+
+if [[ "${kernel_flavor}" =~ asus|fsync ]]; then
+ dnf install -y \
+ /kernel-"$kernel_version".rpm \
+ /kernel-modules-"$kernel_version".rpm \
+ /kernel-modules-core-"$kernel_version".rpm \
+ /kernel-modules-extra-"$kernel_version".rpm \
+ kernel-core-"${kernel_version}"
+elif [[ "${kernel_flavor}" =~ surface ]]; then
+ dnf install -y \
+ /kernel-surface-"$kernel_version".rpm \
+ /kernel-surface-modules-"$kernel_version".rpm \
+ /kernel-surface-modules-core-"$kernel_version".rpm \
+ /kernel-surface-modules-extra-"$kernel_version".rpm \
+ kernel-surface-core-"${kernel_version}"
+else
+ dnf install -y \
+ /kernel-"$kernel_version".rpm \
+ /kernel-modules-"$kernel_version".rpm \
+ /kernel-modules-core-"$kernel_version".rpm \
+ /kernel-modules-extra-"$kernel_version".rpm \
+ https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-core-"$kernel_version".rpm
+fi
+
+# Strip Signatures from non-fedora Kernels
+if [[ ${kernel_flavor} =~ main|coreos ]]; then
+ echo "Will not strip Fedora signature(s) from ${kernel_flavor} kernel."
+else
+ EXISTING_SIGNATURES="$(sbverify --list /usr/lib/modules/"$kernel_version"/vmlinuz | grep '^signature \([0-9]\+\)$' | sed 's/^signature \([0-9]\+\)$/\1/')" || true
+ if [[ -n "$EXISTING_SIGNATURES" ]]; then
+ for SIGNUM in $EXISTING_SIGNATURES; do
+ echo "Found existing signature at signum $SIGNUM, removing..."
+ sbattach --remove /usr/lib/modules/"${kernel_version}"/vmlinuz
+ done
+ fi
+fi
+
+# Sign Kernel with Key
+sbsign --cert "$PUBLIC_KEY_PATH" --key "$PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz
+
+# Verify Signatures
+sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
+
+rm -f "$PRIVATE_KEY_PATH" "$PUBLIC_KEY_PATH"
+
+if [[ ${DUAL_SIGN:-} == "true" ]]; then
+ SECOND_PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key_2.crt"
+ SECOND_PRIVATE_KEY_PATH="/etc/pki/kernel/private/public_key_2.priv"
+ if [[ ! -s /tmp/certs/private_key_2.priv ]]; then
+ echo "WARNING: Using test signing key."
+ cp /tmp/certs/private_key_2.priv{.test,}
+ cp /tmp/certs/public_key_2.der{.test,}
+ find /tmp/certs/
+ fi
+ openssl x509 -in /tmp/certs/public_key_2.der -out /tmp/certs/public_key_2.crt
+ install -Dm644 /tmp/certs/public_key_2.crt "$SECOND_PUBLIC_KEY_PATH"
+ install -Dm644 /tmp/certs/private_key_2.priv "$SECOND_PRIVATE_KEY_PATH"
+ sbsign --cert "$SECOND_PUBLIC_KEY_PATH" --key "$SECOND_PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz
+ sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
+ rm -f "$SECOND_PRIVATE_KEY_PATH" "$SECOND_PUBLIC_KEY_PATH"
+fi
+
+# Rebuild RPMs and Verify
+if [[ "${kernel_flavor}" =~ surface ]]; then
+ rpmrebuild --batch kernel-surface-core-"${kernel_version}"
+ rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
+ dnf reinstall -y \
+ /kernel-surface-"$kernel_version".rpm \
+ /kernel-surface-modules-"$kernel_version".rpm \
+ /kernel-surface-modules-core-"$kernel_version".rpm \
+ /kernel-surface-modules-extra-"$kernel_version".rpm \
+ /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
+else
+ rpmrebuild --batch kernel-core-"${kernel_version}"
+ rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
+ dnf reinstall -y \
+ /kernel-"$kernel_version".rpm \
+ /kernel-modules-"$kernel_version".rpm \
+ /kernel-modules-core-"$kernel_version".rpm \
+ /kernel-modules-extra-"$kernel_version".rpm \
+ /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
+fi
+
+sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
+
+# Make Temp Dir
 mkdir -p /tmp/rpms
+# Move RPMs over
 mv /kernel-*.rpm /tmp/rpms
+mv /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm /tmp/rpms
+
+if [[ "${kernel_flavor}" =~ surface ]]; then
+ cp iptsd-*.rpm libwacom-*.rpm /tmp/rpms
+fi
+
+# Delete keys in /tmp if we decide to publish this later
+rm -rf /tmp/certs
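Review bot: The test-key fallback at the top of the hunk fails open: when `/tmp/certs/private_key.priv` is empty the script prints `WARNING: Using test signing key.` and signs with `private_key.priv.test`, whose private half is committed to this repository, so any run in which the workflow did not supply the real key (a PR build, or an event the workflow step's `if:` does not match) silently produces a vmlinuz carrying a signature anyone can reproduce, indistinguishable in the build output from a production-signed one. Make the fallback an explicit opt-in that otherwise aborts the build, as sketched below (`ALLOW_TEST_KEY` is an illustrative name), and apply the same guard to the `private_key_2.priv` fallback in the `DUAL_SIGN` block. The private keys are also installed with `install -Dm644`, i.e. world-readable for the rest of the build; use `install -Dm600` for the `.priv` files (the `.crt` files can stay 644), and rename the second one after what it holds, since `SECOND_PRIVATE_KEY_PATH` currently points at `/etc/pki/kernel/private/public_key_2.priv`. Finally, the step commented `# Verify Signatures` runs `sbverify --list`, which only prints the signature table; `sbverify --cert "$PUBLIC_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz` before the `rm -f` of the keys would make a bad or missing signature abort the build instead of being logged and ignored.
```bash
# Fail closed: the .test keys are public, so a kernel signed with them must
# never be produced unless the caller has explicitly asked for a test build.
if [[ ! -s /tmp/certs/private_key.priv ]]; then
  if [[ "${ALLOW_TEST_KEY:-}" != "true" ]]; then
    echo "ERROR: no signing key in /tmp/certs and ALLOW_TEST_KEY is not set" >&2
    exit 1
  fi
  echo "WARNING: Using test signing key."
  cp /tmp/certs/private_key.priv{.test,}
  cp /tmp/certs/public_key.der{.test,}
fi
# … unchanged: PUBLIC_KEY_PATH/PRIVATE_KEY_PATH, openssl x509 conversion …
install -Dm644 /tmp/certs/public_key.crt "$PUBLIC_KEY_PATH"
install -Dm600 /tmp/certs/private_key.priv "$PRIVATE_KEY_PATH"
# … unchanged: dnf install, signature strip, sbsign …
# Verify Signatures: check against the cert, not just list the table
sbverify --cert "$PUBLIC_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz
rm -f "$PRIVATE_KEY_PATH" "$PUBLIC_KEY_PATH"
```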