From 325c2c7c528f8e762b1880f9b9dffc95043d4566 Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Fri, 19 Jul 2024 23:54:54 -0400 Subject: [PATCH 01/10] feat: verify kmod signatures for dual-sign --- Containerfile.common | 2 +- Containerfile.extra | 2 +- Containerfile.nvidia | 2 +- Containerfile.zfs | 2 +- dual-sign-check.sh | 24 ++++++++++++++++++++++++ dual-sign-zfs.sh | 3 +++ dual-sign.sh | 3 +++ 7 files changed, 34 insertions(+), 4 deletions(-) create mode 100755 dual-sign-check.sh diff --git a/Containerfile.common b/Containerfile.common index a5d7d6b1..3f6e7e5a 100644 --- a/Containerfile.common +++ b/Containerfile.common @@ -17,7 +17,7 @@ ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" ARG RPMFUSION_MIRROR="" ARG DUAL_SIGN="true" -COPY build*.sh dual-sign.sh /tmp/ +COPY build*.sh dual-sign*.sh /tmp/ COPY certs /tmp/certs # cached kernel rpms diff --git a/Containerfile.extra b/Containerfile.extra index 0d317880..463a0183 100644 --- a/Containerfile.extra +++ b/Containerfile.extra @@ -17,7 +17,7 @@ ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" ARG RPMFUSION_MIRROR="" ARG DUAL_SIGN="true" -COPY build*.sh dual-sign.sh /tmp/ +COPY build*.sh dual-sign*.sh /tmp/ COPY certs /tmp/certs # cached kernel rpms diff --git a/Containerfile.nvidia b/Containerfile.nvidia index 42b92038..16fbe82b 100644 --- a/Containerfile.nvidia +++ b/Containerfile.nvidia @@ -17,7 +17,7 @@ ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" ARG RPMFUSION_MIRROR="" ARG DUAL_SIGN="true" -COPY build*.sh dual-sign.sh /tmp/ +COPY build*.sh dual-sign*.sh /tmp/ COPY certs /tmp/certs # cached kernel rpms diff --git a/Containerfile.zfs b/Containerfile.zfs index 1784462e..52de7c55 100644 --- a/Containerfile.zfs +++ b/Containerfile.zfs @@ -18,7 +18,7 @@ ARG DUAL_SIGN="true" ARG RPMFUSION_MIRROR="" ARG ZFS_MINOR_VERSION="${ZFS_MINOR_VERSION:-2.2}" -COPY build*.sh dual-sign-zfs.sh /tmp/ +COPY build*.sh dual-sign*.sh /tmp/ COPY certs /tmp/certs # cached kernel rpms 
diff --git a/dual-sign-check.sh b/dual-sign-check.sh new file mode 100755 index 00000000..109aeb16 --- /dev/null +++ b/dual-sign-check.sh @@ -0,0 +1,24 @@ +#!/usr/bin/bash + +KERNEL="$1" +module="$2" +PUBLIC_CERT="$3" + +kmod_sig="/tmp/kmod.sig" +kmod_p7s="/tmp/kmod.p7s" +kmod_data="/tmp/kmod.data" +/usr/src/kernels/"${KERNEL}"/scripts/extract-module-sig.pl -s "${module}" > ${kmod_sig} +openssl pkcs7 -inform der -in ${kmod_sig} -out ${kmod_p7s} +/usr/src/kernels/"${KERNEL}"/scripts/extract-module-sig.pl -0 "${module}" > ${kmod_data} +if openssl cms -verify -binary -inform PEM \ + -in ${kmod_p7s} \ + -content ${kmod_data} \ + -certfile "${PUBLIC_CERT}" \ + -out "/dev/null" \ + -nointern -noverify + then + echo "Signature Verified for ${module}" +else + echo "Signature Failed for ${module}" + exit 1 +fi diff --git a/dual-sign-zfs.sh b/dual-sign-zfs.sh index c7a93a44..83990905 100755 --- a/dual-sign-zfs.sh +++ b/dual-sign-zfs.sh 
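Review bot: The script runs without `set -euo pipefail`, so when `extract-module-sig.pl -s` fails on a module that has no appended signature the redirect still leaves an empty `/tmp/kmod.sig`, and the following `openssl pkcs7` and `openssl cms -verify` steps operate on empty or stale fixed-name files under `/tmp` instead of the failing extraction being the reported error. The three hard-coded paths should come from `mktemp` and be removed by an `EXIT` trap so that one invocation can never read what a previous module left behind. The `openssl cms -verify` call also deserves a comment, since `-noverify -nointern -certfile` performs no chain building: the check proves only that the signature was produced by a key whose certificate is in `${PUBLIC_CERT}`, which is the intended meaning here but reads like full certificate validation, e.g. `# -noverify/-nointern: no chain validation; pass iff a signer cert is in PUBLIC_CERT`. The unquoted `${kmod_sig}`/`${kmod_p7s}`/`${kmod_data}` expansions are harmless for constant paths but inconsistent with the quoted `"${module}"` on the same lines.
```shell
#!/usr/bin/bash
set -euo pipefail

KERNEL="$1"
module="$2"
PUBLIC_CERT="$3"

# Per-invocation scratch files: fixed names under /tmp could be reused across modules.
workdir="$(mktemp -d)"
trap 'rm -rf -- "${workdir}"' EXIT
kmod_sig="${workdir}/kmod.sig"
kmod_p7s="${workdir}/kmod.p7s"
kmod_data="${workdir}/kmod.data"
# … unchanged: extract-module-sig.pl / openssl pkcs7 / openssl cms -verify …
```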
@@ -18,15 +18,18 @@ if [[ "${DUAL_SIGN}" == "true" ]]; then xz --decompress "$module" openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" xz -f "${module_basename}" elif [[ "$module_suffix" == ".gz" ]]; then gzip -d "$module" openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" gzip -9f "${module_basename}" else openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module" -outform DER -out "${module}.cms" -nocerts -noattr -nosmimecap /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module}.cms" sha256 "${PUBLIC_CHAIN}" "${module}" + /tmp/dual-sign-check.sh "${KERNEL}" "${module}" "${PUBLIC_CHAIN}" fi done rpmrebuild --batch /var/cache/rpms/kmods/zfs/kmod-zfs-*.rpm diff --git a/dual-sign.sh b/dual-sign.sh index d113efc9..6b978167 100755 --- a/dual-sign.sh +++ b/dual-sign.sh 
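Review bot: The three new `/tmp/dual-sign-check.sh` calls only stop the build if this script runs under `set -e`, which is outside the hunk; if it does not, a failed verification prints its message and the loop proceeds to recompress and ship the module as signed. Make the consequence explicit regardless of shell options, e.g. `/tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" || exit 1`, in all three branches here and in the identical hunk of dual-sign.sh in this patch. If the script does run with `-e`, a failure in the `.xz`/`.gz` branches leaves the module decompressed, which is fine for a failing build but worth a one-line comment so nobody "fixes" it later. The enclosing `if [[ "${DUAL_SIGN}" == "true" ]]` block and the `for` loop begin outside the hunk.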
@@ -16,15 +16,18 @@ if [[ "${DUAL_SIGN}" == "true" ]]; then xz --decompress "$module" openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" xz -f "${module_basename}" elif [[ "$module_suffix" == ".gz" ]]; then gzip -d "$module" openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" gzip -9f "${module_basename}" else openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module" -outform DER -out "${module}.cms" -nocerts -noattr -nosmimecap /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module}.cms" sha256 "${PUBLIC_CHAIN}" "${module}" + /tmp/dual-sign-check.sh "${KERNEL}" "${module}" "${PUBLIC_CHAIN}" fi done find /var/cache/akmods -type f -name \kmod-*.rpm From adb4de5cf1e9c1503e95a49021713723beb2021f Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 09:21:39 -0400 Subject: [PATCH 02/10] use a test container --- .github/workflows/reusable-build.yml | 30 +++++- Containerfile.test | 45 +++++++++ check-signatures.sh | 23 +++++ test-prep.sh | 136 +++++++++++++++++++++++++++ 4 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 Containerfile.test create mode 100644 check-signatures.sh create mode 100755 test-prep.sh diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 1cfe8b15..82948e7d 100644 
--- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -142,9 +142,10 @@ jobs: for TAG in "${COMMIT_TAGS[@]}"; do echo "${TAG}" done - + default_tag=${COMMIT_TAGS[0]} alias_tags=("${COMMIT_TAGS[@]}") else + default_tag=${BUILD_TAGS[0]} alias_tags=("${BUILD_TAGS[@]}") fi @@ -154,6 +155,7 @@ jobs: done echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT + echo "default_tag=$default_tag" >> $GITHUB_ENV # Build metadata - name: Image Metadata @@ -206,6 +208,32 @@ jobs: labels: ${{ steps.meta.outputs.labels }} oci: false + - name: Build Test Image + uses: redhat-actions/buildah-build@v2 + with: + containerfiles: | + ./Containerfile.test + image: akmods-test + tags: latest + build-args: | + BUILDER_IMAGE=${{ env.BUILDER_IMAGE }} + KERNEL_ORG=${{ github.repository_owner }} + KERNEL_FLAVOR=${{ matrix.kernel_flavor }} + FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }} + INPUT_AKMODS=${{ env.IMAGE_NAME }} + INPUT_TAG=${{ env.default_tag }} + DUAL_SIGN=true + oci: false + + - name: Test Akmods Signature + id: test_akmods + shell: bash + run: | + if ! podman run akmods-test:latest; then + echo "Signatures Failed" + exit 1 + fi + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry diff --git a/Containerfile.test b/Containerfile.test new file mode 100644 index 00000000..1441df55 --- /dev/null +++ b/Containerfile.test 
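Review bot: The `Test Akmods Signature` step's `if ! podman run …; then … exit 1; fi` wrapper adds nothing over letting the step fail on the command's own status, and the gate is exactly as strong as that status: it should be stated in the step that `check-signatures.sh` must exit non-zero when any module fails, not only the last one processed, e.g. `# Gate: the test container's exit code is the only signal; check-signatures.sh must fail on any unverified module`. `podman run --rm akmods-test:latest` would also avoid leaving a stopped test container on the runner after each build. The `image: akmods-test` / `tags: latest` pair is never pushed, which is right for a test-only image and worth a comment so a future refactor does not add it to the push matrix.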
@@ -0,0 +1,45 @@ +### +### Containerfile.test - used to test akmods +### + +ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" +ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" +ARG KERNEL_IMAGE="${KERNEL_IMAGE:-${KERNEL_FLAVOR}-kernel}" +ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" +ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" +ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" +ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" +ARG INPUT_AKMODS="${INPUT_AKMODS:-akmods}" +ARG INPUT_TAG="${INPUT_TAG:-${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION}}" +FROM ${KERNEL_BASE} AS kernel_cache +FROM ${INPUT_AKMODS}:${INPUT_TAG} AS akmod_cache +FROM ${BUILDER_BASE}:${FEDORA_MAJOR_VERSION} AS tester + +ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" +ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" +ARG RPMFUSION_MIRROR="" +ARG DUAL_SIGN="true" + +COPY test-prep.sh /tmp +COPY check-signatures.sh / + +# cached kernel rpms +COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache +COPY --from=akmods_cache /rpms /tmp/akmods-rpms + +# files for akmods +COPY ublue-os-akmods-addons.spec /tmp/ublue-os-akmods-addons/ublue-os-akmods-addons.spec +ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA_MAJOR_VERSION}/ublue-os-akmods-fedora-${FEDORA_MAJOR_VERSION}.repo \ + /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo +ADD https://negativo17.org/repos/fedora-multimedia.repo \ + /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/negativo17-fedora-multimedia.repo + +RUN --mount=type=cache,dst=/var/cache/dnf \ + if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \ + export KERNEL_NAME="kernel" \ + ; else \ + export KERNEL_NAME="kernel-surface" \ + ; fi && \ + /tmp/test-prep.sh + +CMD ["/check-signatures.sh"] diff --git a/check-signatures.sh b/check-signatures.sh new file mode 100644 index 00000000..f2dae077 --- /dev/null +++ b/check-signatures.sh 
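Review bot: `export KERNEL_NAME=…` inside the `RUN` lives only in that layer's shell, so `/check-signatures.sh`, which reads `${KERNEL_NAME}` at `CMD` time, would see it unset; later patches in this series hand it over through a file written by test-prep.sh, and the Containerfile should say so, e.g. `# RUN exports do not persist to CMD; test-prep.sh records KERNEL_NAME for check-signatures.sh`. The flavor test `grep -qv "surface" <<< "${KERNEL_FLAVOR}"` spawns a process for a string compare and reads oddly (`-v` with `-q` succeeds when the line does not contain the word); `if [[ "${KERNEL_FLAVOR}" != *surface* ]]; then` states the same condition directly. The stage is declared `AS akmod_cache` but referenced as `--from=akmods_cache` two lines later, which a later patch in this series corrects by renaming the stage.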
@@ -0,0 +1,23 @@ +#!/usr/bin/bash + +KERNEL="$(rpm -q "${KERNEL_NAME}" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" +PUBLIC_CHAIN="/tmp/certs/public_key_chain.pem" + +if [[ "${DUAL_SIGN}" == "true" ]]; then + for module in /usr/lib/modules/"${KERNEL}"/extra/*/*.ko*; + do + module_basename=${module:0:-3} + module_suffix=${module: -3} + if [[ "$module_suffix" == ".xz" ]]; then + xz --decompress "$module" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" + xz -f "${module_basename}" + elif [[ "$module_suffix" == ".gz" ]]; then + gzip -d "$module" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" + gzip -9f "${module_basename}" + else + /tmp/dual-sign-check.sh "${KERNEL}" "${module}" "${PUBLIC_CHAIN}" + fi + done +fi diff --git a/test-prep.sh b/test-prep.sh new file mode 100755 index 00000000..c5194ff2 --- /dev/null +++ b/test-prep.sh 
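Review bot: A failed `/tmp/dual-sign-check.sh` does not fail this script: there is no `set -e`, the loop keeps going, and the script's exit status is that of the last command of the last iteration (`xz -f` or `gzip -9f` for compressed modules), so the CI gate built on this container's exit code can pass with unverified modules. The glob `/usr/lib/modules/"${KERNEL}"/extra/*/*.ko*` also expands to itself when nothing matches, and if `${KERNEL}` is empty because `KERNEL_NAME` was not set, zero modules are checked and the script still exits 0. Add `set -euo pipefail` and `shopt -s nullglob`, count the modules that were checked and the ones that failed, and exit non-zero when either count is wrong; the PATCH 03 rewrite of this file keeps the same loop verbatim, so the fix applies there too.
```shell
#!/usr/bin/bash
set -euo pipefail
shopt -s nullglob

# … unchanged: KERNEL / PUBLIC_CHAIN …

checked=0
failed=0
for module in /usr/lib/modules/"${KERNEL}"/extra/*/*.ko*; do
  checked=$((checked + 1))
  module_basename=${module:0:-3}
  module_suffix=${module: -3}
  if [[ "$module_suffix" == ".xz" ]]; then
    xz --decompress "$module"
    /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" || failed=$((failed + 1))
    xz -f "${module_basename}"
  # … unchanged shape for the .gz and uncompressed branches, each call followed by `|| failed=$((failed + 1))` …
  fi
done

if (( checked == 0 )); then
  echo "No modules found under /usr/lib/modules/${KERNEL}/extra" >&2
  exit 1
fi
if (( failed > 0 )); then
  echo "${failed} of ${checked} modules failed signature verification" >&2
  exit 1
fi
```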
@@ -0,0 +1,136 @@ +#!/usr/bin/bash + +set -oeux pipefail + +### PREPARE REPOS +# ARCH="$(rpm -E '%_arch')" +RELEASE="$(rpm -E '%fedora')" + +sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo + +# enable RPMs with alternatives to create them in this image build +mkdir -p /var/lib/alternatives + +# install kernel_cache provided kernel +echo "Installing ${KERNEL_FLAVOR} kernel-cache RPMs..." +# fedora image has no kernel so this needs nothing fancy, just install +dnf install -y /tmp/kernel_cache/*.rpm + +if [[ "${KERNEL_FLAVOR}" == "surface" ]]; then + KERNEL_VERSION=$(rpm -q kernel-surface|cut -d '-' -f2-) +else + KERNEL_VERSION=$(rpm -q kernel|cut -d '-' -f2-) +fi + +# enable more repos +RPMFUSION_MIRROR_RPMS="https://mirrors.rpmfusion.org" +if [ -n "${RPMFUSION_MIRROR}" ]; then + RPMFUSION_MIRROR_RPMS=${RPMFUSION_MIRROR} +fi + +if [[ "${RELEASE}" -ge 41 ]]; then + COPR_RELEASE="rawhide" +else + COPR_RELEASE="${RELEASE}" +fi + +if [[ -f $(find /tmp/akmods-rpms/kmod-vhba-*.rpm) ]]; then +curl -LsSf -o /etc/yum.repos.d/_copr_rok-cdemu.repo \ + "https://copr.fedorainfracloud.org/coprs/rok/cdemu/repo/fedora-${COPR_RELEASE}/rok-cdemu-fedora-${COPR_RELEASE}.repo" +fi + +if [[ -f $(find /tmp/akmods-rpms/kmod-facetimehd-*.rpm) ]]; then +curl -LsSf -o /etc/yum.repos.d/_copr_mulderje-facetimehd-kmod.repo \ + "https://copr.fedorainfracloud.org/coprs/mulderje/facetimehd-kmod/repo/fedora-${COPR_RELEASE}/mulderje-facetimehd-kmod-fedora-${COPR_RELEASE}.repo" +fi + +if [[ -f $(find /tmp/akmods-rpms/kmod-kvmfr-*.rpm) ]]; then +curl -LsSf -o /etc/yum.repos.d/_copr_hikariknight-looking-glass-kvmfr.repo \ + "https://copr.fedorainfracloud.org/coprs/hikariknight/looking-glass-kvmfr/repo/fedora-${COPR_RELEASE}/hikariknight-looking-glass-kvmfr-fedora-${COPR_RELEASE}.repo" +fi + +if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm) ]]; then + curl -Lo /etc/yum.repos.d/negativo17-fedora-nvidia.repo \ + "https://negativo17.org/repos/fedora-nvidia.repo" + curl -Lo 
/etc/yum.repos.d/nvidia-container-toolkit.repo \ + "https://nvidia.github.io/libnvidia-container/stable/rpm/nvidia-container-toolkit.repo" + curl -Lo /etc/yum.repos.d/nvidia-container.pp \ + "https://raw.githubusercontent.com/NVIDIA/dgx-selinux/master/bin/RHEL9/nvidia-container.pp" + curl -Lo /etc/yum.repos.d/eyecantcu-supergfxctl.repo \ + "https://copr.fedorainfracloud.org/coprs/eyecantcu/supergfxctl/repo/fedora-${COPR_RELEASE}/eyecantcu-supergfxctl-fedora-${COPR_RELEASE}.repo" + curl -Lo /tmp/nvidia-install.sh \ + "https://raw.githubusercontent.com/ublue-os/hwe/main/nvidia-install.sh" + chmod +x /tmp/nvidia-install.sh + sed -i "s@gpgcheck=0@gpgcheck=1@" /etc/yum.repos.d/nvidia-container-toolkit.repo +fi + +dnf install -y \ + "${RPMFUSION_MIRROR_RPMS}"/free/fedora/rpmfusion-free-release-"${RELEASE}".noarch.rpm \ + "${RPMFUSION_MIRROR_RPMS}"/nonfree/fedora/rpmfusion-nonfree-release-"${RELEASE}".noarch.rpm \ + fedora-repos-archive + + +# after F41 launches, bump to 42 +if [[ "${FEDORA_MAJOR_VERSION}" -ge 41 ]]; then + # pre-release rpmfusion is in a different location + sed -i "s%free/fedora/releases%free/fedora/development%" /etc/yum.repos.d/rpmfusion-*.repo + # pre-release rpmfusion needs to enable testing + sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/rpmfusion-*-updates-testing.repo +fi + +if [ -n "${RPMFUSION_MIRROR}" ]; then + # force use of single rpmfusion mirror + echo "Using single rpmfusion mirror: ${RPMFUSION_MIRROR}" + sed -i.bak "s%^metalink=%#metalink=%" /etc/yum.repos.d/rpmfusion-*.repo + sed -i "s%^#baseurl=http://download1.rpmfusion.org%baseurl=${RPMFUSION_MIRROR}%" /etc/yum.repos.d/rpmfusion-*.repo +fi + +if [[ ! -s "/tmp/certs/private_key.priv" ]]; then + echo "WARNING: Using test signing key. Run './generate-akmods-key' for production builds." 
+ cp /tmp/certs/public_key.der{.test,} +fi + +openssl x509 -in /tmp/certs/public_key.der -out /tmp/certs/public_key.crt +cat /tmp/certs/public_key.crt > /tmp/certs/public_key_chain.pem + +if [[ "${DUAL_SIGN}" == "true" ]]; then + if [[ ! -s "/tmp/certs/private_key_2.priv" ]]; then + echo "WARNING: Using test signing key. Run './generate-akmods-key' for production builds." + cp /tmp/certs/public_key_2.der{.test,} + fi + openssl x509 -in /tmp/certs/public_key_2.der -out /tmp/certs/public_key_2.crt + rm -f /tmp/certs/public_key_chain.pem + cat /tmp/certs/public_key.crt <(echo) /tmp/certs/public_key_2.crt >> /tmp/certs/public_key_chain.pem +fi + +if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm) ]]; then + dnf install -y \ + /tmp/akmods-rpms/ublue-os/*.rpm \ + sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/eyecantcu-supergfxctl.repo + sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/negativo17-fedora-nvidia.repo + sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo + source /tmp/akmods-rpms/kmods/nvidia-vars + dnf install -y \ + libnvidia-fbc \ + libnvidia-ml.i686 \ + libva-nvidia-driver \ + mesa-vulkan-drivers.i686 \ + nvidia-driver \ + nvidia-driver-cuda \ + nvidia-driver-cuda-libs.i686 \ + nvidia-driver-libs.i686 \ + nvidia-modprobe \ + nvidia-persistenced \ + nvidia-settings \ + nvidia-container-toolkit \ + /tmp/akmods-rpms/kmods/kmod-nvidia-"${KERNEL_VERSION}"-"${NVIDIA_AKMOD_VERSION}".fc"${RELEASE}".rpm +elif [[ -f $(find /tmp/akmods-rpms/kmods/zfs/kmod-*.rpm) ]]; then + dnf install -y \ + pv \ + /tmp/akmods-rpms/ublue-os/*.rpm \ + /tmp/akmods-rpms/kmods/zfs/*.rpm +else + dnf install -y \ + /tmp/akmods-rpms/ublue-os/*.rpm \ + /tmp/akmods-rpms/kmods/*.rpm +fi From d7cbb2a86cd9a3d0e26df55bfcf66537727dde99 Mon Sep 17 00:00:00 2001 
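Review bot: Every `if [[ -f $(find /tmp/akmods-rpms/…*.rpm) ]]` test is false as soon as the glob matches more than one file, because `[[ ]]` does not word-split the substitution and `-f` is handed one newline-joined string; `if compgen -G "/tmp/akmods-rpms/kmod-nvidia-*.rpm" > /dev/null; then` tests the glob directly, and the same pattern is repeated in the test-prep.sh hunks of PATCH 05, 06, 09 and 10. For the surface flavor, `rpm -q kernel-surface` prints `kernel-surface-<version>-<release>.<arch>`, so `cut -d '-' -f2-` leaves a `surface-` prefix in `KERNEL_VERSION` and the later `kmod-nvidia-"${KERNEL_VERSION}"-…` path will not match; `rpm -q "${KERNEL_NAME}" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}'`, as check-signatures.sh already does, avoids the field counting. The `curl -Lo …` downloads of the nvidia and supergfxctl repo files lack `-f`/`-sS`, so an HTTP error page would be written into `/etc/yum.repos.d` and the script would continue, unlike the `-LsSf` calls a few lines above; the repo additions in PATCH 06 repeat this. `/tmp/nvidia-install.sh` is fetched from a moving `main` ref and made executable but never run in this script, so it should be dropped, or pinned to a commit if it is needed.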
From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 09:32:43 -0400 Subject: [PATCH 03/10] fix test container --- Containerfile.test | 2 +- check-signatures.sh | 34 ++++++++++++++++------------------ test-prep.sh | 3 +++ 3 files changed, 20 insertions(+), 19 deletions(-) diff --git a/Containerfile.test b/Containerfile.test index 1441df55..398d426d 100644 --- a/Containerfile.test +++ b/Containerfile.test @@ -13,7 +13,7 @@ ARG INPUT_AKMODS="${INPUT_AKMODS:-akmods}" ARG INPUT_TAG="${INPUT_TAG:-${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION}}" FROM ${KERNEL_BASE} AS kernel_cache FROM ${INPUT_AKMODS}:${INPUT_TAG} AS akmod_cache -FROM ${BUILDER_BASE}:${FEDORA_MAJOR_VERSION} AS tester +FROM ${BUILDER_BASE} AS tester ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" diff --git a/check-signatures.sh b/check-signatures.sh index f2dae077..b5fe9c94 100644 --- a/check-signatures.sh +++ b/check-signatures.sh 
@@ -3,21 +3,19 @@ KERNEL="$(rpm -q "${KERNEL_NAME}" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" PUBLIC_CHAIN="/tmp/certs/public_key_chain.pem" -if [[ "${DUAL_SIGN}" == "true" ]]; then - for module in /usr/lib/modules/"${KERNEL}"/extra/*/*.ko*; - do - module_basename=${module:0:-3} - module_suffix=${module: -3} - if [[ "$module_suffix" == ".xz" ]]; then - xz --decompress "$module" - /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" - xz -f "${module_basename}" - elif [[ "$module_suffix" == ".gz" ]]; then - gzip -d "$module" - /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" - gzip -9f "${module_basename}" - else - /tmp/dual-sign-check.sh "${KERNEL}" "${module}" "${PUBLIC_CHAIN}" - fi - done -fi +for module in /usr/lib/modules/"${KERNEL}"/extra/*/*.ko*; +do + module_basename=${module:0:-3} + module_suffix=${module: -3} + if [[ "$module_suffix" == ".xz" ]]; then + xz --decompress "$module" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" + xz -f "${module_basename}" + elif [[ "$module_suffix" == ".gz" ]]; then + gzip -d "$module" + /tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}" + gzip -9f "${module_basename}" + else + /tmp/dual-sign-check.sh "${KERNEL}" "${module}" "${PUBLIC_CHAIN}" + fi +done diff --git a/test-prep.sh b/test-prep.sh index c5194ff2..8f028511 100755 --- a/test-prep.sh +++ b/test-prep.sh @@ -92,6 +92,7 @@ fi openssl x509 -in /tmp/certs/public_key.der -out /tmp/certs/public_key.crt cat /tmp/certs/public_key.crt > /tmp/certs/public_key_chain.pem +rm -f /tmp/certs/private_key.priv if [[ "${DUAL_SIGN}" == "true" ]]; then if [[ ! -s "/tmp/certs/private_key_2.priv" ]]; then 
@@ -103,6 +104,8 @@ if [[ "${DUAL_SIGN}" == "true" ]]; then cat /tmp/certs/public_key.crt <(echo) /tmp/certs/public_key_2.crt >> /tmp/certs/public_key_chain.pem fi +rm -f /tmp/certs/private_key_2.priv + if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm) ]]; then dnf install -y \ /tmp/akmods-rpms/ublue-os/*.rpm \ From 9cc3c4e541bc2fd727cd51f9cbb0b774d25e81a8 Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 09:44:30 -0400 Subject: [PATCH 04/10] specify localhost for input_image --- Containerfile.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Containerfile.test b/Containerfile.test index 398d426d..66af0aed 100644 --- a/Containerfile.test +++ b/Containerfile.test @@ -9,7 +9,7 @@ ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" -ARG INPUT_AKMODS="${INPUT_AKMODS:-akmods}" +ARG INPUT_AKMODS="localhost/${INPUT_AKMODS:-akmods}" ARG INPUT_TAG="${INPUT_TAG:-${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION}}" FROM ${KERNEL_BASE} AS kernel_cache FROM ${INPUT_AKMODS}:${INPUT_TAG} AS akmod_cache From f06d1dd9764400615e114d1470a822ca037bcf38 Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 10:07:16 -0400 Subject: [PATCH 05/10] test container --- Containerfile.test | 13 ++++--------- test-prep.sh | 7 ++++--- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/Containerfile.test b/Containerfile.test index 66af0aed..1390dd33 100644 --- a/Containerfile.test +++ b/Containerfile.test 
@@ -9,10 +9,11 @@ ARG KERNEL_ORG="${KERNEL_ORG:-ublue-os}" ARG KERNEL_BASE="ghcr.io/${KERNEL_ORG}/${KERNEL_IMAGE}:${FEDORA_MAJOR_VERSION}" ARG BUILDER_IMAGE="${BUILDER_IMAGE:-quay.io/fedora/fedora}" ARG BUILDER_BASE="${BUILDER_IMAGE}:${FEDORA_MAJOR_VERSION}" -ARG INPUT_AKMODS="localhost/${INPUT_AKMODS:-akmods}" +ARG INPUT_AKMODS="${INPUT_AKMODS:-akmods}" ARG INPUT_TAG="${INPUT_TAG:-${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION}}" +ARG INPUT_BASE="${INPUT_AKMODS}:${INPUT_TAG}" FROM ${KERNEL_BASE} AS kernel_cache -FROM ${INPUT_AKMODS}:${INPUT_TAG} AS akmod_cache +FROM ${INPUT_BASE} AS akmods_cache FROM ${BUILDER_BASE} AS tester ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}" @@ -22,18 +23,12 @@ ARG DUAL_SIGN="true" COPY test-prep.sh /tmp COPY check-signatures.sh / +COPY certs /tmp/certs # cached kernel rpms COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache COPY --from=akmods_cache /rpms /tmp/akmods-rpms -# files for akmods -COPY ublue-os-akmods-addons.spec /tmp/ublue-os-akmods-addons/ublue-os-akmods-addons.spec -ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA_MAJOR_VERSION}/ublue-os-akmods-fedora-${FEDORA_MAJOR_VERSION}.repo \ - /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/_copr_ublue-os-akmods.repo -ADD https://negativo17.org/repos/fedora-multimedia.repo \ - /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/negativo17-fedora-multimedia.repo - RUN --mount=type=cache,dst=/var/cache/dnf \ if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \ export KERNEL_NAME="kernel" \ diff --git a/test-prep.sh b/test-prep.sh index 8f028511..4481d5f9 100755 --- a/test-prep.sh +++ b/test-prep.sh @@ -67,7 +67,8 @@ fi dnf install -y \ "${RPMFUSION_MIRROR_RPMS}"/free/fedora/rpmfusion-free-release-"${RELEASE}".noarch.rpm \ "${RPMFUSION_MIRROR_RPMS}"/nonfree/fedora/rpmfusion-nonfree-release-"${RELEASE}".noarch.rpm \ - fedora-repos-archive + fedora-repos-archive \ + openssl # after F41 launches, bump to 42 
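Review bot: `COPY certs /tmp/certs` copies the whole directory, including `private_key.priv` and `private_key_2.priv` when they exist, into a layer of the test image; the `rm -f` of those files in test-prep.sh runs in a later `RUN` layer and removes them only from the final filesystem view, not from the image. The image is only tagged `akmods-test:latest` and run locally, so the exposure is limited, but the test needs no private material at all: test-prep.sh keys its `.test` fallback off `private_key.priv` being present, and if that check were switched to the public file (presumably `[[ -s /tmp/certs/public_key.der ]]`), this line could become `COPY certs/public_key*.der* /tmp/certs/` and private keys would never enter the test image. At minimum add `# test-only image, never pushed: private keys end up in this layer` above the line.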
@@ -106,7 +107,7 @@ fi rm -f /tmp/certs/private_key_2.priv -if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm) ]]; then +if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm 2> /dev/null) ]]; then dnf install -y \ /tmp/akmods-rpms/ublue-os/*.rpm \ sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/eyecantcu-supergfxctl.repo @@ -127,7 +128,7 @@ if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm) ]]; then nvidia-settings \ nvidia-container-toolkit \ /tmp/akmods-rpms/kmods/kmod-nvidia-"${KERNEL_VERSION}"-"${NVIDIA_AKMOD_VERSION}".fc"${RELEASE}".rpm -elif [[ -f $(find /tmp/akmods-rpms/kmods/zfs/kmod-*.rpm) ]]; then +elif [[ -f $(find /tmp/akmods-rpms/kmods/zfs/kmod-*.rpm 2> /dev/null) ]]; then dnf install -y \ pv \ /tmp/akmods-rpms/ublue-os/*.rpm \ From e7a6bdcfa2185e2653ccfc6f934cd21d645f68f9 Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 10:30:16 -0400 Subject: [PATCH 06/10] add repos, fix perms --- check-signatures.sh | 0 test-prep.sh | 22 +++++++++++++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) mode change 100644 => 100755 check-signatures.sh diff --git a/check-signatures.sh b/check-signatures.sh old mode 100644 new mode 100755 diff --git a/test-prep.sh b/test-prep.sh index 4481d5f9..99fecf16 100755 --- a/test-prep.sh +++ b/test-prep.sh 
@@ -34,22 +34,34 @@ else COPR_RELEASE="${RELEASE}" fi -if [[ -f $(find /tmp/akmods-rpms/kmod-vhba-*.rpm) ]]; then +curl -Lo /etc/yum.repos.d/_copr_ublue-os_staging.repo \ + "https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-${COPR_RELEASE}/ublue-os-staging-fedora-${COPR_RELEASE}.repo" + +curl -Lo /etc/yum.repos.d/_copr_kylegospo_oversteer.repo \ + "https://copr.fedorainfracloud.org/coprs/kylegospo/oversteer/repo/fedora-${COPR_RELEASE}/kylegospo-oversteer-fedora-${COPR_RELEASE}.repo" + +curl -Lo /etc/yum.repos.d/_copr_ublue-os-akmods.repo \ + "https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${COPR_RELEASE}/ublue-os-akmods-fedora-${COPR_RELEASE}.repo" + +curl -Lo /etc/yum.repos.d/negativo17-fedora-multimedia.repo \ + "https://negativo17.org/repos/fedora-multimedia.repo" + +if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-vhba-*.rpm) ]]; then curl -LsSf -o /etc/yum.repos.d/_copr_rok-cdemu.repo \ "https://copr.fedorainfracloud.org/coprs/rok/cdemu/repo/fedora-${COPR_RELEASE}/rok-cdemu-fedora-${COPR_RELEASE}.repo" fi -if [[ -f $(find /tmp/akmods-rpms/kmod-facetimehd-*.rpm) ]]; then +if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-facetimehd-*.rpm) ]]; then curl -LsSf -o /etc/yum.repos.d/_copr_mulderje-facetimehd-kmod.repo \ "https://copr.fedorainfracloud.org/coprs/mulderje/facetimehd-kmod/repo/fedora-${COPR_RELEASE}/mulderje-facetimehd-kmod-fedora-${COPR_RELEASE}.repo" fi -if [[ -f $(find /tmp/akmods-rpms/kmod-kvmfr-*.rpm) ]]; then +if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-kvmfr-*.rpm) ]]; then curl -LsSf -o /etc/yum.repos.d/_copr_hikariknight-looking-glass-kvmfr.repo \ "https://copr.fedorainfracloud.org/coprs/hikariknight/looking-glass-kvmfr/repo/fedora-${COPR_RELEASE}/hikariknight-looking-glass-kvmfr-fedora-${COPR_RELEASE}.repo" fi -if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm) ]]; then +if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-nvidia-*.rpm) ]]; then curl -Lo /etc/yum.repos.d/negativo17-fedora-nvidia.repo \ 
"https://negativo17.org/repos/fedora-nvidia.repo" curl -Lo /etc/yum.repos.d/nvidia-container-toolkit.repo \ @@ -107,7 +119,7 @@ fi rm -f /tmp/certs/private_key_2.priv -if [[ -f $(find /tmp/akmods-rpms/kmod-nvidia-*.rpm 2> /dev/null) ]]; then +if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-nvidia-*.rpm 2> /dev/null) ]]; then dnf install -y \ /tmp/akmods-rpms/ublue-os/*.rpm \ sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/eyecantcu-supergfxctl.repo From a4d452041929e99b9c0d3bcb7f2be31f71c33995 Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 10:33:35 -0400 Subject: [PATCH 07/10] missing script --- Containerfile.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Containerfile.test b/Containerfile.test index 1390dd33..39bccb23 100644 --- a/Containerfile.test +++ b/Containerfile.test @@ -21,7 +21,7 @@ ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}" ARG RPMFUSION_MIRROR="" ARG DUAL_SIGN="true" -COPY test-prep.sh /tmp +COPY test-prep.sh dual-sign-check.sh /tmp/ COPY check-signatures.sh / COPY certs /tmp/certs From f9af3a2789431ca26d80b9c7ffc8dc1e6b6d7f5b Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 10:48:18 -0400 Subject: [PATCH 08/10] pass kernel name to script --- check-signatures.sh | 2 ++ test-prep.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/check-signatures.sh b/check-signatures.sh index b5fe9c94..d873e928 100755 --- a/check-signatures.sh +++ b/check-signatures.sh @@ -1,5 +1,7 @@ #!/usr/bin/bash +source /tmp/info.sh + KERNEL="$(rpm -q "${KERNEL_NAME}" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" PUBLIC_CHAIN="/tmp/certs/public_key_chain.pem" diff --git a/test-prep.sh b/test-prep.sh index 99fecf16..deb15d59 100755 --- a/test-prep.sh +++ b/test-prep.sh @@ -150,3 +150,5 @@ else /tmp/akmods-rpms/ublue-os/*.rpm \ /tmp/akmods-rpms/kmods/*.rpm fi + +printf "KERNEL_NAME=%s" "$KERNEL_NAME" >> /tmp/info.sh 
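Review bot: `printf "KERNEL_NAME=%s" "$KERNEL_NAME" >> /tmp/info.sh` writes the value unquoted with no trailing newline into a file that check-signatures.sh then `source`s, so anything appended later runs onto the same line and a second run of test-prep.sh appends a duplicate assignment; `printf 'KERNEL_NAME=%q\n' "$KERNEL_NAME" > /tmp/info.sh` is safe to source and idempotent. In the check-signatures.sh hunk, `source /tmp/info.sh` has no guard: if the file is missing the script continues with `KERNEL_NAME` unset, `rpm -q ""` yields an empty `KERNEL`, and the module glob finds nothing; `source /tmp/info.sh || exit 1` (or `set -euo pipefail` at the top) makes the missing handoff a hard failure. The test-prep.sh hunk is the end of that file; the check-signatures.sh hunk is its head.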
From dff7bcc5f531275bb7f11dfb6271c4aa987c8b3b Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 11:03:24 -0400 Subject: [PATCH 09/10] only install ublue-os akmods if they exist --- test-prep.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/test-prep.sh b/test-prep.sh index deb15d59..b97b3987 100755 --- a/test-prep.sh +++ b/test-prep.sh @@ -121,7 +121,7 @@ rm -f /tmp/certs/private_key_2.priv if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-nvidia-*.rpm 2> /dev/null) ]]; then dnf install -y \ - /tmp/akmods-rpms/ublue-os/*.rpm \ + /tmp/akmods-rpms/ublue-os/*.rpm sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/eyecantcu-supergfxctl.repo sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/negativo17-fedora-nvidia.repo sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo @@ -143,11 +143,12 @@ if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-nvidia-*.rpm 2> /dev/null) ]]; then elif [[ -f $(find /tmp/akmods-rpms/kmods/zfs/kmod-*.rpm 2> /dev/null) ]]; then dnf install -y \ pv \ - /tmp/akmods-rpms/ublue-os/*.rpm \ /tmp/akmods-rpms/kmods/zfs/*.rpm else + if [[ -f $(find /tmp/akmods-rpms/ublue-os/*.rpm 2> /dev/null) ]]; then + dnf install -y /tmp/akmods-rpms/ublue-os/*.rpm + fi dnf install -y \ - /tmp/akmods-rpms/ublue-os/*.rpm \ /tmp/akmods-rpms/kmods/*.rpm fi From b7b8a169fa84ec7b43924e840cb922214a34b454 Mon Sep 17 00:00:00 2001 From: m2Giles <69128853+m2Giles@users.noreply.github.com> Date: Sat, 20 Jul 2024 11:17:06 -0400 Subject: [PATCH 10/10] install ublue-os at top --- test-prep.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/test-prep.sh b/test-prep.sh index b97b3987..5ba8c09a 100755 --- a/test-prep.sh +++ b/test-prep.sh 
@@ -11,6 +11,11 @@ sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo # enable RPMs with alternatives to create them in this image build mkdir -p /var/lib/alternatives +if [[ -f $(find /tmp/akmods-rpms/ublue-os/ublue-os-*.rpm 2> /dev/null) ]]; then + dnf install -y /tmp/akmods-rpms/ublue-os/ublue-os-*.rpm +fi + + # install kernel_cache provided kernel echo "Installing ${KERNEL_FLAVOR} kernel-cache RPMs..." # fedora image has no kernel so this needs nothing fancy, just install @@ -120,8 +125,6 @@ fi rm -f /tmp/certs/private_key_2.priv if [[ -f $(find /tmp/akmods-rpms/kmods/kmod-nvidia-*.rpm 2> /dev/null) ]]; then - dnf install -y \ - /tmp/akmods-rpms/ublue-os/*.rpm sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/eyecantcu-supergfxctl.repo sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/negativo17-fedora-nvidia.repo sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo @@ -145,9 +148,6 @@ elif [[ -f $(find /tmp/akmods-rpms/kmods/zfs/kmod-*.rpm 2> /dev/null) ]]; then pv \ /tmp/akmods-rpms/kmods/zfs/*.rpm else - if [[ -f $(find /tmp/akmods-rpms/ublue-os/*.rpm 2> /dev/null) ]]; then - dnf install -y /tmp/akmods-rpms/ublue-os/*.rpm - fi dnf install -y \ /tmp/akmods-rpms/kmods/*.rpm fi