From 55b09345b80f8e1800c62c40ed610bf7ab2ce11b Mon Sep 17 00:00:00 2001
From: huangzq6
Date: Sat, 16 Dec 2023 16:24:46 +0800
Subject: [PATCH 1/2] add signature for vmlinux

Signed-off-by: Li Nan
---
 kernel.spec | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/kernel.spec b/kernel.spec
index c4d37a0..16d5950 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -105,6 +105,11 @@ BuildRequires: pciutils-devel gettext
 BuildRequires: rpm-build, elfutils
 BuildRequires: numactl-devel python3-devel glibc-static python3-docutils
 BuildRequires: perl-generators perl(Carp) libunwind-devel gtk2-devel libbabeltrace-devel java-1.8.0-openjdk java-1.8.0-openjdk-devel perl-devel
+
+%if 0%{?openEuler_sign_rsa}
+BuildRequires: sign-openEuler
+%endif
+
 AutoReq: no
 AutoProv: yes
@@ -483,6 +488,22 @@ install -m 755 vmlinux.elf $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
 install -m 755 $(make -s image_name) $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
 %endif
+#%if 0%{?openEuler_sign_rsa}
+echo "start sign"
+%ifarch %arm aarch64
+ gunzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
+ /opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
+ gzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
+ rm -f $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
+%endif
+%ifarch x86_64
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
+ /opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
+ mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
+%endif
+#%endif
+
 pushd $RPM_BUILD_ROOT/boot
 sha512hmac ./vmlinuz-%{KernelVer} >./.vmlinuz-%{KernelVer}.hmac
 popd
-- 
Gitee

From f04ac82fc7a79cc400a7f23b2baeed61a0234ff9 Mon Sep 17 00:00:00 2001
From: Li Nan
Date: Wed, 25 Dec 2024 15:36:17 +0800
Subject: [PATCH 2/2] check build id of vmlinux

Signed-off-by: Li Nan
---
 kernel.spec | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kernel.spec b/kernel.spec
index 16d5950..bfe22f0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -17,7 +17,7 @@
 %global upstream_sublevel 0
 %global devel_release 136
 %global maintenance_release .105.0
-%global pkg_release .186
+%global pkg_release .187
 %define with_debuginfo 1
 # Do not recompute the build-id of vmlinux in find-debuginfo.sh
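Review bot: The guard around the signing block in the `-483,6 +488,22` hunk of PATCH 1/2 is commented out (`#%if 0%{?openEuler_sign_rsa}` and `#%endif`), so the `%ifarch` signing steps run on every build, while the `-105,6 +105,11` hunk pulls in `sign-openEuler` only when `openEuler_sign_rsa` is set. With the macro unset, `/opt/sign-openEuler/client` is presumably not installed, and on x86_64 the image has already been renamed to `.efi` by the time that call fails. Restore the conditional as `%if 0%{?openEuler_sign_rsa}` and `%endif` so the BuildRequires and the signing steps agree. Nothing in the hunk confirms that the image actually carries a signature before `sha512hmac` records it; a verification step after the client call, failing the build when no signature is found, would close that gap. The `%install` section this hunk sits in starts and ends outside the hunk.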
@@ -93,6 +93,7 @@ BuildRequires: hmaccalc
 BuildRequires: ncurses-devel
 #BuildRequires: pesign >= 0.109-4
 BuildRequires: elfutils-libelf-devel
+BuildRequires: elfutils-extra
 BuildRequires: rpm >= 4.14.2
 #BuildRequires: sparse >= 0.4.1
 %if 0%{?with_python2}
@@ -520,6 +521,7 @@ install -m 755 %{SOURCE200} $RPM_BUILD_ROOT%{_sbindir}/mkgrub-menu-%{version}-%{
 %if 0%{?with_debuginfo}
 mkdir -p $RPM_BUILD_ROOT%{debuginfodir}/lib/modules/%{KernelVer}
 cp vmlinux $RPM_BUILD_ROOT%{debuginfodir}/lib/modules/%{KernelVer}
+ eu-readelf -n vmlinux
 %endif
 # deal with module, if not kdump
@@ -962,6 +964,10 @@ fi
 %endif
 %changelog
+* Thu Dec 27 2024 Li Nan - 5.10.0-136.105.0.187
+- check build id of vmlinux
+- add signature for vmlinux
+
 * Tue Dec 10 2024 Li Nan - 5.10.0-136.105.0.186
 - !14047 smb: client: Fix use-after-free of network namespace.
 - !14118 bpf: sync_linked_regs() must preserve subreg_def
-- 
Gitee
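Review bot: The added `eu-readelf -n vmlinux` in the `-520,6 +521,7` hunk of PATCH 2/2 only prints the ELF notes to the build log; nothing asserts or compares the build ID, so as far as the hunk shows a vmlinux without a build-id note would still pass despite the commit title. If the step is meant as a gate, make it fail when the note is missing, for example `eu-readelf -n vmlinux | grep -q 'Build ID:'`, with a comment such as `# fail the build if vmlinux has no GNU build-id note`. It also inspects the vmlinux in the build directory rather than the copy just installed under `%{debuginfodir}`; pointing it at the installed copy would check the file that is actually packaged. The enclosing `%install` section starts and ends outside the hunk.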