
kbuild: rpm-pkg: Generate debuginfo package manually

Commit a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM") adjusted
the __spec_install_post macro to include __os_install_post, which runs
brp-strip. This ends up stripping module signatures, breaking loading
modules with lockdown enabled.

Undo most of the changes of the aforementioned debuginfo patch and
mirror commit 16c36f8864e3 ("kbuild: deb-pkg: use build ID instead of
debug link for dbg package") in kernel.spec to generate a functionally
equivalent debuginfo package while avoiding touching the modules after
they have already been signed during modules_install.

Fixes: a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM")
Reported-by: Holger Kiehl <Holger.Kiehl@dwd.de>
Closes: https://lore.kernel.org/68c375f6-e07e-fec-434d-6a45a4f1390@praktifix.dwd.de/
Tested-by: Holger Kiehl <Holger.Kiehl@dwd.de>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://patch.msgid.link/20260121-fix-module-signing-binrpm-pkg-v1-1-8fc5832b6cbc@kernel.org
Signed-off-by: Nicolas Schier <nsc@kernel.org>

authored by

Nathan Chancellor and committed by
Nicolas Schier
62089b80 63804fed

+30 -35
+30 -35
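--- a/scripts/package/kernel.spec
+++ b/scripts/package/kernel.spec
@@ -2,6 +2,8 @@
 %{!?_arch: %define _arch dummy}
 %{!?make: %define make make}
 %define makeflags %{?_smp_mflags} ARCH=%{ARCH}
+%define __spec_install_post /usr/lib/rpm/brp-compress || :
+%define debug_package %{nil}
 
 Name: kernel
 Summary: The Linux Kernel
@@ -46,34 +48,12 @@
 %endif
 
 %if %{with_debuginfo}
-# list of debuginfo-related options taken from distribution kernel.spec
-# files
-%undefine _include_minidebuginfo
-%undefine _find_debuginfo_dwz_opts
-%undefine _unique_build_ids
-%undefine _unique_debug_names
-%undefine _unique_debug_srcs
-%undefine _debugsource_packages
-%undefine _debuginfo_subpackages
-%global _find_debuginfo_opts -r
-%global _missing_build_ids_terminate_build 1
-%global _no_recompute_build_ids 1
-%{debug_package}
+%package debuginfo
+Summary: Debug information package for the Linux kernel
+%description debuginfo
+This package provides debug information for the kernel image and modules from the
+%{version} package.
 %endif
-# some (but not all) versions of rpmbuild emit %%debug_package with
-# %%install. since we've already emitted it manually, that would cause
-# a package redefinition error. ensure that doesn't happen
-%define debug_package %{nil}
-
-# later, we make all modules executable so that find-debuginfo.sh strips
-# them up. but they don't actually need to be executable, so remove the
-# executable bit, taking care to do it _after_ find-debuginfo.sh has run
-%define __spec_install_post \
-%{?__debug_package:%{__debug_install_post}} \
-%{__arch_install_post} \
-%{__os_install_post} \
-find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \\\
-| xargs --no-run-if-empty chmod u-x
 
 %prep
 %setup -q -n linux
@@ -87,7 +67,7 @@
 mkdir -p %{buildroot}/lib/modules/%{KERNELRELEASE}
 cp $(%{make} %{makeflags} -s image_name) %{buildroot}/lib/modules/%{KERNELRELEASE}/vmlinuz
 # DEPMOD=true makes depmod no-op. We do not package depmod-generated files.
-%{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} DEPMOD=true modules_install
+%{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} INSTALL_MOD_STRIP=1 DEPMOD=true modules_install
 %{make} %{makeflags} INSTALL_HDR_PATH=%{buildroot}/usr headers_install
 cp System.map %{buildroot}/lib/modules/%{KERNELRELEASE}
 cp .config %{buildroot}/lib/modules/%{KERNELRELEASE}/config
@@ -118,22 +98,31 @@
 echo "%exclude /lib/modules/%{KERNELRELEASE}/build"
 } > %{buildroot}/kernel.list
 
-# make modules executable so that find-debuginfo.sh strips them. this
-# will be undone later in %%__spec_install_post
-find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \
-| xargs --no-run-if-empty chmod u+x
-
 %if %{with_debuginfo}
 # copying vmlinux directly to the debug directory means it will not get
 # stripped (but its source paths will still be collected + fixed up)
 mkdir -p %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}
 cp vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}
+
+echo /usr/lib/debug/lib/modules/%{KERNELRELEASE}/vmlinux > %{buildroot}/debuginfo.list
+
+while read -r mod; do
+mod="${mod%.o}.ko"
+dbg="%{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}/kernel/${mod}"
+buildid=$("${READELF}" -n "${mod}" | sed -n 's@^.*Build ID: \(..\)\(.*\)@\1/\2@p')
+link="%{buildroot}/usr/lib/debug/.build-id/${buildid}.debug"
+
+mkdir -p "${dbg%/*}" "${link%/*}"
+"${OBJCOPY}" --only-keep-debug "${mod}" "${dbg}"
+ln -sf --relative "${dbg}" "${link}"
+
+echo "${dbg#%{buildroot}}" >> %{buildroot}/debuginfo.list
+echo "${link#%{buildroot}}" >> %{buildroot}/debuginfo.list
+done < modules.order
 %endif
 
 %clean
 rm -rf %{buildroot}
-rm -f debugfiles.list debuglinks.list debugsourcefiles.list debugsources.list \
-elfbins.list
 
 %post
 if [ -x /usr/bin/kernel-install ]; then
@@ -171,4 +160,10 @@
 %defattr (-, root, root)
 /usr/src/kernels/%{KERNELRELEASE}
 /lib/modules/%{KERNELRELEASE}/build
+%endif
+
+%if %{with_debuginfo}
+%files -f %{buildroot}/debuginfo.list debuginfo
+%defattr (-, root, root)
+%exclude /debuginfo.list
 %endif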
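Review bot: The new `while read -r mod` loop in %install never checks that `buildid` is non-empty. A module with no build-ID note, or a failed `"${READELF}"` whose exit status is hidden by the pipe into `sed`, yields the link path `/usr/lib/debug/.build-id/.debug`; `ln -sf` then overwrites that one symlink for each such module, and the same path is appended to debuginfo.list each time. The removed block set `_missing_build_ids_terminate_build 1`, so this condition used to stop the build; a guard right after the assignment restores that: `[ -n "${buildid}" ] || { echo "no build ID in ${mod}" >&2; exit 1; }`. `READELF` and `OBJCOPY` are presumably exported by the kernel Makefile when rpmbuild is started from `make`; if this spec is also built from a source RPM outside `make`, they would be unset, so that path should be confirmed or the variables given defaults.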