tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

kbuild: rpm-pkg: Restrict manual debug package creation

Commit 62089b804895 ("kbuild: rpm-pkg: Generate debuginfo package
manually") moved away from the built-in RPM machinery for generating
-debuginfo packages to a more manual way to be compatible with module
signing, as the built-in machinery strips the modules after the
installation process, breaking the signatures.

Unfortunately, prior to rpm 4.20.0, there is a bug where a custom %files
directive is ignored for a -debuginfo subpackage [1], meaning builds
using older versions of RPM (such as on RHEL9 or RHEL10) fail with:

Checking for unpackaged file(s): /usr/lib/rpm/check-files .../rpmbuild/BUILDROOT/kernel-6.19.0_dirty-1.x86_64
error: Installed (but unpackaged) file(s) found:
/debuginfo.list
/usr/lib/debug/.build-id/09/748c214974bfba1522d434a7e0a02e2fd7f29b.debug
/usr/lib/debug/.build-id/0b/b96dd9c7d3689d82e56d2e73b46f53103cc6c7.debug
/usr/lib/debug/.build-id/0e/979a2f34967c7437fd30aabb41de1f0c8b6a66.debug
...

To workaround this, restrict the manual debug info package creation
process to when it is necessary (CONFIG_MODULE_SIG=y) and possible (when
using RPM >= 4.20.0). A follow up change will restore the RPM debuginfo
creation process using a separate internal flag to allow the package to
be built in more situations, as RPM 4.20.0 is a fairly recent version
and the built-in -debuginfo generation works fine when module signing is
disabled.

Cc: stable@vger.kernel.org
Fixes: 62089b804895 ("kbuild: rpm-pkg: Generate debuginfo package manually")
Link: https://github.com/rpm-software-management/rpm/commit/49f906998f3cf1f4152162ca61ac0869251c380f [1]
Reported-by: Steve French <smfrench@gmail.com>
Closes: https://lore.kernel.org/CAH2r5mugbrHTwnaQwQiYEUVwbtqmvFYf0WZiLrrJWpgT8iwftw@mail.gmail.com/
Tested-by: Stefano Garzarella <sgarzare@redhat.com>
Tested-by: Steve French <stfrench@microsoft.com>
Tested-by: Juergen Gross <jgross@suse.com>
Acked-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20260210-kbuild-fix-debuginfo-rpm-v1-1-0730b92b14bc@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>

Nathan Chancellor 6d6b8b0e 59f18d88

+35 -7
+5 -4
scripts/package/kernel.spec
··· 47 47 against the %{version} kernel package. 48 48 %endif 49 49 50 - %if %{with_debuginfo} 50 + %if %{with_debuginfo_manual} 51 51 %package debuginfo 52 52 Summary: Debug information package for the Linux kernel 53 53 %description debuginfo 54 54 This package provides debug information for the kernel image and modules from the 55 55 %{version} package. 56 + %define install_mod_strip 1 56 57 %endif 57 58 58 59 %prep ··· 68 67 mkdir -p %{buildroot}/lib/modules/%{KERNELRELEASE} 69 68 cp $(%{make} %{makeflags} -s image_name) %{buildroot}/lib/modules/%{KERNELRELEASE}/vmlinuz 70 69 # DEPMOD=true makes depmod no-op. We do not package depmod-generated files. 71 - %{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} INSTALL_MOD_STRIP=1 DEPMOD=true modules_install 70 + %{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} %{?install_mod_strip:INSTALL_MOD_STRIP=1} DEPMOD=true modules_install 72 71 %{make} %{makeflags} INSTALL_HDR_PATH=%{buildroot}/usr headers_install 73 72 cp System.map %{buildroot}/lib/modules/%{KERNELRELEASE} 74 73 cp .config %{buildroot}/lib/modules/%{KERNELRELEASE}/config ··· 99 98 echo "%exclude /lib/modules/%{KERNELRELEASE}/build" 100 99 } > %{buildroot}/kernel.list 101 100 102 - %if %{with_debuginfo} 101 + %if %{with_debuginfo_manual} 103 102 # copying vmlinux directly to the debug directory means it will not get 104 103 # stripped (but its source paths will still be collected + fixed up) 105 104 mkdir -p %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE} ··· 163 162 /lib/modules/%{KERNELRELEASE}/build 164 163 %endif 165 164 166 - %if %{with_debuginfo} 165 + %if %{with_debuginfo_manual} 167 166 %files -f %{buildroot}/debuginfo.list debuginfo 168 167 %defattr (-, root, root) 169 168 %exclude /debuginfo.list
+30 -3
scripts/package/mkspec
··· 23 23 echo '%define with_devel 0' 24 24 fi 25 25 26 + # manually generate -debuginfo package 27 + with_debuginfo_manual=0 26 28 # debuginfo package generation uses find-debuginfo.sh under the hood, 27 29 # which only works on uncompressed modules that contain debuginfo 28 30 if grep -q CONFIG_DEBUG_INFO=y include/config/auto.conf && 29 31 (! grep -q CONFIG_MODULE_COMPRESS=y include/config/auto.conf) && 30 32 (! grep -q CONFIG_DEBUG_INFO_SPLIT=y include/config/auto.conf); then 31 - echo '%define with_debuginfo %{?_without_debuginfo: 0} %{?!_without_debuginfo: 1}' 32 - else 33 - echo '%define with_debuginfo 0' 33 + # If module signing is enabled (which may be required to boot with 34 + # lockdown enabled), the find-debuginfo.sh machinery cannot be used 35 + # because the signatures will be stripped off the modules. However, due 36 + # to an rpm bug in versions prior to 4.20.0 37 + # 38 + # https://github.com/rpm-software-management/rpm/issues/3057 39 + # https://github.com/rpm-software-management/rpm/commit/49f906998f3cf1f4152162ca61ac0869251c380f 40 + # 41 + # We cannot provide our own debuginfo package because it does not listen 42 + # to our custom files list, failing the build due to unpackaged files. 43 + # Manually generate the debug info package if using rpm 4.20.0. If not 44 + # using rpm 4.20.0, avoid generating a -debuginfo package altogether, 45 + # as it is not safe. 46 + if grep -q CONFIG_MODULE_SIG=y include/config/auto.conf; then 47 + rpm_ver_str=$(rpm --version 2>/dev/null) 48 + # Split the version on spaces 49 + IFS=' ' 50 + set -- $rpm_ver_str 51 + if [ "${1:-}" = RPM -a "${2:-}" = version ]; then 52 + IFS=. 53 + set -- $3 54 + rpm_ver=$(( 1000000 * $1 + 10000 * $2 + 100 * $3 + ${4:-0} )) 55 + if [ "$rpm_ver" -ge 4200000 ]; then 56 + with_debuginfo_manual='%{?_without_debuginfo:0}%{?!_without_debuginfo:1}' 57 + fi 58 + fi 59 + fi 34 60 fi 61 + echo "%define with_debuginfo_manual $with_debuginfo_manual" 35 62 36 63 cat<<EOF 37 64 %define ARCH ${ARCH}