On 07.03.2016 07:40, Thorsten Leemhuis wrote:
Hi Justin! Please consider merging the two patches I'll send as
reply to
this mail.
From 73643da91a47992f42616875984baec116667511 Mon Sep 17 00:00:00 2001
From: Thorsten Leemhuis <fedora(a)leemhuis.info>
Date: Fri, 1 Jan 2016 17:45:08 +0100
Subject: [PATCH 2/2] sign modules on all archs
---
config-generic | 17 ++++++++++++++---
config-x86-generic | 13 +------------
kernel.spec | 9 ++++-----
3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/config-generic b/config-generic
index 30f00b2..0e8f192 100644
--- a/config-generic
+++ b/config-generic
@@ -5855,11 +5855,22 @@ CONFIG_POWERCAP=y
# CONFIG_CPUFREQ_DT is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_PKCS7_MESSAGE_PARSER=y
+# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+# CONFIG_MODULE_SIG_UEFI is not set
+# CONFIG_EFI_SIGNATURE_LIST_PARSER is not set
# FIXME: Revisit this to see if we can use it instead of the spec file stuff
# CONFIG_MODULE_COMPRESS is not set
-# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
# CONFIG_RTC_DRV_EFI is not set
# CONFIG_NET_XGENE is not set
diff --git a/config-x86-generic b/config-x86-generic
index 33b55f3..4815913 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -583,18 +583,7 @@ CONFIG_MOUSE_PS2_VMMOUSE=y
CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y
-CONFIG_PKCS7_MESSAGE_PARSER=y
-# CONFIG_PKCS7_TEST_KEY is not set
-CONFIG_SIGNED_PE_FILE_VERIFICATION=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_BLACKLIST_KEYRING=y
-CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_ALL=y
-# CONFIG_MODULE_SIG_SHA1 is not set
-CONFIG_MODULE_SIG_SHA256=y
-# CONFIG_MODULE_SIG_FORCE is not set
-CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+
CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
CONFIG_EFI_SIGNATURE_LIST_PARSER=y
diff --git a/kernel.spec b/kernel.spec
index 6081458..ad3fd42 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -16,7 +16,7 @@ Summary: The Linux kernel
%global zipmodules 1
%else
%global signkernel 0
-%global signmodules 0
+%global signmodules 1
%global zipmodules 0
%endif
@@ -393,14 +393,12 @@ BuildRequires: rpm-build, elfutils
%define debuginfo_args --strict-build-id -r
%endif
-%ifarch %{ix86} x86_64
-# MODULE_SIG is enabled in config-x86-generic and needs these:
+%if %{signkernel}%{signmodules}
BuildRequires: openssl openssl-devel
-%endif
-
%if %{signkernel}
BuildRequires: pesign >= 0.10-4
%endif
+%endif
%if %{with_cross}
BuildRequires: binutils-%{_build_arch}-linux-gnu, gcc-%{_build_arch}-linux-gnu
@@ -2149,6 +2147,7 @@ fi
* Sat Mar 5 2016 Thorsten Leemhuis <fedora(a)leemhuis.info>
- add signkernel macro to make signing kernel and signing modules
independent from each other
+- sign modules on all archs
* Fri Mar 04 2016 Justin M. Forbes <jforbes(a)fedoraproject.org> -
4.5.0-0.rc6.git3.1
- Linux v4.5-rc6-41-ge3c2ef4
--
1.8.3.1