From: Michael Shigorin <mike@osdn.org.ua>
To: devel-distro@lists.altlinux.org
Subject: Re: [devel-distro] [#110111] DONE (try 8) srpm=refind-0.6.12-alt3.src.rpm srpm=elilo-3.14-alt1.5926535.src.rpm ...
Date: Thu, 19 Dec 2013 00:17:12 +0200
Message-ID: <20131218221712.GC12432@osdn.org.ua> (raw)
In-Reply-To: <20131218210658.GA28248@gitery.altlinux.org> <20131218161058.GA25957@gitery.altlinux.org> <20131218211819.GA12220@gitery.altlinux.org>
[-- Attachment #1: Type: text/plain, Size: 2209 bytes --]
Здравствуйте.
Вниманию всех собирающих образы с поддержкой EFI: после прохождения
этих заданий в сизиф (бишь с ближайшего утра) несколько изменяется
работа с mkimage в случае необходимости включения подписанных для
условий UEFI SB бинарников.
Для mkimage потребуется патч вроде приложенного коммита
относительно 0.2.10 (надеюсь, на днях будет опубликован
и упакован).
В случае применения mkimage-profiles также потребуется патч
вроде приложенного (который ещё будет изменён до включения
в публикуемый репозиторий) -- это поверх 1.1.17.
Дальнейшие детали -- в более разумное время суток.
On Wed, Dec 18, 2013 at 09:18:19PM +0000, Girar Builder pender robot wrote:
> http://git.altlinux.org/tasks/archive/done/_107/110111/logs/events.8.1.log
>
> 2013-Dec-18 21:10:17 :: task #110111 for sisyphus resumed by mike:
[...]
> #400 build refind-0.6.12-alt3.src.rpm
> #500 build elilo-3.14-alt1.5926535.src.rpm
> #600 build 2.00-alt20 from /people/mike/packages/grub2.git
[...]
> 2013-Dec-18 21:18:19 :: task #110111 for sisyphus DONE
On Wed, Dec 18, 2013 at 04:10:58PM +0000, Girar Builder awaiter robot wrote:
> http://git.altlinux.org/tasks/110111/logs/events.6.1.log
>
> 2013-Dec-18 15:52:44 :: test-only task #110111 for sisyphus resumed by mike:
[...]
> 2013-Dec-18 15:54:32 :: [x86_64] #400: pesigning approved by mike
> 2013-Dec-18 15:54:44 :: [x86_64] #400: refind: pesign OK
> 2013-Dec-18 15:55:17 :: [x86_64] #500: pesigning approved by mike
> 2013-Dec-18 15:55:28 :: [x86_64] #500: elilo: pesign OK
> 2013-Dec-18 16:05:18 :: [x86_64] #600: pesigning approved by mike
> 2013-Dec-18 16:05:31 :: [x86_64] #600: grub2-efi: pesign OK
> 2013-Dec-18 16:05:31 :: [x86_64] #600 grub2.git 2.00-alt20: build OK
On Wed, Dec 18, 2013 at 09:06:58PM +0000, Girar Builder pender robot wrote:
> http://git.altlinux.org/tasks/archive/done/_108/110658/logs/events.3.3.log
>
> 2013-Dec-18 20:59:40 :: task #110658 for sisyphus resumed by mike:
> #100 build shim-0.4-alt1.2.src.rpm
> #200 build 0.4-alt3 from /people/mike/packages/shim-signed.git
[...]
> 2013-Dec-18 21:06:57 :: task #110658 for sisyphus DONE
--
---- WBR, Michael Shigorin / http://altlinux.org
------ http://opennet.ru / http://anna-news.info
[-- Attachment #2: 0001-mki-copy-efiboot-drop-signed-subpackages.patch --]
[-- Type: text/plain, Size: 2019 bytes --]
>From d7c348de603ef11f63fb4d8a0ddcc51c3e7b44dc Mon Sep 17 00:00:00 2001
From: Michael Shigorin <mike@altlinux.org>
Date: Wed, 18 Dec 2013 02:23:47 +0400
Subject: [PATCH] mki-copy-efiboot: drop -signed subpackages
There are no (un)signed EFI subpackages now but presence
of a signature or the lack thereof is being determined
by the build environment or postprocessing; just drop
the code written to support the experimental state
of affairs.
---
tools/mki-copy-efiboot | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/tools/mki-copy-efiboot b/tools/mki-copy-efiboot
index 58f70a4..0116430 100755
--- a/tools/mki-copy-efiboot
+++ b/tools/mki-copy-efiboot
@@ -30,11 +30,11 @@ pkgs="$pkgs $EFI_BOOTLOADER"
pkgs="$pkgs $EFI_SHELL"
[ -z "${EFI_CERT:-}" ] ||
- pkgs="$pkgs alt-uefi-keys shim-signed $EFI_BOOTLOADER-signed"
+ pkgs="$pkgs alt-uefi-keys shim-signed"
case "${EFI_BOOTLOADER:-}" in
refind) # won't boot unsigned kernels in SB mode
- pkgs="$pkgs elilo${EFI_CERT:+-signed}"
+ pkgs="$pkgs elilo"
;;
esac
@@ -69,11 +69,9 @@ mkdir $verbose -p -- \$boot
if [ -n "${EFI_CERT:-}" ]; then
shim_path=\$boot/bootx64.efi
bin_path=\$boot/grubx64.efi
- bin_suffix=-signed
else
shim_path=
bin_path=\$boot/bootx64.efi
- bin_suffix=
fi
stage2_size="\$[ \$(stat -c%s \$stage2) / 1024 + 1 ]"
@@ -84,7 +82,7 @@ efi_bindir=/usr/lib64/efi
copy_shell() {
dest="\$efi/\$shell"
- src="\$efi_bindir/shell${EFI_CERT:+-signed}.efi"
+ src="\$efi_bindir/shell.efi"
[ ! -f "\$src" ] ||
cp $verbose -pLf "\$src" "\$dest"
}
@@ -115,7 +113,7 @@ copy_kernel() {
copy_elilo() {
copy_kernel
- cp $verbose -pLf \$efi_bindir/elilo\$bin_suffix.efi \${1:-\$bin_path}
+ cp $verbose -pLf \$efi_bindir/elilo.efi \${1:-\$bin_path}
cat > \$boot/elilo.conf <<- ELILO_EOF
default="linux"
image="vmlinuz"
@@ -126,7 +124,6 @@ copy_elilo() {
ELILO_EOF
}
-# refind is currently signed by default
refind_aux=\$efi/refind
refind_boot=\$refind_aux/refind_x64.efi
--
1.8.3.4
[-- Attachment #3: 0001-efi-drop-signed-subpackages.patch --]
[-- Type: text/plain, Size: 1312 bytes --]
>From 90429a850803cce7154755ffff74158053f62694 Mon Sep 17 00:00:00 2001
From: Michael Shigorin <mike@altlinux.org>
Date: Tue, 17 Dec 2013 14:22:11 +0200
Subject: [PATCH] efi: drop -signed subpackages
We chose to provide methods to sign packages but to avoid
signing these by default (with some arbitrary test keys)
the signatures are being added *after* the build by means
of rpmrebuild-pesign; all of this is made significantly
more complicated if there are separate -signed subpackages.
So these are being dropped in the packages; account for that.
---
features.in/efi/config.mk | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/features.in/efi/config.mk b/features.in/efi/config.mk
index 68c46a5..cf1699f 100644
--- a/features.in/efi/config.mk
+++ b/features.in/efi/config.mk
@@ -18,11 +18,9 @@ use/efi/refind: use/efi
@$(call set,EFI_BOOTLOADER,refind)
use/efi/signed: use/efi
- @$(call set,MKI_VER_MINIMAL,0.2.7) # refind->elilo handoff
+ @$(call set,MKI_VER_MINIMAL,0.2.7) # refind->elilo handoff ### 0.2.11
@$(call set,EFI_CERT,altlinux)
@$(call add,THE_PACKAGES,shim-signed)
- @$(call set,EFI_SHELL,efi-shell-signed) # even more useful
- @$(call add,RESCUE_PACKAGES,refind-signed)
@$(call add,RESCUE_PACKAGES,openssl sbsigntools)
use/efi/shell: use/efi
--
1.8.3.4
next parent reply other threads:[~2013-12-18 22:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-18 22:17 ` Michael Shigorin [this message]
2013-12-23 0:30 ` Michael Shigorin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131218221712.GC12432@osdn.org.ua \
--to=mike@osdn.org.ua \
--cc=devel-distro@lists.altlinux.org \
--cc=mike@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Distributions development
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel-distro/0 devel-distro/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel-distro devel-distro/ http://lore.altlinux.org/devel-distro \
devel-distro@lists.altlinux.org devel-distro@lists.altlinux.ru devel-distro@lists.altlinux.com
public-inbox-index devel-distro
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel-distro
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git