From bb988d4625a3cd6ece6b03fddc9ec6a8901bfaf1 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Feb 11 2022 18:44:29 +0000
Subject: kernel-binary: Do not include sourcedir in certificate path.


The certs macro runs before build directory is set up so it creates the
aggregate of supplied certificates in the source directory.

Using this file directly as the certificate in kernel config works but
embeds the source directory path in the kernel config.

To avoid this symlink the certificate to the build directory and use
relative path to refer to it.

Also fabricate a certificate in the same location in build directory
when none is provided.

---

diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in
index 071466e..d7c720b 100644
--- a/rpm/kernel-binary.spec.in
+++ b/rpm/kernel-binary.spec.in
@@ -84,7 +84,7 @@ done )
 
 # Define some CONFIG variables as rpm macros as well. (rpm cannot handle
 # defining them all at once.)
-%define config_vars CONFIG_MODULES CONFIG_MODULE_SIG CONFIG_KMSG_IDS CONFIG_SUSE_KERNEL_SUPPORTED CONFIG_EFI_STUB CONFIG_LIVEPATCH_IPA_CLONES CONFIG_DEBUG_INFO_BTF_MODULES
+%define config_vars CONFIG_MODULES CONFIG_MODULE_SIG CONFIG_MODULE_SIG_HASH CONFIG_KMSG_IDS CONFIG_SUSE_KERNEL_SUPPORTED CONFIG_EFI_STUB CONFIG_LIVEPATCH_IPA_CLONES CONFIG_DEBUG_INFO_BTF_MODULES
 %{expand:%(eval "$(test -n "%cpu_arch_flavor" && tar -xjf %_sourcedir/config.tar.bz2 --to-stdout config/%cpu_arch_flavor)"; for config in %config_vars; do echo "%%global $config ${!config:-n}"; done)}
 %define split_extra ("%CONFIG_MODULES" == "y" && "%CONFIG_SUSE_KERNEL_SUPPORTED" == "y")
 
@@ -450,10 +450,34 @@ fi
 
 if [ %CONFIG_MODULE_SIG = "y" ]; then
 	if [ -n "%certs" ] ; then
-		../scripts/config --set-str CONFIG_MODULE_SIG_KEY "%_sourcedir/.kernel_signing_key.pem"
+		ln -s %_sourcedir/.kernel_signing_key.pem .
 	else
-		../scripts/config --set-str CONFIG_MODULE_SIG_KEY ""
+		if ! [ -f .kernel.genkey ] ; then
+			cat > .kernel.genkey <<EOF
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+CN = Build time autogenerated kernel key
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+extendedKeyUsage=codeSigning
+EOF
+		fi
+		openssl req -new -nodes -utf8 -%CONFIG_MODULE_SIG_HASH -days 36500 \
+			-batch -x509 -config .kernel.genkey \
+			-outform PEM -out .kernel_signing_key.pem \
+			-keyout .kernel_signing_key.pem
 	fi
+	../scripts/config --set-str CONFIG_MODULE_SIG_KEY ".kernel_signing_key.pem"
 fi
 
 case %cpu_arch in