http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c1 --- Comment #1 from Guillaume GARDET <guillaume.gardet@arm.com> --- Please note that all non-x86 openSUSE and SUSE kernels are affected. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c3 Andreas Färber <afaerber@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium CC| |diego.assencio@suse.com, | |ihno@suse.com, | |mchang@suse.com, | |yousaf.kaukab@suse.com Assignee|kernel-maintainers@forge.pr |msuchanek@suse.com |ovo.novell.com | OS|Other |openSUSE Factory --- Comment #3 from Andreas Färber <afaerber@suse.com> --- The patch looks okay to me so far. However it is only for aarch64 and may need to be revisited later for jsc#PM-26 if we choose to package Image.gz or something. For %arm it would need to be the zImage equivalent. Not sure whether the other non-x86 architectures care. There are some sections further down the file that set an $image variable with the name - maybe it would make sense to rearrange the code so that we can just reuse that variable instead of duplicating it? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c5 Guillaume GARDET <guillaume.gardet@arm.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(afaerber@suse.com | |) --- Comment #5 from Guillaume GARDET <guillaume.gardet@arm.com> --- (In reply to Andreas Färber from comment #3)

The patch looks okay to me so far. However it is only for aarch64 and may need to be revisited later for jsc#PM-26 if we choose to package Image.gz or something.

Not sure what jsc#PM-26 is about, but we can update later, if needed.

For %arm it would need to be the zImage equivalent.

Not sure if it is useful to sign armv7 zImage, as I am not sure if there are firmware supporting it, but why not.

Not sure whether the other non-x86 architectures care.

There are some sections further down the file that set an $image variable with the name - maybe it would make sense to rearrange the code so that we can just reuse that variable instead of duplicating it?

Indeed, we could do that. FYI, in master branch, only armv6, armv7, arm64, x86 and x86_64 do have CONFIG_EFI_STUB=y and would have a signed kernel. So, should I add support for all archs, which would add armv6 and armv7 to the current patch? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c7 --- Comment #7 from Michal Suchanek <msuchanek@suse.com> --- I think it is preferable to use $image so changes to image name does not cause regression in signing. However, we should select explicitly which archs we want to sign as well. Signing ppc64 or s390x might break boot on some systems. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c9 --- Comment #9 from Michal Suchanek <msuchanek@suse.com> --- (In reply to Guillaume GARDET from comment #8)

As only ARM and x86* have CONFIG_EFI_STUB=y, ppc64 and s390x will not be signed anyway. Do you need explicit %ifarch to disable signing for ppc64 and s390x? Or CONFIG_EFI_STUB=y condition is enough?

CONFIG_EFI_STUB=y condition should be fine -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c10 Guillaume GARDET <guillaume.gardet@arm.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #804375|0 |1 is obsolete| | --- Comment #10 from Guillaume GARDET <guillaume.gardet@arm.com> --- Created attachment 804591 --> http://bugzilla.opensuse.org/attachment.cgi?id=804591&action=edit Patch to enable non-x86 kernels signing in spec, if CONFIG_EFI_STUB=y Move BRP_PESIGN_FILES handling to be able to make use of $image var for kernel name. Signing is still guarded by CONFIG_EFI_STUB=y so that ppc and s390 kernels are not signed, but aarch64 kernels are. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c12 --- Comment #12 from Guillaume GARDET <guillaume.gardet@arm.com> --- 'pesign' is not built for armv6 and armv7. Any reason for that? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c15 --- Comment #15 from Guillaume GARDET <guillaume.gardet@arm.com> --- Now that 'pesign' is built for %arm, we can update stable and master branches. Leap 15.1 branch is blocked by bug#1134670 as 'pesign' update must go through SLE15-SP1 to later land on Leap 15.1. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c16 --- Comment #16 from Michal Suchanek <msuchanek@suse.com> ---

Leap 15.1 branch is blocked by bug#1134670 as 'pesign' update must go through SLE15-SP1 to later land on Leap 15.1.

It seems progressing just fine. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c18 --- Comment #18 from Michal Suchanek <msuchanek@suse.com> --- The patch is queued for SLE15 SP1 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c23 Guillaume GARDET <guillaume.gardet@arm.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(guillaume.gardet@ | |arm.com) | --- Comment #23 from Guillaume GARDET <guillaume.gardet@arm.com> --- (In reply to Andreas Färber from comment #22)

Guillaume, how would you use signed kernels in Leap 15.1 without GRUB support? It is really late for SP1 (GMC!) and 15.1.

@Andreas, not sure what you mean. AFAICT, Grub is fine, signed with openSUSE key. Anyway, signing a kernel will not hurt as it will continue to boot in a non-secureboot environment. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1134303 http://bugzilla.opensuse.org/show_bug.cgi?id=1134303#c25 --- Comment #25 from Guillaume GARDET <guillaume.gardet@arm.com> --- (In reply to Petr Tesařík from comment #24)

I'm concerned about any last-minute changes in the build process. If something blows up, we have no time to fix it.

Anyway, it sounds like it does not really bring any immediate benefit, so let me just postpone the change for SLE15 SP1 and Leap 15.1.

Ok, I understand it is a bit late. But, please push it for master/stable branches to get it in Tumbleweed. -- You are receiving this mail because: You are on the CC list for the bug.