### Set variables
# Release identifiers of the Fedora kernel build to download and rebuild.
arch=x86_64
ver=6.0
minrel=15
pkgrel=300
subver="${minrel}-${pkgrel}"
fedver=fc37
# Host name is reused as the custom buildid suffix and as the nickname of the
# signing certificate in the pesign NSS database.
name="$(hostname)"
export arch ver minrel pkgrel subver fedver name
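### Custom Machine owner key for secure boot
# Allow kernel signing with pesign for this user
sudo /usr/libexec/pesign/pesign-authorize
# Create the signing key pair. Whoever holds key.pem can sign kernels this
# machine's firmware will boot once cert.der is enrolled, so the files are
# created owner-only (umask inside a subshell so the rest of the script is
# unaffected). -nodes leaves key.pem unencrypted; keep it off shared storage
# and out of version control. -days 36500 (~100 years) is kept from the
# original; MOK entries are rarely rotated, but a shorter validity is possible.
(umask 077 && openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" -outform DER -out "cert.der" -nodes -days 36500 -subj "/CN=$name")
# Queue enrollment of cert.der in the UEFI MOK list. mokutil asks for a
# one-time password that MokManager asks for again at the next boot.
sudo mokutil --import "cert.der"
# You have to reboot the system after importing the key with "mokutil"; MokManager
# completes the enrollment during that boot. Continue from the next line afterwards.
# After rebooting create the PKCS #12 key file and import it into the nss database
(umask 077 && openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der)
# The nickname (-n) must be the value later written as %define pe_signing_cert in
# kernel.spec, otherwise rpmbuild cannot find the certificate.
sudo certutil -A -i cert.der -n "$name" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
sudo pk12util -i key.p12 -d /etc/pki/pesign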
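### Setup build system
rpmdev-setuptree
# Fetch the Fedora kernel source rpm for the selected release and unpack it into
# ~/rpmbuild (SPECS/kernel.spec, SOURCES/...). Stop on failure so the later
# kernel.spec edits do not run against a missing or stale tree.
koji download-build --arch=src "kernel-$ver.$subver.$fedver" || exit 1
# NOTE(review): rpm warns but does not fail on an unsigned or unknown-key src.rpm;
# check its output if the provenance of the sources matters.
rpm -Uvh "kernel-$ver.$subver.$fedver.src.rpm" || exit 1
cd "$HOME/rpmbuild/SPECS" || exit 1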
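### Apply patches and customize kernel configuration
# Get patch to enable hibernate in lockdown mode (secure boot).
# The URL is pinned to one gist revision; review the patch before building, as it
# is applied to the kernel with no integrity check beyond the TLS download.
wget https://gist.githubusercontent.com/kelvie/917d456cb572325aae8e3bd94a9c1350/raw/74516829883c7ee7b2216938550d55ebcb7be609/0001-Add-a-lockdown_hibernate-parameter.patch -O "$HOME/rpmbuild/SOURCES/0001-Add-a-lockdown_hibernate-parameter.patch" || exit 1
# Define patch in kernel.spec for building the rpms
# Patch2: 0001-Add-a-lockdown_hibernate-parameter.patch
sed -i '/^Patch999999/i Patch2: 0001-Add-a-lockdown_hibernate-parameter.patch' kernel.spec
# Add patch as ApplyOptionalPatch
sed -i '/^ApplyOptionalPatch linux-kernel-test.patch/i ApplyOptionalPatch 0001-Add-a-lockdown_hibernate-parameter.patch' kernel.spec
# Add custom kernel name. $name is interpolated into the sed replacement; this
# assumes it contains none of the sed-special characters '/', '&' or '\'.
sed -i "s/# define buildid .local/%define buildid .$name/g" kernel.spec
# Add machine owner key: append a %define pe_signing_cert line after the buildid
# line inserted above (dot escaped so only the literal ".$name" matches). The
# value must equal the certutil nickname used when the key was imported.
sed -i "s/\.$name/.$name\n%define pe_signing_cert $name/g" kernel.spec
# Run %prep: unpack the sources and apply the patches. This does not install
# build dependencies; if it fails on missing BuildRequires, run
# `sudo dnf builddep kernel.spec` first.
rpmbuild -bp kernel.spec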
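### Optional steps
# Create own configuration file from fedora config file
# You find my "minimized" configuration for a 6.0.11 kernel here.
# Source tree unpacked by 'rpmbuild -bp'; its name carries the custom buildid.
srcdir="$HOME/rpmbuild/BUILD/kernel-$ver.$minrel/linux-$ver.$subver.$name.$fedver.$arch"
cp "$HOME/rpmbuild/SOURCES/kernel-$arch-fedora.config" "$srcdir/.config"
cd "$srcdir" || exit 1
make menuconfig
# Copy custom menuconfig kernel configuration to kernel-local
cp "$srcdir/.config" "$HOME/rpmbuild/SOURCES/kernel-local"
# ... or copy kernel config from running kernel to kernel-local
#cp "/boot/config-$(uname -r)" "$HOME/rpmbuild/SOURCES/kernel-local"
# Remove build infos from custom config: delete everything up to and including
# the "# General setup" header (GNU sed '0,/re/' address), then put the
# architecture marker on the first line.
sed -i '0,/^#\ General\ setup$/d' "$HOME/rpmbuild/SOURCES/kernel-local"
sed -i "1i # $arch" "$HOME/rpmbuild/SOURCES/kernel-local"
### End optional steps ###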
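# Compile kernel
cd "$HOME/rpmbuild/SPECS" || exit 1
# Without pipefail the pipeline reports tee's status, so a failed rpmbuild would
# go unnoticed and whatever is in RPMS/ would be installed below.
set -o pipefail
time rpmbuild -bb --with baseonly --without debuginfo --target="$arch" kernel.spec | tee "$HOME/build-kernel.log" || { printf 'kernel build failed, see %s\n' "$HOME/build-kernel.log" >&2; exit 1; }
# Install kernel. This installs every rpm in the arch directory, including any
# left over from earlier builds; clear the directory first if that matters.
cd "$HOME/rpmbuild/RPMS/$arch/" || exit 1
sudo dnf install *.rpm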