CI: build Qubes OS RPMs #14

Merged
merged 3 commits into from
Feb 13, 2024

SergiiDmytruk
Member

Initially made a Qubes OS package which builds fine, then tried to feed it to the new version of the Qubes OS builder and it turned out that the two versions aren't fully compatible. In particular, v1 is happy with commits, while v2 needs the archive name to follow a particular scheme and doesn't accept SHA1 for a version. The committed qubesos/ directory works with the v1 builder, and v2 would need some tag.

Example CI job: https://github.com/TrenchBoot/secure-kernel-loader/actions/runs/7020704817

Top commit will need s/@support-in-repo-pkgs/@master/ after TrenchBoot/.github#6 is merged.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@krystian-hebel
Collaborator

krystian-hebel commented Dec 29, 2023

There is some garbage at the end of the produced file:

$ diff --side-by-side -W140 <(xxd expected.bin) <(xxd skl.bin) | tail
0000dff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................	0000dff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000e000: 78f1 268e 0492 11e9 832a c85b 76c4 cc02  x.&......*.[v...	0000e000: 78f1 268e 0492 11e9 832a c85b 76c4 cc02  x.&......*.[v...
0000e010: 0000 0000 1400 0000 0000 0000 0000 0000  ................	0000e010: 0000 0000 1400 0000 0000 0000 0000 0000  ................
0000e020: 0000 0000 0000 0000 0000 0000 0000 0000  ................	0000e020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000e030: 0000 0000 0000 0000 0000 0000 0000 0000  ................	0000e030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000e040: 0000 0000 0000 0000 0000 0000 0000 0000  ................	0000e040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000e050: 0000 0000 0000 0000 0000                 ..........	     |	0000e050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
								     >	0000e060: 0400 0000 2000 0000 0500 0000 474e 5500  .... .......GNU.
								     >	0000e070: 0100 01c0 0400 0000 0100 0000 0000 0000  ................
								     >	0000e080: 0200 01c0 0400 0000 0500 0000 0000 0000  ................

According to https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/f31/f/buildflags.md#annotated-buildswatermarking %undefine _annotated_build in RPM spec file should get rid of this.

This isn't that bad; when we tried to build packages with Nix, those annotations somehow made it to the beginning of the file, moving headers expected at offset 0 somewhere else. Still, better to not have it at all, as it can impact size checks.

Also, TrenchBoot/.github#6 is merged, reminder to do s/@support-in-repo-pkgs/@master/

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
This prevents those sections potentially breaking the produced image if
any of them will be placed in front of the binary.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
Member Author

> According to https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/f31/f/buildflags.md#annotated-buildswatermarking %undefine _annotated_build in RPM spec file should get rid of this.

I get this .note.gnu.property locally as well, so instead I decided to update the Makefile to not include it in skl.bin. Alternatively, it could be discarded in link.lds so that skl won't have the section either.

> Also, TrenchBoot/.github#6 is merged, reminder to do s/@support-in-repo-pkgs/@master/

Done.

Changes: https://github.com/TrenchBoot/secure-kernel-loader/compare/cce60b62a84eb1d8c3d0730e07171d13dad97fd9..597a840b95cf411d06c2f48cb97c8b679a3ce643
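
An added example, not part of this PR or the project's code: a CI-style check that scans a flat image such as skl.bin for a stray .note.gnu.property record (ELF note with owner "GNU" and type 5) and reports whether it sits at the front or the end. The function names are hypothetical, the note bytes are copied from the xxd diff above, and the surrounding payload is a constructed stand-in.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5  # ELF note type carried by .note.gnu.property


def find_gnu_property_notes(image: bytes):
    """Return (offset, length) of each GNU property note found in a flat image."""
    notes = []
    pos = image.find(b"GNU\0")
    while pos != -1:
        start = pos - 12  # namesz, descsz, type (3 x little-endian u32) precede the owner
        if start >= 0 and start % 4 == 0:
            namesz, descsz, ntype = struct.unpack_from("<III", image, start)
            length = 12 + 4 + ((descsz + 3) & ~3)  # header + owner + padded descriptor
            if (namesz == 4 and ntype == NT_GNU_PROPERTY_TYPE_0
                    and start + length <= len(image)):
                notes.append((start, length))
        pos = image.find(b"GNU\0", pos + 1)
    return notes


def check_image(image: bytes):
    """Return human-readable problems; an empty list means the image is clean."""
    problems = []
    for start, length in find_gnu_property_notes(image):
        where = "front" if start == 0 else "end" if start + length == len(image) else "middle"
        problems.append(f"GNU property note at {start:#x} ({length} bytes, {where} of image)")
    return problems


# Note bytes as they appear at 0xe060..0xe08f of skl.bin in the diff above.
NOTE = bytes.fromhex(
    "04000000" "20000000" "05000000" "474e5500"
    "010001c0" "04000000" "01000000" "00000000"
    "020001c0" "04000000" "05000000" "00000000"
)
# Constructed stand-ins: 0x5a bytes of payload, then alignment padding and the note.
EXPECTED = bytes(0x5A)
WITH_NOTE = EXPECTED + bytes(6) + NOTE

if __name__ == "__main__":
    for name, img in (("expected", EXPECTED), ("with note", WITH_NOTE)):
        print(name, len(img), check_image(img) or "clean")
```

The match on owner and type is a heuristic for flat images; on the ELF file itself the section headers identify the section directly.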

Member

@macpijan macpijan left a comment


Since this is only CI and package metadata, not a single code change, I think this is fine if I approve this as well, so we do not need to bother the others.

@macpijan macpijan merged commit 597a840 into master Feb 13, 2024
66 checks passed
@macpijan macpijan deleted the qubes-ci branch February 13, 2024 21:04