CI: build Qubes OS RPMs

.github/workflows/qubesos.yml

@@ -0,0 +1,16 @@
+name: Create QubesOS RPMs
+
+on:
+  push:
+    branches:
+      - '*'
+    tags:
+      - '*'
+
+jobs:
+  qubes-dom0-package:
+    uses: TrenchBoot/.github/.github/workflows/qubes-dom0-packagev2.yml@master
+
+    with:
+      qubes-component: 'secure-kernel-loader'
+      qubes-pkg-src-dir: 'qubesos'

Makefile

@@ -54,7 +54,7 @@ all: skl.bin
 # image.  One reason this might fail is if the linker decides to put an
 # unreferenced section ahead of .text, in which case link.lds needs adjusting.
 skl.bin: skl Makefile
-	objcopy -O binary -S $< $@
+	objcopy -O binary -S -R '.note.*' $< $@
 	@./sanity_check.sh
 
 skl: link.lds $(OBJ) Makefile

qubesos/.qubesbuilder

@@ -0,0 +1,9 @@
+host:
+  rpm:
+    build:
+    - secure-kernel-loader.spec
+source:
+  files:
+  # mind that generated archives can change their contents
+  - url: https://github.com/TrenchBoot/secure-kernel-loader/archive/@VERSION@.tar.gz
+    sha512: @VERSION@.tar.gz.sha512

qubesos/87150e03f54cab1b0c0fde5e1eba8257953a378b.tar.gz.sha512

@@ -0,0 +1 @@
+96b4e02a5dee3f4a4b8f1b787c5600efc11a2586546d70a15aa910bd7d540515d55ff95f6a6f6181413bae5c34e493487b6dee7d3e48c99491fc3eba406f9986

qubesos/Makefile

@@ -0,0 +1,42 @@
+.DEFAULT_GOAL = get-sources
+.SECONDEXPANSION:
+
+DIST ?= fc37
+VERSION := $(shell cat version)
+
+SRC_FILES := \
+             $(VERSION).tar.gz \
+
+BUILDER_DIR ?= ../..
+SRC_DIR ?= qubes-src
+
+SRC_URLS := \
+            https://github.com/TrenchBoot/secure-kernel-loader/archive/$(VERSION).tar.gz \
+
+UNTRUSTED_SUFF := .UNTRUSTED
+
+SHELL := bash
+
+.PHONY: get-sources verify-sources clean clean-sources
+
+ifeq ($(FETCH_CMD),)
+$(error "You can not run this Makefile without having FETCH_CMD defined")
+endif
+
+%: %.sha512
+	@$(FETCH_CMD) $@$(UNTRUSTED_SUFF) -- $(filter %/$@,$(SRC_URLS))
+	@sha512sum --status -c <(printf "$$(cat $<)  -\n") <$@$(UNTRUSTED_SUFF) || \
+		{ echo "Wrong SHA512 checksum on $@$(UNTRUSTED_SUFF)!"; exit 1; }
+	@mv $@$(UNTRUSTED_SUFF) $@
+
+get-sources: $(SRC_FILES)
+	@true
+
+verify-sources:
+	@true
+
+clean:
+	@true
+
+clean-sources:
+	rm -f $(SRC_FILES) *$(UNTRUSTED_SUFF)

qubesos/Makefile.builder

@@ -0,0 +1,5 @@
+ifeq ($(PACKAGE_SET),dom0)
+  RPM_SPEC_FILES := secure-kernel-loader.spec
+endif
+
+NO_ARCHIVE := 1

qubesos/rel

@@ -0,0 +1 @@
+1

qubesos/secure-kernel-loader.spec.in

@@ -0,0 +1,40 @@
+Name:		secure-kernel-loader
+Version:	@VERSION@
+Release:	1%{?dist}
+Summary:	TrenchBoot Secure Kernel Loader
+License:	GPLv2+
+URL:		https://github.com/TrenchBoot/%{name}
+
+Source0:	https://github.com/TrenchBoot/%{name}/archive/%{version}.tar.gz
+
+BuildArch:		x86_64
+BuildRequires:	gcc
+
+
+%description
+Open source implementation of Secure Loader for AMD Secure Startup.
+
+# This is to avoid "Empty %files file ..." error and also because debug package
+# doesn't seem to be useful.
+%global debug_package %{nil}
+
+%prep
+%setup -q
+
+%build
+make
+
+%install
+install -D -p -m 0755 ./skl.bin %{buildroot}/boot/skl.bin
+install -D -p -m 0644 ./util.sh %{buildroot}%{_docdir}/%{name}/scripts/util.sh
+install -D -p -m 0755 ./extend_multiboot.sh %{buildroot}%{_docdir}/%{name}/scripts/extend_multiboot.sh
+
+%files
+%license COPYING
+%doc README.md
+/boot/skl.bin
+%{_docdir}/%{name}/scripts/util.sh
+%{_docdir}/%{name}/scripts/extend_multiboot.sh
+
+%changelog
+@CHANGELOG@

qubesos/version

@@ -0,0 +1 @@
+87150e03f54cab1b0c0fde5e1eba8257953a378b