From: Nathan Chancellor
Date: Tue, 10 Feb 2026 00:04:48 -0700
Subject: [PATCH 1/2] kbuild: rpm-pkg: Restrict manual debug package creation
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260210-kbuild-fix-debuginfo-rpm-v1-1-0730b92b14bc@kernel.org>
References: <20260210-kbuild-fix-debuginfo-rpm-v1-0-0730b92b14bc@kernel.org>
In-Reply-To: <20260210-kbuild-fix-debuginfo-rpm-v1-0-0730b92b14bc@kernel.org>
To: Nathan Chancellor, Nicolas Schier
Cc: linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Steve French

Commit 62089b804895 ("kbuild: rpm-pkg: Generate debuginfo package manually") moved away from the built-in RPM machinery for generating -debuginfo packages to a more manual way to be compatible with module signing, as the built-in machinery strips the modules after the installation process, breaking the signatures.

Unfortunately, prior to rpm 4.20.0, there is a bug where a custom %files directive is ignored for a -debuginfo subpackage [1], meaning builds using older versions of RPM (such as on RHEL9 or RHEL10) fail with:

  Checking for unpackaged file(s): /usr/lib/rpm/check-files .../rpmbuild/BUILDROOT/kernel-6.19.0_dirty-1.x86_64
  error: Installed (but unpackaged) file(s) found:
      /debuginfo.list
      /usr/lib/debug/.build-id/09/748c214974bfba1522d434a7e0a02e2fd7f29b.debug
      /usr/lib/debug/.build-id/0b/b96dd9c7d3689d82e56d2e73b46f53103cc6c7.debug
      /usr/lib/debug/.build-id/0e/979a2f34967c7437fd30aabb41de1f0c8b6a66.debug
      ...

To work around this, restrict the manual debug info package creation process to when it is necessary (CONFIG_MODULE_SIG=y) and possible (when using RPM >= 4.20.0). A follow up change will restore the RPM debuginfo creation process using a separate internal flag to allow the package to be built in more situations, as RPM 4.20.0 is a fairly recent version and the built-in -debuginfo generation works fine when module signing is disabled.

Cc: stable@vger.kernel.org
Fixes: 62089b804895 ("kbuild: rpm-pkg: Generate debuginfo package manually")
Link: https://github.com/rpm-software-management/rpm/commit/49f906998f3cf1f4152162ca61ac0869251c380f [1]
Reported-by: Steve French
Closes: https://lore.kernel.org/CAH2r5mugbrHTwnaQwQiYEUVwbtqmvFYf0WZiLrrJWpgT8iwftw@mail.gmail.com/
Signed-off-by: Nathan Chancellor
Acked-by: Nicolas Schier
Tested-by: Stefano Garzarella
--- scripts/package/kernel.spec | 9 +++++---- scripts/package/mkspec | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 35 insertions(+), 7 deletions(-) diff --git a/scripts/package/kernel.spec b/scripts/package/kernel.spec index 0f1c8de1bd95..b7deb159f404 100644 --- a/scripts/package/kernel.spec +++ b/scripts/package/kernel.spec 
@@ -47,12 +47,13 @@ This package provides kernel headers and makefiles suff= icient to build modules against the %{version} kernel package. %endif =20 -%if %{with_debuginfo} +%if %{with_debuginfo_manual} %package debuginfo Summary: Debug information package for the Linux kernel %description debuginfo This package provides debug information for the kernel image and modules f= rom the %{version} package. +%define install_mod_strip 1 %endif =20 %prep @@ -67,7 +68,7 @@ patch -p1 < %{SOURCE2} mkdir -p %{buildroot}/lib/modules/%{KERNELRELEASE} cp $(%{make} %{makeflags} -s image_name) %{buildroot}/lib/modules/%{KERNEL= RELEASE}/vmlinuz # DEPMOD=3Dtrue makes depmod no-op. We do not package depmod-generated fil= es. -%{make} %{makeflags} INSTALL_MOD_PATH=3D%{buildroot} INSTALL_MOD_STRIP=3D1= DEPMOD=3Dtrue modules_install +%{make} %{makeflags} INSTALL_MOD_PATH=3D%{buildroot} %{?install_mod_strip:= INSTALL_MOD_STRIP=3D1} DEPMOD=3Dtrue modules_install %{make} %{makeflags} INSTALL_HDR_PATH=3D%{buildroot}/usr headers_install cp System.map %{buildroot}/lib/modules/%{KERNELRELEASE} cp .config %{buildroot}/lib/modules/%{KERNELRELEASE}/config @@ -98,7 +99,7 @@ ln -fns /usr/src/kernels/%{KERNELRELEASE} %{buildroot}/li= b/modules/%{KERNELRELEA echo "%exclude /lib/modules/%{KERNELRELEASE}/build" } > %{buildroot}/kernel.list =20 -%if %{with_debuginfo} +%if %{with_debuginfo_manual} # copying vmlinux directly to the debug directory means it will not get # stripped (but its source paths will still be collected + fixed up) mkdir -p %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE} @@ -162,7 +163,7 @@ fi /lib/modules/%{KERNELRELEASE}/build %endif =20 -%if %{with_debuginfo} +%if %{with_debuginfo_manual} %files -f %{buildroot}/debuginfo.list debuginfo %defattr (-, root, root) %exclude /debuginfo.list diff --git a/scripts/package/mkspec b/scripts/package/mkspec index c7375bfc25a9..1080395ca0e1 100755 --- a/scripts/package/mkspec +++ b/scripts/package/mkspec 
@@ -23,15 +23,42 @@ else echo '%define with_devel 0' fi =20 +# manually generate -debuginfo package +with_debuginfo_manual=3D0 # debuginfo package generation uses find-debuginfo.sh under the hood, # which only works on uncompressed modules that contain debuginfo if grep -q CONFIG_DEBUG_INFO=3Dy include/config/auto.conf && (! grep -q CONFIG_MODULE_COMPRESS=3Dy include/config/auto.conf) && (! grep -q CONFIG_DEBUG_INFO_SPLIT=3Dy include/config/auto.conf); then -echo '%define with_debuginfo %{?_without_debuginfo: 0} %{?!_without_debugi= nfo: 1}' -else -echo '%define with_debuginfo 0' + # If module signing is enabled (which may be required to boot with + # lockdown enabled), the find-debuginfo.sh machinery cannot be used + # because the signatures will be stripped off the modules. However, due + # to an rpm bug in versions prior to 4.20.0 + # + # https://github.com/rpm-software-management/rpm/issues/3057 + # https://github.com/rpm-software-management/rpm/commit/49f906998f3cf= 1f4152162ca61ac0869251c380f + # + # We cannot provide our own debuginfo package because it does not listen + # to our custom files list, failing the build due to unpackaged files. + # Manually generate the debug info package if using rpm 4.20.0. If not + # using rpm 4.20.0, avoid generating a -debuginfo package altogether, + # as it is not safe. + if grep -q CONFIG_MODULE_SIG=3Dy include/config/auto.conf; then + rpm_ver_str=3D$(rpm --version 2>/dev/null) + # Split the version on spaces + IFS=3D' ' + set -- $rpm_ver_str + if [ "${1:-}" =3D RPM -a "${2:-}" =3D version ]; then + IFS=3D. 
+ set -- $3 + rpm_ver=3D$(( 1000000 * $1 + 10000 * $2 + 100 * $3 + ${4:-0} )) + if [ "$rpm_ver" -ge 4200000 ]; then + with_debuginfo_manual=3D'%{?_without_debuginfo:0}%{?!_without_debuginf= o:1}' + fi + fi + fi fi +echo "%define with_debuginfo_manual $with_debuginfo_manual" =20 cat<

Date: Tue, 10 Feb 2026 00:04:49 -0700
Subject: [PATCH 2/2] kernel: rpm-pkg: Restore find-debuginfo.sh approach to -debuginfo package
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260210-kbuild-fix-debuginfo-rpm-v1-2-0730b92b14bc@kernel.org>
References: <20260210-kbuild-fix-debuginfo-rpm-v1-0-0730b92b14bc@kernel.org>
In-Reply-To: <20260210-kbuild-fix-debuginfo-rpm-v1-0-0730b92b14bc@kernel.org>
To: Nathan Chancellor, Nicolas Schier
Cc: linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org

Commit 62089b804895 ("kbuild: rpm-pkg: Generate debuginfo package manually") effectively reverted commit a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM") but the approach it took is not safe for older RPM releases. Restore commit a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM") for the !CONFIG_MODULE_SIG case to allow more environments and configurations to take advantage of the separate debug information package process.

Cc: stable@vger.kernel.org
Fixes: 62089b804895 ("kbuild: rpm-pkg: Generate debuginfo package manually")
Signed-off-by: Nathan Chancellor
Acked-by: Nicolas Schier
Tested-by: Stefano Garzarella
--- scripts/package/kernel.spec | 50 +++++++++++++++++++++++++++++++++++++++++= ---- scripts/package/mkspec | 5 +++++ 2 files changed, 51 insertions(+), 4 deletions(-) diff --git a/scripts/package/kernel.spec b/scripts/package/kernel.spec index b7deb159f404..af682a705477 100644 --- a/scripts/package/kernel.spec +++ b/scripts/package/kernel.spec @@ -2,8 +2,6 @@ %{!?_arch: %define _arch dummy} %{!?make: %define make make} %define makeflags %{?_smp_mflags} ARCH=3D%{ARCH} -%define __spec_install_post /usr/lib/rpm/brp-compress || : -%define debug_package %{nil} =20 Name: kernel Summary: The Linux Kernel 
@@ -56,6 +54,38 @@ This package provides debug information for the kernel i= mage and modules from th %define install_mod_strip 1 %endif =20 +%if %{with_debuginfo_rpm} +# list of debuginfo-related options taken from distribution kernel.spec +# files +%undefine _include_minidebuginfo +%undefine _find_debuginfo_dwz_opts +%undefine _unique_build_ids +%undefine _unique_debug_names +%undefine _unique_debug_srcs +%undefine _debugsource_packages +%undefine _debuginfo_subpackages +%global _find_debuginfo_opts -r +%global _missing_build_ids_terminate_build 1 +%global _no_recompute_build_ids 1 +%{debug_package} + +# later, we make all modules executable so that find-debuginfo.sh strips +# them up. but they don't actually need to be executable, so remove the +# executable bit, taking care to do it _after_ find-debuginfo.sh has run +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \\\ + | xargs --no-run-if-empty chmod u-x +%else +%define __spec_install_post /usr/lib/rpm/brp-compress || : +%endif +# some (but not all) versions of rpmbuild emit %%debug_package with +# %%install. since we've already emitted it manually, that would cause +# a package redefinition error. ensure that doesn't happen +%define debug_package %{nil} + %prep %setup -q -n linux cp %{SOURCE1} .config 
@@ -99,14 +129,22 @@ ln -fns /usr/src/kernels/%{KERNELRELEASE} %{buildroot}= /lib/modules/%{KERNELRELEA echo "%exclude /lib/modules/%{KERNELRELEASE}/build" } > %{buildroot}/kernel.list =20 -%if %{with_debuginfo_manual} +%if 0%{with_debuginfo_manual}%{with_debuginfo_rpm} > 0 # copying vmlinux directly to the debug directory means it will not get # stripped (but its source paths will still be collected + fixed up) mkdir -p %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE} cp vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE} +%endif =20 -echo /usr/lib/debug/lib/modules/%{KERNELRELEASE}/vmlinux > %{buildroot}/de= buginfo.list +%if %{with_debuginfo_rpm} +# make modules executable so that find-debuginfo.sh strips them. this +# will be undone later in %%__spec_install_post +find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \ + | xargs --no-run-if-empty chmod u+x +%endif =20 +%if %{with_debuginfo_manual} +echo /usr/lib/debug/lib/modules/%{KERNELRELEASE}/vmlinux > %{buildroot}/de= buginfo.list while read -r mod; do mod=3D"${mod%.o}.ko" dbg=3D"%{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}/kernel/${m= od}" @@ -124,6 +162,10 @@ done < modules.order =20 %clean rm -rf %{buildroot} +%if %{with_debuginfo_rpm} +rm -f debugfiles.list debuglinks.list debugsourcefiles.list debugsources.l= ist \ + elfbins.list +%endif =20 %post if [ -x /usr/bin/kernel-install ]; then diff --git a/scripts/package/mkspec b/scripts/package/mkspec index 1080395ca0e1..c604f8c174e2 100755 --- a/scripts/package/mkspec +++ b/scripts/package/mkspec @@ -23,6 +23,8 @@ else echo '%define with_devel 0' fi =20 +# use %{debug_package} machinery to generate -debuginfo +with_debuginfo_rpm=3D0 # manually generate -debuginfo package with_debuginfo_manual=3D0 # debuginfo package generation uses find-debuginfo.sh under the hood, 
@@ -56,9 +58,12 @@ if grep -q CONFIG_DEBUG_INFO=3Dy include/config/auto.con= f && with_debuginfo_manual=3D'%{?_without_debuginfo:0}%{?!_without_debuginf= o:1}' fi fi + else + with_debuginfo_rpm=3D'%{?_without_debuginfo:0}%{?!_without_debuginfo:1}' fi fi echo "%define with_debuginfo_manual $with_debuginfo_manual" +echo "%define with_debuginfo_rpm $with_debuginfo_rpm" =20 cat<
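
Review bot: IFS is changed twice in the new version-parsing block of mkspec ([PATCH 1/2], hunk @@ -23,15 +23,42 @@) and never restored, so everything the script does after this block runs with IFS=. (or with IFS=' ' when the "RPM version" check fails). Save and restore it around the two "set --" calls (old_ifs=$IFS ... IFS=$old_ifs), or move the parsing into a function or subshell that only returns the number. In the same block only the fourth component has a default (${4:-0}); a version string with fewer than three components leaves $2 or $3 empty and turns the $(( ... )) expression into a syntax error, so ${2:-0} and ${3:-0} would keep the quiet fallback to with_debuginfo_manual=0. The comment says "if using rpm 4.20.0" while the test is -ge 4200000; "4.20.0 or newer" matches the code.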
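
Review bot: INSTALL_MOD_STRIP=1 stops being unconditional on the modules_install line ([PATCH 1/2], kernel.spec, hunk @@ -67,7 +68,7 @@): it is now passed only when install_mod_strip is defined, and the first hunk defines that macro only inside %if %{with_debuginfo_manual}. Whenever with_debuginfo_manual is 0 (for example signed modules built with rpm older than 4.20.0) the modules land in the main package unstripped, and the commit message does not mention this change. Either state it in the changelog, or define install_mod_strip in every case where no -debuginfo package is going to pick up the debug sections.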
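
Review bot: Nothing in the with_debuginfo_rpm branch of kernel.spec ([PATCH 2/2], hunk @@ -56,6 +54,38 @@) records that it must stay off when CONFIG_MODULE_SIG=y, although it strips modules through %{__debug_install_post}, which the 1/2 changelog names as the step that breaks module signatures. The only guard is the else arm added to mkspec in the last hunk. A short comment above %if %{with_debuginfo_rpm} stating that invariant would keep a later mkspec edit from silently producing packages whose modules have lost their signatures. In the added comment, "strips them up" reads better as "strips them".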
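
Review bot: The condition "%if 0%{with_debuginfo_manual}%{with_debuginfo_rpm} > 0" ([PATCH 2/2], kernel.spec, hunk @@ -99,14 +129,22 @@) works only because both macros expand to a single digit that is concatenated after the leading 0; "%if %{with_debuginfo_manual} || %{with_debuginfo_rpm}" states the intent directly. In the same hunk, "find ... | xargs --no-run-if-empty chmod u+x" depends on a GNU xargs option and on module paths without whitespace; "find ... -exec chmod u+x {} +" needs neither, and the same holds for the matching chmod u-x in __spec_install_post.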