Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1
@Aissen definitely will do a cheat sheet and write it all down once i found a way!

@Aissen That said I would not recommend those instructions otherwise. I've found at least four different "how to build kernel" tutorials even from Fedora's domain and all of them are broken. You have to pick right bits here and there ;-)

@Aissen See, I have my own here:

$ sudo certutil -L -d /etc/pki/pesign

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Machine Owner Certificate                                    Pu,Pu,Pu

@Aissen Most distributions (including Fedora) provide reasonable ways to integrate your own additional MOK key, and get the build to sign everything with that. And the ubiquitous way to make shim recognize that is "mokutil --import".

For Fedora I found the way it manages extra MOK keys from here: https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/

And the extra flag I need to add to file called "kernel-local" is %define pe_signing_cert "Machine Owner Certificate", so that RPM build shenanigans will pick it up.

@Aissen it does not fulfill the test case i'm looking for. using the distro kernel as it was meant to be. and e.g. integrating properly on how a distribution has chosen to integrate with secure boot, which is essential in my case.

for ad-hoc testing i have already a solution, which does the job perfectly generating both image for USB stick and scripts for running same payload in QEMU: https://codeberg.org/jarkko/linux-tpmdd-test

What you are suggesting would be a worse version of this, contaminating my rootfs.

@securepaul @kernellogger does not matter. i could grab some ideas. so far i don't have RPM packages that i'd be happy with using any method.

this is exactly why i was so committed to ubuntu even when i hated most of their decisions. only when they put kernel to snap my marriage ended.

for any distro, i still think, would be optimal to find a way to describe the build using a kernel tree with extra patches adding the packaging shenanigans on top. i think all major distributions fail miserably serving upstream kernel developers :-)

@idnorton of all i've tried i've ended up using LibreOffice Draw. Also, it is the only app that i use from LibreOffice. Why? I get the shit done.

i still want something that i can run in my own computer, not a subscription. and after trying "programming approach" like mermaid, it kind of disabled me being fuzzy and drawing random stuff. i write my diagrams as code when i actually implement them in a real programming language :-)

i've never thought that "oh i love libreoffice draw so much" but it is more like exclusion based choice.

@kernellogger @securepaul OK, this I've done successfully in the past but being able to do local builds is an asset :-)

For instance I use these sometimes just so that I can pre-check anything I push to Gitlab/Github just to check locally what CI will do:

- Gitlab: https://github.com/firecow/gitlab-ci-local
- GitHub: https://github.com/nektos/act

Ruin any kid's day with this one easy trick!

@securepaul this is absolutely useful as i have absolutely no idea what i'm doing :-) i'll experiment with your and Thorsten's suggestions and try to find my own way...

@kernellogger for me the last straw was this FDE or whatever crap where you either have deb based kernel or snap based. too confusing for a developer like me - especially since all the stuff I was interested in (e.g. TPM2 boot) is in the snap version. And as we know the Snap Store itself is as proprietary as Apple's App Store...

@kernellogger i'm sure i've seen worse don't worry ;-)

@kernellogger If you can append to kernel.spec, e.g. to kernel-local file, then that does the job. Thanks, I'll give it a shot.

I exactly picked one of @ljs patch sets because it is from alien subsystem. Using the stuff that I review myself and send to Linus eventually, could make me blind. This way I believe I can develop a robust workflow :-)

I mean 9/10 I just do trivial BuildRoot build but sometimes it is nice to be able to do proper packages and eat your own dog food (or should it be cat food given the patch set)...

@kernellogger dumb question perhaps: what is kernel-ark?

@vbabka i would be too, they get something to think about with decade(s) granularity :-)

@kernellogger I don't know. And also: I don't know what dist-git is :-) I spotted that maybe in some error message along the way.

So fedpkg is not the way to go for kernel dev?

Anyway I found many:

1. https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/
2. https://docs.fedoraproject.org/en-US/quick-docs/kernel-testing-patches/ (I'd pay a note that this page specifically speaks about kernel dev task and uses fedpkg. Thus one will assume that a kernel developer should stick to fedpkg, right?)
3. https://fedoraproject.org/wiki/Building_a_custom_kernel

Pretty hard to get from A to B IMHO ;-) I wish there was a tutorial page on "how to do upstream kernel development with Fedora and build compatible packages with opt-in secure boot. Here's how you do it."

Ubuntu had smooth procedure where you had actual kernel git with packaging patches on top. This broke of course with snap kernel images so does not hold any more.

@mikebabcock also, usually better standardization in any networked protocol leads to better mechanisms to detect issues and bunch of other good properties. always for the better at least :-)

Jarkko Sakkinen

Learning to compile distro kernel for Fedora. I took a random patch set from mm just to learn this process [1]. Has taken a couple of days because I don't know anything about RPM and have compiled so far only distro kernel for Ubuntu. I'm a recent convert to Fedora because between 2004-2021 I used Ubuntu until I had had enough ;-)

Glitches or things to reconsider:

- I have now kernel compilation ongoing with "fedpkg mockbuild". I hope this is the right command. I got the kernel by "fedpkg clone --anonymous kernel".
- I have no idea how to point out linux-next so had to backport a single patch from kselftest to v6.12-rc4. Any pointers how to use that nice fedpkg command AND have linux-next is appreciated.
- I hope this will ensure that the kernel will be signed with my MOK key: [2].

[1] https://lore.kernel.org/all/cover.1729440856.git.lorenzo.stoakes@oracle.com/
[2]
I have a key created:

$ sudo certutil -L -d /etc/pki/pesign

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Machine Owner Certificate                                    Pu,Pu,Pu

And I hope this will pick it for the kernel build:

--- a/kernel-local
+++ b/kernel-local
@@ -1,2 +1,3 @@
# This file is intentionally left empty in the stock kernel. Its a nicety
# added for those wanting to do custom rebuilds with altered config opts.
+%define pe_signing_cert "Machine Owner Certificate"
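Review bot: the added %define on the last line has no comment tying its value to the key store, and the string has to match the certificate nickname in the NSS database exactly. The certutil listing above shows "Machine Owner Certificate" in /etc/pki/pesign, so the value is consistent, but I would add a comment line above it naming that database, and confirm the signer on the built image (for example with pesign -S -i on the resulting vmlinuz) instead of relying on the macro being picked up.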

#fedora #linux #kernel #rpm

Jarkko Sakkinen

I don't think it will take long for Trump to officially, or without indirection, endorse Adolf Hitler. At least if he wins this will be inevitable.

So anyone who thinks that he will ensure the diplomatic relations with Israel, I'd think twice...

PS. Unrelated to ongoing horrible war in the Middle East...

https://www.theatlantic.com/politics/archive/2024/10/trump-military-generals-hitler/680327/