kernel: harden the signature check #321
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Kernel - WSA | |
on: | |
push: | |
branches: ["main"] | |
paths: | |
- ".github/workflows/build-kernel-wsa.yml" | |
- "kernel/**" | |
pull_request: | |
branches: ["main"] | |
paths: | |
- ".github/workflows/build-kernel-wsa.yml" | |
- "kernel/**" | |
workflow_call: | |
workflow_dispatch: | |
jobs: | |
build: | |
strategy: | |
matrix: | |
arch: [x86_64, arm64] | |
version: ["5.15.94.2", "5.15.104.1", "5.15.104.2", "5.15.104.3"] | |
name: Build WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }} | |
runs-on: ubuntu-20.04 | |
env: | |
CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion" | |
CCACHE_NOHASHDIR: "true" | |
CCACHE_HARDLINK: "true" | |
steps: | |
- name: Install Build Tools | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y --no-install-recommends bc bison build-essential ca-certificates flex git gnupg libelf-dev libssl-dev lsb-release software-properties-common wget libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip | |
export LLVM_VERSION=12 | |
wget -q https://apt.llvm.org/llvm.sh | |
sudo bash ./llvm.sh $LLVM_VERSION | |
cd /usr/bin | |
sudo ln -sf clang-$LLVM_VERSION clang | |
sudo ln -sf ld.lld-$LLVM_VERSION ld.lld | |
sudo ln -sf llvm-objdump-$LLVM_VERSION llvm-objdump | |
sudo ln -sf llvm-ar-$LLVM_VERSION llvm-ar | |
sudo ln -sf llvm-nm-$LLVM_VERSION llvm-nm | |
sudo ln -sf llvm-strip-$LLVM_VERSION llvm-strip | |
sudo ln -sf llvm-objcopy-$LLVM_VERSION llvm-objcopy | |
sudo ln -sf llvm-readelf-$LLVM_VERSION llvm-readelf | |
sudo ln -sf clang++-$LLVM_VERSION clang++ | |
- name: Checkout KernelSU | |
uses: actions/checkout@v4 | |
with: | |
path: KernelSU | |
fetch-depth: 0 | |
- name: Setup kernel source | |
uses: actions/checkout@v4 | |
with: | |
repository: microsoft/WSA-Linux-Kernel | |
ref: android-lts/latte-2/${{ matrix.version }} | |
path: WSA-Linux-Kernel | |
- name: Setup Ccache | |
uses: hendrikmuhs/[email protected] | |
with: | |
key: WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }} | |
save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
max-size: 2G | |
- name: Setup KernelSU | |
working-directory: WSA-Linux-Kernel | |
run: | | |
echo "[+] KernelSU setup" | |
KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel | |
echo "[+] KERNEL_ROOT: $KERNEL_ROOT" | |
echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers" | |
ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu | |
echo "[+] Add KernelSU driver to Makefile" | |
DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile | |
grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE | |
echo "[+] Apply KernelSU patches" | |
cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.15/*.patch | |
echo "[+] KernelSU setup done." | |
cd $GITHUB_WORKSPACE/KernelSU | |
VERSION=$(($(git rev-list --count HEAD) + 10200)) | |
echo "VERSION: $VERSION" | |
echo "kernelsu_version=$VERSION" >> $GITHUB_ENV | |
- name: Build Kernel | |
working-directory: WSA-Linux-Kernel | |
run: | | |
declare -A ARCH_MAP=(["x86_64"]="x64" ["arm64"]="arm64") | |
cp configs/wsa/config-wsa-${ARCH_MAP[${{ matrix.arch }}]} .config | |
make olddefconfig | |
if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then | |
export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }} | |
export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }} | |
fi | |
declare -A FILE_NAME=(["x86_64"]="bzImage" ["arm64"]="Image") | |
make -j`nproc` LLVM=1 ARCH=${{ matrix.arch }} $(if [ "${{ matrix.arch }}" == "arm64" ]; then echo CROSS_COMPILE=aarch64-linux-gnu; fi) ${FILE_NAME[${{ matrix.arch }}]} CCACHE="/usr/bin/ccache" | |
declare -A ARCH_MAP_FILE=(["x86_64"]="x86" ["arm64"]="arm64") | |
echo "file_path=WSA-Linux-Kernel/arch/${ARCH_MAP_FILE[${{ matrix.arch }}]}/boot/${FILE_NAME[${{ matrix.arch }}]}" >> $GITHUB_ENV | |
- name: Upload kernel-${{ matrix.arch }}-${{ matrix.version }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: kernel-WSA-${{ matrix.arch }}-${{ matrix.version }} | |
path: "${{ env.file_path }}" | |
- name: Post to Telegram | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.ref_type == 'tag' | |
env: | |
CHAT_ID: ${{ secrets.CHAT_ID }} | |
CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }} | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }} | |
COMMIT_MESSAGE: ${{ github.event.head_commit.message }} | |
COMMIT_URL: ${{ github.event.head_commit.url }} | |
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
run: | | |
TITLE=kernel-${{ matrix.arch }}-WSA-${{ matrix.version }} | |
echo "[+] title: $TITLE" | |
export TITLE | |
export VERSION="${{ env.kernelsu_version }}" | |
echo "[+] Compress images" | |
gzip -n -f -9 "${{ env.file_path }}" | |
echo "[+] Image to upload" | |
ls -l "${{ env.file_path }}.gz" | |
if [ -n "${{ secrets.BOT_TOKEN }}" ]; then | |
pip3 install python-telegram-bot | |
python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz" | |
fi |