From 34c1b859c2e3a33d278013cff5e13298906de0df Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Wed, 21 Nov 2012 10:47:38 +0100
Subject: [PATCH] dracut.sh: do not strip signed kernel modules

https://bugzilla.redhat.com/show_bug.cgi?id=873796
---
 dracut.sh | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/dracut.sh b/dracut.sh
index e463404..469f408 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1041,21 +1041,27 @@ if [[ $do_strip = yes ]] ; then
     dinfo "*** Stripping files ***"
     if [[ $DRACUT_FIPS_MODE ]]; then
         find "$initdir" -type f \
-            '(' -perm -0100 -or -perm -0010 -or -perm -0001 \
-            -or -path '*/lib/modules/*.ko' ')' -print0 \
+            -executable -not -path '*/lib/modules/*.ko' -print0 \
             | while read -r -d $'\0' f; do
             if ! [[ -e "${f%/*}/.${f##*/}.hmac" ]] \
                 && ! [[ -e "/lib/fipscheck/${f##*/}.hmac" ]] \
                 && ! [[ -e "/lib64/fipscheck/${f##*/}.hmac" ]]; then
                 echo -n "$f"; echo -n -e "\000"
             fi
-        done |xargs -r -0 strip -g 2>/dev/null
+        done | xargs -r -0 strip -g 2>/dev/null
     else
         find "$initdir" -type f \
-            '(' -perm -0100 -or -perm -0010 -or -perm -0001 \
-            -or -path '*/lib/modules/*.ko' ')' -print0 \
+            -executable -not -path '*/lib/modules/*.ko' -print0 \
             | xargs -r -0 strip -g 2>/dev/null
     fi
+
+    # strip kernel modules, but do not touch signed modules
+    find "$initdir" -type f -path '*/lib/modules/*.ko' -print0 \
+        | while read -r -d $'\0' f; do
+        SIG=$(tail -c 28 "$f")
+        [[ $SIG == '~Module signature appended~' ]] || { echo -n "$f"; echo -n -e "\000"; }
+    done | xargs -r -0 strip -g
+
     dinfo "*** Stripping files done ***"
 fi