Diffstat (limited to 'debian/signing_templates')
-rw-r--r-- | debian/signing_templates/README.source | 4 | ||||
-rw-r--r-- | debian/signing_templates/headers.meta.lintian-overrides.in | 3 | ||||
-rw-r--r-- | debian/signing_templates/image.control.in | 12 | ||||
-rwxr-xr-x | debian/signing_templates/rules | 20 | ||||
-rw-r--r-- | debian/signing_templates/rules.real | 94 | ||||
-rwxr-xr-x | debian/signing_templates/sign-file-attach | 56 | ||||
-rw-r--r-- | debian/signing_templates/source.control.in | 16 | ||||
-rw-r--r-- | debian/signing_templates/source.lintian-overrides.in | 7 | ||||
-rw-r--r-- | debian/signing_templates/source/format | 1 |
9 files changed, 213 insertions, 0 deletions
diff --git a/debian/signing_templates/README.source b/debian/signing_templates/README.source
new file mode 100644
index 000000000..f175c35b3
--- /dev/null
+++ b/debian/signing_templates/README.source
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the linux package. It should never be updated directly.
+
+ -- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Apr 2018 10:23:29 +0100
diff --git a/debian/signing_templates/headers.meta.lintian-overrides.in b/debian/signing_templates/headers.meta.lintian-overrides.in
new file mode 100644
index 000000000..4a0a7c08c
--- /dev/null
+++ b/debian/signing_templates/headers.meta.lintian-overrides.in
@@ -0,0 +1,3 @@
+# linux-signed-* source packages are generated by the linux source
+# package, so it is OK for their binaries to share documentation
+@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@
diff --git a/debian/signing_templates/image.control.in b/debian/signing_templates/image.control.in
new file mode 100644
index 000000000..4fffd2b6f
--- /dev/null
+++ b/debian/signing_templates/image.control.in
@@ -0,0 +1,12 @@
+Package: linux-image-@abiname@@localversion@
+Meta-Rules-Target: image
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: linux-image-@abiname@@localversion@-unsigned
+Replaces: linux-image-@abiname@@localversion@-unsigned
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ ${signed:Description}
diff --git a/debian/signing_templates/rules b/debian/signing_templates/rules
new file mode 100755
index 000000000..ad6156b87
--- /dev/null
+++ b/debian/signing_templates/rules
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+SHELL := sh -e
+
+include /usr/share/dpkg/architecture.mk
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+ dh_testdir
+ dh_clean
+
+binary: binary-arch binary-indep
+binary-arch: debian/control
+ dh_testdir
+ $(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH)
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
diff --git a/debian/signing_templates/rules.real b/debian/signing_templates/rules.real
new file mode 100644
index 000000000..d445e2672
--- /dev/null
+++ b/debian/signing_templates/rules.real
@@ -0,0 +1,94 @@
+SHELL := bash -e
+
+export DH_OPTIONS
+
+BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0)
+
+build-indep:
+
+build_image:
+
+binary_image: DH_OPTIONS = -p$(PACKAGE_NAME)
+binary_image: KERNEL_VERSION = $(ABINAME)$(LOCALVERSION)
+binary_image: IMAGE_PACKAGE_NAME = linux-image-$(KERNEL_VERSION)-unsigned
+binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME)
+binary_image: SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
+binary_image:
+ mkdir -p $(PACKAGE_DIR)/boot
+ rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
+ $(PACKAGE_DIR)/boot/
+ if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+ sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+ $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
+ else \
+ echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
+ fi
+ mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+ rsync -a $(addprefix /lib/modules/$(KERNEL_VERSION)/,modules.builtin modules.builtin.modinfo modules.order) \
+ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+ find $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) -name '*.sig' -printf '%P\n' | \
+ debian/sign-file-attach \
+ $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) \
+ /lib/modules/$(KERNEL_VERSION) \
+ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+# Copy any device tree files
+ if [ -d /usr/lib/linux-image-$(KERNEL_VERSION) ]; then \
+ mkdir -p $(PACKAGE_DIR)/usr/lib/linux-image-$(KERNEL_VERSION); \
+ rsync -a /usr/lib/linux-image-$(KERNEL_VERSION)/ \
+ $(PACKAGE_DIR)/usr/lib/linux-image-$(KERNEL_VERSION)/; \
+ fi
+# Copy bug scripts but change the info file to refer to the right package
+ mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
+ rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \
+ $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/
+ sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \
+ -e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \
+ $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info
+ dh_install
+ dh_installchangelogs
+ ln -sf linux-image.NEWS debian/$(PACKAGE_NAME).NEWS
+ dh_installdocs
+ dh_lintian
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+# Copy most package relations and description from unsigned package
+ for field in Depends Suggests Recommends Breaks; do \
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+ done
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+ dh_gencontrol -- $(GENCONTROL_ARGS)
+ dh_md5sums
+ dh_builddeb -- $(BUILDDEB_ARGS)
+
+build_meta:
+
+binary_meta:
+ dh_testdir
+ dh_prep
+ dh_bugfiles
+ dh_installdocs --link-doc=$(INSTALLDOCS_LINK_DOC)
+ dh_lintian
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol -- $(GENCONTROL_ARGS)
+ dh_md5sums
+ dh_builddeb -- $(BUILDDEB_ARGS)
+
+build_udeb:
+
+binary_udeb: export KW_DEFCONFIG_DIR=/usr/share/linux-support-$(ABINAME)/installer
+binary_udeb: export KW_CONFIG_DIR=/usr/share/linux-support-$(ABINAME)/installer
+binary_udeb:
+ dh_testdir
+ dh_prep
+ kernel-wedge install-files $(ABINAME)
+ kernel-wedge check $(PACKAGE_NAMES)
+ dh_fixperms
+ dh_gencontrol -- $(GENCONTROL_ARGS)
+ dh_builddeb -- $(BUILDDEB_ARGS)
+
+.PHONY: build_% binary_%
diff --git a/debian/signing_templates/sign-file-attach b/debian/signing_templates/sign-file-attach
new file mode 100755
index 000000000..6a8a18cac
--- /dev/null
+++ b/debian/signing_templates/sign-file-attach
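Review bot: The `find … -printf '%P\n' | debian/sign-file-attach …` step in `binary_image` runs under `SHELL := bash -e` without `pipefail`, so a failing `find` (for example when `$(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION)` is absent) is masked by the exit status of `sign-file-attach`, which does nothing and succeeds on empty input; the package would then be built without any `.ko` files instead of failing. Consider `SHELL := bash -e -o pipefail` at the top of the file, after checking that the `dpkg-query … | head -n 1` substitutions still behave as intended. Separately, the `else` branch of the `vmlinuz-$(KERNEL_VERSION).sig` test ships the image copied from `/boot` unsigned and only changes the description text. If that fallback is meant for architectures without Secure Boot signing, a comment saying so, or a hard failure where a signature is expected, would make a missing signature visible at build time rather than at boot.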
@@ -0,0 +1,56 @@
+#!/usr/bin/python3
+
+import argparse
+import pathlib
+import shutil
+import struct
+import sys
+
+
+module_magic = b'~Module signature appended~\n'
+# Only relevant fields are id_type and sig_len
+module_signature = struct.Struct('!2xB2x3xL')
+module_signature_PKEY_ID_PKCS7 = 2
+
+
+def sign_file_attach(sig_base: pathlib.Path, module_base: pathlib.Path, output_base: pathlib.Path) -> None:
+ for line in sys.stdin:
+ path, _, file = line.strip().rpartition('/')
+ name, _, _ = file.partition('.')
+
+ sig = sig_base / path / f'{name}.ko.sig'
+ module = module_base / path / f'{name}.ko'
+ output = output_base / path / f'{name}.ko'
+ output.parent.mkdir(parents=True, exist_ok=True)
+
+ with sig.open('rb') as f_sig, module.open('rb') as f_module, output.open('wb') as f_output:
+ shutil.copyfileobj(f_module, f_output)
+ shutil.copyfileobj(f_sig, f_output)
+ len_sig = f_sig.tell()
+ f_output.write(module_signature.pack(
+ module_signature_PKEY_ID_PKCS7,
+ len_sig,
+ ))
+ f_output.write(module_magic)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ 'sig_base',
+ metavar='SIGNATURE',
+ type=pathlib.Path,
+ )
+ parser.add_argument(
+ 'module_base',
+ metavar='MODULE',
+ type=pathlib.Path,
+ )
+ parser.add_argument(
+ 'output_base',
+ metavar='OUTPUT',
+ type=pathlib.Path,
+ )
+ args = parser.parse_args()
+
+ sign_file_attach(**vars(args))
diff --git a/debian/signing_templates/source.control.in b/debian/signing_templates/source.control.in
new file mode 100644
index 000000000..2468a8c14
--- /dev/null
+++ b/debian/signing_templates/source.control.in
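Review bot: In `sign_file_attach`, `name, _, _ = file.partition('.')` cuts the file name at its first dot and the paths are then rebuilt as `{name}.ko.sig` and `{name}.ko`, so an input line that does not end in `.ko.sig`, or whose base name contains a dot, is silently mapped to a different file than the one listed on stdin. Checking the suffix explicitly, e.g. `if not file.endswith('.ko.sig'): raise ValueError(line)` followed by `name = file[:-len('.ko.sig')]`, would make the mapping exact and fail loudly on unexpected input. The script also appends the signature without confirming that the module read from `module_base` is the one that was signed; this presumably relies on the installed unsigned package matching the signed version, which is worth stating in a comment above the function.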
@@ -0,0 +1,16 @@
+Source: linux-signed@source_suffix@-@arch@
+Section: kernel
+Priority: optional
+Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
+Uploaders: Bastian Blank <waldi@debian.org>, maximilian attems <maks@debian.org>, Ben Hutchings <benh@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
+Standards-Version: 4.2.0
+Build-Depends:
+ debhelper-compat (= 12), dh-exec,
+ python3:any,
+ rsync,
+ sbsigntool [amd64 arm64 i386],
+ kernel-wedge (>= 2.102~),
+Rules-Requires-Root: no
+Vcs-Git: https://salsa.debian.org/kernel-team/linux.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/linux
+Homepage: https://www.kernel.org/
diff --git a/debian/signing_templates/source.lintian-overrides.in b/debian/signing_templates/source.lintian-overrides.in
new file mode 100644
index 000000000..34d68e762
--- /dev/null
+++ b/debian/signing_templates/source.lintian-overrides.in
@@ -0,0 +1,7 @@
+# linux-signed-* source packages are generated by the linux source
+# package, and produce binaries with the same versions, even in case
+# of a binNMU of linux
+linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-*
+
+# The changelog is mostly copied from linux which is non-native
+linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*
diff --git a/debian/signing_templates/source/format b/debian/signing_templates/source/format
new file mode 100644
index 000000000..89ae9db8f
--- /dev/null
+++ b/debian/signing_templates/source/format
@@ -0,0 +1 @@
+3.0 (native) |