Commit 00997cf9 authored by Andy Whitcroft's avatar Andy Whitcroft Committed by Juerg Haefliger

UBUNTU: [Packaging] signing -- switch to linux-image as signed when available

When we are signing for an architecture switch to producing a
linux-image-unsigned package from the primary source.  linux-signed will
then produce the linux-image package which will be signed.  We expect
all consumers to use the signed form even if they are not utilising
the signature.

BugLink: http://bugs.launchpad.net/bugs/1764794
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
parent 8cd938a7
......@@ -21,20 +21,36 @@
#
# XXX: Leave the blank line before the first package!!
Package: linux-image-PKGVER-ABINUM-FLAVOUR
Package: linux-image=SIGN-ME-PKG=-PKGVER-ABINUM-FLAVOUR
Build-Profiles: <!stage1>
Architecture: ARCH
Section: kernel
Priority: optional
Provides: linux-image, fuse-module, =PROVIDES=${linux:rprovides}
Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base
Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base, linux-modules-PKGVER-ABINUM-FLAVOUR
Recommends: BOOTLOADER, initramfs-tools | linux-initramfs-tool
Conflicts: linux-image=SIGN-PEER-PKG=-PKGVER-ABINUM-FLAVOUR
Suggests: fdutils, SRCPKGNAME-doc-PKGVER | SRCPKGNAME-source-PKGVER, SRCPKGNAME-tools, linux-headers-PKGVER-ABINUM-FLAVOUR
Description: Linux kernel image for version PKGVER on DESC
This package contains the Linux kernel image for version PKGVER on
This package contains the=SIGN-ME-TXT= Linux kernel image for version PKGVER on
DESC.
.
Also includes the corresponding System.map file, the modules built by the
Supports SUPPORTED processors.
.
TARGET
.
You likely do not want to install this package directly. Instead, install
the linux-FLAVOUR meta-package, which will ensure that upgrades work
correctly, and that supporting packages are also installed.
Package: linux-modules-PKGVER-ABINUM-FLAVOUR
Build-Profiles: <!stage1>
Architecture: ARCH
Section: kernel
Priority: optional
Depends: ${misc:Depends}, ${shlibs:Depends}
Description: Linux kernel extra modules for version PKGVER on DESC
Contains the corresponding System.map file, the modules built by the
packager, and scripts that try to ensure that the system is not left in an
unbootable state after an update.
.
......@@ -46,12 +62,12 @@ Description: Linux kernel image for version PKGVER on DESC
the linux-FLAVOUR meta-package, which will ensure that upgrades work
correctly, and that supporting packages are also installed.
Package: linux-image-extra-PKGVER-ABINUM-FLAVOUR
Package: linux-modules-extra-PKGVER-ABINUM-FLAVOUR
Build-Profiles: <!stage1>
Architecture: ARCH
Section: kernel
Priority: optional
Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-PKGVER-ABINUM-FLAVOUR | linux-image-unsigned-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
Description: Linux kernel extra modules for version PKGVER on DESC
This package contains the Linux kernel extra modules for version PKGVER on
DESC.
......@@ -82,7 +98,7 @@ Description: Linux kernel headers for version PKGVER on DESC
This is for sites that want the latest kernel headers. Please read
/usr/share/doc/linux-headers-PKGVER-ABINUM/debian.README.gz for details.
Package: linux-image-PKGVER-ABINUM-FLAVOUR-dbgsym
Package: linux-image=SIGN-ME-PKG=-PKGVER-ABINUM-FLAVOUR-dbgsym
Build-Profiles: <!stage1>
Architecture: ARCH
Section: devel
......@@ -90,7 +106,7 @@ Priority: optional
Depends: ${misc:Depends}
Provides: linux-debug
Description: Linux kernel debug image for version PKGVER on DESC
This package provides a kernel debug image for version PKGVER on
This package provides the=SIGN-ME-TXT= kernel debug image for version PKGVER on
DESC.
.
This is for sites that wish to debug the kernel.
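Review bot: The `linux-modules-PKGVER-ABINUM-FLAVOUR` stanza carries the short description `Linux kernel extra modules for version PKGVER on DESC`, which is word for word the one used by `linux-modules-extra-PKGVER-ABINUM-FLAVOUR` further down. In package listings the two cannot be told apart, and the base package's long text talks about System.map and the packager-built modules, not "extra" ones. Something like `Description: Linux kernel modules for version PKGVER on DESC` for the base package would keep them distinct. Which of these lines are new is inferred from the hunk sizes, since the rendered page has lost the +/- column.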
......
......@@ -43,6 +43,14 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
do_zfs=false
endif
# Are any of the kernel signing options enabled.
any_signed=$(sort $(filter-out false,$(uefi_signed)))
ifeq ($(any_signed),true)
bin_pkg_name=$(bin_pkg_name_unsigned)
else
bin_pkg_name=$(bin_pkg_name_signed)
endif
# Stages -- support both DEB_STAGE=stage1 and DEB_BUILD_PROFILE=bootstrap
ifeq ($(DEB_STAGE),stage1)
DEB_BUILD_PROFILES=stage1
......@@ -161,7 +169,7 @@ $(DEBIAN)/control.stub: $(DEBIAN)/d-i/kernel-versions.in \
done
flavours="$(sort $(wildcard $(DEBIAN)/control.d/vars.* $(DEBIAN)/sub-flavours/*.vars))";\
for i in $$flavours; do \
$(SHELL) $(DROOT)/scripts/control-create $$i | \
$(SHELL) $(DROOT)/scripts/control-create $$i "$(any_signed)" | \
sed -e 's/PKGVER/$(release)/g' \
-e 's/ABINUM/$(abinum)/g' \
-e 's/SRCPKGNAME/$(src_pkg_name)/g' \
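Review bot: The comment above `any_signed` does not explain the inversion that follows, where enabling signing makes `bin_pkg_name` take the *unsigned* name. I would add `# When signing, this source builds linux-image-unsigned; linux-signed produces the signed linux-image.` directly above the `ifeq`. The `ifeq` is evaluated at parse time, so `uefi_signed` has to be set before this point. Any value other than the literal `true` or `false` falls through to the `else` branch and selects the signed name, and a one-line note on the accepted values would make that explicit.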
......
......@@ -124,8 +124,10 @@ stampdir := $(CURDIR)/debian/stamps
# are places that you'll find linux-image hard coded, but I guess thats OK since the
# assumption that the binary package always starts with linux-image will never change.
#
bin_pkg_name=linux-image-$(abi_release)
extra_pkg_name=linux-image-extra-$(abi_release)
bin_pkg_name_signed=linux-image-$(abi_release)
bin_pkg_name_unsigned=linux-image-unsigned-$(abi_release)
mods_pkg_name=linux-modules-$(abi_release)
mods_extra_pkg_name=linux-modules-extra-$(abi_release)
hdrs_pkg_name=linux-headers-$(abi_release)
indep_hdrs_pkg_name=$(src_pkg_name)-headers-$(abi_release)
......
......@@ -94,8 +94,9 @@ define install_control =
endef
# Install the finished build
install-%: pkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*
install-%: pkgdir_ex = $(CURDIR)/debian/$(extra_pkg_name)-$*
install-%: pkgdir_bin = $(CURDIR)/debian/$(bin_pkg_name)-$*
install-%: pkgdir = $(CURDIR)/debian/$(mods_pkg_name)-$*
install-%: pkgdir_ex = $(CURDIR)/debian/$(mods_extra_pkg_name)-$*
install-%: bindoc = $(pkgdir)/usr/share/doc/$(bin_pkg_name)-$*
install-%: dbgpkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*-dbgsym
install-%: signingv = $(CURDIR)/debian/$(bin_pkg_name)-signing/$(release)-$(revision)
......@@ -122,6 +123,7 @@ install-%: checks-%
dh_testdir
dh_testroot
dh_clean -k -p$(bin_pkg_name)-$*
dh_clean -k -p$(mods_pkg_name)-$*
dh_clean -k -p$(hdrs_pkg_name)-$*
ifneq ($(skipdbg),true)
dh_clean -k -p$(dbg_pkg_name)-$*
......@@ -132,25 +134,26 @@ endif
# generate a zImage automatically out of the box
ifeq ($(compress_file),)
install -m600 -D $(builddir)/build-$*/$(kernfile) \
$(pkgdir)/boot/$(instfile)-$(abi_release)-$*
$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*
else
install -d $(pkgdir)/boot
install -d $(pkgdir_bin)/boot
gzip -c9v $(builddir)/build-$*/$(kernfile) > \
$(pkgdir)/boot/$(instfile)-$(abi_release)-$*
chmod 600 $(pkgdir)/boot/$(instfile)-$(abi_release)-$*
$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*
chmod 600 $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*
endif
ifeq ($(uefi_signed),true)
install -d $(signingv)
# Check to see if this supports handoff, if not do not sign it.
# Check the identification area magic and version >= 0x020b
handoff=`dd if="$(pkgdir)/boot/$(instfile)-$(abi_release)-$*" bs=1 skip=514 count=6 2>/dev/null | od -s | gawk '($$1 == 0 && $$2 == 25672 && $$3 == 21362 && $$4 >= 523) { print "GOOD" }'`; \
handoff=`dd if="$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*" bs=1 skip=514 count=6 2>/dev/null | od -s | gawk '($$1 == 0 && $$2 == 25672 && $$3 == 21362 && $$4 >= 523) { print "GOOD" }'`; \
if [ "$$handoff" = "GOOD" ]; then \
cp -p $(pkgdir)/boot/$(instfile)-$(abi_release)-$* \
cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
$(signingv)/$(instfile)-$(abi_release)-$*.efi; \
fi
endif
install -d $(pkgdir)/boot
install -m644 $(builddir)/build-$*/.config \
$(pkgdir)/boot/config-$(abi_release)-$*
install -m644 $(abidir)/$* \
......@@ -242,11 +245,11 @@ endif
echo "interest linux-update-$(abi_release)-$*" >"$(DROOT)/$(bin_pkg_name)-$*.triggers"
$(call install_control,$(bin_pkg_name)-$*,image,postinst postrm preinst prerm)
$(call install_control,$(mods_pkg_name)-$*,extra,postinst postrm)
ifeq ($(do_extras_package),true)
# Install the postinit/postrm scripts in the extras package.
if [ -f $(DEBIAN)/control.d/$(target_flavour).inclusion-list ] ; then \
$(call install_control,$(extra_pkg_name)-$*,extra,postinst postrm); \
$(call install_control,$(mods_extra_pkg_name)-$*,extra,postinst postrm); \
fi
endif
......@@ -440,7 +443,8 @@ endif
endif
binary-%: pkgimg = $(bin_pkg_name)-$*
binary-%: pkgimg_ex = $(extra_pkg_name)-$*
binary-%: pkgimg_mods = $(mods_pkg_name)-$*
binary-%: pkgimg_ex = $(mods_extra_pkg_name)-$*
binary-%: pkghdr = $(hdrs_pkg_name)-$*
binary-%: dbgpkg = $(bin_pkg_name)-$*-dbgsym
binary-%: dbgpkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*-dbgsym
......@@ -463,6 +467,16 @@ binary-%: install-%
dh_md5sums -p$(pkgimg)
dh_builddeb -p$(pkgimg) -- -Zbzip2 -z9
dh_installchangelogs -p$(pkgimg_mods)
dh_installdocs -p$(pkgimg_mods)
dh_compress -p$(pkgimg_mods)
dh_fixperms -p$(pkgimg_mods) -X/boot/
dh_installdeb -p$(pkgimg_mods)
dh_shlibdeps -p$(pkgimg_mods) $(shlibdeps_opts)
$(lockme) dh_gencontrol -p$(pkgimg_mods)
dh_md5sums -p$(pkgimg_mods)
dh_builddeb -p$(pkgimg_mods)
ifeq ($(do_extras_package),true)
if [ -f $(DEBIAN)/control.d/$(target_flavour).inclusion-list ] ; then \
dh_installchangelogs -p$(pkgimg_ex); \
......@@ -701,9 +715,9 @@ binary-debs: signingv = $(CURDIR)/debian/$(bin_pkg_name)-signing/$(release)-$(re
binary-debs: signing_tar = $(src_pkg_name)_$(release)-$(revision)_$(arch).tar.gz
binary-debs: binary-perarch $(addprefix binary-,$(flavours))
@echo Debug: $@
ifeq ($(uefi_signed),true)
ifeq ($(any_signed),true)
install -d $(signingv)/control
{ echo "tarball"; echo "signed-only"; } >$(signingv)/control/options
{ echo "tarball"; } >$(signingv)/control/options
cd $(signing) && tar czvf ../../../$(signing_tar) .
dpkg-distaddfile $(signing_tar) raw-signing -
endif
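Review bot: In `install-%`, a kernel that fails the handoff magic/version test is silently left out of `$(signingv)`, and after this commit the package built from `$(pkgdir_bin)` is `linux-image-unsigned-*`. Since the description expects all consumers to use the signed form, a flavour that fails the test would presumably end up with no `linux-image-*` package and no build-time hint why. An `else` arm such as `else echo "EFI handoff not supported, not submitting $* for signing" >&2; \` (or a hard failure) would make that visible. That block also still tests `$(uefi_signed)` while `binary-debs` now tests `$(any_signed)`, so the two conditions should be kept in step once a second signing option feeds `any_signed`. The recipe bodies begin and end outside the hunks shown.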
......
......@@ -14,14 +14,17 @@ do-binary-udebs: debian/control
# unpack the kernels into a temporary directory
mkdir -p debian/d-i-${arch}
imagelist=$$(cat $(builddir)/kernel-versions | grep ^${arch} | gawk '{print $$4}') && \
for i in $$imagelist; do \
dpkg -x $$(ls ../linux-image-$$i\_$(release)-$(revision)_${arch}.deb) \
debian/d-i-${arch}; \
if [ -f ../linux-image-extra-$$i\_$(release)-$(revision)_${arch}.deb ] ; then \
dpkg -x ../linux-image-extra-$$i\_$(release)-$(revision)_${arch}.deb \
debian/d-i-${arch}; \
fi; \
imagelist=$$(cat $(CURDIR)/$(DEBIAN)/d-i/kernel-versions | grep ^${arch} | gawk '{print $$3}') && \
for f in $$imagelist; do \
i=$(release)-$(abinum)-$$f; \
for f in \
../linux-image-$$i\_$(release)-$(revision)_${arch}.deb \
../linux-image-unsigned-$$i\_$(release)-$(revision)_${arch}.deb \
../linux-modules-$$i\_$(release)-$(revision)_${arch}.deb \
../linux-modules-extra-$$i\_$(release)-$(revision)_${arch}.deb; \
do \
[ -f $$f ] && dpkg -x $$f debian/d-i-${arch}; \
done; \
/sbin/depmod -b debian/d-i-${arch} $$i; \
done
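Review bot: All four `.deb` candidates in the new inner loop are optional (`[ -f $$f ] && dpkg -x …`), so a flavour for which none of them exists is passed over without a message and `depmod` then runs against an empty tree. The previous code at least made `dpkg -x` complain when the `linux-image` deb was missing. I would set a flag when something is unpacked, e.g. `[ -f $$deb ] && { dpkg -x $$deb debian/d-i-${arch}; found=1; };`, and stop with an error before `depmod` when it is still empty. The inner loop also reuses the outer loop variable `f`; that works because the outer list is already expanded, but a separate name such as `deb` reads more safely. The recipe starts outside this hunk.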
......
......@@ -3,12 +3,22 @@
. debian/debian.env
vars=$1
any_signed=$2
. $vars
if [ "$is_sub" = "" ]; then
flavour=$(basename $vars | sed 's/.*\.//')
stub=${DEBIAN}/control.d/flavour-control.stub
if [ "$any_signed" = 'true' ]; then
sign_me_pkg="-unsigned"
sign_me_txt=" unsigned"
sign_peer_pkg=""
else
sign_me_pkg=""
sign_me_txt=""
sign_peer_pkg="-unsigned"
fi
else
flavour=$(basename $vars .vars)
stub=${DEBIAN}/sub-flavours/control.stub
......@@ -22,4 +32,7 @@ cat $stub | grep -v '^#' | sed \
-e "s#TARGET#$target#g" \
-e "s#BOOTLOADER#$bootloader#g" \
-e "s#=PROVIDES=#$provides#g" \
-e "s#=CONFLICTS=#$conflicts#g"
-e "s#=CONFLICTS=#$conflicts#g" \
-e "s#=SIGN-ME-PKG=#$sign_me_pkg#g" \
-e "s#=SIGN-ME-TXT=#$sign_me_txt#g" \
-e "s#=SIGN-PEER-PKG=#$sign_peer_pkg#g"
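Review bot: `sign_me_pkg`, `sign_me_txt` and `sign_peer_pkg` are assigned only inside the `[ "$is_sub" = "" ]` branch, but the three new `sed` expressions at the end of the script run for sub-flavours as well. There the variables are unset, so any `=SIGN-ME-PKG=` or `=SIGN-PEER-PKG=` placeholder in the sub-flavour stub would expand to the empty string and yield the signed package name even when `any_signed` is `true`. The sub-flavour stub is not visible here, so this may be intentional. Otherwise move the `any_signed` test ahead of the `if`, or add a comment saying sub-flavours never carry these placeholders. `any_signed=${2:-false}` would also make the default explicit for callers that pass only one argument.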