Commit 4054d4af authored by Andy Whitcroft's avatar Andy Whitcroft Committed by Tim Gardner

UBUNTU: [debian] add custom upload for the kernel binary package

Pick out the kernel binaries and add them to a custom upload.  This upload
will trigger signing of the contained files which will later be pulled
into linux-*-signed packages.

Only include amd64 kernels as we only support EFI signed packages there.
Also ensure the kernel has a high enough interface version >= 0x020b
otherwise we may end up with an unsafe kernel loaded.
Signed-off-by: default avatarAndy Whitcroft <apw@canonical.com>
parent ecf31e89
...@@ -129,6 +129,7 @@ stampdir := $(CURDIR)/debian/stamps ...@@ -129,6 +129,7 @@ stampdir := $(CURDIR)/debian/stamps
# are places that you'll find linux-image hard coded, but I guess thats OK since the # are places that you'll find linux-image hard coded, but I guess thats OK since the
# assumption that the binary package always starts with linux-image will never change. # assumption that the binary package always starts with linux-image will never change.
# #
src_pkg_name=linux
bin_pkg_name=linux-image-$(abi_release) bin_pkg_name=linux-image-$(abi_release)
extra_pkg_name=linux-image-extra-$(abi_release) extra_pkg_name=linux-image-extra-$(abi_release)
hdrs_pkg_name=linux-headers-$(abi_release) hdrs_pkg_name=linux-headers-$(abi_release)
......
...@@ -45,6 +45,7 @@ install-%: pkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$* ...@@ -45,6 +45,7 @@ install-%: pkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*
install-%: pkgdir_ex = $(CURDIR)/debian/$(extra_pkg_name)-$* install-%: pkgdir_ex = $(CURDIR)/debian/$(extra_pkg_name)-$*
install-%: bindoc = $(pkgdir)/usr/share/doc/$(bin_pkg_name)-$* install-%: bindoc = $(pkgdir)/usr/share/doc/$(bin_pkg_name)-$*
install-%: dbgpkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*-dbgsym install-%: dbgpkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*-dbgsym
install-%: signed = $(CURDIR)/debian/$(bin_pkg_name)-signed
install-%: basepkg = $(hdrs_pkg_name) install-%: basepkg = $(hdrs_pkg_name)
install-%: hdrdir = $(CURDIR)/debian/$(basepkg)-$*/usr/src/$(basepkg)-$* install-%: hdrdir = $(CURDIR)/debian/$(basepkg)-$*/usr/src/$(basepkg)-$*
install-%: target_flavour = $* install-%: target_flavour = $*
...@@ -71,6 +72,16 @@ else ...@@ -71,6 +72,16 @@ else
chmod 600 $(pkgdir)/boot/$(install_file)-$(abi_release)-$* chmod 600 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
endif endif
ifeq ($(arch),amd64)
install -d $(signed)/$(release)-$(revision)
# Check to see if this supports handoff, if not do not sign it.
# Check the identification area magic and version >= 0x020b
handoff=`dd if="$(pkgdir)/boot/$(install_file)-$(abi_release)-$*" bs=1 skip=514 count=6 2>/dev/null | od -s | awk '($$1 == 0 && $$2 == 25672 && $$3 == 21362 && $$4 >= 523) { print "GOOD" }'`; \
[ "$$handoff" = "GOOD" ] && \
cp -p $(pkgdir)/boot/$(install_file)-$(abi_release)-$* \
$(signed)/$(release)-$(revision)/$(install_file)-$(abi_release)-$*.efi
endif
install -m644 $(builddir)/build-$*/.config \ install -m644 $(builddir)/build-$*/.config \
$(pkgdir)/boot/config-$(abi_release)-$* $(pkgdir)/boot/config-$(abi_release)-$*
install -m644 $(abidir)/$* \ install -m644 $(abidir)/$* \
...@@ -470,8 +481,17 @@ ifeq ($(do_tools),true) ...@@ -470,8 +481,17 @@ ifeq ($(do_tools),true)
dh_builddeb -p$(toolspkg) dh_builddeb -p$(toolspkg)
endif endif
binary-debs: signed = $(CURDIR)/debian/$(bin_pkg_name)-signed
binary-debs: signedv = $(CURDIR)/debian/$(bin_pkg_name)-signed/$(release)-$(revision)
binary-debs: signed_tar = $(src_pkg_name)_$(release)-$(revision)_$(arch).tar.gz
binary-debs: binary-perarch $(addprefix binary-,$(flavours)) binary-debs: binary-perarch $(addprefix binary-,$(flavours))
@echo Debug: $@ @echo Debug: $@
ifeq ($(arch),amd64)
echo $(release)-$(revision) > $(signedv)/version
cd $(signedv) && ls *.efi >flavours
cd $(signed) && tar czvf ../../../$(signed_tar) .
dpkg-distaddfile $(signed_tar) raw-uefi -
endif
build-arch-deps-$(do_flavour_image_package) += $(addprefix $(stampdir)/stamp-build-,$(flavours)) build-arch-deps-$(do_flavour_image_package) += $(addprefix $(stampdir)/stamp-build-,$(flavours))
build-arch: $(build-arch-deps-true) build-arch: $(build-arch-deps-true)
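Review bot: In the `ifeq ($(arch),amd64)` block added to the `install-%` recipe, `[ "$$handoff" = "GOOD" ] && cp -p …` is the last command of the recipe line, so an image that fails the header check makes the line exit non-zero and aborts the build, whereas the comment above it says such an image should simply not be signed. If skipping is the intent, write it as `if [ "$$handoff" = "GOOD" ]; then cp -p … ; fi`; if failing the build is the intent, the comment should say so. The `binary-debs` recipe has the matching problem from the other side: `ls *.efi >flavours` fails when no image was copied, and the `2>/dev/null` on `dd` hides why the check returned nothing. The `install-%` recipe starts and ends outside the hunk, so whether anything clears `$(signed)` before it is populated cannot be seen here; since `tar czvf … .` packs the whole directory into the signing upload, it is worth confirming that a stale `$(release)-$(revision)` tree from an earlier build cannot end up in it.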
......