[PATCH 1/1][linux-signed-hwe][linux-signed-hwe-edge][SRU Bionic] UBUNTU: support recompression of signed kernels

dann frazier dann.frazier at canonical.com
Tue May 14 13:04:27 UTC 2019 

On Wed, May 8, 2019 at 3:46 PM dann frazier <dann.frazier at canonical.com> wrote:
>
> From: Seth Forshee <seth.forshee at canonical.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1804481

fyi, it may make sense to change this buglink. We tagged this one with
LP: #1804481 in disco because it was part of a series that enabled
signing. But, in bionic the actual arm64 *signing* bits already
landed. Since I submitted this, the regression *this* patch fixes was
reported as LP: #1828553. So, it may make sense to just consider LP:
#1804481 closed and reference LP: #1828553 in the commit.

  -dann

> Our arm64 generic kernels are compressed, but they must be
> decompressed for signing. The kernel build will indicate that a
> signed kernel image should be recompressed by adding GZIP=1 into
> a <kernel-image>.vars file in the signing tarball. Add support
> for reading the contents of this file and compressing the kernel
> image when GZIP=1.
>
> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
> [ dannf: Use maximum gzip compression to match unsigned build ]
> Signed-off-by: dann frazier <dann.frazier at canonical.com>
> ---
>  debian/rules | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/debian/rules b/debian/rules
> index 926c4ae..0fbd900 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -44,8 +44,16 @@ override_dh_auto_build:
>                 cd "$(src_version)" || exit 1;                                  \
>                 for s in *.efi.signed; do                                       \
>                         [ ! -f "$$s" ] && continue;                             \
> -                       chmod 600 "$$s";                                        \
>                         base=$$(echo "$$s" | sed -e 's/.efi.signed//');         \
> +                       (                                                       \
> +                               vars="$${base}.efi.vars";                       \
> +                               [ -f "$$vars" ] && . "./$$vars";                \
> +                               if [ "$$GZIP" = "1" ]; then                     \
> +                                       gzip -9 "$$s";                          \
> +                                       mv "$${s}.gz" "$$s";                    \
> +                               fi;                                             \
> +                       );                                                      \
> +                       chmod 600 "$$s";                                        \
>                         ln "$$s" "../SIGNED/$$base";                            \
>                 done;                                                           \
>                 for s in *.opal.sig; do                                         \
> --
> 2.20.1
>

More information about the kernel-team mailing list