[UNSTABLE][PATCH 1/2] UBUNTU: [Packaging] add rules to build FIT image

Seth Forshee seth.forshee at canonical.com
Thu Oct 31 20:21:59 UTC 2019 

On Wed, Oct 23, 2019 at 12:07:24PM +0800, Shrirang Bagul wrote:
> BugLink: https://bugs.launchpad.net/bugs/1847969
> 
> Add a fit_signed option and a script so we can build FIT images that
> will be eventually signed.
> 
> Based on commit (in Bionic):
> 44efa9e736 UBUNTU: [Packaging] add rules to build FIT image
> 
> Signed-off-by: Alfonso Sánchez-Beato <alfonso.sanchez-beato at canonical.com>
> Signed-off-by: Shrirang Bagul <shrirang.bagul at canonical.com>
> ---
>  debian/rules                    |  2 +-
>  debian/rules.d/1-maintainer.mk  |  1 +
>  debian/rules.d/2-binary-arch.mk | 14 ++++++++++++
>  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
>  4 files changed, 56 insertions(+), 1 deletion(-)
>  create mode 100755 debian/scripts/build-fit
> 
> diff --git a/debian/rules b/debian/rules
> index 8cb6604e18db..9281de598b03 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
>  endif
>  
>  # Are any of the kernel signing options enabled.
> -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed)))
> +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed) $(fit_signed)))
>  ifeq ($(any_signed),true)
>  bin_pkg_name=$(bin_pkg_name_unsigned)
>  else
> diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
> index 6b4e0901c288..f20f537e1364 100644
> --- a/debian/rules.d/1-maintainer.mk
> +++ b/debian/rules.d/1-maintainer.mk
> @@ -94,6 +94,7 @@ printenv:
>  	@echo " uefi_signed               = $(uefi_signed)"
>  	@echo " opal_signed               = $(opal_signed)"
>  	@echo " sipl_signed               = $(sipl_signed)"
> +	@echo " fit_signed               = $(fit_signed)"
>  	@echo "full_build                = $(full_build)"
>  	@echo "libc_dev_version          = $(libc_dev_version)"
>  	@echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 82e4d80e469f..f3279369c3a7 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -478,6 +478,20 @@ endif
>  	install -m644 $(abidir)/$*.compiler \
>  		$(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler
>  
> +ifeq ($(fit_signed),true)
> +	install -d $(signingv)
> +	cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> +		$(signingv)/$(instfile)-$(abi_release)-$*;

It seems odd to me that you're putting both the vmlinuz and the fit
image into the signing tarball. Is there a reason for this other than
the fact that build-fit expects to find it there? If not, I think it
would be preferable to leave it out and pass the path to the vmlinuz to
build-fit.

> +	# Build FIT image now that the modules folder exists
> +	$(SHELL) $(DROOT)/scripts/build-fit \
> +		$(CURDIR)/$(DEBIAN)/$(fit_its) \

I assume fit_its will be defined in an <arch>.mk file?

> +		"$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \
> +		$(abi_release)-$(target_flavour) \
> +		$(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \
> +		$(signingv)
> +	cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/
> +endif
> +
>  headers_tmp := $(CURDIR)/debian/tmp-headers
>  headers_dir := $(CURDIR)/debian/linux-libc-dev
>  
> diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit
> new file mode 100755
> index 000000000000..09292611e39d
> --- /dev/null
> +++ b/debian/scripts/build-fit
> @@ -0,0 +1,40 @@
> +#!/bin/sh -e
> +# Creates a FIT image
> +# $1: ITS file (FIT components description)
> +# $2: list of space-separated dtb files
> +# $3: kernel version
> +# $4: kernel modules directory
> +# $5: destination directory
> +
> +. debian/debian.env
> +
> +echo "Creating FIT image"
> +fit_its="$1"
> +dtb_files="$2"
> +KERNEL_VERSION="$3"
> +KERNEL_MODULES_D="$4"
> +dest_d="$5"
> +
> +set -x
> +fit_d=$dest_d
> +mkdir -p "$fit_d"
> +# Export variables to be used by hooks
> +export KERNEL_VERSION
> +export KERNEL_MODULES_D
> +initrd_f=initrd.img
> +mkinitramfs -o "$initrd_f"
> +mv "$initrd_f" "$fit_d"

Can we assume mkinitramfs will always be installed, or do we need to add
a build dependency? And why not just generate the initramfs at its final
location?

> +mkdir -p "$fit_d"/dtbs/
> +for dtb in $dtb_files; do
> +    cp -f "$dtb" "$fit_d"/dtbs/
> +done
> +
> +cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage

Note that there's an assumption here that the kernel image will be named
vmlinuz-*, whereas the name is actually based on the install_file
variable from the <arch>.mk file. If the path to the kernel image was
passed as an argument then it would be unnecessary.

Thanks,
Seth

> +cp -f "$fit_its" "$fit_d"
> +
> +cd "$fit_d"
> +mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit
> +cd -
> +
> +rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}"
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

More information about the kernel-team mailing list