[mantic:linux-signed][PATCH 4/5] UBUNTU: Implement support for signed kernel.efi
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Fri Jul 14 21:30:52 UTC 2023
Implement support for signed kernel.efi as produced by
ubuntu-core-initrd (uci).
BugLink: https://bugs.launchpad.net/bugs/2027818
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
debian/rules | 22 ++++++++++++++++++++--
debian/scripts/config.py | 3 +++
debian/scripts/generate-control | 14 ++++++++++++++
3 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/debian/rules b/debian/rules
index 06651f2f5f..c316847b75 100755
--- a/debian/rules
+++ b/debian/rules
@@ -124,16 +124,34 @@ override_dh_auto_install:
fi; \
\
cvm_pkg="linux-image-$$verflav-fde"; \
+ uci_pkg="linux-image-$$verflav-uci"; \
if [ "$$instfile" = "kernel.efi" ]; then \
if grep -q "^Package: *$$cvm_pkg\$$" debian/control; then \
package=$$cvm_pkg; \
templates=cvm; \
echo "$$package: adding $$signed"; \
echo "$$signed usr/lib/linux/efi" >>"debian/$$package.install";\
+ elif grep -q "^Package: *$$uci_pkg\$$" debian/control; then \
+ package=$$uci_pkg; \
+ templates=uci; \
+ echo "$$package: adding $$signed"; \
+ echo "$$signed boot" >>"debian/$$package.install";\
+ case $$flavour in *fips) \
+ hmac="$$(dirname "$$signed")/.$$(basename "$$signed").hmac"; \
+ openssl sha512 -r -hmac FIPS-FTW-RHT2009 "$$signed" | \
+ awk -vpkg="/boot/$$(basename "$$signed")" \
+ '{ printf("%s %s\n", $$1, pkg) }' \
+ > "$$hmac"; \
+ echo "$$package: adding $$hmac"; \
+ echo "$$hmac boot" >>"debian/$$package.install"; \
+ ;; esac; \
+ snapdinfo=$(ver)/snapd-info; \
+ echo "$$package: adding $$snapdinfo"; \
+ echo "$$snapdinfo boot" >>"debian/$$package.install"; \
else \
- continue; \
+ continue; \
fi; \
- else \
+ else \
package="linux-image-$$verflav"; \
templates=image; \
echo "$$package: adding $$signed"; \
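Review bot: The FIPS sidecar pipeline `openssl sha512 -r -hmac FIPS-FTW-RHT2009 "$$signed" | awk ... > "$$hmac"` only reports awk's exit status, so an openssl failure (missing binary, unreadable input) leaves an empty `.hmac` file that is still appended to the `.install` list and shipped in /boot, where the fips kernel's integrity check would presumably reject the image at boot. Capture the digest first and fail the recipe when it is empty, e.g. `digest="$$(openssl sha512 -r -hmac FIPS-FTW-RHT2009 "$$signed" | awk '{ print $$1 }')"; [ -n "$$digest" ] || exit 1;` followed by `printf '%s %s\n' "$$digest" "/boot/$$(basename "$$signed")" > "$$hmac";`. Whether the recipe already runs under `set -e` is not visible here; the enclosing override_dh_auto_install recipe starts and ends outside the hunk. A short comment above the `*fips)` arm noting that the key is a fixed constant, so the sidecar provides integrity checking only and not authentication of the image, would save the next reader from treating it as a secret.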
diff --git a/debian/scripts/config.py b/debian/scripts/config.py
index d2693051bf..f87384f1ad 100644
--- a/debian/scripts/config.py
+++ b/debian/scripts/config.py
@@ -13,6 +13,9 @@ class Signing:
if "cvm" in options:
self._package_to_flavour_to_arch.setdefault("cvm", {}).setdefault(flavour, set()).add(arch)
continue
+ if "uci" in options:
+ self._package_to_flavour_to_arch.setdefault("uci", {}).setdefault(flavour, set()).add(arch)
+ continue
self._package_to_flavour_to_arch.setdefault("image", {}).setdefault(flavour, set()).add(arch)
# all other options are supplementary to the image
if "di" in options:
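Review bot: The new `uci` branch is reachable only when `cvm` is absent from the same option list, because the preceding `cvm` check hits `continue` first; an entry carrying both would silently register as cvm only. If the two are meant to be mutually exclusive, state it with a comment such as `# cvm and uci replace the image package; cvm takes precedence if both are listed`, or reject the combination explicitly. The two branches are otherwise identical, so a loop `for pkg in ("cvm", "uci"): if pkg in options: ...` would remove the duplication. The enclosing method starts before the hunk.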
diff --git a/debian/scripts/generate-control b/debian/scripts/generate-control
index 65a3841b7e..b44c313e0d 100755
--- a/debian/scripts/generate-control
+++ b/debian/scripts/generate-control
@@ -22,6 +22,8 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
uci_archs = set()
for _, archs in signing.package_flavour_archs("cvm"):
uci_archs.update(archs)
+ for _, archs in signing.package_flavour_archs("uci"):
+ uci_archs.update(archs)
if uci_archs:
print(f' ubuntu-core-initramfs [{" ".join(uci_archs)}] <generate>,', file=cfd)
print(f" {generate_name} (= {source_version}),", file=cfd)
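Review bot: The two loops feeding `uci_archs` differ only in the package key passed to `signing.package_flavour_archs`; a single nested loop `for pkg in ("cvm", "uci"): for _, archs in signing.package_flavour_archs(pkg): uci_archs.update(archs)` states the intent (any package that needs ubuntu-core-initramfs) in one place. The enclosing `with` block starts before the hunk.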
@@ -96,6 +98,18 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
A kernel image for {flavour}. This version of it is signed with
Canonical's signing key.
""").rstrip(), file=cfd)
+ for flavour, archs in signing.package_flavour_archs("uci"):
+ # Mostly similar to image, but we don't have recommands nor conflicts
+ print(dedent(f"""\
+
+ Package: linux-image-{abi_version}-{flavour}-uci
+ Architecture: {" ".join(archs)}
+ Depends: linux-modules-{abi_version}-{flavour}
+ Built-Using: {unsigned_name} (= {unsigned_version})
+ Description: Signed kernel image {flavour} for Ubuntu Core
+ A kernel image for {flavour}. This version of it is signed with
+ Canonical's signing key.
+ """).rstrip(), file=cfd)
# XXX: all dbgsym packages _must_ be at the end of debian/control else the
# build will hang forever on the builder.
for flavour, archs in signing.package_flavour_archs("image"):
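Review bot: The comment on the new loop misspells `recommends` (`recommands`), and the stanza it prints is a near-verbatim copy of the cvm stanza above it with only the `-uci` suffix and Description changed; emitting both from one parameterised template (suffix, description text) would keep the two from drifting when a field such as Depends is later adjusted. The comment also says the package deliberately carries no Conflicts, which means it can be co-installed next to other signed image packages for the same flavour; whether the files it ships into /boot can collide with theirs cannot be told from this hunk, so a sentence in that comment explaining why no Conflicts is needed would help. The enclosing `with` block starts before the hunk.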
--
2.34.1