ACK/Cmnt: [RFC] SIGNEDv4: add Azure CVM support to the linux-generate ancillary package
Tim Gardner
tim.gardner at canonical.com
Wed May 3 14:27:04 UTC 2023
On 4/27/23 19:32, Dimitri John Ledkov wrote:
> jammy:linux-azure and jammy:linux-azure-fde now use the same ABI of
> the kernel build, with the only difference being the kernel image packaging
> format (kernel.efi vs vmlinuz) and minor dependency changes (control
> fields & maintainer scripts), with otherwise identical publication
> cycles, signing keys and targets.
>
> With these patches I am proposing to add the ability for the
> linux-signed/linux-generate packages to automatically parameterise and
> produce kernel.efi and package it appropriately. Once deployed, it
> will allow removing the linux-azure-fde derivatives, as all the packages
> they currently produce will be superseded by the linux-azure set of
> source packages.
>
> Landing these changes will need to happen in order, thus this set of
> patches is submitted for review; after the initial upgrade of
> linux-signed, the other changes can be done on each
> azure-fde kernel active at the time.
>
> Steps:
> 1) Land ubuntu-core-initramfs changes to autocreate kernel.efi for linux-generate
> https://github.com/snapcore/core-initrd/pull/150 (ready to land)
>
> 2) Land linux-signed v4 upgrade to support `--cvm` flag that will
> automatically parameterise and produce CVM signed tarball, and
> linux-image-*-fde signed packages. (ready to land)
>
> 3) Activate individual linux-signed-azure packages to produce -fde
> variant (blocked on above).
>
> 4) Make individual linux-meta-azure changes to provide -fde meta's,
> and also ensure transitional packages are in place to migrate people
> off -fde variants of all other packages (headers, tools, modules, and
> so on). (blocked on above)
>
> I am sending out these patches for review, and to figure out if this
> design approach is appropriate and the desired outcome. Care has been
> taken to ensure that all package relationships remain the same, or
> functionally equivalent. For example the linux-image-*-fde packages
> will now contain more correct Provides matching the regular azure
> packages. Invalid / no-op maintainer scripts are dropped, and
> functional parity is maintained. Test builds of these are also
> provided.
>
> If the review of these patches is satisfactory, I would want to
> attempt applying these to jammy:linux-azure-6.2 (the upcoming edge
> variant of azure). Once successful there, deploy signed changes to
> rest of the signed packages, followed by conversion of the current
> non-edge azure variants.
>
> Patches after this cover letter:
> step2 - linux-signed changes for all signed packages
> step3 - example on how to modify package.config to activate CVM build for a given kernel
> step4 - example meta changes to create metas for regular & CVM builds
>
> Not provided is the final step to mark linux-*-fde packages as obsolete
> in kernel-series.yaml.
>
> Example builds are available in ppa:xnox/ubuntu/nonvirt for a 1037 azure/azure-fde abi:
>
> https://launchpad.net/~xnox/+archive/ubuntu/nonvirt/+packages?field.name_filter=azure&field.status_filter=published&field.series_filter=jammy
>
> Specifically linux-generate-azure, linux-signed-azure, linux-meta-azure are of interest.
>
> Once all of the above is successful it will eliminate 4 kernel cranks
> per cycle. But it is also a gateway to do a similar conversion
> for most linux-uc* packages as well, which will leverage most of this
> work verbatim.
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
I am a big fan of this approach. I have a jammy:linux-azure-6.2 kernel
building at ppa:timg-tpi/jammy-azure-fde. Relevant repos at [1] and [2].
rtg
[1] git://git.launchpad.net/~timg-tpi/ubuntu/+source/linux-signed-azure/+git/jammy
    branch jammy-azure-6.2-fde-lp2017571
[2] git://git.launchpad.net/~timg-tpi/ubuntu/+source/linux-meta-azure/+git/jammy
    branch jammy-azure-6.2-fde-lp2017571
--
-----------
Tim Gardner
Canonical, Inc