diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/changelog linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/changelog --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/changelog 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/changelog 2023-01-25 15:07:54.000000000 +0000 @@ -0,0 +1,18 @@ +linux-generate-iot (5.4.0-1012.14) focal; urgency=medium + + * Master version: 5.4.0-1012.14 + + * SIGNEDv3: add a linux-generate ancillary package (LP: #1989705) + - [Packaging] add linux-generate* direct ancillary + + * Miscellaneous Ubuntu changes + - debian/tracking-bug -- update from master + + -- Stefan Bader Wed, 25 Jan 2023 16:07:54 +0100 + +linux-generate-iot (5.4.0-1007.9) focal; urgency=medium + + * Master version: 5.4.0-1007.9 + + -- Wen-chien Jesse Sung Mon, 21 Nov 2022 11:34:52 +0800 + diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/compat linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/compat --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/compat 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/compat 2023-01-25 15:07:54.000000000 +0000 @@ -0,0 +1 @@ +9 diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/control.common linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/control.common --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/control.common 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/control.common 2023-01-25 15:07:54.000000000 +0000 
@@ -0,0 +1,14 @@ +Source: linux-generate-iot +Section: kernel +Priority: optional +Maintainer: Canonical Kernel Team +Build-Depends: + debhelper (>= 9), + lsb-release, + python3, + python3-apt, +Build-Depends-Arch: + sbsigntool [amd64 arm64], + linux-image-unsigned-5.4.0-1012-iot (= 5.4.0-1012.14) [amd64], + linux-buildinfo-5.4.0-1012-iot (= 5.4.0-1012.14) [amd64], +Standards-Version: 3.9.4 diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/copyright linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/copyright --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/copyright 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/copyright 2023-01-25 15:07:54.000000000 +0000 
@@ -0,0 +1,33 @@ +This package exists to take the signed version of the kernel binaries +and insert them into packages. The source is as per the source for +the main kernel package. + +This is the Ubuntu prepackaged version of the Linux kernel. +Linux was written by Linus Torvalds +and others. + +This package was put together by the Ubuntu Kernel Team, from +sources retrieved from upstream linux git. +The sources may be found at most Linux ftp sites, including +ftp://ftp.kernel.org/pub/linux/kernel/ + +This package is currently maintained by the +Ubuntu Kernel Team + +Linux is copyrighted by Linus Torvalds and others. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +On Ubuntu Linux systems, the complete text of the GNU General +Public License v2 can be found in `/usr/share/common-licenses/GPL-2'. diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/files.json linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/files.json --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/files.json 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/files.json 2023-01-25 15:07:54.000000000 +0000 
@@ -0,0 +1,11 @@ +{ + "linux-generate-iot": { + "files": [ + { + "sig_type": "efi", + "file": "/boot/vmlinuz-5.4.0-1012-iot", + "arch": "amd64" + } + ] + } +} \ No newline at end of file diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/rules linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/rules --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/rules 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/rules 2023-01-25 14:53:16.000000000 +0000 @@ -0,0 +1,8 @@ +#! /usr/bin/make -f + +clean: + ./debian/scripts/gen-rules + $(MAKE) -f debian/rules.gen clean + +%: + $(MAKE) -f debian/rules.gen $@ diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/scripts/gen-rules linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/scripts/gen-rules --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/scripts/gen-rules 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/scripts/gen-rules 2023-01-25 14:53:16.000000000 +0000 
@@ -0,0 +1,113 @@ +#!/usr/bin/python3 + +import os +import sys +import json +from textwrap import dedent, indent + + +def dedent_makefile(raw, prefix=''): + lines = [] + for line in indent(dedent(raw), prefix=prefix).rstrip().split("\n"): + lines.append(line.replace(" ", " ", 1)) + return "\n".join(lines) + +with open("debian/changelog") as cfd: + bits = cfd.readline().split() + source_name = bits[0] + +with open("debian/files.json") as ffd: + signing_config = json.load(ffd) + +if source_name not in signing_config: + raise ValueError(f"{source_name} not found in files.json") + +to_sign = signing_config[source_name] + +overall_archs = set() +for file in to_sign["files"]: + overall_archs.add(file["arch"]) + +# Convert debian/control: pull off and rename the source stanza. Also add a +# simple build interlock package as we have to produce something. +in_control = os.path.join("debian", "control.common") +out_control = os.path.join("debian", "control") +with open(in_control) as ifd, open(out_control, "w") as ofd: + for line in ifd: + print(line, end='', file=ofd) + + print(dedent(f"""\ + + Package: {source_name} + Architecture: {" ".join(sorted(overall_archs))} + Section: kernel + Description: Build interlock package + Build interlock package. You do not want to install this package. + """.rstrip()), file=ofd) + +out_rules = os.path.join("debian", "rules.gen") +with open(out_rules, "w") as ofd: + print(dedent_makefile("""\ + #! 
/usr/bin/make -f + arch = $(shell dpkg-architecture -qDEB_HOST_ARCH) + source = $(shell dpkg-parsechangelog -SSource) + version = $(shell dpkg-parsechangelog -SVersion) + + clean:: + dh_clean + rm -rf $(custom_top) + + %: + dh $@ + + define copy_or_download + if [ -r "$(1)" ]; then \\ + exec cp -p "$(1)" "$(2)"; \\ + fi; \\ + pkg=$$(dpkg -S "$(1)" | awk -F: '{print $$1;}'); \\ + apt-get download $${pkg} || exit 1; \\ + for deb in $${pkg}_*.deb; do break; done; \\ + dpkg-deb -x "$$deb" "$$deb--contents" || exit 1; \\ + cp -p "$$deb--contents$(1)" "$(2)"; \\ + rm -rf "$$deb--contents" + endef + + custom_top=debian/custom + custom_dir=$(custom_top)/$(version) + custom_tar=$(source)_$(version)_$(arch).tar.gz + .PHONY: custom-upload + custom-upload: + install -d $(custom_dir)/control + { echo "tarball"; } >$(custom_dir)/control/options + cd $(custom_top) && tar czvf ../../../$(custom_tar) . + dpkg-distaddfile $(custom_tar) raw-signing - + + override_dh_auto_install: generate-$(arch) custom-upload + dh_install + """), file=ofd) + + for signing in to_sign["files"]: + arch = signing["arch"] + in_file = signing["file"] + out_file = signing["file"] + out_file = "$(custom_dir)" + signing["file"] + "." + signing["sig_type"] + print(dedent_makefile(f'''\ + + .PHONY: generate-{arch} + generate-{arch}:: + install -d {os.path.dirname(out_file)} + $(call copy_or_download,{in_file},{out_file}) + '''), file=ofd) + # arm64 platforms normally have compressed gzip'd kernels, these must be + # uncompressed for sigining and recompressed later. Where indicated gunzip + # the file and mark it for recompression in -signed. 
+ if signing["sig_type"] == "efi" and arch == "arm64": + print(dedent_makefile(f'''\ + if [ $$(file --brief --mime-type "{out_file}") = "application/gzip" ]; then \\ + gunzip -cv <{out_file} >{out_file}.gunzip; \\ + mv -f {out_file}.gunzip {out_file}; \\ + echo "GZIP=1" >>{out_file}.vars; \\ + fi; \\ + ''', prefix=' '), file=ofd) + +os.chmod(out_rules, 0o755) diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/format linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/format --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/format 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/format 2023-01-25 15:07:54.000000000 +0000 @@ -0,0 +1 @@ +3.0 (native) diff -Nru linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/options linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/options --- linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/options 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/ancillary/linux-generate-iot/debian/source/options 2023-01-25 15:07:54.000000000 +0000 @@ -0,0 +1,3 @@ +# force "dpkg-source -I -i" behavior +diff-ignore +tar-ignore diff -Nru linux-signed-iot-5.4.0/debian/changelog linux-signed-iot-5.4.0/debian/changelog --- linux-signed-iot-5.4.0/debian/changelog 2022-12-06 12:21:09.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/changelog 2023-01-25 15:07:54.000000000 +0000 
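Review bot: In the per-file loop of gen-rules, `out_file = signing["file"]` is a dead assignment that the next line overwrites, so only `out_file = "$(custom_dir)" + signing["file"] + "." + signing["sig_type"]` should remain. In the generated `copy_or_download` macro the download fallback selects its input with `for deb in $${pkg}_*.deb; do break; done`, i.e. whichever matching file sorts first in the build directory, which need not be the one `apt-get download` just fetched if an older `.deb` is still lying around; clearing matches before the download (`rm -f $${pkg}_*.deb; \\`) keeps the staged input unambiguous. The comment typo `sigining` should read `signing`, and `import sys` is unused. A module docstring saying that this script turns `debian/files.json` into `debian/rules.gen` and `debian/control` would help, since `debian/rules` calls it with no explanation.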
@@ -1,14 +1,20 @@ -linux-signed-iot (5.4.0-1010.12) focal; urgency=medium +linux-signed-iot (5.4.0-1012.14) focal; urgency=medium - * Master version: 5.4.0-1010.12 + * Master version: 5.4.0-1012.14 - -- Wen-chien Jesse Sung Tue, 06 Dec 2022 20:21:09 +0800 + * SIGNEDv3: add a linux-generate ancillary package (LP: #1989705) + - [Packaging] add linux-generate* direct ancillary -linux-signed-iot (5.4.0-1009.11) focal; urgency=medium + * Miscellaneous Ubuntu changes + - debian/tracking-bug -- update from master - * Master version: 5.4.0-1009.11 + -- Stefan Bader Wed, 25 Jan 2023 16:07:54 +0100 - -- Thadeu Lima de Souza Cascardo Thu, 24 Nov 2022 23:13:42 -0300 +linux-signed-iot (5.4.0-1007.9) focal; urgency=medium + + * Master version: 5.4.0-1007.9 + + -- Wen-chien Jesse Sung Mon, 21 Nov 2022 11:34:52 +0800 linux-signed-iot (5.4.0-1006.8) focal; urgency=medium diff -Nru linux-signed-iot-5.4.0/debian/control linux-signed-iot-5.4.0/debian/control --- linux-signed-iot-5.4.0/debian/control 2022-12-06 12:21:09.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/control 2023-01-25 15:07:54.000000000 +0000 
@@ -9,25 +9,26 @@ python3-apt, Build-Depends-Arch: sbsigntool [amd64 arm64], - linux-iot-headers-5.4.0-1010 (>= 5.4.0-1010.12), - linux-headers-5.4.0-1010-iot (>= 5.4.0-1010.12), + linux-image-unsigned-5.4.0-1012-iot (= 5.4.0-1012.14) [amd64], + linux-buildinfo-5.4.0-1012-iot (= 5.4.0-1012.14) [amd64], + linux-generate-iot (= 5.4.0-1012.14), Standards-Version: 3.9.4 -Package: linux-image-5.4.0-1010-iot +Package: linux-image-5.4.0-1012-iot Architecture: amd64 Depends: ${unsigned:Depends} Recommends: ${unsigned:Recommends} Suggests: ${unsigned:Suggests} Conflicts: ${unsigned:Conflicts} Provides: ${unsigned:Provides} -Built-Using: linux-iot (= 5.4.0-1010.12) -Description: Signed kernel image IoT - A kernel image for IoT. This version of it is signed with - Canonical's UEFI/Opal signing key. +Built-Using: linux-iot (= 5.4.0-1012.14) +Description: Signed kernel image iot + A kernel image for iot. This version of it is signed with + Canonical's signing key. -Package: linux-image-5.4.0-1010-iot-dbgsym +Package: linux-image-5.4.0-1012-iot-dbgsym Section: devel Architecture: amd64 -Depends: linux-image-unsigned-5.4.0-1010-iot-dbgsym -Description: Signed kernel image IoT - A link to the debugging symbols for the IoT kernel. +Depends: linux-image-unsigned-5.4.0-1012-iot-dbgsym +Description: Signed kernel image iot + A link to the debugging symbols for the iot signed kernel. diff -Nru linux-signed-iot-5.4.0/debian/control.stub linux-signed-iot-5.4.0/debian/control.stub --- linux-signed-iot-5.4.0/debian/control.stub 2022-06-01 06:09:05.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/control.stub 2023-01-25 14:53:16.000000000 +0000 @@ -1,4 +1,4 @@ -Source: SRCPKGNAME +Source: @SRCPKGNAME@ Section: kernel Priority: optional Maintainer: Canonical Kernel Team 
@@ -9,25 +9,5 @@ python3-apt, Build-Depends-Arch: sbsigntool [amd64 arm64], - HEADERS_COMMON (>= UNSIGNED_SRC_VERSION), - HEADERS_ARCH (>= UNSIGNED_SRC_VERSION), + @DEPENDS@, Standards-Version: 3.9.4 - -Package: linux-image-ABI-iot -Architecture: amd64 -Depends: ${unsigned:Depends} -Recommends: ${unsigned:Recommends} -Suggests: ${unsigned:Suggests} -Conflicts: ${unsigned:Conflicts} -Provides: ${unsigned:Provides} -Built-Using: UNSIGNED_SRC_PACKAGE (= UNSIGNED_SRC_VERSION) -Description: Signed kernel image IoT - A kernel image for IoT. This version of it is signed with - Canonical's UEFI/Opal signing key. - -Package: linux-image-ABI-iot-dbgsym -Section: devel -Architecture: amd64 -Depends: linux-image-unsigned-ABI-iot-dbgsym -Description: Signed kernel image IoT - A link to the debugging symbols for the IoT kernel. diff -Nru linux-signed-iot-5.4.0/debian/package.config linux-signed-iot-5.4.0/debian/package.config --- linux-signed-iot-5.4.0/debian/package.config 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/package.config 2023-01-25 14:53:16.000000000 +0000 @@ -0,0 +1 @@ +sign amd64 efi vmlinuz iot diff -Nru linux-signed-iot-5.4.0/debian/rules linux-signed-iot-5.4.0/debian/rules --- linux-signed-iot-5.4.0/debian/rules 2021-08-30 05:59:16.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/rules 2023-01-25 14:53:16.000000000 +0000 
@@ -4,32 +4,29 @@ DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH) -src = $(shell dpkg-parsechangelog -S Source) -ver = $(shell dpkg-parsechangelog -S Version) +src = $(shell dpkg-parsechangelog -SSource) +ver = $(shell dpkg-parsechangelog -SVersion) abi = $(shell echo "$(ver)" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p') +series = $(shell dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$$//') + +generate_src = $(shell echo $(src) | sed -e 's/-signed/-generate/') # Work out the source package name and version of the unsigned package # By convention, it is the name of this package with -signed stripped. # The version is identical to this package less any rebuild suffix (+signedN). unsigned_src = $(shell echo $(src) | sed -e 's/-signed//') -unsigned_ver = $(shell echo $(ver) | sed -e 's/+[0-9][0-9]*//') +unsigned_ver = $(shell echo $(ver) | sed -e 's/+[0-9][0-9]*$$//') -# Work out header packges for build deps. Depend on the common header -# package and the per-arch generic headers package (assumes all arches # have a generic flavour, which is currently true). src_headers = $(unsigned_src)-headers-$(abi) -src_headers_arch = linux-headers-$(abi)-iot +src_headers_arch = linux-headers-$(abi)-generic # We build our control file. This has to be done before dh runs otherwise # we have no binary files and we will not run the appropriate targets. 
pre-clean: - sed debian/control \ - -e "s/ABI/$(abi)/g" \ - -e "s/UNSIGNED_SRC_PACKAGE/$(unsigned_src)/g" \ - -e "s/UNSIGNED_SRC_VERSION/$(unsigned_ver)/g" \ - -e 's/SRCPKGNAME/$(src)/g' \ - -e 's/HEADERS_COMMON/$(src_headers)/g' \ - -e 's/HEADERS_ARCH/$(src_headers_arch)/g' + rm -f debian/control + ./debian/scripts/generate-control $(series) $(src) $(generate_src) $(ver) $(unsigned_src) $(unsigned_ver) $(abi) + ./debian/scripts/parameterise-ancillaries $(abi) $(generate_src) rm -rf ./$(unsigned_ver) UNSIGNED SIGNED rm -f debian/linux-image-*.install \ debian/linux-image-*.preinst \ @@ -45,15 +42,31 @@ %: dh $@ +override_dh_auto_build: SHELL=/bin/sh -x + override_dh_auto_build: - ./download-signed "$(src_headers_arch)" "$(unsigned_ver)" "$(unsigned_src)" + ./download-signed "$(generate_src)" "$(ver)" "$(generate_src)" #./download-unsigned "$(DEB_HOST_ARCH)" "$(unsigned_ver)" mkdir SIGNED ( \ - cd "$(unsigned_ver)" || exit 1; \ + signed="$(CURDIR)/SIGNED"; \ + cd "$(ver)/boot" || exit 1; \ for s in *.efi.signed; do \ [ ! -f "$$s" ] && continue; \ base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \ + flavour=$$(echo "$$base" | sed -e "s@.*-$(abi)-@@"); \ + verflav="$(abi)-$$flavour"; \ + if [ -e /usr/lib/linux/$$verflav/canonical-revoked-certs.pem ]; then \ + awk 'BEGIN {c=0;} /Certificate:/{c++} { print > "revoked-cert." c ".pem"}' < /usr/lib/linux/$$verflav/canonical-revoked-certs.pem; \ + for cert in revoked-cert.*.pem; do \ + echo Checking signature against $$cert; \ + if sbverify --verbose --verbose --cert $$cert $$s; then \ + echo Which is bad. EFI binary signed with revoked cert $$cert; \ + exit 1; \ + fi; \ + done; \ + echo All good. EFI binary not signed with a revoked key.; \ + fi; \ ( \ vars="$${base}.efi.vars"; \ [ -f "$$vars" ] && . "./$$vars"; \ 
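Review bot: The hunk removes the first two lines of the header-package comment but keeps `# have a generic flavour, which is currently true).` as context, leaving an orphaned fragment above `src_headers` that no longer reads as a sentence. With the sed-based control generation gone, `src_headers` and `src_headers_arch` appear unreferenced in the visible hunks (the remaining `download-signed` call passes `$(generate_src)`), so either drop both variables together with the fragment or restore a comment saying what they are still for; the silent change of `src_headers_arch` from `-iot` to `-generic` is otherwise unexplained. The `generate_src` and `series` derivations also deserve one line each, e.g. `# -generate companion package built from the same source` and `# pocket suffix stripped so the stub sees the bare series`.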
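Review bot: The revoked-certificate check in override_dh_auto_build only runs when `/usr/lib/linux/$$verflav/canonical-revoked-certs.pem` exists; when that file is absent the signed image is accepted with no message at all, so a missing or mis-pathed revocation list silently turns the check off. At least log the skip (`else echo "No revoked-cert list for $$verflav, skipping revocation check"; fi; \`), or fail for flavours where the list is expected. The split files `revoked-cert.*.pem` are written into `$(ver)/boot` next to the inputs and never removed, and any preamble before the first `Certificate:` marker produces a `revoked-cert.0.pem` that is not a certificate; `rm -f revoked-cert.*.pem` before and after the loop avoids stale entries between runs. The `*.fit.signed` loop added in the next hunk has no equivalent check, which may be intentional for FIT images but deserves a comment. The recipe continues outside the hunk.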
@@ -63,20 +76,26 @@ fi; \ ); \ chmod 600 "$$s"; \ - ln "$$s" "../SIGNED/$$base"; \ + ln "$$s" "$$signed/$$base"; \ done; \ for s in *.opal.sig; do \ [ ! -f "$$s" ] && continue; \ base=$$(echo "$$s" | sed -e 's/.opal.sig//'); \ - cat "$$base.opal" "$$s" >"../SIGNED/$$base"; \ - chmod 600 "../SIGNED/$$base"; \ + cat "$$base.opal" "$$s" >"$$signed/$$base"; \ + chmod 600 "$$signed/$$base"; \ done; \ for s in *.sipl.sig; do \ [ ! -f "$$s" ] && continue; \ base=$$(echo "$$s" | sed -e 's/.sipl.sig//'); \ - cat "$$base.sipl" "$$s" >"../SIGNED/$$base"; \ - chmod 600 "../SIGNED/$$base"; \ - done \ + cat "$$base.sipl" "$$s" >"$$signed/$$base"; \ + chmod 600 "$$signed/$$base"; \ + done; \ + for s in *.fit.signed; do \ + [ ! -f "$$s" ] && continue; \ + chmod 600 "$$s"; \ + base=$$(echo "$$s" | sed -e 's/.fit.signed//'); \ + ln "$$s" "$$signed/$$base"; \ + done; \ ) override_dh_auto_install: 
@@ -86,15 +105,29 @@ -e "s@-$(abi)-.*@@"); \ verflav="$(abi)-$$flavour"; \ \ + hmac_pkg="linux-image-hmac-$$verflav"; \ + if grep -q "^Package: *$$hmac_pkg\$$" debian/control; then \ + unsigned_hmac_pkg="linux-image-unsigned-hmac-$$verflav";\ + hmac="$$(dirname "$$signed")/.$$(basename "$$signed").hmac"; \ + sha512hmac "$$signed" | \ + awk -vpkg="/boot/$$(basename "$$signed")" \ + '{ printf("%s %s\n", $$1, pkg) }' \ + > "$$hmac"; \ + echo "$$hmac_pkg: adding $$hmac"; \ + echo "$$hmac boot" >>"debian/$$hmac_pkg.install"; \ + fi; \ + \ package="kernel-signed-image-$$verflav-di"; \ - echo "$$package: adding $$signed"; \ - echo "$$signed boot" >>"debian/$$package.install"; \ + if grep -q "^Package: *$$package\$$" debian/control; then \ + echo "$$package: adding $$signed"; \ + echo "$$signed boot" >>"debian/$$package.install"; \ + fi; \ \ package="linux-image-$$verflav"; \ echo "$$package: adding $$signed"; \ echo "$$signed boot" >>"debian/$$package.install"; \ \ - ./generate-depends linux-image-unsigned-$$verflav $(unsigned_ver) \ + ./debian/scripts/generate-depends linux-image-unsigned-$$verflav $(unsigned_ver) \ linux-image-$$verflav \ >>"debian/linux-image-$$verflav.substvars"; \ \ diff -Nru linux-signed-iot-5.4.0/debian/scripts/config.py linux-signed-iot-5.4.0/debian/scripts/config.py --- linux-signed-iot-5.4.0/debian/scripts/config.py 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/scripts/config.py 2023-01-25 14:53:16.000000000 +0000 
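Review bot: In the new HMAC block the status of `sha512hmac "$$signed" | awk ... > "$$hmac"` is awk's, so if `sha512hmac` is missing or fails the recipe still writes an empty `.hmac` file and adds it to `debian/$$hmac_pkg.install`; the recipe shell is `/bin/sh`, which has no `pipefail` to catch this. Capture the digest first and check it — `sum="$$(sha512hmac "$$signed")" || exit 1;` — then feed `$$sum` to awk with `printf '%s\n' "$$sum" | awk ...`. A comment noting that the tool providing `sha512hmac` (presumably `hmaccalc`) must be in Build-Depends for flavours that enable `--hmac` would help, as it is not in the visible control files. The surrounding loop starts and ends outside the hunk.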
@@ -0,0 +1,43 @@ +class Signing: + + def __init__(self): + self._flavour_to_arch = {} + self._package_to_flavour_to_arch = {} + self._arch_flavour_data = {} + + def add(self, arch, stype, binary, flavours, options): + for flavour in flavours: + self._arch_flavour_data[(arch, flavour)] = (stype, binary) + self._flavour_to_arch.setdefault(flavour, set()).add(arch) + self._package_to_flavour_to_arch.setdefault("image", {}).setdefault(flavour, set()).add(arch) + if "di" in options: + self._package_to_flavour_to_arch.setdefault("di", {}).setdefault(flavour, set()).add(arch) + if "hmac" in options: + self._package_to_flavour_to_arch.setdefault("hmac", {}).setdefault(flavour, set()).add(arch) + + @property + def flavour_archs(self): + for flavour, archs in sorted(self._flavour_to_arch.items()): + yield flavour, sorted(list(archs)) + + def package_flavour_archs(self, package): + for flavour, archs in sorted(self._package_to_flavour_to_arch.get(package, {}).items()): + yield flavour, sorted(list(archs)) + + @property + def arch_flavour_data(self): + return sorted(self._arch_flavour_data.items()) + + @classmethod + def load(cls, config): + signing = Signing() + with open(config) as cfd: + for line in cfd: + cmd, *args = line.strip().split() + if cmd == "sign": + arch, stype, binary, *flavours = args + options = [] + while flavours[-1].startswith("--"): + options.append(flavours.pop()[2:]) + signing.add(arch, stype, binary, flavours, options) + return signing diff -Nru linux-signed-iot-5.4.0/debian/scripts/debian-depends linux-signed-iot-5.4.0/debian/scripts/debian-depends --- linux-signed-iot-5.4.0/debian/scripts/debian-depends 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/scripts/debian-depends 2023-01-25 14:53:16.000000000 +0000 
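Review bot: `cmd, *args = line.strip().split()` in `Signing.load` raises `ValueError` on a blank or comment line, and `while flavours[-1].startswith("--")` raises `IndexError` when a `sign` line lists options but no flavour, so a harmless edit to `debian/package.config` aborts the build with a traceback instead of a message. Skip empties up front — `bits = line.split()` / `if not bits or bits[0].startswith("#"): continue` / `cmd, *args = bits` — and guard the option loop with `while flavours and flavours[-1].startswith("--"):`. `load` is a classmethod but constructs `Signing()` rather than `cls()`, and the class has no docstring describing the `sign <arch> <stype> <binary> <flavour>... [--di] [--hmac]` line format it parses.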
@@ -0,0 +1,9 @@ +#!/bin/bash + +from="$1" +version="$2" +to="$3" + +apt-cache show "$from=$version" | \ + egrep '^(Depends|Suggests|Provides|Conflicts|Replaces|Recommends):' | \ + sed -e 's/: /=/' -e 's/^/unsigned:/' -e "s/\\<$to\\>/$from/" diff -Nru linux-signed-iot-5.4.0/debian/scripts/generate-control linux-signed-iot-5.4.0/debian/scripts/generate-control --- linux-signed-iot-5.4.0/debian/scripts/generate-control 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/scripts/generate-control 2023-01-25 14:53:16.000000000 +0000 
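Review bot: The script sets neither `set -o pipefail` nor `set -e`, so when `apt-cache show "$from=$version"` finds nothing the pipeline exits 0 and emits no `unsigned:*` substvars; the signed package then builds with empty Depends/Provides/Conflicts instead of failing, which is the wrong direction for a signing package. Add `set -o pipefail` after the shebang so the caller in `debian/rules` sees the failure. `$to` and `$from` are spliced into the sed expression unescaped — `.` in a package name matches any character and a `/` would break the `s` command — so escape them first, e.g. `to_re=$(printf '%s' "$to" | sed 's/[][\.*^$/]/\\&/g')`. `egrep` is deprecated in favour of `grep -E`, and the same file is added verbatim as `debian/scripts/generate-depends` below while only that copy is called from `debian/rules`, so one of the two looks redundant.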
@@ -0,0 +1,80 @@ +#!/usr/bin/python3 -B + +import os +import sys +from textwrap import dedent + +from config import Signing + +(series, source_name, generate_name, source_version, unsigned_name, unsigned_version, abi_version) = sys.argv[1:] + +signing = Signing.load("debian/package.config") + +with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd: + for line in tfd: + line = line.replace("@SRCPKGNAME@", source_name) + line = line.replace("@SERIES@", series) + if "@DEPENDS@" in line: + for flavour, archs in signing.flavour_archs: + print(f' linux-image-unsigned-{abi_version}-{flavour} (= {unsigned_version}) [{" ".join(archs)}],', file=cfd) + print(f' linux-buildinfo-{abi_version}-{flavour} (= {unsigned_version}) [{" ".join(archs)}],', file=cfd) + print(f" {generate_name} (= {source_version}),", file=cfd) + else: + print(line, end='', file=cfd) + + for flavour, archs in signing.package_flavour_archs("image"): + print(dedent(f"""\ + + Package: linux-image-{abi_version}-{flavour} + Architecture: {" ".join(archs)} + Depends: ${{unsigned:Depends}} + Recommends: ${{unsigned:Recommends}} + Suggests: ${{unsigned:Suggests}} + Conflicts: ${{unsigned:Conflicts}} + Provides: ${{unsigned:Provides}} + Built-Using: {unsigned_name} (= {unsigned_version}) + Description: Signed kernel image {flavour} + A kernel image for {flavour}. This version of it is signed with + Canonical's signing key. + """).rstrip(), file=cfd) + for flavour, archs in signing.package_flavour_archs("di"): + print(dedent(f"""\ + + Package: kernel-signed-image-{abi_version}-{flavour}-di + Package-Type: udeb + Section: debian-installer + Priority: extra + Provides: kernel-signed-image + Architecture: {" ".join(archs)} + Built-Using: {unsigned_name} (= {unsigned_version}) + Description: Signed kernel image generic for the Debian installer + A kernel image for {flavour}. This version of it is signed with + Canonical's UEFI signing key. 
It is intended for the Debian installer, + it does _not_ provide a usable kernel for your full Debian system. + """).rstrip(), file=cfd) + for flavour, archs in signing.package_flavour_archs("hmac"): + print(dedent(f"""\ + + Package: linux-image-hmac-{abi_version}-{flavour} + Build-Profiles: + Architecture: {" ".join(archs)} + Section: kernel + Priority: optional + Depends: ${{misc:Depends}}, ${{shlibs:Depends}}, linux-image-{abi_version}-{flavour} + Suggests: fips-initramfs-generic + Description: HMAC file for linux kernel image {abi_version}-{flavour} + This package contains the HMAC file for Linux kernel image for version + {abi_version}-{flavour} + """).rstrip(), file=cfd) + # XXX: all dbgsym packages _must_ be at the end of debian/control else the + # build will hang forever on the builder. + for flavour, archs in signing.package_flavour_archs("image"): + print(dedent(f"""\ + + Package: linux-image-{abi_version}-{flavour}-dbgsym + Section: devel + Architecture: {" ".join(archs)} + Depends: linux-image-unsigned-{abi_version}-{flavour}-dbgsym + Description: Signed kernel image {flavour} + A link to the debugging symbols for the {flavour} signed kernel. + """).rstrip(), file=cfd) diff -Nru linux-signed-iot-5.4.0/debian/scripts/generate-depends linux-signed-iot-5.4.0/debian/scripts/generate-depends --- linux-signed-iot-5.4.0/debian/scripts/generate-depends 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/scripts/generate-depends 2023-01-25 14:53:16.000000000 +0000 
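Review bot: The udeb stanza's `Description: Signed kernel image generic for the Debian installer` hard-codes `generic` while every other field of that stanza is per-flavour; it should read `Description: Signed kernel image {flavour} for the Debian installer`. The same stanza still says `Canonical's UEFI signing key` whereas the image stanza in this commit was changed to `Canonical's signing key`, so the two wordings should be aligned. `import os` is unused, and the seven positional arguments are read by tuple-unpacking `sys.argv[1:]`, so a wrong argument count fails with a bare `ValueError`; a module docstring listing the argument order (`series source_name generate_name source_version unsigned_name unsigned_version abi_version`) and a usage line on that failure would help the next maintainer of `debian/rules`.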
@@ -0,0 +1,9 @@ +#!/bin/bash + +from="$1" +version="$2" +to="$3" + +apt-cache show "$from=$version" | \ + egrep '^(Depends|Suggests|Provides|Conflicts|Replaces|Recommends):' | \ + sed -e 's/: /=/' -e 's/^/unsigned:/' -e "s/\\<$to\\>/$from/" diff -Nru linux-signed-iot-5.4.0/debian/scripts/parameterise-ancillaries linux-signed-iot-5.4.0/debian/scripts/parameterise-ancillaries --- linux-signed-iot-5.4.0/debian/scripts/parameterise-ancillaries 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/scripts/parameterise-ancillaries 2023-01-25 14:53:16.000000000 +0000 
@@ -0,0 +1,78 @@ +#!/usr/bin/python3 -B + +import os +import sys +import json +from shutil import copy +from textwrap import dedent, indent + +from config import Signing + + +def build_changelog(outd, source_name): + # Convert debian/changelog: fix the package name in the first stanza. + in_changelog = os.path.join("debian", "changelog") + out_changelog = os.path.join(outd, "debian", "changelog") + with open(in_changelog) as ifd, open(out_changelog, "w") as ofd: + first = True + stanza = 0 + for line in ifd: + if line[0] not in (" ", "\n"): + stanza += 1 + first = True + if stanza == 3: + break + if first: + bits = line.split() + bits[0] = source_name + print(" ".join(bits), file=ofd) + first = False + else: + print(line, end="", file=ofd) + +# Build one of the ancillaries. +def build_ancillary(package): + outd = os.path.join("debian", "ancillary", package) + + os.makedirs(os.path.join(outd, "debian"), exist_ok=True) + build_changelog(outd, package) + for file in ( + os.path.join("debian", "compat"), + os.path.join("debian", "copyright"), + os.path.join("debian", "source", "format"), + os.path.join("debian", "source", "options"), + ): + os.makedirs(os.path.dirname(os.path.join(outd, file)), exist_ok=True) + copy(file, os.path.join(outd, file)) + + # Convert debian/control: pull off and rename the source stanza, then add a + # simple build interlock package as we have to produce something. + in_control = os.path.join("debian", "control") + out_control = os.path.join(outd, "debian", "control.common") + with open(in_control) as ifd, open(out_control, "w") as ofd: + for line in ifd: + line = line.rstrip() + if len(line) == 0: + break + if line.startswith("Source:"): + line = f"Source: {package}" + elif package and package in line: + continue + print(line, file=ofd) + + # Also dump out the files.json for -generate et al. 
+ ancillary_dir = os.path.join("debian", "ancillary", package, "debian") + os.makedirs(ancillary_dir, exist_ok=True) + with open(os.path.join(ancillary_dir, "files.json"), "w") as ffd: + to_sign = {} + for (arch, flavour), (stype, binary) in signing.arch_flavour_data: + to_sign.setdefault("files", []).append({"sig_type": stype, "file": f"/boot/{binary}-{abi_version}-{flavour}", "arch": arch}) + files = {package: to_sign} + json.dump(files, ffd, indent=2) + + +abi_version, gen_pkg = sys.argv[1:] + +signing = Signing.load("debian/package.config") + +build_ancillary(gen_pkg) diff -Nru linux-signed-iot-5.4.0/debian/tracking-bug linux-signed-iot-5.4.0/debian/tracking-bug --- linux-signed-iot-5.4.0/debian/tracking-bug 1970-01-01 00:00:00.000000000 +0000 +++ linux-signed-iot-5.4.0/debian/tracking-bug 2023-01-25 15:04:32.000000000 +0000 @@ -0,0 +1 @@ +2003476 2023.01.02-2 diff -Nru linux-signed-iot-5.4.0/generate-depends linux-signed-iot-5.4.0/generate-depends --- linux-signed-iot-5.4.0/generate-depends 2021-08-30 05:42:17.000000000 +0000 +++ linux-signed-iot-5.4.0/generate-depends 1970-01-01 00:00:00.000000000 +0000 @@ -1,9 +0,0 @@ -#!/bin/bash - -from="$1" -version="$2" -to="$3" - -apt-cache show "$from=$version" | \ - egrep '^(Depends|Suggests|Provides|Conflicts|Replaces|Recommends):' | \ - sed -e 's/: /=/' -e 's/^/unsigned:/' -e "s/\\<$to\\>/$from/" diff -Nru linux-signed-iot-5.4.0/update-version linux-signed-iot-5.4.0/update-version --- linux-signed-iot-5.4.0/update-version 2021-08-30 05:43:18.000000000 +0000 +++ linux-signed-iot-5.4.0/update-version 2023-01-25 14:53:16.000000000 +0000 
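Review bot: In `build_ancillary`, the filter `elif package and package in line: continue` drops any control line that merely contains the package name as a substring; it is presumably there to strip the `linux-generate-iot (= ...)` build-dependency from the ancillary's own `control.common`, but it would equally remove any other field whose text happens to contain that string. Make the intent explicit: `elif line.strip().startswith(f"{package} ("): continue` with the comment `# the ancillary must not build-depend on itself`. `build_changelog` copies only the first two stanzas (`if stanza == 3: break`) without saying why, and relies on the `signing`/`abi_version` globals assigned at the bottom of the file; a comment on the stanza limit and a docstring naming those globals would help. `from textwrap import dedent, indent` is unused.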
@@ -1,29 +1,58 @@ #!/bin/bash -tag_prefix=`dpkg-parsechangelog -S Source | sed 's/linux-signed/Ubuntu/'`- +here=$(dirname $(readlink -f "$0")) -if [ "$#" -ne 1 ]; then - echo "Usage: $0 " 1>&2 - exit 1 -fi -master_dir="$1" - -# Work out the master kernel version. -if [ -f "$master_dir/debian/debian.env" ]; then - branch=`sed -ne 's/DEBIAN=//p' <"$master_dir/debian/debian.env"` - changelog="-l$branch/changelog" +tag_prefix=`dpkg-parsechangelog -SSource | sed 's/linux-signed/Ubuntu/'`- + +commit=: +no_update=false +master_version= +master_dir= +while : +do + if [ "$1" = "--commit" ]; then + shift + commit= + + elif [ "$1" = "--no-update" ]; then + shift + no_update=true + + elif [ "$1" = "--master-version" ]; then + master_version="$2" + shift 2 + + else + break + fi +done + +if [ "$master_version" = "" ]; then + if [ "$#" -ne 1 ]; then + echo "Usage: $0 " 1>&2 + exit 1 + fi + master_dir="$1" + + # Work out the master kernel version. + if [ -f "$master_dir/debian/debian.env" ]; then + branch=`sed -ne 's/DEBIAN=//p' <"$master_dir/debian/debian.env"` + changelog="-l$branch/changelog" + else + changelog="" + fi + master_version=`(cd "$master_dir" && LC_ALL=C dpkg-parsechangelog -SVersion $changelog)` else - changelog="" + no_update=true fi -master_version=`(cd "$master_dir" && LC_ALL=C dpkg-parsechangelog -S Version $changelog)` # Work out our current version taking into account closed sections. 
-here_series=$( LC_ALL=C dpkg-parsechangelog -S Distribution ) +here_series=$( LC_ALL=C dpkg-parsechangelog -SDistribution ) if [ "$here_series" = "UNRELEASED" ]; then - here_version=$( LC_ALL=C dpkg-parsechangelog -o 1 -S Version ) - here_series=$( LC_ALL=C dpkg-parsechangelog -c 1 -S Distribution ) + here_version=$( LC_ALL=C dpkg-parsechangelog -o 1 -SVersion ) + here_series=$( LC_ALL=C dpkg-parsechangelog -c 1 -SDistribution ) else - here_version=$( LC_ALL=C dpkg-parsechangelog -S Version ) + here_version=$( LC_ALL=C dpkg-parsechangelog -SVersion ) fi # Ensure we have the appropriate tag. @@ -34,6 +63,22 @@ exit 1 fi +update_file() +{ + local src="$1" + local dst="$2" + cp -p "$src" "$dst" || exit 1 + if ! git diff --exit-code -- "$dst" >/dev/null; then + git commit -m "UBUNTU: $dst -- update from master" -s -- "$dst" + else + echo "$dst: no changes from master" + fi +} + +# Update things from the primary package. +if [ "$no_update" = 'false' ]; then + update_file "$master_dir/$branch/tracking-bug" "debian/tracking-bug" +fi #echo "here_version<$here_version>" #echo "master_version<$master_version>" @@ -44,7 +89,7 @@ elif dpkg --compare-versions "$here_version" eq "$master_version"; then here_newversion="$master_version+1" else - minor=$(( ${here_version#*+} + 1 )) + minor=$(( ${here_version##*+} + 1 )) here_newversion="$master_version+$minor" fi @@ -81,5 +126,7 @@ # Emit final closing commands. echo "git commit -s -m 'UBUNTU: $tag_prefix$here_newversion' debian/changelog" +$commit git commit -s -m "UBUNTU: $tag_prefix$here_newversion" debian/changelog here_tagversion=$( echo "$tag_prefix$here_newversion" | sed -e 's/~/_/g' ) echo "git tag -s -m '$tag_prefix$here_newversion' '$here_tagversion'" +$commit git tag -s -m "$tag_prefix$here_newversion" "$here_tagversion"
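Review bot: `here=$(dirname $(readlink -f "$0"))` leaves the inner substitution unquoted, so a checkout path containing spaces breaks it; write `here=$(dirname "$(readlink -f "$0")")`. `here` is not used anywhere in the visible hunks, so if nothing outside them reads it the line can go. The option loop does not check that `--master-version` has a value — `shift 2` with one argument left fails and the loop keeps going — so `[ $# -ge 2 ] || { echo "--master-version needs a value" 1>&2; exit 1; }` before the `shift 2` keeps the error readable.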
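Review bot: `update_file "$master_dir/$branch/tracking-bug"` uses `branch`, which the earlier hunk sets only when `$master_dir/debian/debian.env` exists; for a master tree without that file `branch` is empty, the source becomes `$master_dir//tracking-bug`, and `cp -p` exits the script even though `debian/tracking-bug` may well exist there. Setting `branch=debian` in the `else` branch of that `if` (next to `changelog=""`) fixes the path in both cases. In `update_file`, `git diff --exit-code -- "$dst"` presumably reports no change for an untracked `$dst`, so the first import of a new file prints `no changes from master` and is never committed; running `git add -- "$dst"` before the check would cover that case.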