diff --git a/debian/certs/ci-test-sign/ci-test-sign-key.pem b/debian/certs/ci-test-sign/ci-test-sign-key.pem deleted file mode 100644 index edd06e3..0000000 --- a/debian/certs/ci-test-sign/ci-test-sign-key.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQCo/R6tgfzFlvtA -bGb9QiwyCur1JB1eRE2UmU8t39jr0VRcr6p55v71fZE+ny4rLZl3ZibsKt1YeEhq -xAg7a7UfvjzT0PWaRV7M/XcwnRfKt032lUyNtcsEiMTp299Iak/Q/jm9M0yiTYxe -W1EsXfu1QrNSe0Zo8EZr9Q6eyFnjilJNgHpOlCyxH/7ujO73tzP84cEDZejFHYlo -ypKsjO2IWLcQssnM+llOlMYZ4mx6a6TxchSMKyYl6PRLviltkK4HF6AD4D4Lgoa0 -38pHPL2kJPEW9eb1cRsnFkzK4edYxGN6si728HUY/rQFSzehSaGXjPYR6kq2OCwQ -am4LcCm/AgMBAAECggEBAJso/df1+C88N6mpXs6+yXGRULaQ2F5LfKgqM+c9FyE+ -7KTFrlOLYyHoj0neQjfnAHf+1VIW8XFfz64oHB7jAEULGTKrNDbX5vl06NE8DDJX -KEB2SPn8p1GceqD2/wawhmSwaDduOLj1VyLz2Y5RJOIDQj9DbRzBMQfC1A+6ib4/ -LscWb1e1gQvZ0FIgSv2ZlOLqdSXVizsg7Am5iCizD5O9Pbw31QfZDyd7IJqpRi63 -Wo234CZS3Hhkr2267QttVeuY9AWgtYU1f6KMRrakEpLPf1mNqVIpY3M8Ee8KoMCr -a3pl39+N9+0DI4GCF5yctmzPn4YqWg25vFVirXJFluECgYEA1bRcPQ2EzTLDjm1U -tVrh3yd6ZPdY1Tch1UhzGf7lGIMY924tZZveDpWs7VGJMGO8hHTdo8Ku32AolJKA -yMW+P05+EcXo0GR8xcJ4Ol3yeJrblWhO4UNiQrTxhE6yy/g25zgVKcKUfbdkq7Cu -VOZpmNlh3bM4Iwno8ZGxvUI+GBcCgYEAym8r9G2MWFCmH6w6cOkt2EpOlzCEKLZ5 -q1nlZXTQBG+UB3EUPxZBviPTAjzZgfY1YS6SFZCb+fFEsVzGUAcz00xH6H2tHgmK -NoCX1bzqA7qDWjs2Dr2x33803jhRClQr/hg3rCwfoAkkImX2tPEf/URF6b5MuxgB -JPAT98lg3JkCgYEAzMG/8vtl99ogxvF4TT9j1ZWUzvKzma72as29AvZX+XF61XAq -bQW38I92nfgWk1esg9kZl9NsDDitCRWJ8VSOIUgKwOq4VBtD9ZOL8JidPvNZW0ES -+wC+QB3wno1tAMO1jzsMA/QcpIu4GEzz7ALMwJfgDjSun9vZ5sNq4mR67EcCgYEA -ibqbsEC8ZPXyIMiANoQfofHkiK8Eq+KC41dVYPLZ+Lqlf26rNMUC08fx76rQ3cBS -zxztXWi3BpXlg7q4XoiX9SIIJqEjILWi6LQTGePfX8wNRF3WyK69j28v3CV61ckw -6T822Zhnp+2wPQsckD0h46II4yCLehu545TIMSU9FrkCgYEAin/3RTg2V0v/36AR -YSMfZvfd+DCQ2Vm1WJQWfPJhdzb/L8DzFei0DDAbPFIiz5CFt9yyCIaag5XE0NqP -gHq3xaNmYqV2LLDX8lswmpeqUN0YpEKUwrT/CGuRLWMJYc2WwbGGgQIOc53nx+Ku -6DKedX7qLoifu/3fq69hNrMXsFs= ------END PRIVATE KEY----- 
diff --git a/debian/certs/ci-test-sign/ci-test-sign.pem b/debian/certs/ci-test-sign/ci-test-sign.pem deleted file mode 100644 index 7f2f4d0..0000000 --- a/debian/certs/ci-test-sign/ci-test-sign.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDEzCCAfugAwIBAgIUM0ot4Y+xMV7+tm0g9Yp70GPmizQwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAwwOVGVzdCBTaWduZXIgQ0EwHhcNMjIwMjA1MTgyOTIzWhcN -MjIwMzA3MTgyOTIzWjAZMRcwFQYDVQQDDA5UZXN0IFNpZ25lciBDQTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj9Hq2B/MWW+0BsZv1CLDIK6vUkHV5E -TZSZTy3f2OvRVFyvqnnm/vV9kT6fListmXdmJuwq3Vh4SGrECDtrtR++PNPQ9ZpF -Xsz9dzCdF8q3TfaVTI21ywSIxOnb30hqT9D+Ob0zTKJNjF5bUSxd+7VCs1J7Rmjw -Rmv1Dp7IWeOKUk2Aek6ULLEf/u6M7ve3M/zhwQNl6MUdiWjKkqyM7YhYtxCyycz6 -WU6UxhnibHprpPFyFIwrJiXo9Eu+KW2QrgcXoAPgPguChrTfykc8vaQk8Rb15vVx -GycWTMrh51jEY3qyLvbwdRj+tAVLN6FJoZeM9hHqSrY4LBBqbgtwKb8CAwEAAaNT -MFEwHQYDVR0OBBYEFJ2vFS8iN46NNzlnI73JPOXy+8ydMB8GA1UdIwQYMBaAFJ2v -FS8iN46NNzlnI73JPOXy+8ydMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL -BQADggEBAFRNfEbkBd0dKw7Ch4b9GMi4yDHFBN9d9KBe6Il92hojluBlQXTBvyKM -OPN12k7CTTHDN1RCLfHaPQl9lrZILgMLI3y5KdLYPhaaGuGwihIUObcNVetU+TGa -iMgdIsRSnF1LaYb5z56mJnnHSYA+5eq+Lnpy+jT7JhXrs0jL2JB7n36lYarpDE0Q -yby09tTHw8fJFONQ2UfUUJu52wcT8hrSygZR0msDz27/l0KmKgKtmM039hZW3Ssa -PZlVfQe3j7lZ0kPi/W9RhA+3LPDdHmjJYhTS2gtCLfeAaaXGj9sFEpMfGbF8Hgl4 -OjiEuTKPVoApKbpa6islqK3O6GR86WE= ------END CERTIFICATE----- diff --git a/debian/rules b/debian/rules index 2e7dcce..b8b0e6e 100755 --- a/debian/rules +++ b/debian/rules 
@@ -35,29 +35,6 @@ build: build-arch build-indep
 
 build-arch: debian/control
 dh_testdir
-
-# The perf-read-vdso* programs are built for different architectures,
-# without standard flags, but are not exposed to untrusted input.
- @printf '%s\n' 'blhc: ignore-line-regexp: .* -o *[^ ]*/perf-read-vdso.*'
-
-# Kernel code needs different hardening options that blhc doesn't know
-# about.
- @printf '%s\n' 'blhc: ignore-line-regexp: .* -D__KERNEL__ .*'
-
-# The tools/perf/tests/workloads/.* programs are deliberately compiled
-# without -O2, so instruct blhc to ignore those
- @printf '%s\n' 'blhc: ignore-line-regexp: .* -o .*tools/perf/tests/workloads/.*'
-
-# fixdep is not always built with the right flags but is also not packaged
- @printf '%s\n' 'blhc: ignore-line-regexp: .* -o .*/tools/.*/fixdep.*'
-
-# We need to use terse builds in CI due to the log size limit. This
-# mostly affects the output for builds of kernel code, which need
-# different options for hardening anyway.
-ifneq ($(filter terse,$(DEB_BUILD_OPTIONS)),)
- @printf '%s\n' 'blhc: ignore-line-regexp: \s*(CC(LD)?|LD|LINK)\b.*'
-endif
-
 $(MAKE) -f debian/rules.gen build-arch_$(DEB_HOST_ARCH)
 
 build-indep: debian/control
diff --git a/debian/rules.real b/debian/rules.real
index 892380f..0890ffd 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -41,7 +41,7 @@ setup_env := env -u ABINAME -u ARCH -u FEATURESET -u FLAVOUR -u VERSION -u LOCAL
 # XXX: All the tools leak flags between host and build all the time, just don't care. See #1050991.
 setup_env += -u KBUILD_HOSTCFLAGS -u HOSTCFLAGS -u KBUILD_HOSTLDFLAGS
 setup_env += DISTRIBUTION_OFFICIAL_BUILD=1 DISTRIBUTOR="$(DEB_VENDOR)" DISTRIBUTION_VERSION="$(SOURCEVERSION)" KBUILD_BUILD_TIMESTAMP="@$(SOURCE_DATE_EPOCH)" KBUILD_BUILD_VERSION_TIMESTAMP="$(DEB_VENDOR) $(SOURCEVERSION) ($(SOURCE_DATE_UTC_ISO))" KBUILD_BUILD_USER="$(word 1,$(subst @, ,$(MAINTAINER)))" KBUILD_BUILD_HOST="$(word 2,$(subst @, ,$(MAINTAINER)))"
-setup_env += KBUILD_VERBOSE=$(if $(filter terse,$(DEB_BUILD_OPTIONS)),0,1)
+setup_env += KBUILD_VERBOSE=1
 
 MAKE_CLEAN = $(setup_env) $(MAKE) KCFLAGS=-fdebug-prefix-map=$(CURDIR)/= KAFLAGS=-fdebug-prefix-map=$(CURDIR)/=
 MAKE_SELF := $(MAKE) -f debian/rules.real $(MAKEOVERRIDES)
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
deleted file mode 100644
index b9e49e8..0000000
--- a/debian/salsa-ci.yml
+++ /dev/null
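Review bot: Hard-coding `KBUILD_VERBOSE=1` on the added line drops handling of the `terse` value of `DEB_BUILD_OPTIONS`, which Debian Policy defines for every package and not only for the Salsa CI pipeline this commit deletes, so a user building with `DEB_BUILD_OPTIONS=terse` now silently gets full verbosity. If the intent is to always keep the full compiler and linker command lines in the build log so that hardening-flag checks such as blhc can inspect them, that is a reasonable choice, but it deserves a comment on the line, e.g. `# Always verbose: build-log hardening checks need the full command lines; 'terse' is deliberately not honoured here.` Note also that the blhc `ignore-line-regexp` markers removed from debian/rules in the previous hunk covered perf-read-vdso, `-D__KERNEL__`, the perf test workloads and fixdep; if blhc is still run on these logs anywhere, those lines will presumably be reported again, so confirm that is intended. The setup_env definition begins before this hunk.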
@@ -1,353 +0,0 @@ -include: - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -variables: - RELEASE: 'unstable' - # Make that build quicker - DEB_BUILD_PROFILES: pkg.linux.quick - # We have to bump the version in source preparation, not later - SALSA_CI_DISABLE_VERSION_BUMP: 'true' - # Currently broken in quick build - DEBIAN_KERNEL_DISABLE_INSTALLER: 'true' - # Output is limited to 4 MiB total, so use 'terse'. - # Current runners have 2 CPUs but have slow I/O so 'parallel=4' is - # a bit faster. - DEB_BUILD_OPTIONS: 'terse parallel=4' - DEBIAN_KERNEL_DISABLE_BUILD_PACKAGE_ARM64: 0 - -# Add stages for signed packages -stages: - - provisioning - - build - - publish - - sign-code - - build-signed - - test - -# The common Salsa CI pipeline relies on keeping the unpacked source -# as an artifact, but in our case this is far too large for the -# current limits on Salsa (salsa-ci-team/pipeline#195). So we -# redefine the source extraction and build steps to use packed source. - -# Our modified extract-source and build jobs - -extract-source: - stage: provisioning - image: $SALSA_CI_IMAGES_BASE - cache: - key: "orig-${RELEASE}" - paths: - - orig - extends: - - .artifacts-default-expire - rules: - - if: $CI_COMMIT_TAG != null - when: never - - when: always - script: - # Move orig tarball cache - - | - if [ -d orig ]; then - mv orig/* .. 
- rmdir orig - fi - - # Install dependencies of gencontrol.py and debian/rules orig - # plus origtargz - - apt-get update - - | - eatmydata apt-get install --no-install-recommends -y \ - debhelper \ - devscripts \ - git \ - kernel-wedge \ - python3 \ - python3-dacite \ - python3-debian \ - python3-jinja2 \ - quilt \ - rsync - - - version=$(dpkg-parsechangelog -SVersion) - - upstream_version=$(echo $version | sed 's/-[^-]*$//') - - # Merge upstream source - - USCAN_VCS_EXPORT_UNCOMPRESSED=yes origtargz -dt - - debian/rules orig - - # Fudge source version and distribution *before* gencontrol.py - - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog - - version=${version}+salsaci - - # Run gencontrol.py - # - create temporary log - - log="$(mktemp)" - # - invoke debian/control-real rule and log output - - | - rc=0; debian/rules debian/control-real >"$log" 2>&1 || rc=$? - - cat "$log" - # - check for success message and error code - - test $rc = 2 - - grep -q 'been generated SUCCESSFULLY' "$log" - - # Put packed source in artifacts - - dpkg-buildpackage -uc -us -S -sa -d - - mkdir -p ${WORKING_DIR} - - cp ../linux_${upstream_version}.orig.tar.xz ${WORKING_DIR} - - mv ../linux_${version}.dsc ../linux_${version}.debian.tar.xz ${WORKING_DIR} - - # Move orig tarballs back to where GitLab wants them - - mkdir orig - - mv ../*.orig.tar.* orig - -build: - stage: build - timeout: 3 hours - image: $SALSA_CI_IMAGES_BASE - cache: - key: "build-${BUILD_ARCH}_${HOST_ARCH}" - paths: - - .ccache - extends: - - .artifacts-default-expire - rules: - - if: $CI_COMMIT_TAG != null - when: never - - when: always - variables: - CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache - CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache - DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS} - DB_BUILD_TYPE: full - artifacts: - exclude: - - ${WORKING_DIR}/${SOURCE_DIR}/**/* - script: - # Unpack the source - - | - apt-get update && eatmydata apt-get install --no-install-recommends -y \ - dpkg-dev - - 
dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR} - - # Do the same as the common .build-definition script - - !reference [.build-before-script] - - !reference [.build-script] - - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR} - dependencies: - - extract-source - -build-arm64: - extends: build - image: $SALSA_CI_IMAGES_BASE_ARM64 - variables: - BUILD_ARCH: 'arm64' - tags: - - arm64 - rules: - - if: $DEBIAN_KERNEL_DISABLE_BUILD_PACKAGE_ARM64 =~ /^(1|yes|true)$/ - when: never - # Make it possible to override the rules below. E.g. when a project fork - # has an ARM64 runner available. - - if: $DEBIAN_KERNEL_ENABLE_BUILD_PACKAGE_ARM64 =~ /^(1|yes|true)$/ - when: always - # While there isn't an ARM shared runner avilable, let's run this job - # manually in forks of the kernel-team/linux project, and in branches other - # than the default branch, and allow it to fail in that case - - if: $CI_PROJECT_NAMESPACE != "kernel-team" - allow_failure: true - when: manual - - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH - allow_failure: true - when: manual - - when: always - -# The folllowing jobs are the standard tests, excluding any that -# require building again - -lintian: - extends: .test-lintian - script: - - lintian --suppress-tags "${SALSA_CI_LINTIAN_SUPPRESS_TAGS}" --display-info --pedantic --fail-on error --allow-root ${SALSA_CI_LINTIAN_SHOW_OVERRIDES_ARG} ${SALSA_CI_LINTIAN_ARGS} ${WORKING_DIR}/*.changes | tee lintian.output || ECODE=$? 
- - lintian2junit.py --lintian-file lintian.output > ${WORKING_DIR}/lintian.xml - - exit ${ECODE-0} - needs: - - job: build - artifacts: true - - job: build-signed - artifacts: true - -autopkgtest: - extends: .test-autopkgtest - -blhc: - extends: .test-blhc - -piuparts: - extends: .test-piuparts - needs: - - job: build - artifacts: true - - job: build-signed - artifacts: true - -missing-breaks: - extends: .test-missing-breaks - -rc-bugs: - extends: .test-rc-bugs - -# Python static checkers - -python-static: - stage: test - image: $SALSA_CI_IMAGES_BASE - rules: - - if: $CI_COMMIT_TAG != null - when: never - - when: always - script: - - | - apt-get update && eatmydata apt-get install --no-install-recommends -y \ - flake8 python3 python3-dacite python3-jinja2 python3-pytest - - # Check Python modules under debian/lib and Python scripts under - # debian/bin or debian/rules.d. - - sources="$(mktemp)" - - find debian/lib/python -name '*.py' > "$sources" - - | - find debian/bin debian/rules.d -type f -perm /111 | - while read script; do - if awk '/^#!.*python/ { exit 0 } { exit 1 }' "$script"; then - echo "$script" - fi - done \ - >> "$sources" - - # Run both checkers and coalesce their results rather than exiting - # on first failure - - pass=true - - xargs flake8 --max-line-length=100 < "$sources" || pass=false - - py.test debian/lib/python || pass=false - - $pass - needs: [] - -# kconfig static check - -kconfig-static: - stage: test - image: $SALSA_CI_IMAGES_BASE - rules: - - if: $CI_COMMIT_TAG != null - when: never - - when: always - script: - # Unpack source and apply featureset patches - - | - apt-get update && eatmydata apt-get install --no-install-recommends -y \ - debhelper dpkg-dev git python3 python3-dacite quilt - - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR} - - cd ${WORKING_DIR}/${SOURCE_DIR} - - debian/rules source - - # Fetch kernel-team repository - - kernel_team_dir="$(mktemp -d)" - - | - git clone --depth=1 
https://salsa.debian.org/kernel-team/kernel-team.git \ - "$kernel_team_dir" - - # Run process.py and treat any error output as a failure - - error_log="$(mktemp)" - - | - "$kernel_team_dir"/utils/kconfigeditor2/process.py . 2>"$error_log" \ - || true - - | - if [ -s "$error_log" ]; then cat "$error_log"; false; fi - needs: - - job: extract-source - artifacts: true - -# Sign code with the test key and certificate, build and test that - -sign-code: - stage: sign-code - image: $SALSA_CI_IMAGES_BASE - extends: - - .artifacts-default-expire - rules: - - if: $CI_COMMIT_TAG != null - when: never - - when: always - script: - - | - apt-get update && eatmydata apt-get install --no-install-recommends -y \ - dpkg-dev git openssl python3 python3-debian sbsigntool - - # Fetch kernel-team repository - - kernel_team_dir="$(mktemp -d)" - - | - git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \ - "$kernel_team_dir" - - # Sign the code and build a source package - - | - "$kernel_team_dir"/scripts/debian-test-sign \ - ${WORKING_DIR}/linux_*_${BUILD_ARCH}.changes \ - debian/certs/ci-test-sign/ci-test-sign-key.pem \ - debian/certs/ci-test-sign/ci-test-sign.pem - artifacts: - paths: - - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_* - needs: - - job: build - artifacts: true - -build-signed: - stage: build-signed - image: $SALSA_CI_IMAGES_BASE - extends: - - .artifacts-default-expire - rules: - - if: $CI_COMMIT_TAG != null - when: never - - when: always - variables: - SALSA_CI_DPKG_BUILDPACKAGE_ARGS: '' - CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache - CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache - DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS} - DB_BUILD_TYPE: full - script: - # Unpack the source - - | - apt-get update && eatmydata apt-get install --no-install-recommends -y \ - dpkg-dev - - | - dpkg-source -x ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*.dsc \ - ${WORKING_DIR}/${SOURCE_DIR} - - # Install build-dependencies produced by build job - - | - apt-get install 
--no-install-recommends -y \ - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb - - # Do the same as the common .build-definition script - - !reference [.build-before-script] - - !reference [.build-script] - - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR} - artifacts: - # This should include the linux-signed source package, its binary - # packages, and (for piuparts) the versioned dependencies produced - # by the build job - paths: - - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_* - - ${WORKING_DIR}/linux-headers-*_${BUILD_ARCH}.deb - - ${WORKING_DIR}/linux-headers-*-common_*_all.deb - - ${WORKING_DIR}/linux-image-*_${BUILD_ARCH}.deb - - ${WORKING_DIR}/linux-kbuild-*_${BUILD_ARCH}.deb - exclude: - - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb - needs: - - job: build - artifacts: true - - job: sign-code - artifacts: true