1
0

drop signing

This commit is contained in:
Konstantin Demin 2024-10-29 05:12:06 +03:00
parent 3a08f39a8b
commit f63f36de4f
35 changed files with 8 additions and 377 deletions

1
debian/.gitignore vendored
View File

@ -10,7 +10,6 @@
!/lib/
!/patches*/
!/rules.d/
!/signing_templates/
!/source/
!/templates/
!/upstream/

27
debian/README.source vendored
View File

@ -267,30 +267,3 @@ linux-source-<version> binary package. Currently kernel builds use
debian/build/build_<arch>_<featureset>_<flavour>, userland code uses
debian/build/build-tools/<source-dir> and documentation uses
debian/build/build-doc.
Code signing
============
The kernel image and modules may be signed after building, to support
a Secure Boot or Trusted Boot policy. In Debian, this is performed by
a "code signing service" that is separate from the normal package
build process.
The initial package build generates binary packages named
linux-image-<arch>-signed-template, that contain a source package
template and metadata about the files to be signed. The code signing
service will download this and the linux-image packages to be signed.
It will add detached signatures to the source package, then upload it
(without ever running debian/rules).
The source package template is generated by
debian/bin/gencontrol_signed.py and debian/rules.real with files from
debian/signing_templates and debian/templates. To test changes to
these:
1. Build the linux source package.
2. Generate the signed source package by running the script
"debian-test-sign" from the kernel-team.git repository. It is
also possible to set up a development configuration of the
official code signing service, but this is more complicated.
3. Build the signed source package.

View File

@ -33,10 +33,7 @@ locale.setlocale(locale.LC_CTYPE, "C.UTF-8")
class Gencontrol(Base):
disable_signed: bool
env_flags = [
('DEBIAN_KERNEL_DISABLE_SIGNED', 'disable_signed', 'signed code'),
]
def __init__(
@ -187,34 +184,6 @@ class Gencontrol(Base):
) -> None:
arch = config.name
if not self.disable_signed:
build_signed = config.build.enable_signed
else:
build_signed = False
if build_signed:
# Make sure variables remain
vars['signedtemplate_binaryversion'] = '@signedtemplate_binaryversion@'
vars['signedtemplate_sourceversion'] = '@signedtemplate_sourceversion@'
self.bundle.add('signed-template', (arch,), makeflags, vars, arch=arch)
bundle_signed = self.bundles[f'signed-{arch}'] = \
PackagesBundle(f'signed-{arch}', 'signed.source.control', vars, self.templates)
with bundle_signed.open('source/lintian-overrides', 'w') as f:
f.write(self.substitute(
self.templates.get('signed.source.lintian-overrides'), vars))
with bundle_signed.open('changelog.head', 'w') as f:
dist = self.changelog[0].distribution
urgency = self.changelog[0].urgency
f.write(f'''\
linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={urgency}
* Sign kernel from {self.changelog[0].source} @signedtemplate_binaryversion@
''')
if config.packages.source and list(config.featuresets):
self.bundle.add('config', (arch, ), makeflags, vars)
@ -329,30 +298,10 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
packages_own = []
if not self.disable_signed:
build_signed = config.build.enable_signed
else:
build_signed = False
if build_signed:
bundle_signed = self.bundles[f'signed-{arch}']
else:
bundle_signed = self.bundle
vars.setdefault('desc', '')
if build_signed:
packages_image_unsigned = (
self.bundle.add('image-unsigned', ruleid, makeflags, vars, arch=arch)
)
packages_image = packages_image_unsigned[:]
packages_image.extend(
bundle_signed.add('signed.image', ruleid, makeflags, vars, arch=arch)
)
else:
packages_image = packages_image_unsigned = (
bundle_signed.add('image', ruleid, makeflags, vars, arch=arch)
packages_image = (
self.bundle.add('image', ruleid, makeflags, vars, arch=arch)
)
for field in ('Depends', 'Provides', 'Suggests', 'Recommends',
@ -387,19 +336,13 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
packages_own.extend(packages_image)
packages_own.extend(packages_headers)
# The image meta-packages will depend on signed linux-image
# packages where applicable, so should be built from the
# signed source packages The header meta-packages will also be
# built along with the signed packages, to create a dependency
# relationship that ensures src:linux and src:linux-signed-*
# transition to testing together.
if do_meta:
packages_meta = (
bundle_signed.add('image.meta', ruleid, makeflags, vars, arch=arch)
self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch)
)
assert len(packages_meta) == 1
packages_meta += (
bundle_signed.add(build_signed and 'signed.headers.meta' or 'headers.meta',
self.bundle.add('headers.meta',
ruleid, makeflags, vars, arch=arch)
)
assert len(packages_meta) == 2
@ -503,31 +446,6 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
def write(self) -> None:
super().write()
self.write_signed()
def write_signed(self) -> None:
for bundle in self.bundles.values():
pkg_sign_entries = {}
for p in bundle.packages.values():
if not isinstance(p, BinaryPackage):
continue
if pkg_sign_pkg := p.meta_sign_package:
pkg_sign_entries[pkg_sign_pkg] = {
'trusted_certs': [],
'files': [
{
'sig_type': e.split(':', 1)[-1],
'file': e.split(':', 1)[0],
}
for e in p.meta_sign_files
],
}
if pkg_sign_entries:
with bundle.path('files.json').open('w') as f:
json.dump({'packages': pkg_sign_entries}, f, indent=2)
if __name__ == '__main__':

View File

@ -20,7 +20,6 @@ hardware_long = 'cloud platforms including Amazon EC2, Microsoft Azure, and Goog
name = 'none'
[build]
enable_signed = true
enable_vdso = true
kernel_file = 'arch/x86/boot/bzImage'
kernel_stem = 'vmlinuz'

View File

@ -27,7 +27,6 @@ name = 'none'
[build]
compiler_gnutype_compat = 'arm-linux-gnueabihf'
enable_signed = true
enable_vdso = true
kernel_file = 'arch/arm64/boot/Image'
kernel_stem = 'vmlinuz'

View File

@ -37,7 +37,6 @@ class ConfigBuild:
compiler_gnutype_compat: Optional[str] = None
config: list[Path] = dataclasses.field(default_factory=list)
config_default: list[Path] = dataclasses.field(default_factory=list, repr=False)
enable_signed: Optional[bool] = None
enable_vdso: Optional[bool] = None
kernel_file: Optional[str] = None
kernel_stem: Optional[str] = None

View File

@ -686,14 +686,3 @@ class BinaryPackage(_BasePackage):
default=None,
deb822_dump=None,
)
meta_sign_package: Optional[str] = field_deb822(
'Meta-Sign-Package',
default=None,
deb822_dump=None,
)
meta_sign_files: list[str] = field_deb822(
'Meta-Sign-Files',
default_factory=list,
deb822_load=lambda v: v.split(),
deb822_dump=None,
)

30
debian/rules.real vendored
View File

@ -481,36 +481,6 @@ endif
ln -s ../../../boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vmlinux
$(dh_binary_post)
build_signed-template:
binary_signed-template: GEN_DIR = debian/generated.signed-$(ARCH)
binary_signed-template: CODE_SIGNING_DIR = $(DESTDIR)/usr/share/code-signing/$(PACKAGE_NAME)
binary_signed-template: DEBIAN_DIR = $(CODE_SIGNING_DIR)/source-template/debian
binary_signed-template: VERSION_TEMPLATE = $(shell echo $(DEB_VERSION) | sed -Ee 's/\+b(\d+)$$/.b\1/' -e 's/-/+/g')
binary_signed-template:
$(dh_binary_pre)
rm -rf $(CODE_SIGNING_DIR)
mkdir -p $(DEBIAN_DIR)/source
for i in $$(find $(GEN_DIR) -type f -printf '%P\n'); do \
sed -E \
-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
$(GEN_DIR)/$$i > $(DEBIAN_DIR)/$$i; \
done
for i in $$(find debian/signing_templates -type f -printf '%P\n'); do \
sed -E \
-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
debian/signing_templates/$$i > $(DEBIAN_DIR)/$$i; \
done
mv $(DEBIAN_DIR)/changelog.head $(DEBIAN_DIR)/changelog
tail +2 debian/changelog >> $(DEBIAN_DIR)/changelog
mv $(DEBIAN_DIR)/files.json $(CODE_SIGNING_DIR)/
chmod 755 $(DEBIAN_DIR)/rules
cp -R debian/copyright \
$(CODE_SIGNING_DIR)/source-template/debian/
$(dh_binary_post)
build_source:
binary_source: BUILDDEB_ARGS = -Zxz -z0

View File

@ -1,4 +0,0 @@
This source package is generated by the Debian signing service from a
template built by the linux package. It should never be updated directly.
-- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Apr 2018 10:23:29 +0100

View File

@ -1,24 +0,0 @@
#!/usr/bin/make -f
include /usr/share/dpkg/architecture.mk
SHELL := sh -e
include debian/rules.defs
build: build-arch build-indep
build-arch:
build-indep:
clean:
dh_testdir
rm -rf $(BUILD_DIR) $(STAMPS_DIR)
dh_clean
binary: binary-arch binary-indep
binary-arch: debian/control
dh_testdir
$(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH)
binary-indep:
.PHONY: build build-arch build-indep clean binary binary-arch binary-indep

View File

@ -1,2 +0,0 @@
BUILD_DIR = debian/build
STAMPS_DIR = debian/stamps

View File

@ -1,108 +0,0 @@
include /usr/share/dpkg/default.mk
SHELL := bash -e
include debian/rules.defs
export DH_OPTIONS
export DEB_RULES_REQUIRES_ROOT ?= no
GENCONTROL_ARGS := -v@signedtemplate_binaryversion@
BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0)
stamp = [ -d $(dir $@) ] || mkdir $(dir $@); touch $@
define dh_binary_pre
dh_testroot
dh_prep
dh_installdirs
endef
define dh_binary_post
dh_install $(DH_INSTALL_ARGS)
# Workaround #1068189. By Debian policy and aligned debhelper behaviour /usr/share/doc/package
# is permitted to be a symbolic link to another directory in /usr/share/doc only if the two
# packages come from the same source package. The package build will fail with the new debhelper
# version since debhelper/13.15. As the linux-signed-* packages are quite special in the eco-
# system, make the workaround to fallback to the old behaviour until it is agreed on how to
# resolve the situation policy conformant.
# https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information
$(if $(INSTALLDOCS_LINK_DOC),
mkdir -p debian/$(PACKAGE_NAME)/usr/share/doc && ln -sf $(INSTALLDOCS_LINK_DOC) debian/$(PACKAGE_NAME)/usr/share/doc/$(PACKAGE_NAME),
dh_installdocs)
dh_installchangelogs
dh_installexamples
dh_installman
dh_installudev
dh_bugfiles
dh_ucf
dh_lintian
dh_icons
dh_link
dh_compress
dh_fixperms
dh_missing
dh_strip $(DH_STRIP_ARGS) -Xvmlinux -Xvmlinuz
dh_makeshlibs -Xvmlinux -Xvmlinuz
dh_shlibdeps $(DH_SHLIBDEPS_ARGS)
dh_installdeb
if command -v dh_movetousr >/dev/null; then dh_movetousr; fi
dh_gencontrol -- $(GENCONTROL_ARGS)
dh_md5sums
dh_builddeb -- $(BUILDDEB_ARGS)
endef
build-indep:
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): REAL_VERSION = $(ABINAME)$(LOCALVERSION)
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): INSTALL_DIR=$(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
mkdir -p $(INSTALL_DIR)/boot
rsync -a $(patsubst %,/boot/%-$(REAL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
$(INSTALL_DIR)/boot/
sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(REAL_VERSION).sig \
$(INSTALL_DIR)/boot/vmlinuz-$(REAL_VERSION)
mkdir -p $(INSTALL_DIR)/lib/modules/$(REAL_VERSION)
rsync -a $(addprefix /lib/modules/$(REAL_VERSION)/,kernel modules.builtin modules.builtin.modinfo modules.order) \
$(INSTALL_DIR)/lib/modules/$(REAL_VERSION)/
# Copy any device tree files
if [ -d /usr/lib/linux-image-$(REAL_VERSION) ]; then \
mkdir -p $(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION); \
rsync -a /usr/lib/linux-image-$(REAL_VERSION)/ \
$(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION)/; \
fi
$(stamp)
build_image:
binary_image: DH_OPTIONS = -p$(PACKAGE_NAME)
binary_image: DH_STRIP_ARGS = --no-automatic-dbgsym
binary_image: REAL_VERSION = $(ABINAME)$(LOCALVERSION)
binary_image: IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
binary_image: DIR2 = $(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME)
binary_image: $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
binary_image:
$(dh_binary_pre)
dh_install --sourcedir=$(DIR2) boot
dh_install --sourcedir=$(DIR2) lib
if [ -d $(DIR2)/usr ]; then dh_install --sourcedir=$(DIR2) usr; fi
# Copy bug scripts but change the info file to refer to the right package
mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \
$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/
sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \
-e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \
$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info
$(dh_binary_post)
build_meta:
binary_meta:
$(dh_binary_pre)
$(dh_binary_post)
.PHONY: build_% binary_%

View File

@ -1 +0,0 @@
3.0 (native)

View File

@ -6,8 +6,7 @@ Multi-Arch: same
Depends: ${misc:Depends}
Recommends: @source_basename@-source-@version@
Description: Debian kernel configurations for Linux @version@
This package contains the configuration files used to build the
official Debian kernel files, but without references to Debian's
signing certificates.
This package contains the configuration files used to build kernel
files.
.
These can be used as a basis for configuring custom kernels.

View File

@ -3,7 +3,7 @@ Meta-Rules-Target: headers
Build-Profiles: <!pkg.linux.nokernel>
Depends:
linux-headers-@abiname@-common@localversion_headers@ (= ${source:Version}),
linux-image-@abiname@@localversion@ (= ${binary:Version}) | linux-image-@abiname@@localversion@-unsigned (= ${binary:Version}),
linux-image-@abiname@@localversion@ (= ${binary:Version}),
linux-kbuild-@abiname@,
${misc:Depends}
Description: Header files for Linux @abiname@@localversion@

View File

@ -1 +0,0 @@
image.NEWS.j2

View File

@ -1,11 +0,0 @@
Package: linux-image-@abiname@@localversion@-unsigned
Meta-Rules-Target: image
Build-Profiles: <!pkg.linux.nokernel>
Build-Depends:
kmod,
Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
Conflicts: linux-image-@abiname@@localversion@
Replaces: linux-image-@abiname@@localversion@
Description: Linux @upstreamversion@ for @class@
The Linux kernel @upstreamversion@ and modules for use on @longclass@.

View File

@ -1 +0,0 @@
image.lintian-overrides.j2

View File

@ -1 +0,0 @@
image.postinst.in

View File

@ -1 +0,0 @@
image.postrm.in

View File

@ -1 +0,0 @@
image.preinst.in

View File

@ -1 +0,0 @@
image.prerm.in

View File

@ -1,7 +0,0 @@
Package: linux-image@source_suffix@-@arch@-signed-template
Meta-Rules-Target: signed-template
Build-Profiles: <!pkg.linux.nokernel>
Depends: dpkg-dev, python3:any, ${misc:Depends}
Description: Template for signed linux-image packages for @arch@
This package is used to control code signing by the Debian signing
service.

View File

@ -1 +0,0 @@
linux-image@source_suffix@-@arch@-signed-template: script-not-executable

View File

@ -1 +0,0 @@
headers.meta.control.in

View File

@ -1,3 +0,0 @@
# linux-signed-* source packages are generated by the linux source
# package, so it is OK for their binaries to share documentation
@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@

View File

@ -1 +0,0 @@
headers.meta.maintscript.in

View File

@ -1 +0,0 @@
image.NEWS.j2

View File

@ -1,19 +0,0 @@
Package: linux-image-@abiname@@localversion@
Meta-Rules-Target: image
Meta-Sign-Package: linux-image-@abiname@@localversion@-unsigned
Meta-Sign-Files: boot/@image-stem@-@abiname@@localversion@:efi
Build-Profiles: <!pkg.linux.nokernel>
Build-Depends:
linux-image-@abiname@@localversion@-unsigned (= @signedtemplate_binaryversion@),
kmod,
# Used by debian/signing_templates/rules.real
rsync,
Built-Using: @source_basename@@source_suffix@ (= @version_complete@)
Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
Conflicts: linux-image-@abiname@@localversion@-unsigned
Replaces: linux-image-@abiname@@localversion@-unsigned
Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
Description: Linux @upstreamversion@ for @class@ (signed)
The Linux kernel @upstreamversion@ and modules for use on @longclass@.
.
The kernel image is signed for use with Secure Boot.

View File

@ -1 +0,0 @@
image.postinst.in

View File

@ -1 +0,0 @@
image.postrm.in

View File

@ -1 +0,0 @@
image.preinst.in

View File

@ -1 +0,0 @@
image.prerm.in

View File

@ -1,14 +0,0 @@
Source: linux-signed@source_suffix@-@arch@
Section: kernel
Priority: optional
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Uploaders: Bastian Blank <waldi@debian.org>, maximilian attems <maks@debian.org>, Ben Hutchings <benh@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Standards-Version: 4.2.0
Build-Depends:
debhelper-compat (= 13),
python3:any,
sbsigntool [amd64 arm64],
Rules-Requires-Root: no
Vcs-Git: https://salsa.debian.org/kernel-team/linux.git
Vcs-Browser: https://salsa.debian.org/kernel-team/linux
Homepage: https://www.kernel.org/

View File

@ -1,7 +0,0 @@
# linux-signed-* source packages are generated by the linux source
# package, and produce binaries with the same versions, even in case
# of a binNMU of linux
linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-*
# The changelog is mostly copied from linux which is non-native
linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*