Merge "Debian: sign kernel-modules"

2022-04-01 19:37:52 +00:00
parent b940d3de6a 1808e2bb1c
commit db74d9176f
11 changed files with 128 additions and 22 deletions
--- a/kernel-modules/intel-i40e/debian/deb_folder/rules
+++ b/kernel-modules/intel-i40e/debian/deb_folder/rules
@@ -24,7 +24,7 @@
 %:
 	dh $@

-WITH_MOD_SIGN ?= 0
+WITH_MOD_SIGN ?= 1

 kheaders_name=$(shell ls /usr/src | grep linux@KERNEL_TYPE@-headers | grep amd64)
 export KSRC=/usr/src/$(kheaders_name)
@@ -42,7 +42,7 @@ _mandir=/usr/share/man

 ifeq ($(WITH_MOD_SIGN),1)
 _keydir ?= /usr/src/kernels/$(kversion)/
-privkey ?= $(_keydir)/signing_key.priv
+privkey ?= $(_keydir)/signing_key.pem
 pubkey ?= $(_keydir)/signing_key.x509
 endif

@@ -59,7 +59,7 @@ override_dh_strip:
 ifeq ($(WITH_MOD_SIGN),1)
 	@echo "Sign the modules!"
 	/usr/lib/linux@KERNEL_TYPE@-kbuild-*/scripts/sign-file sha256 $(privkey) $(pubkey) \
-		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/*.ko
+		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/$(kmod_name).ko
 endif

 override_dh_auto_build:
--- a/kernel-modules/intel-iavf/debian/deb_folder/rules
+++ b/kernel-modules/intel-iavf/debian/deb_folder/rules
@@ -24,7 +24,7 @@
 %:
 	dh $@

-WITH_MOD_SIGN ?= 0
+WITH_MOD_SIGN ?= 1

 kheaders_name=$(shell ls /usr/src | grep linux@KERNEL_TYPE@-headers | grep amd64)
 export KSRC=/usr/src/$(kheaders_name)
@@ -42,7 +42,7 @@ _mandir=/usr/share/man

 ifeq ($(WITH_MOD_SIGN),1)
 _keydir ?= /usr/src/kernels/$(kversion)/
-privkey ?= $(_keydir)/signing_key.priv
+privkey ?= $(_keydir)/signing_key.pem
 pubkey ?= $(_keydir)/signing_key.x509
 endif

@@ -59,7 +59,7 @@ override_dh_strip:
 ifeq ($(WITH_MOD_SIGN),1)
 	@echo "Sign the modules!"
 	/usr/lib/linux@KERNEL_TYPE@-kbuild-*/scripts/sign-file sha256 $(privkey) $(pubkey) \
-		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/*.ko
+		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/$(kmod_name).ko
 endif

 override_dh_auto_build:
--- a/kernel-modules/intel-ice/debian/deb_folder/rules
+++ b/kernel-modules/intel-ice/debian/deb_folder/rules
@@ -24,7 +24,7 @@
 %:
 	dh $@

-WITH_MOD_SIGN ?= 0
+WITH_MOD_SIGN ?= 1

 kheaders_name=$(shell ls /usr/src | grep linux@KERNEL_TYPE@-headers | grep amd64)
 export KSRC=/usr/src/$(kheaders_name)
@@ -39,7 +39,7 @@ _mandir=/usr/share/man

 ifeq ($(WITH_MOD_SIGN),1)
 _keydir ?= /usr/src/kernels/$(kversion)/
-privkey ?= $(_keydir)/signing_key.priv
+privkey ?= $(_keydir)/signing_key.pem
 pubkey ?= $(_keydir)/signing_key.x509
 endif

@@ -61,7 +61,10 @@ override_dh_strip:
 ifeq ($(WITH_MOD_SIGN),1)
 	@echo "Sign the modules!"
 	/usr/lib/linux@KERNEL_TYPE@-kbuild-*/scripts/sign-file sha256 $(privkey) $(pubkey) \
-		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/*.ko
+		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/$(kmod_name).ko
+
+	/usr/lib/linux@KERNEL_TYPE@-kbuild-*/scripts/sign-file sha256 $(privkey) $(pubkey) \
+		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/auxiliary.ko
 endif

 override_dh_auto_build:
--- a/kernel-modules/intel-igb_uio/debian/deb_folder/rules
+++ b/kernel-modules/intel-igb_uio/debian/deb_folder/rules
@@ -24,7 +24,7 @@
 %:
 	dh $@

-WITH_MOD_SIGN ?= 0
+WITH_MOD_SIGN ?= 1

 kheaders_name=$(shell ls /usr/src | grep linux@KERNEL_TYPE@-headers | grep amd64)
 export KSRC=/usr/src/$(kheaders_name)
@@ -39,7 +39,7 @@ _defaultdocdir=/usr/share/doc/

 ifeq ($(WITH_MOD_SIGN),1)
 _keydir ?= /usr/src/kernels/$(kversion)/
-privkey ?= $(_keydir)/signing_key.priv
+privkey ?= $(_keydir)/signing_key.pem
 pubkey ?= $(_keydir)/signing_key.x509
 endif

@@ -55,7 +55,7 @@ override_dh_strip:
 ifeq ($(WITH_MOD_SIGN),1)
 	@echo "Sign the modules!"
 	/usr/lib/linux@KERNEL_TYPE@-kbuild-*/scripts/sign-file sha256 $(privkey) $(pubkey) \
-		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/*.ko
+		./debian/$(pkg_name)/lib/modules/$(kversion)/extra/$(kmod_name)/$(kmod_name).ko
 endif

 override_dh_auto_build:
--- a/kernel-modules/intel-opae-fpga/debian/deb_folder/rules
+++ b/kernel-modules/intel-opae-fpga/debian/deb_folder/rules
@@ -24,7 +24,7 @@
 %:
 	dh $@

-WITH_MOD_SIGN ?= 0
+WITH_MOD_SIGN ?= 1

 kheaders_name=$(shell ls /usr/src | grep linux@KERNEL_TYPE@-headers | grep amd64)
 export KERNELDIR=/usr/src/$(kheaders_name)
@@ -39,7 +39,7 @@ _defaultdocdir=/usr/share/doc

 ifeq ($(WITH_MOD_SIGN),1)
 _keydir ?= /usr/src/kernels/$(kversion)/
-privkey ?= $(_keydir)/signing_key.priv
+privkey ?= $(_keydir)/signing_key.pem
 pubkey ?= $(_keydir)/signing_key.x509
 endif

--- a/kernel-modules/mlnx-ofa_kernel/debian/deb_patches/0001-mlnx-ofa_kernel-adapt-the-debian-folder-for-starling.patch
+++ b/kernel-modules/mlnx-ofa_kernel/debian/deb_patches/0001-mlnx-ofa_kernel-adapt-the-debian-folder-for-starling.patch
@@ -1,4 +1,4 @@
-From 01c5670a853dcadd67722c737455c623a0471813 Mon Sep 17 00:00:00 2001
+From 03f743455b29b3be08d5158ab7358dff524644aa Mon Sep 17 00:00:00 2001
 From: Li Zhou <li.zhou@windriver.com>
 Date: Sun, 26 Sep 2021 06:22:38 +0000
 Subject: [PATCH] mlnx-ofa_kernel: adapt the debian folder for starlingX
@@ -14,8 +14,8 @@ Signed-off-by: Li Zhou <li.zhou@windriver.com>
 ---
 debian/control         | 21 ++++++---------------
 debian/extra/mlnx.conf | 19 +++++++++++++++++++
- debian/rules           | 20 +++++++++++++++++---
- 3 files changed, 42 insertions(+), 18 deletions(-)
+ debian/rules           | 22 ++++++++++++++++++----
+ 3 files changed, 43 insertions(+), 19 deletions(-)
 create mode 100644 debian/extra/mlnx.conf

 diff --git a/debian/control b/debian/control
@@ -81,7 +81,7 @@ index 0000000..d6ced47
 +svcrdma
 +xprtrdma
 diff --git a/debian/rules b/debian/rules
-index cd95a6b..82fddfb 100755
+index cd95a6b..3c0727c 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -15,8 +15,20 @@
@@ -89,8 +89,9 @@ index cd95a6b..82fddfb 100755
 #export DH_VERBOSE=1
 
 -WITH_DKMS ?= 1
+-WITH_MOD_SIGN ?= 0
 +WITH_DKMS ?= 0
- WITH_MOD_SIGN ?= 0
+WITH_MOD_SIGN ?= 1
 +
 +#Here kernelver should be the one this package depends on,
 +#while "uname -r" got the building machine's os release number.
@@ -99,7 +100,7 @@ index cd95a6b..82fddfb 100755
 +
 +ifeq ($(WITH_MOD_SIGN),1)
 +_keydir ?= /usr/src/kernels/$(kernelver)/
-+export MODULE_SIGN_PRIV_KEY=$(_keydir)/signing_key.priv
+export MODULE_SIGN_PRIV_KEY=$(_keydir)/signing_key.pem
 +export MODULE_SIGN_PUB_KEY=$(_keydir)/signing_key.x509
 +endif
 +
--- a/kernel-modules/qat17/debian/deb_folder/rules
+++ b/kernel-modules/qat17/debian/deb_folder/rules
@@ -24,7 +24,7 @@
 %:
 	dh $@

-WITH_MOD_SIGN ?= 0
+WITH_MOD_SIGN ?= 1

 kheaders_name=$(shell ls /usr/src | grep linux@KERNEL_TYPE@-headers | grep amd64)
 export KERNEL_SOURCE_ROOT=/usr/src/$(kheaders_name)
@@ -39,7 +39,7 @@ buildroot=./debian/$(pkg_name)/

 ifeq ($(WITH_MOD_SIGN),1)
 _keydir ?= /usr/src/kernels/$(kernel_version)/
-privkey ?= $(_keydir)/signing_key.priv
+privkey ?= $(_keydir)/signing_key.pem
 pubkey ?= $(_keydir)/signing_key.x509
 endif

--- a/kernel-rt/debian/deb_patches/0005-kernel-modules-sign-kernel-modules.patch
+++ b/kernel-rt/debian/deb_patches/0005-kernel-modules-sign-kernel-modules.patch
@@ -0,0 +1,50 @@
+From f581d6bf42a2f71f5026992bce921291f696b009 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Fri, 18 Mar 2022 16:57:42 +0800
+Subject: [PATCH] kernel-modules: sign kernel-modules
+
+Sign kernel-modules by the keys created by kernel-rt.
+Put the keys into linux-rt-kbuild-5.10 package and they will be used
+to sign the out of tree kernel modules for kernel-rt.
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ debian/config/amd64/none/config | 11 +++++++++++
+ debian/rules.real               |  2 ++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/debian/config/amd64/none/config b/debian/config/amd64/none/config
+index 7662fd5..e329ad0 100644
+--- a/debian/config/amd64/none/config
+++ b/debian/config/amd64/none/config
+@@ -6383,3 +6383,14 @@ CONFIG_RUNTIME_TESTING_MENU=y
+ # CONFIG_MEMTEST is not set
+ # end of Kernel Testing and Coverage
+ # end of Kernel hacking
+
+##
+## file: init/Kconfig
+##
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_FORCE is not set
+
+##
+## file: certs/Kconfig
+##
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+diff --git a/debian/rules.real b/debian/rules.real
+index 3304579..552fcf0 100644
+--- a/debian/rules.real
+++ b/debian/rules.real
+@@ -664,6 +664,8 @@ install-kbuild: build-kbuild
+ 	$(call make-tools,scripts) install DESTDIR=$(DIR) prefix=$(PREFIX_DIR)
+ 	$(call make-tools,tools/objtool) install DESTDIR=$(DIR) prefix=$(PREFIX_DIR)
+ 	dh_link $(PREFIX_DIR) /usr/src/$(PACKAGE_NAME)
+	dh_install $(BUILD_DIR)/*/certs/signing_key.pem /usr/src/kernels/$(ABINAME)-$(ARCH)/
+	dh_install $(BUILD_DIR)/*/certs/signing_key.x509 /usr/src/kernels/$(ABINAME)-$(ARCH)/
+ 	dh_installchangelogs
+ ifeq (,$(filter nodoc,$(DEB_BUILD_PROFILES)))
+ 	dh_installdocs
+-- 
+2.17.1
+
--- a/kernel-rt/debian/deb_patches/series
+++ b/kernel-rt/debian/deb_patches/series
@@ -2,3 +2,4 @@
 0002-kernel-rt-Add-a-new-changelog-file.patch
 0003-kernel-rt-Add-a-kernel-config-file-for-stx-debian.patch
 0004-kernel-rt-Adapt-the-debian-folder-for-new-source.patch
+0005-kernel-modules-sign-kernel-modules.patch
--- a/kernel-std/debian/deb_patches/0005-kernel-modules-sign-kernel-modules.patch
+++ b/kernel-std/debian/deb_patches/0005-kernel-modules-sign-kernel-modules.patch
@@ -0,0 +1,50 @@
+From d222b4474a1d8944b0b4d8978d8e9fe6b1ee80db Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Thu, 17 Feb 2022 10:08:13 +0800
+Subject: [PATCH] kernel-modules: sign kernel-modules
+
+Sign kernel-modules by the keys created by kernel.
+Put the keys into linux-kbuild-5.10 package and they will be used
+to sign the out of tree kernel modules.
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ debian/config/amd64/none/config | 11 +++++++++++
+ debian/rules.real               |  2 ++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/debian/config/amd64/none/config b/debian/config/amd64/none/config
+index a12e291..771a68b 100644
+--- a/debian/config/amd64/none/config
+++ b/debian/config/amd64/none/config
+@@ -6497,3 +6497,14 @@ CONFIG_RUNTIME_TESTING_MENU=y
+ # CONFIG_HYPERV_TESTING is not set
+ # end of Kernel Testing and Coverage
+ # end of Kernel hacking
+
+##
+## file: init/Kconfig
+##
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_FORCE is not set
+
+##
+## file: certs/Kconfig
+##
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+diff --git a/debian/rules.real b/debian/rules.real
+index 3304579..552fcf0 100644
+--- a/debian/rules.real
+++ b/debian/rules.real
+@@ -664,6 +664,8 @@ install-kbuild: build-kbuild
+ 	$(call make-tools,scripts) install DESTDIR=$(DIR) prefix=$(PREFIX_DIR)
+ 	$(call make-tools,tools/objtool) install DESTDIR=$(DIR) prefix=$(PREFIX_DIR)
+ 	dh_link $(PREFIX_DIR) /usr/src/$(PACKAGE_NAME)
+	dh_install $(BUILD_DIR)/*/certs/signing_key.pem /usr/src/kernels/$(ABINAME)-$(ARCH)/
+	dh_install $(BUILD_DIR)/*/certs/signing_key.x509 /usr/src/kernels/$(ABINAME)-$(ARCH)/
+ 	dh_installchangelogs
+ ifeq (,$(filter nodoc,$(DEB_BUILD_PROFILES)))
+ 	dh_installdocs
+-- 
+2.17.1
+
--- a/kernel-std/debian/deb_patches/series
+++ b/kernel-std/debian/deb_patches/series
@@ -2,3 +2,4 @@
 0002-kernel-std-Add-a-new-changelog-file-for-linux-yocto-.patch
 0003-kernel-std-Add-a-kernel-config-file-for-stx-debian.patch
 0004-kernel-std-Adapt-the-debian-folder-for-building-linu.patch
+0005-kernel-modules-sign-kernel-modules.patch