Merge "Debian: add init version for kernel-std/rt-signed"

2022-05-11 15:36:28 +00:00 · 2022-05-11 15:36:28 +00:00 · fcf11340b0
parent 17312d2394 4f3e32ce75
commit fcf11340b0
10 changed files with 282 additions and 0 deletions
--- a/kernel-signed/kernel-rt-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch
+++ b/kernel-signed/kernel-rt-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch
@ -0,0 +1,34 @@
+From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Wed, 20 Apr 2022 11:29:54 +0800
+Subject: [PATCH] linux-signed: adapt signing according to LAT
+
+STX debian project's secure boot process doesn't follow DEBIAN
+process and follows LAT (wrlinux) process. It use gpg to sign
+kernel image instead of sbsign. So replace the sbsign in rules.real
+with installing vmlinuz.sig onto rootfs. That is because DEBIAN
+secure boot use the signed kernel image while LAT secure boot
+use a separate sig file for gpg verification of kernel image.
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ debian/rules.real | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/debian/rules.real b/debian/rules.real
+index 23df05c..f6bb8ac 100644
+--- a/debian/rules.real
+++ b/debian/rules.real
+@@ -14,8 +14,7 @@ install-signed:
+ 	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
+ 		$(PACKAGE_DIR)/boot/
+ 	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+-		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+-			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+		dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
+ 	else \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
+-- 
+2.17.1
+
--- a/kernel-signed/kernel-rt-signed/debian/deb_patches/series
+++ b/kernel-signed/kernel-rt-signed/debian/deb_patches/series
@ -0,0 +1 @@
+0001-linux-signed-adapt-signing-according-to-LAT.patch
--- a/kernel-signed/kernel-rt-signed/debian/dl_hook
+++ b/kernel-signed/kernel-rt-signed/debian/dl_hook
@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# The only parameter is the name of the folder where the source code
+# is extracted to. Pay attention to that the extracted package should
+# be put at the same path where this script is located.
+# Tools needed: tar/sed
+
+mkdir "$1"
+cd "$1" || exit 1
+
+file_debian=(../../linux-rt/linux-signed-*.tar.xz)
+if [ ! -f "${file_debian}" ]
+then
+    echo "Please create signatures first (e.g. use debian-test-sign)!"
+    exit 1
+fi
+cp "${file_debian}" ./
+
+if ! tar xvf linux-signed-*.tar.xz;
+then
+    echo "Tar failed to decompress the source code for this pkg!"
+    exit 1
+fi
+
+mv ./source-template/debian ./debian
+rmdir source-template
+
+# Add extra functions in image pkg's postinst to follow LAT secure boot
+cd debian || exit 1
+cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
+kernel-rt-signed/debian/linux-rt-image.postinst.extra ./
+# Remove the end line ( "exit 0" ) in the init script
+sed -i '$d' linux-rt-image-*.postinst
+cat linux-rt-image.postinst.extra >> linux-rt-image-*.postinst
--- a/kernel-signed/kernel-rt-signed/debian/linux-rt-image.postinst.extra
+++ b/kernel-signed/kernel-rt-signed/debian/linux-rt-image.postinst.extra
@ -0,0 +1,47 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+echo "Signed kernel package: ${change}"
+
+# LAT will deal with below when install.
+if [ "${change}" = "install" ]
+then
+    exit 0
+fi
+
+# Update image/sig to the right path when upgrade.
+cmdline=$(cat /proc/cmdline)
+cmdline=${cmdline#*BOOT_IMAGE=}
+boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
+boot_image_path=${boot_image%/*}
+
+if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
+then
+    echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
+    exit 1
+fi
+
+if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
+then
+    echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
+    exit 1
+fi
+
+echo "Updated vmlinuz and vmlinuz.sig!"
+exit 0
--- a/kernel-signed/kernel-rt-signed/debian/meta_data.yaml
+++ b/kernel-signed/kernel-rt-signed/debian/meta_data.yaml
@ -0,0 +1,7 @@
+---
+debver: 5.10.99
+debname: kernel-rt-signed
+dl_hook: dl_hook
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true
--- a/kernel-signed/kernel-std-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch
+++ b/kernel-signed/kernel-std-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch
@ -0,0 +1,34 @@
+From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Wed, 20 Apr 2022 11:29:54 +0800
+Subject: [PATCH] linux-signed: adapt signing according to LAT
+
+STX debian project's secure boot process doesn't follow DEBIAN
+process and follows LAT (wrlinux) process. It use gpg to sign
+kernel image instead of sbsign. So replace the sbsign in rules.real
+with installing vmlinuz.sig onto rootfs. That is because DEBIAN
+secure boot use the signed kernel image while LAT secure boot
+use a separate sig file for gpg verification of kernel image.
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ debian/rules.real | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/debian/rules.real b/debian/rules.real
+index 23df05c..f6bb8ac 100644
+--- a/debian/rules.real
+++ b/debian/rules.real
+@@ -14,8 +14,7 @@ install-signed:
+ 	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
+ 		$(PACKAGE_DIR)/boot/
+ 	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+-		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+-			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+		dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
+ 	else \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
+-- 
+2.17.1
+
--- a/kernel-signed/kernel-std-signed/debian/deb_patches/series
+++ b/kernel-signed/kernel-std-signed/debian/deb_patches/series
@ -0,0 +1 @@
+0001-linux-signed-adapt-signing-according-to-LAT.patch
--- a/kernel-signed/kernel-std-signed/debian/dl_hook
+++ b/kernel-signed/kernel-std-signed/debian/dl_hook
@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# The only parameter is the name of the folder where the source code
+# is extracted to. Pay attention to that the extracted package should
+# be put at the same path where this script is located.
+# Tools needed: tar/sed
+
+mkdir "$1"
+cd "$1" || exit 1
+
+file_debian=(../../linux/linux-signed-*.tar.xz)
+if [ ! -f "${file_debian}" ]
+then
+    echo "Please create signatures first (e.g. use debian-test-sign)!"
+    exit 1
+fi
+cp "${file_debian}" ./
+
+if ! tar xvf linux-signed-*.tar.xz;
+then
+    echo "Tar failed to decompress the source code for this pkg!"
+    exit 1
+fi
+
+mv ./source-template/debian ./debian
+rmdir source-template
+
+# Add extra functions in image pkg's postinst to follow LAT secure boot
+cd debian || exit 1
+cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
+kernel-std-signed/debian/linux-image.postinst.extra ./
+# Remove the end line ( "exit 0" ) in the init script
+sed -i '$d' linux-image-*.postinst
+cat linux-image.postinst.extra >> linux-image-*.postinst
--- a/kernel-signed/kernel-std-signed/debian/linux-image.postinst.extra
+++ b/kernel-signed/kernel-std-signed/debian/linux-image.postinst.extra
@ -0,0 +1,47 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+echo "Signed kernel package: ${change}"
+
+# LAT will deal with below when install.
+if [ "${change}" = "install" ]
+then
+    exit 0
+fi
+
+# Update image/sig to the right path when upgrade.
+cmdline=$(cat /proc/cmdline)
+cmdline=${cmdline#*BOOT_IMAGE=}
+boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
+boot_image_path=${boot_image%/*}
+
+if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
+then
+    echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
+    exit 1
+fi
+
+if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
+then
+    echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
+    exit 1
+fi
+
+echo "Updated vmlinuz and vmlinuz.sig!"
+exit 0
--- a/kernel-signed/kernel-std-signed/debian/meta_data.yaml
+++ b/kernel-signed/kernel-std-signed/debian/meta_data.yaml
@ -0,0 +1,7 @@
+---
+debver: 5.10.99
+debname: kernel-std-signed
+dl_hook: dl_hook
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true
				`@ -0,0 +1 @@`
				`0001-linux-signed-adapt-signing-according-to-LAT.patch`