Merge "Debian: add init version for kernel-std/rt-signed"
commit
fcf11340b0
|
@ -0,0 +1,34 @@
|
|||
From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
|
||||
From: Li Zhou <li.zhou@windriver.com>
|
||||
Date: Wed, 20 Apr 2022 11:29:54 +0800
|
||||
Subject: [PATCH] linux-signed: adapt signing according to LAT
|
||||
|
||||
STX debian project's secure boot process doesn't follow DEBIAN
|
||||
process and follows LAT (wrlinux) process. It use gpg to sign
|
||||
kernel image instead of sbsign. So replace the sbsign in rules.real
|
||||
with installing vmlinuz.sig onto rootfs. That is because DEBIAN
|
||||
secure boot use the signed kernel image while LAT secure boot
|
||||
use a separate sig file for gpg verification of kernel image.
|
||||
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
debian/rules.real | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/debian/rules.real b/debian/rules.real
|
||||
index 23df05c..f6bb8ac 100644
|
||||
--- a/debian/rules.real
|
||||
+++ b/debian/rules.real
|
||||
@@ -14,8 +14,7 @@ install-signed:
|
||||
rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
|
||||
$(PACKAGE_DIR)/boot/
|
||||
if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
|
||||
- sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
|
||||
- $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
|
||||
+ dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
|
||||
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
|
||||
else \
|
||||
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
|
||||
--
|
||||
2.17.1
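Review bot: In the `install-signed` hunk the new `dh_install` line names no package, so which binary package receives `vmlinuz-$(KERNEL_VERSION).sig` depends on debhelper's default selection unless `DH_OPTIONS` is set elsewhere in rules.real (not visible here); `dh_install -p$(PACKAGE_NAME) $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \` would make the target explicit. The substvars text on the next line still describes the kernel image as signed for Secure Boot, although the image is now copied by `rsync` without an attached signature and only a detached `.sig` is shipped; a comment such as `# LAT: image is verified against the detached vmlinuz-*.sig (gpg); no signature is embedded` above the `if` would keep that visible to the next maintainer. The recipe starts and ends outside the hunk. The identical patch file is added again for kernel-std-signed further down this commit.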
|
||||
|
|
@ -0,0 +1 @@
|
|||
0001-linux-signed-adapt-signing-according-to-LAT.patch
|
|
@ -0,0 +1,52 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Copyright (c) 2022 Wind River Systems, Inc.
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. The ASF licenses this
|
||||
# file to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
# The only parameter is the name of the folder where the source code
|
||||
# is extracted to. Pay attention to that the extracted package should
|
||||
# be put at the same path where this script is located.
|
||||
# Tools needed: tar/sed
|
||||
|
||||
mkdir "$1"
|
||||
cd "$1" || exit 1
|
||||
|
||||
file_debian=(../../linux-rt/linux-signed-*.tar.xz)
|
||||
if [ ! -f "${file_debian}" ]
|
||||
then
|
||||
echo "Please create signatures first (e.g. use debian-test-sign)!"
|
||||
exit 1
|
||||
fi
|
||||
cp "${file_debian}" ./
|
||||
|
||||
if ! tar xvf linux-signed-*.tar.xz;
|
||||
then
|
||||
echo "Tar failed to decompress the source code for this pkg!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mv ./source-template/debian ./debian
|
||||
rmdir source-template
|
||||
|
||||
# Add extra functions in image pkg's postinst to follow LAT secure boot
|
||||
cd debian || exit 1
|
||||
cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
|
||||
kernel-rt-signed/debian/linux-rt-image.postinst.extra ./
|
||||
# Remove the end line ( "exit 0" ) in the init script
|
||||
sed -i '$d' linux-rt-image-*.postinst
|
||||
cat linux-rt-image.postinst.extra >> linux-rt-image-*.postinst
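Review bot: A failure of `mkdir "$1"`, of the `cp` of `linux-rt-image.postinst.extra`, or of `sed -i '$d'` does not stop this hook; if `linux-rt-image-*.postinst` matches no file, for example, sed fails and the final `cat >>` would then write to a file named after the literal pattern, so the hook can exit 0 while the real postinst never receives the LAT signature-update step. Adding `set -euo pipefail` after the header comment would stop the build at the first failed step. The `sed -i '$d'` also deletes the last line without checking that it is `exit 0`; `sed -i '${/^exit 0$/d}'` removes it only when it matches. The kernel-std-signed dl_hook added further down has the same code with `linux-image-*.postinst`.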
|
|
@ -0,0 +1,47 @@
|
|||
#
|
||||
# Copyright (c) 2022 Wind River Systems, Inc.
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. The ASF licenses this
|
||||
# file to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
echo "Signed kernel package: ${change}"
|
||||
|
||||
# LAT will deal with below when install.
|
||||
if [ "${change}" = "install" ]
|
||||
then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Update image/sig to the right path when upgrade.
|
||||
cmdline=$(cat /proc/cmdline)
|
||||
cmdline=${cmdline#*BOOT_IMAGE=}
|
||||
boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
|
||||
boot_image_path=${boot_image%/*}
|
||||
|
||||
if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
|
||||
then
|
||||
echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
|
||||
then
|
||||
echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Updated vmlinuz and vmlinuz.sig!"
|
||||
exit 0
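Review bot: The destination of both `cp` calls is derived from `/proc/cmdline` without any check: when the command line has no `BOOT_IMAGE=` token, `${cmdline#*BOOT_IMAGE=}` leaves the string unchanged and `boot_image` becomes its first word, and when the value contains no `/`, `boot_image_path` equals `boot_image`. A guard directly after `cmdline=$(cat /proc/cmdline)`, `case "${cmdline}" in *BOOT_IMAGE=*) ;; *) echo "FAIL: no BOOT_IMAGE in /proc/cmdline"; exit 1 ;; esac`, would refuse to write under `/boot` in that case. The kernel is also overwritten before the signature copy is known to succeed, so a missing `/boot/vmlinuz-${version}.sig` leaves an image and a `vmlinuz.sig` that no longer match; testing `[ -f /boot/vmlinuz-"${version}".sig ]` before the first `cp` avoids that state. `change` and `version` are set outside this fragment, presumably by the postinst it is appended to. The same code is added as linux-image.postinst.extra for kernel-std-signed.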
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
debver: 5.10.99
|
||||
debname: kernel-rt-signed
|
||||
dl_hook: dl_hook
|
||||
revision:
|
||||
dist: $STX_DIST
|
||||
PKG_GITREVCOUNT: true
|
|
@ -0,0 +1,34 @@
|
|||
From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
|
||||
From: Li Zhou <li.zhou@windriver.com>
|
||||
Date: Wed, 20 Apr 2022 11:29:54 +0800
|
||||
Subject: [PATCH] linux-signed: adapt signing according to LAT
|
||||
|
||||
STX debian project's secure boot process doesn't follow DEBIAN
|
||||
process and follows LAT (wrlinux) process. It use gpg to sign
|
||||
kernel image instead of sbsign. So replace the sbsign in rules.real
|
||||
with installing vmlinuz.sig onto rootfs. That is because DEBIAN
|
||||
secure boot use the signed kernel image while LAT secure boot
|
||||
use a separate sig file for gpg verification of kernel image.
|
||||
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
debian/rules.real | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/debian/rules.real b/debian/rules.real
|
||||
index 23df05c..f6bb8ac 100644
|
||||
--- a/debian/rules.real
|
||||
+++ b/debian/rules.real
|
||||
@@ -14,8 +14,7 @@ install-signed:
|
||||
rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
|
||||
$(PACKAGE_DIR)/boot/
|
||||
if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
|
||||
- sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
|
||||
- $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
|
||||
+ dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
|
||||
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
|
||||
else \
|
||||
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
|
||||
--
|
||||
2.17.1
|
||||
|
|
@ -0,0 +1 @@
|
|||
0001-linux-signed-adapt-signing-according-to-LAT.patch
|
|
@ -0,0 +1,52 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Copyright (c) 2022 Wind River Systems, Inc.
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. The ASF licenses this
|
||||
# file to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
# The only parameter is the name of the folder where the source code
|
||||
# is extracted to. Pay attention to that the extracted package should
|
||||
# be put at the same path where this script is located.
|
||||
# Tools needed: tar/sed
|
||||
|
||||
mkdir "$1"
|
||||
cd "$1" || exit 1
|
||||
|
||||
file_debian=(../../linux/linux-signed-*.tar.xz)
|
||||
if [ ! -f "${file_debian}" ]
|
||||
then
|
||||
echo "Please create signatures first (e.g. use debian-test-sign)!"
|
||||
exit 1
|
||||
fi
|
||||
cp "${file_debian}" ./
|
||||
|
||||
if ! tar xvf linux-signed-*.tar.xz;
|
||||
then
|
||||
echo "Tar failed to decompress the source code for this pkg!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mv ./source-template/debian ./debian
|
||||
rmdir source-template
|
||||
|
||||
# Add extra functions in image pkg's postinst to follow LAT secure boot
|
||||
cd debian || exit 1
|
||||
cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
|
||||
kernel-std-signed/debian/linux-image.postinst.extra ./
|
||||
# Remove the end line ( "exit 0" ) in the init script
|
||||
sed -i '$d' linux-image-*.postinst
|
||||
cat linux-image.postinst.extra >> linux-image-*.postinst
|
|
@ -0,0 +1,47 @@
|
|||
#
|
||||
# Copyright (c) 2022 Wind River Systems, Inc.
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. The ASF licenses this
|
||||
# file to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
echo "Signed kernel package: ${change}"
|
||||
|
||||
# LAT will deal with below when install.
|
||||
if [ "${change}" = "install" ]
|
||||
then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Update image/sig to the right path when upgrade.
|
||||
cmdline=$(cat /proc/cmdline)
|
||||
cmdline=${cmdline#*BOOT_IMAGE=}
|
||||
boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
|
||||
boot_image_path=${boot_image%/*}
|
||||
|
||||
if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
|
||||
then
|
||||
echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
|
||||
then
|
||||
echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Updated vmlinuz and vmlinuz.sig!"
|
||||
exit 0
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
debver: 5.10.99
|
||||
debname: kernel-std-signed
|
||||
dl_hook: dl_hook
|
||||
revision:
|
||||
dist: $STX_DIST
|
||||
PKG_GITREVCOUNT: true
|