diff --git a/kernel-signed/kernel-rt-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch b/kernel-signed/kernel-rt-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch new file mode 100644 index 00000000..ba54ce1e --- /dev/null +++ b/kernel-signed/kernel-rt-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch @@ -0,0 +1,34 @@ +From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001 +From: Li Zhou +Date: Wed, 20 Apr 2022 11:29:54 +0800 +Subject: [PATCH] linux-signed: adapt signing according to LAT + +STX debian project's secure boot process doesn't follow DEBIAN +process and follows LAT (wrlinux) process. It use gpg to sign +kernel image instead of sbsign. So replace the sbsign in rules.real +with installing vmlinuz.sig onto rootfs. That is because DEBIAN +secure boot use the signed kernel image while LAT secure boot +use a separate sig file for gpg verification of kernel image. + +Signed-off-by: Li Zhou +--- + debian/rules.real | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/debian/rules.real b/debian/rules.real +index 23df05c..f6bb8ac 100644 +--- a/debian/rules.real ++++ b/debian/rules.real +@@ -14,8 +14,7 @@ install-signed: + rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \ + $(PACKAGE_DIR)/boot/ + if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \ +- sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \ +- $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \ ++ dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \ + echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \ + else \ + echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \ +-- +2.17.1 + diff --git a/kernel-signed/kernel-rt-signed/debian/deb_patches/series b/kernel-signed/kernel-rt-signed/debian/deb_patches/series new file mode 100644 index 00000000..41761966 --- /dev/null +++ b/kernel-signed/kernel-rt-signed/debian/deb_patches/series @@ -0,0 +1 @@ +0001-linux-signed-adapt-signing-according-to-LAT.patch diff --git a/kernel-signed/kernel-rt-signed/debian/dl_hook b/kernel-signed/kernel-rt-signed/debian/dl_hook new file mode 100755 index 00000000..98cd0308 --- /dev/null +++ b/kernel-signed/kernel-rt-signed/debian/dl_hook @@ -0,0 +1,52 @@ +#!/bin/bash +# +# Copyright (c) 2022 Wind River Systems, Inc. +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. The ASF licenses this +# file to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# The only parameter is the name of the folder where the source code +# is extracted to. Pay attention to that the extracted package should +# be put at the same path where this script is located. +# Tools needed: tar/sed + +mkdir "$1" +cd "$1" || exit 1 + +file_debian=(../../linux-rt/linux-signed-*.tar.xz) +if [ ! -f "${file_debian}" ] +then + echo "Please create signatures first (e.g. use debian-test-sign)!" + exit 1 +fi +cp "${file_debian}" ./ + +if ! tar xvf linux-signed-*.tar.xz; +then + echo "Tar failed to decompress the source code for this pkg!" + exit 1 +fi + +mv ./source-template/debian ./debian +rmdir source-template + +# Add extra functions in image pkg's postinst to follow LAT secure boot +cd debian || exit 1 +cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\ +kernel-rt-signed/debian/linux-rt-image.postinst.extra ./ +# Remove the end line ( "exit 0" ) in the init script +sed -i '$d' linux-rt-image-*.postinst +cat linux-rt-image.postinst.extra >> linux-rt-image-*.postinst diff --git a/kernel-signed/kernel-rt-signed/debian/linux-rt-image.postinst.extra b/kernel-signed/kernel-rt-signed/debian/linux-rt-image.postinst.extra new file mode 100644 index 00000000..df7e6921 --- /dev/null +++ b/kernel-signed/kernel-rt-signed/debian/linux-rt-image.postinst.extra @@ -0,0 +1,47 @@ +# +# Copyright (c) 2022 Wind River Systems, Inc. +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. The ASF licenses this +# file to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +echo "Signed kernel package: ${change}" + +# LAT will deal with below when install. +if [ "${change}" = "install" ] +then + exit 0 +fi + +# Update image/sig to the right path when upgrade. +cmdline=$(cat /proc/cmdline) +cmdline=${cmdline#*BOOT_IMAGE=} +boot_image=$(echo "${cmdline}" | cut -d' ' -f 1) +boot_image_path=${boot_image%/*} + +if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}"; +then + echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}" + exit 1 +fi + +if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig; +then + echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig" + exit 1 +fi + +echo "Updated vmlinuz and vmlinuz.sig!" +exit 0 diff --git a/kernel-signed/kernel-rt-signed/debian/meta_data.yaml b/kernel-signed/kernel-rt-signed/debian/meta_data.yaml new file mode 100644 index 00000000..cd1d9250 --- /dev/null +++ b/kernel-signed/kernel-rt-signed/debian/meta_data.yaml @@ -0,0 +1,7 @@ +--- +debver: 5.10.99 +debname: kernel-rt-signed +dl_hook: dl_hook +revision: + dist: $STX_DIST + PKG_GITREVCOUNT: true diff --git a/kernel-signed/kernel-std-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch b/kernel-signed/kernel-std-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch new file mode 100644 index 00000000..ba54ce1e --- /dev/null +++ b/kernel-signed/kernel-std-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch @@ -0,0 +1,34 @@ +From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001 +From: Li Zhou +Date: Wed, 20 Apr 2022 11:29:54 +0800 +Subject: [PATCH] linux-signed: adapt signing according to LAT + +STX debian project's secure boot process doesn't follow DEBIAN +process and follows LAT (wrlinux) process. It use gpg to sign +kernel image instead of sbsign. So replace the sbsign in rules.real +with installing vmlinuz.sig onto rootfs. That is because DEBIAN +secure boot use the signed kernel image while LAT secure boot +use a separate sig file for gpg verification of kernel image. + +Signed-off-by: Li Zhou +--- + debian/rules.real | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/debian/rules.real b/debian/rules.real +index 23df05c..f6bb8ac 100644 +--- a/debian/rules.real ++++ b/debian/rules.real +@@ -14,8 +14,7 @@ install-signed: + rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \ + $(PACKAGE_DIR)/boot/ + if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \ +- sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \ +- $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \ ++ dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \ + echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \ + else \ + echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \ +-- +2.17.1 + diff --git a/kernel-signed/kernel-std-signed/debian/deb_patches/series b/kernel-signed/kernel-std-signed/debian/deb_patches/series new file mode 100644 index 00000000..41761966 --- /dev/null +++ b/kernel-signed/kernel-std-signed/debian/deb_patches/series @@ -0,0 +1 @@ +0001-linux-signed-adapt-signing-according-to-LAT.patch diff --git a/kernel-signed/kernel-std-signed/debian/dl_hook b/kernel-signed/kernel-std-signed/debian/dl_hook new file mode 100755 index 00000000..ba75e6a4 --- /dev/null +++ b/kernel-signed/kernel-std-signed/debian/dl_hook @@ -0,0 +1,52 @@ +#!/bin/bash +# +# Copyright (c) 2022 Wind River Systems, Inc. +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. The ASF licenses this +# file to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# The only parameter is the name of the folder where the source code +# is extracted to. Pay attention to that the extracted package should +# be put at the same path where this script is located. +# Tools needed: tar/sed + +mkdir "$1" +cd "$1" || exit 1 + +file_debian=(../../linux/linux-signed-*.tar.xz) +if [ ! -f "${file_debian}" ] +then + echo "Please create signatures first (e.g. use debian-test-sign)!" + exit 1 +fi +cp "${file_debian}" ./ + +if ! tar xvf linux-signed-*.tar.xz; +then + echo "Tar failed to decompress the source code for this pkg!" + exit 1 +fi + +mv ./source-template/debian ./debian +rmdir source-template + +# Add extra functions in image pkg's postinst to follow LAT secure boot +cd debian || exit 1 +cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\ +kernel-std-signed/debian/linux-image.postinst.extra ./ +# Remove the end line ( "exit 0" ) in the init script +sed -i '$d' linux-image-*.postinst +cat linux-image.postinst.extra >> linux-image-*.postinst diff --git a/kernel-signed/kernel-std-signed/debian/linux-image.postinst.extra b/kernel-signed/kernel-std-signed/debian/linux-image.postinst.extra new file mode 100644 index 00000000..df7e6921 --- /dev/null +++ b/kernel-signed/kernel-std-signed/debian/linux-image.postinst.extra @@ -0,0 +1,47 @@ +# +# Copyright (c) 2022 Wind River Systems, Inc. +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. The ASF licenses this +# file to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +echo "Signed kernel package: ${change}" + +# LAT will deal with below when install. +if [ "${change}" = "install" ] +then + exit 0 +fi + +# Update image/sig to the right path when upgrade. +cmdline=$(cat /proc/cmdline) +cmdline=${cmdline#*BOOT_IMAGE=} +boot_image=$(echo "${cmdline}" | cut -d' ' -f 1) +boot_image_path=${boot_image%/*} + +if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}"; +then + echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}" + exit 1 +fi + +if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig; +then + echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig" + exit 1 +fi + +echo "Updated vmlinuz and vmlinuz.sig!" +exit 0 diff --git a/kernel-signed/kernel-std-signed/debian/meta_data.yaml b/kernel-signed/kernel-std-signed/debian/meta_data.yaml new file mode 100644 index 00000000..ab17ce51 --- /dev/null +++ b/kernel-signed/kernel-std-signed/debian/meta_data.yaml @@ -0,0 +1,7 @@ +--- +debver: 5.10.99 +debname: kernel-std-signed +dl_hook: dl_hook +revision: + dist: $STX_DIST + PKG_GITREVCOUNT: true