[1/1,linux-signed-hwe,linux-signed-hwe-edge,SRU,Bionic] UBUNTU: support recompression of signed kernels

Message ID 20190508214620.15808-2-dann.frazier@canonical.com
State New
Series Recompress signed kernels

Commit Message

dann frazier May 8, 2019, 9:46 p.m. UTC
From: Seth Forshee <seth.forshee@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1804481

Our arm64 generic kernels are compressed, but they must be
decompressed for signing. The kernel build will indicate that a
signed kernel image should be recompressed by adding GZIP=1 into
a <kernel-image>.vars file in the signing tarball. Add support
for reading the contents of this file and compressing the kernel
image when GZIP=1.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
[ dannf: Use maximum gzip compression to match unsigned build ]
Signed-off-by: dann frazier <dann.frazier@canonical.com>
---
 debian/rules | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Kleber Sacilotto de Souza May 14, 2019, 9:29 a.m. UTC | #1
On 5/8/19 11:46 PM, dann frazier wrote:
> From: Seth Forshee <seth.forshee@canonical.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1804481
> 
> Our arm64 generic kernels are compressed, but they must be
> decompressed for signing. The kernel build will indicate that a
> signed kernel image should be recompressed by adding GZIP=1 into
> a <kernel-image>.vars file in the signing tarball. Add support
> for reading the contents of this file and compressing the kernel
> image when GZIP=1.
> 
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
> [ dannf: Use maximum gzip compression to match unsigned build ]
> Signed-off-by: dann frazier <dann.frazier@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  debian/rules | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/debian/rules b/debian/rules
> index 926c4ae..0fbd900 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -44,8 +44,16 @@ override_dh_auto_build:
>  		cd "$(src_version)" || exit 1;					\
>  		for s in *.efi.signed; do					\
>  			[ ! -f "$$s" ] && continue;				\
> -			chmod 600 "$$s";					\
>  			base=$$(echo "$$s" | sed -e 's/.efi.signed//');		\
> +			(							\
> +				vars="$${base}.efi.vars";			\
> +				[ -f "$$vars" ] && . "./$$vars";		\
> +				if [ "$$GZIP" = "1" ]; then			\
> +					gzip -9 "$$s";				\
> +					mv "$${s}.gz" "$$s";			\
> +				fi;						\
> +			);							\
> +			chmod 600 "$$s";					\
>  			ln "$$s" "../SIGNED/$$base";				\
>  		done;								\
>  		for s in *.opal.sig; do						\
>
Stefan Bader May 14, 2019, 9:38 a.m. UTC | #2
On 08.05.19 23:46, dann frazier wrote:
> From: Seth Forshee <seth.forshee@canonical.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1804481
> 
> Our arm64 generic kernels are compressed, but they must be
> decompressed for signing. The kernel build will indicate that a
> signed kernel image should be recompressed by adding GZIP=1 into
> a <kernel-image>.vars file in the signing tarball. Add support
> for reading the contents of this file and compressing the kernel
> image when GZIP=1.
> 
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
> [ dannf: Use maximum gzip compression to match unsigned build ]
> Signed-off-by: dann frazier <dann.frazier@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

Since that can take effect by doing a quick rebuild of the signed source package
only, it might be slipped in as a quick re-build before the actual cycle.
But I want to confirm with Andy on that.

-Stefan
>  debian/rules | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/debian/rules b/debian/rules
> index 926c4ae..0fbd900 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -44,8 +44,16 @@ override_dh_auto_build:
>  		cd "$(src_version)" || exit 1;					\
>  		for s in *.efi.signed; do					\
>  			[ ! -f "$$s" ] && continue;				\
> -			chmod 600 "$$s";					\
>  			base=$$(echo "$$s" | sed -e 's/.efi.signed//');		\
> +			(							\
> +				vars="$${base}.efi.vars";			\
> +				[ -f "$$vars" ] && . "./$$vars";		\
> +				if [ "$$GZIP" = "1" ]; then			\
> +					gzip -9 "$$s";				\
> +					mv "$${s}.gz" "$$s";			\
> +				fi;						\
> +			);							\
> +			chmod 600 "$$s";					\
>  			ln "$$s" "../SIGNED/$$base";				\
>  		done;								\
>  		for s in *.opal.sig; do						\
>
dann frazier May 14, 2019, 1:04 p.m. UTC | #3
On Wed, May 8, 2019 at 3:46 PM dann frazier <dann.frazier@canonical.com> wrote:
>
> From: Seth Forshee <seth.forshee@canonical.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1804481

fyi, it may make sense to change this buglink. We tagged this one with
LP: #1804481 in disco because it was part of a series that enabled
signing. But, in bionic the actual arm64 *signing* bits already
landed. Since I submitted this, the regression *this* patch fixes was
reported as LP: #1828553. So, it may make sense to just consider LP:
#1804481 closed and reference LP: #1828553 in the commit.

  -dann

> Our arm64 generic kernels are compressed, but they must be
> decompressed for signing. The kernel build will indicate that a
> signed kernel image should be recompressed by adding GZIP=1 into
> a <kernel-image>.vars file in the signing tarball. Add support
> for reading the contents of this file and compressing the kernel
> image when GZIP=1.
>
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
> [ dannf: Use maximum gzip compression to match unsigned build ]
> Signed-off-by: dann frazier <dann.frazier@canonical.com>
> ---
>  debian/rules | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/debian/rules b/debian/rules
> index 926c4ae..0fbd900 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -44,8 +44,16 @@ override_dh_auto_build:
>                 cd "$(src_version)" || exit 1;                                  \
>                 for s in *.efi.signed; do                                       \
>                         [ ! -f "$$s" ] && continue;                             \
> -                       chmod 600 "$$s";                                        \
>                         base=$$(echo "$$s" | sed -e 's/.efi.signed//');         \
> +                       (                                                       \
> +                               vars="$${base}.efi.vars";                       \
> +                               [ -f "$$vars" ] && . "./$$vars";                \
> +                               if [ "$$GZIP" = "1" ]; then                     \
> +                                       gzip -9 "$$s";                          \
> +                                       mv "$${s}.gz" "$$s";                    \
> +                               fi;                                             \
> +                       );                                                      \
> +                       chmod 600 "$$s";                                        \
>                         ln "$$s" "../SIGNED/$$base";                            \
>                 done;                                                           \
>                 for s in *.opal.sig; do                                         \
> --
> 2.20.1
>
Stefan Bader May 14, 2019, 2:54 p.m. UTC | #4
On 14.05.19 15:04, dann frazier wrote:
> On Wed, May 8, 2019 at 3:46 PM dann frazier <dann.frazier@canonical.com> wrote:
>>
>> From: Seth Forshee <seth.forshee@canonical.com>
>>
>> BugLink: https://bugs.launchpad.net/bugs/1804481
> 
> fyi, it may make sense to change this buglink. We tagged this one with
> LP: #1804481 in disco because it was part of a series that enabled
> signing. But, in bionic the actual arm64 *signing* bits already
> landed. Since I submitted this, the regression *this* patch fixes was
> reported as LP: #1828553. So, it may make sense to just consider LP:
> #1804481 closed and reference LP: #1828553 in the commit.
> 
You should have spoken up *before* things were committed

-Stefan

>   -dann
> 
>> Our arm64 generic kernels are compressed, but they must be
>> decompressed for signing. The kernel build will indicate that a
>> signed kernel image should be recompressed by adding GZIP=1 into
>> a <kernel-image>.vars file in the signing tarball. Add support
>> for reading the contents of this file and compressing the kernel
>> image when GZIP=1.
>>
>> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
>> [ dannf: Use maximum gzip compression to match unsigned build ]
>> Signed-off-by: dann frazier <dann.frazier@canonical.com>
>> ---
>>  debian/rules | 10 +++++++++-
>>  1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> diff --git a/debian/rules b/debian/rules
>> index 926c4ae..0fbd900 100755
>> --- a/debian/rules
>> +++ b/debian/rules
>> @@ -44,8 +44,16 @@ override_dh_auto_build:
>>                 cd "$(src_version)" || exit 1;                                  \
>>                 for s in *.efi.signed; do                                       \
>>                         [ ! -f "$$s" ] && continue;                             \
>> -                       chmod 600 "$$s";                                        \
>>                         base=$$(echo "$$s" | sed -e 's/.efi.signed//');         \
>> +                       (                                                       \
>> +                               vars="$${base}.efi.vars";                       \
>> +                               [ -f "$$vars" ] && . "./$$vars";                \
>> +                               if [ "$$GZIP" = "1" ]; then                     \
>> +                                       gzip -9 "$$s";                          \
>> +                                       mv "$${s}.gz" "$$s";                    \
>> +                               fi;                                             \
>> +                       );                                                      \
>> +                       chmod 600 "$$s";                                        \
>>                         ln "$$s" "../SIGNED/$$base";                            \
>>                 done;                                                           \
>>                 for s in *.opal.sig; do                                         \
>> --
>> 2.20.1
>>
>

Patch

diff --git a/debian/rules b/debian/rules
index 926c4ae..0fbd900 100755
--- a/debian/rules
+++ b/debian/rules
@@ -44,8 +44,16 @@  override_dh_auto_build:
 		cd "$(src_version)" || exit 1;					\
 		for s in *.efi.signed; do					\
 			[ ! -f "$$s" ] && continue;				\
-			chmod 600 "$$s";					\
 			base=$$(echo "$$s" | sed -e 's/.efi.signed//');		\
+			(							\
+				vars="$${base}.efi.vars";			\
+				[ -f "$$vars" ] && . "./$$vars";		\
+				if [ "$$GZIP" = "1" ]; then			\
+					gzip -9 "$$s";				\
+					mv "$${s}.gz" "$$s";			\
+				fi;						\
+			);							\
+			chmod 600 "$$s";					\
 			ln "$$s" "../SIGNED/$$base";				\
 		done;								\
 		for s in *.opal.sig; do						\
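Review bot: the added `gzip -9 "$$s"; mv "$${s}.gz" "$$s";` pair is joined with `;`, so a gzip failure inside the subshell (out of disk space, unwritable directory) is not acted on: `mv` then fails on a missing `.gz`, the subshell's non-zero status is discarded at `);`, and the following `chmod`/`ln` still publish the still-uncompressed `$$s` into `../SIGNED/`, which silently reproduces the very problem this patch is fixing. Chaining the two and failing the recipe, e.g. `gzip -9 "$$s" && mv "$${s}.gz" "$$s" || exit 1;`, makes the build stop instead. A second, smaller point: `. "./$$vars"` executes the `.vars` file from the signing tarball as shell, so that file is effectively code; the enclosing `( ... )` subshell does keep `GZIP` (and anything else the file sets) from leaking into later loop iterations, and a short comment saying the file is trusted kernel-build output would make that intent clear to later readers.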