| Message ID | 20191023040725.9811-2-shrirang.bagul@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels | expand |
On Wed, Oct 23, 2019 at 12:07:24PM +0800, Shrirang Bagul wrote: > BugLink: https://bugs.launchpad.net/bugs/1847969 > > Add a fit_signed option and a script so we can build FIT images that > will be eventually signed. > > Based on commit (in Bionic): > 44efa9e736 UBUNTU: [Packaging] add rules to build FIT image > > Signed-off-by: Alfonso Sánchez-Beato <alfonso.sanchez-beato@canonical.com> > Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com> > --- > debian/rules | 2 +- > debian/rules.d/1-maintainer.mk | 1 + > debian/rules.d/2-binary-arch.mk | 14 ++++++++++++ > debian/scripts/build-fit | 40 +++++++++++++++++++++++++++++++++ > 4 files changed, 56 insertions(+), 1 deletion(-) > create mode 100755 debian/scripts/build-fit > > diff --git a/debian/rules b/debian/rules > index 8cb6604e18db..9281de598b03 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) > endif > > # Are any of the kernel signing options enabled. > -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed))) > +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed) $(fit_signed))) > ifeq ($(any_signed),true) > bin_pkg_name=$(bin_pkg_name_unsigned) > else > diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk > index 6b4e0901c288..f20f537e1364 100644 > --- a/debian/rules.d/1-maintainer.mk > +++ b/debian/rules.d/1-maintainer.mk > @@ -94,6 +94,7 @@ printenv: > @echo " uefi_signed = $(uefi_signed)" > @echo " opal_signed = $(opal_signed)" > @echo " sipl_signed = $(sipl_signed)" > + @echo " fit_signed = $(fit_signed)" > @echo "full_build = $(full_build)" > @echo "libc_dev_version = $(libc_dev_version)" > @echo "DEB_HOST_GNU_TYPE = $(DEB_HOST_GNU_TYPE)" > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk > index 82e4d80e469f..f3279369c3a7 100644 > --- a/debian/rules.d/2-binary-arch.mk > +++ b/debian/rules.d/2-binary-arch.mk > @@ -478,6 +478,20 @@ endif > install -m644 $(abidir)/$*.compiler \ > $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler > > +ifeq ($(fit_signed),true) > + install -d $(signingv) > + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \ > + $(signingv)/$(instfile)-$(abi_release)-$*; It seems odd to me that you're putting both the vmlinuz and the fit image into the signing tarball. Is there a reason for this other than the fact that build-fit expects to find it there? If not, I think it would be preferable to leave it out and pass the path to the vmlinuz to build-fit. > + # Build FIT image now that the modules folder exists > + $(SHELL) $(DROOT)/scripts/build-fit \ > + $(CURDIR)/$(DEBIAN)/$(fit_its) \ I assume fit_its will be defined in an <arch>.mk file? > + "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \ > + $(abi_release)-$(target_flavour) \ > + $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \ > + $(signingv) > + cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/ > +endif > + > headers_tmp := $(CURDIR)/debian/tmp-headers > headers_dir := $(CURDIR)/debian/linux-libc-dev > > diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit > new file mode 100755 > index 000000000000..09292611e39d > --- /dev/null > +++ b/debian/scripts/build-fit > @@ -0,0 +1,40 @@ > +#!/bin/sh -e > +# Creates a FIT image > +# $1: ITS file (FIT components description) > +# $2: list of space-separated dtb files > +# $3: kernel version > +# $4: kernel modules directory > +# $5: destination directory > + > +. debian/debian.env > + > +echo "Creating FIT image" > +fit_its="$1" > +dtb_files="$2" > +KERNEL_VERSION="$3" > +KERNEL_MODULES_D="$4" > +dest_d="$5" > + > +set -x > +fit_d=$dest_d > +mkdir -p "$fit_d" > +# Export variables to be used by hooks > +export KERNEL_VERSION > +export KERNEL_MODULES_D > +initrd_f=initrd.img > +mkinitramfs -o "$initrd_f" > +mv "$initrd_f" "$fit_d" Can we assume mkinitramfs will always be installed, or do we need to add a build dependency? And why not just generate the initramfs at its final location? > +mkdir -p "$fit_d"/dtbs/ > +for dtb in $dtb_files; do > + cp -f "$dtb" "$fit_d"/dtbs/ > +done > + > +cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage Note that there's an assumption here that the kernel image will be named vmlinuz-*, whereas the name is actually based on the install_file variable from the <arch>.mk file. If the path to the kernel image was passed as an argument then it would be unnecessary. Thanks, Seth > +cp -f "$fit_its" "$fit_d" > + > +cd "$fit_d" > +mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit > +cd - > + > +rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}" > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On Thu, Oct 31, 2019 at 03:21:59PM -0500, Seth Forshee wrote: > On Wed, Oct 23, 2019 at 12:07:24PM +0800, Shrirang Bagul wrote: > > BugLink: https://bugs.launchpad.net/bugs/1847969 > > > > Add a fit_signed option and a script so we can build FIT images that > > will be eventually signed. > > > > Based on commit (in Bionic): > > 44efa9e736 UBUNTU: [Packaging] add rules to build FIT image > > > > Signed-off-by: Alfonso Sánchez-Beato <alfonso.sanchez-beato@canonical.com> > > Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com> > > --- > > debian/rules | 2 +- > > debian/rules.d/1-maintainer.mk | 1 + > > debian/rules.d/2-binary-arch.mk | 14 ++++++++++++ > > debian/scripts/build-fit | 40 +++++++++++++++++++++++++++++++++ > > 4 files changed, 56 insertions(+), 1 deletion(-) > > create mode 100755 debian/scripts/build-fit > > > > diff --git a/debian/rules b/debian/rules > > index 8cb6604e18db..9281de598b03 100755 > > --- a/debian/rules > > +++ b/debian/rules > > @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) > > endif > > > > # Are any of the kernel signing options enabled. > > -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed))) > > +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed) $(fit_signed))) > > ifeq ($(any_signed),true) > > bin_pkg_name=$(bin_pkg_name_unsigned) > > else > > diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk > > index 6b4e0901c288..f20f537e1364 100644 > > --- a/debian/rules.d/1-maintainer.mk > > +++ b/debian/rules.d/1-maintainer.mk > > @@ -94,6 +94,7 @@ printenv: > > @echo " uefi_signed = $(uefi_signed)" > > @echo " opal_signed = $(opal_signed)" > > @echo " sipl_signed = $(sipl_signed)" > > + @echo " fit_signed = $(fit_signed)" > > @echo "full_build = $(full_build)" > > @echo "libc_dev_version = $(libc_dev_version)" > > @echo "DEB_HOST_GNU_TYPE = $(DEB_HOST_GNU_TYPE)" > > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk > > index 82e4d80e469f..f3279369c3a7 100644 > > --- a/debian/rules.d/2-binary-arch.mk > > +++ b/debian/rules.d/2-binary-arch.mk > > @@ -478,6 +478,20 @@ endif > > install -m644 $(abidir)/$*.compiler \ > > $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler > > > > +ifeq ($(fit_signed),true) > > + install -d $(signingv) > > + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \ > > + $(signingv)/$(instfile)-$(abi_release)-$*; > > It seems odd to me that you're putting both the vmlinuz and the fit > image into the signing tarball. Is there a reason for this other than > the fact that build-fit expects to find it there? If not, I think it > would be preferable to leave it out and pass the path to the vmlinuz to > build-fit. > > > + # Build FIT image now that the modules folder exists > > + $(SHELL) $(DROOT)/scripts/build-fit \ > > + $(CURDIR)/$(DEBIAN)/$(fit_its) \ > > I assume fit_its will be defined in an <arch>.mk file? Ping. I just noticed that there was never any response to these questions, and we still don't have these patches applied in the devel series. > > > + "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \ > > + $(abi_release)-$(target_flavour) \ > > + $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \ > > + $(signingv) > > + cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/ > > +endif > > + > > headers_tmp := $(CURDIR)/debian/tmp-headers > > headers_dir := $(CURDIR)/debian/linux-libc-dev > > > > diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit > > new file mode 100755 > > index 000000000000..09292611e39d > > --- /dev/null > > +++ b/debian/scripts/build-fit > > @@ -0,0 +1,40 @@ > > +#!/bin/sh -e > > +# Creates a FIT image > > +# $1: ITS file (FIT components description) > > +# $2: list of space-separated dtb files > > +# $3: kernel version > > +# $4: kernel modules directory > > +# $5: destination directory > > + > > +. debian/debian.env > > + > > +echo "Creating FIT image" > > +fit_its="$1" > > +dtb_files="$2" > > +KERNEL_VERSION="$3" > > +KERNEL_MODULES_D="$4" > > +dest_d="$5" > > + > > +set -x > > +fit_d=$dest_d > > +mkdir -p "$fit_d" > > +# Export variables to be used by hooks > > +export KERNEL_VERSION > > +export KERNEL_MODULES_D > > +initrd_f=initrd.img > > +mkinitramfs -o "$initrd_f" > > +mv "$initrd_f" "$fit_d" > > Can we assume mkinitramfs will always be installed, or do we need to add > a build dependency? And why not just generate the initramfs at its final > location? > > > +mkdir -p "$fit_d"/dtbs/ > > +for dtb in $dtb_files; do > > + cp -f "$dtb" "$fit_d"/dtbs/ > > +done > > + > > +cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage > > Note that there's an assumption here that the kernel image will be named > vmlinuz-*, whereas the name is actually based on the install_file > variable from the <arch>.mk file. If the path to the kernel image was > passed as an argument then it would be unnecessary. > > Thanks, > Seth > > > +cp -f "$fit_its" "$fit_d" > > + > > +cd "$fit_d" > > +mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit > > +cd - > > + > > +rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}" > > -- > > 2.17.1 > > > > > > -- > > kernel-team mailing list > > kernel-team@lists.ubuntu.com > > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/debian/rules b/debian/rules index 8cb6604e18db..9281de598b03 100755 --- a/debian/rules +++ b/debian/rules @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) endif # Are any of the kernel signing options enabled. -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed))) +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed) $(fit_signed))) ifeq ($(any_signed),true) bin_pkg_name=$(bin_pkg_name_unsigned) else diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk index 6b4e0901c288..f20f537e1364 100644 --- a/debian/rules.d/1-maintainer.mk +++ b/debian/rules.d/1-maintainer.mk @@ -94,6 +94,7 @@ printenv: @echo " uefi_signed = $(uefi_signed)" @echo " opal_signed = $(opal_signed)" @echo " sipl_signed = $(sipl_signed)" + @echo " fit_signed = $(fit_signed)" @echo "full_build = $(full_build)" @echo "libc_dev_version = $(libc_dev_version)" @echo "DEB_HOST_GNU_TYPE = $(DEB_HOST_GNU_TYPE)" diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk index 82e4d80e469f..f3279369c3a7 100644 --- a/debian/rules.d/2-binary-arch.mk +++ b/debian/rules.d/2-binary-arch.mk @@ -478,6 +478,20 @@ endif install -m644 $(abidir)/$*.compiler \ $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler +ifeq ($(fit_signed),true) + install -d $(signingv) + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \ + $(signingv)/$(instfile)-$(abi_release)-$*; + # Build FIT image now that the modules folder exists + $(SHELL) $(DROOT)/scripts/build-fit \ + $(CURDIR)/$(DEBIAN)/$(fit_its) \ + "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \ + $(abi_release)-$(target_flavour) \ + $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \ + $(signingv) + cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/ +endif + headers_tmp := $(CURDIR)/debian/tmp-headers headers_dir := $(CURDIR)/debian/linux-libc-dev diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit new file mode 100755 index 000000000000..09292611e39d --- /dev/null +++ b/debian/scripts/build-fit @@ -0,0 +1,40 @@ +#!/bin/sh -e +# Creates a FIT image +# $1: ITS file (FIT components description) +# $2: list of space-separated dtb files +# $3: kernel version +# $4: kernel modules directory +# $5: destination directory + +. debian/debian.env + +echo "Creating FIT image" +fit_its="$1" +dtb_files="$2" +KERNEL_VERSION="$3" +KERNEL_MODULES_D="$4" +dest_d="$5" + +set -x +fit_d=$dest_d +mkdir -p "$fit_d" +# Export variables to be used by hooks +export KERNEL_VERSION +export KERNEL_MODULES_D +initrd_f=initrd.img +mkinitramfs -o "$initrd_f" +mv "$initrd_f" "$fit_d" + +mkdir -p "$fit_d"/dtbs/ +for dtb in $dtb_files; do + cp -f "$dtb" "$fit_d"/dtbs/ +done + +cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage +cp -f "$fit_its" "$fit_d" + +cd "$fit_d" +mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit +cd - + +rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}"