From patchwork Thu Feb 18 15:08:50 2021
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 1441687
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [bionic:linux 2/4] UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs
Date: Thu, 18 Feb 2021 15:08:50 +0000
Message-Id: <20210218150856.1807354-3-apw@canonical.com>
In-Reply-To: <20210218150856.1807354-1-apw@canonical.com>
References: <20210218150856.1807354-1-apw@canonical.com>

Merge common, branch-specific, and arch-specific certs and form a certs
database for inclusion in the kernel keyring.

BugLink: https://bugs.launchpad.net/bugs/1898716

Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- debian/rules | 14 +++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 4f2972daee7e..3315e1e9abe5 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -493,7 +493,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'i386': '""', 'ppc64el': '""', 's390x': '""'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'i386': '"debian/canonical-certs"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'i386': '4096', 'ppc64el': '4096', 's390x': '4096'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index f2a8b2e49b53..f58c2b343ceb 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu 
@@ -9018,7 +9018,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y CONFIG_SYSVIPC_COMPAT=y CONFIG_SYSVIPC_SYSCTL=y diff --git a/debian/rules b/debian/rules index 00a5348f1c7a..bb8b4e81360b 100755 --- a/debian/rules +++ b/debian/rules @@ -126,7 +126,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control +clean: debian/control debian/canonical-certs.pem dh_testdir dh_testroot dh_clean @@ -210,3 +210,15 @@ debian/control: $(DEBIAN)/control.stub LANG=C kernel-wedge gen-control $(release)-$(abinum) | \ perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \ >>$(CURDIR)/debian/control + +debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/cert/*-all.pem) $(wildcard $(DEBIAN)/cert/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/certs/$$cert" ]; then \ + cat "$$dir/certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@"
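
Review bot: The i386 entry in the new CONFIG_SYSTEM_TRUSTED_KEYS policy line (debian.master/config/annotations, hunk at -493) is '"debian/canonical-certs"' with no .pem suffix, while every other architecture on that line and the config.common.ubuntu hunk use "debian/canonical-certs.pem". debian/rules only generates debian/canonical-certs.pem, so the i386 annotation disagrees with the common config value and names a file that nothing in this patch creates. Suggest changing the i386 value to '"debian/canonical-certs.pem"' so the annotation matches the config for all six architectures.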
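
Review bot: The only target shown that depends on the new file is clean (debian/rules, hunk at -126, "clean: debian/control debian/canonical-certs.pem"), and that dependency is undocumented. CONFIG_SYSTEM_TRUSTED_KEYS now points at debian/canonical-certs.pem, so a build in a tree where clean has not been run first would reference a file that does not exist yet. Suggest adding a short comment next to the clean rule explaining that clean is what materialises the bundle, in the same way as debian/control, or listing the file as a prerequisite of the build path as well if it is meant to be regenerated there.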
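
Review bot: The prerequisite list of the new debian/canonical-certs.pem rule (debian/rules, hunk at -210) globs $(DEBIAN)/cert/*-all.pem and $(DEBIAN)/cert/*-$(arch).pem, singular "cert", but the recipe only reads "$$dir/certs/$$cert", plural. A branch-specific cert under $(DEBIAN)/cert is listed as a prerequisite and then never found by the loop, and one under $(DEBIAN)/certs is read only if a file of the same name also exists in $(DROOT)/certs. Suggest using one directory name in both places. Two smaller points on the same rule: when no wildcard matches, the recipe still writes an empty file, which then becomes the trusted-keys input without any error, so a check that at least one cert was concatenated would make a misconfigured tree fail visibly; and the $(DEBIAN)-before-$(DROOT) ordering with break means a branch cert silently replaces a common cert of the same name, which deserves a comment since it decides what ends up in the kernel keyring.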