From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [focal:linux 2/4] UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs
Date: Thu, 18 Feb 2021 15:08:52 +0000
Message-Id: <20210218150856.1807354-5-apw@canonical.com>
In-Reply-To: <20210218150856.1807354-1-apw@canonical.com>
X-Patchwork-Id: 1441690

Merge common, branch-specific, and arch-specific certs and form a certs
database for inclusion in the kernel keyring.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- debian/rules | 14 +++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 9ab7828ccdd7..7dacf2164531 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -351,7 +351,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'i386': '""', 'ppc64el': '""', 's390x': '""'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'i386': '"debian/canonical-certs"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'i386': '4096', 'ppc64el': '4096', 's390x': '4096'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 0d2f337b2010..4625768cba78 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu 
@@ -9924,7 +9924,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y CONFIG_SYSVIPC_COMPAT=y CONFIG_SYSVIPC_SYSCTL=y diff --git a/debian/rules b/debian/rules index e490836b813d..44eb5873925f 100755 --- a/debian/rules +++ b/debian/rules @@ -137,7 +137,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control +clean: debian/control debian/canonical-certs.pem dh_testdir dh_testroot dh_clean @@ -235,3 +235,15 @@ debian/control: $(DEBIAN)/control.stub LANG=C kernel-wedge gen-control $(release)-$(abinum) | \ perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \ >>$(CURDIR)/debian/control + +debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/cert/*-all.pem) $(wildcard $(DEBIAN)/cert/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/certs/$$cert" ]; then \ + cat "$$dir/certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@"
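
Review bot: in the debian.master/config/annotations hunk, the i386 entry of the new CONFIG_SYSTEM_TRUSTED_KEYS policy reads '"debian/canonical-certs"' with no .pem suffix, while every other architecture in the same line and the config.common.ubuntu hunk use "debian/canonical-certs.pem". The i386 annotation therefore does not match the value the common config sets, and it names a file that the new debian/rules target does not produce. Suggest 'i386': '"debian/canonical-certs.pem"' so that all six architectures agree.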
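
Review bot: in the debian/rules hunk at -137, debian/canonical-certs.pem becomes a prerequisite of clean, so running clean generates the bundle, and none of the visible recipe lines (dh_testdir, dh_testroot, dh_clean) removes it. If the file has to exist at this point in the same way debian/control does, a one-line comment saying why would help the next reader. Otherwise consider deleting the generated file in clean: make only rebuilds it when a listed cert is newer, so a cert that is later removed from the certs directories would stay in a stale bundle.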
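
Review bot: in the new debian/canonical-certs.pem rule in debian/rules, the last two prerequisites glob $(DEBIAN)/cert/ (singular) while the first two glob $(DROOT)/certs/ and the recipe only reads "$$dir/certs/$$cert". As written, branch-specific files under $(DEBIAN)/certs/ never enter $^, so they are only concatenated when a file of the same name also exists under $(DROOT)/certs/, which defeats the branch-specific part of the commit message. Suggest $(wildcard $(DEBIAN)/certs/*-all.pem) and $(wildcard $(DEBIAN)/certs/*-$(arch).pem). It is also worth making the recipe fail when $^ is empty, since the loop would otherwise write an empty file for CONFIG_SYSTEM_TRUSTED_KEYS to point at, and a short comment noting that $(DEBIAN) takes precedence over $(DROOT) for a given file name would document the override order.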