@@ -123,22 +123,36 @@ override_dh_auto_install:
echo "$$signed boot" >>"debian/$$package.install"; \
fi; \
\
- package="linux-image-$$verflav"; \
- echo "$$package: adding $$signed"; \
- echo "$$signed boot" >>"debian/$$package.install"; \
+ cvm_pkg="linux-image-$$verflav-fde"; \
+ if [ "$$instfile" = "kernel.efi" ]; then \
+ if grep -q "^Package: *$$cvm_pkg\$$" debian/control; then \
+ package=$$cvm_pkg; \
+ templates=cvm; \
+ echo "$$package: adding $$signed"; \
+ echo "$$signed usr/lib/linux/efi" >>"debian/$$package.install";\
+ else \
+ continue; \
+ fi; \
+ else \
+ package="linux-image-$$verflav"; \
+ templates=image; \
+ echo "$$package: adding $$signed"; \
+ echo "$$signed boot" >>"debian/$$package.install"; \
+ fi; \
\
./debian/scripts/generate-depends linux-image-unsigned-$$verflav $(unsigned_ver) \
- >>"debian/linux-image-$$verflav.substvars"; \
+ >>"debian/$$package.substvars"; \
\
for which in postinst postrm preinst prerm; do \
- template="debian/templates/image.$$which.in"; \
+ template="debian/templates/$$templates.$$which.in"; \
script="debian/$$package.$$which"; \
+ [ -e "$$template" ] && \
sed -e "s/@abiname@/$(abi)/g" \
-e "s/@localversion@/-$$flavour/g" \
-e "s/@image-stem@/$$instfile/g" \
<"$$template" >"$$script"; \
done; \
- echo "interest linux-update-$(abi)-$$flavour" \
+ echo "interest linux-update-$(abi)-$$flavour" \
>"debian/$$package.triggers"; \
done
dh_install
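Review bot: The new `[ -e "$$template" ] &&` guard covers the image branch as well as the cvm one, so a missing `debian/templates/image.$$which.in` is now skipped without any message. Before, the failed `<"$$template"` redirect at least printed an error, and would abort the build if the recipe runs under `set -e` (its start is outside the hunk). For a signed-kernel package, silently shipping without a maintainer script is worth guarding against: keep the skip for `templates=cvm` only, e.g. `if [ ! -e "$$template" ]; then [ "$$templates" = cvm ] || exit 1; continue; fi`. Similarly, the bare `continue` when `debian/control` has no `-fde` stanza drops a signed `kernel.efi` without trace; an `echo "$$cvm_pkg: not in debian/control, skipping $$signed"` before it would make that visible in the build log.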
@@ -7,9 +7,14 @@ class Signing:
def add(self, arch, stype, binary, flavours, options):
for flavour in flavours:
- self._arch_flavour_data[(arch, flavour)] = (stype, binary)
+ self._arch_flavour_data.setdefault((arch, flavour), set()).add((stype, binary))
self._flavour_to_arch.setdefault(flavour, set()).add(arch)
+ # cvm is an exclusive option: no image paragraph, no further option flags
+ if "cvm" in options:
+ self._package_to_flavour_to_arch.setdefault("cvm", {}).setdefault(flavour, set()).add(arch)
+ continue
self._package_to_flavour_to_arch.setdefault("image", {}).setdefault(flavour, set()).add(arch)
+ # all other options are supplementary to the image
if "di" in options:
self._package_to_flavour_to_arch.setdefault("di", {}).setdefault(flavour, set()).add(arch)
if "hmac" in options:
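Review bot: The `continue` taken when `"cvm" in options` silently discards any other flag given alongside it, so a config entry such as cvm plus hmac produces no hmac package and no warning. Since the comment already declares cvm exclusive, enforce that rather than ignore it: raise a `ValueError` naming the arch and flavour when `options` contains anything besides `"cvm"`. The type of `options` is not visible here, so the exact check depends on whether it is a list or a set. The method body continues past the end of the hunk.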
@@ -26,7 +31,11 @@ class Signing:
@property
def arch_flavour_data(self):
- return sorted(self._arch_flavour_data.items())
+ # allow for more than one binary to be signed by an arch+flavour pair
+ # maintain backwards compatible API
+ for (arch, flavour), stypebins in sorted(self._arch_flavour_data.items()):
+ for (stype, binary) in sorted(stypebins):
+ yield (arch, flavour), (stype, binary)
@classmethod
def load(cls, config):
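Review bot: The property used to return a list and now returns a one-shot generator, which contradicts the "maintain backwards compatible API" comment. Any caller that takes `len()`, indexes, or iterates `arch_flavour_data` twice will fail or see an empty second pass. Building the pairs into a list inside the property and returning it keeps the old contract while still supporting several `(stype, binary)` entries per arch and flavour. If the lazy form is intended, the comment should say that callers may only iterate once.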
@@ -18,6 +18,12 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
for flavour, archs in signing.flavour_archs:
print(f' linux-image-unsigned-{abi_version}-{flavour} (= {unsigned_version}) [{" ".join(archs)}],', file=cfd)
print(f' linux-buildinfo-{abi_version}-{flavour} (= {unsigned_version}) [{" ".join(archs)}],', file=cfd)
+ # generate-only build-depends with a profile (activated by parameterise-ancillaries)
+ uci_archs = set()
+ for _, archs in signing.package_flavour_archs("cvm"):
+ uci_archs.update(archs)
+ if uci_archs:
+ print(f' ubuntu-core-initramfs [{" ".join(uci_archs)}] <generate>,', file=cfd)
print(f" {generate_name} (= {source_version}),", file=cfd)
else:
print(line, end='', file=cfd)
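Review bot: `" ".join(uci_archs)` joins a `set`, so the architecture order in the generated `ubuntu-core-initramfs [...] <generate>,` line can change between runs under string hash randomisation. That makes `debian/control` non-reproducible and produces spurious diffs when reviewing a signing package. Use `" ".join(sorted(uci_archs))`. The enclosing `with` block and loop begin outside the hunk.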
@@ -66,6 +72,22 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
This package contains the HMAC file for Linux kernel image for version
{abi_version}-{flavour}
""").rstrip(), file=cfd)
+ for flavour, archs in signing.package_flavour_archs("cvm"):
+ # Mostly similar to image, but we don't have recommands nor conflicts
+ print(dedent(f"""\
+
+ Package: linux-image-{abi_version}-{flavour}-fde
+ Architecture: {" ".join(archs)}
+ Depends: ${{unsigned:Depends}}
+ Recommends: ${{cvm:Recommends}}
+ Suggests: ${{unsigned:Suggests}}
+ Conflicts: ${{cvm:Conflicts}}
+ Provides: ${{unsigned:Provides}}
+ Built-Using: {unsigned_name} (= {unsigned_version})
+ Description: Signed kernel image {flavour} for CVM
+ A kernel image for {flavour}. This version of it is signed with
+ Canonical's signing key.
+ """).rstrip(), file=cfd)
# XXX: all dbgsym packages _must_ be at the end of debian/control else the
# build will hang forever on the builder.
for flavour, archs in signing.package_flavour_archs("image"):
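Review bot: The comment on the new cvm stanza says there are no recommends or conflicts, but the stanza emits `Recommends: ${cvm:Recommends}` and `Conflicts: ${cvm:Conflicts}`. Nothing visible in this patch writes `cvm:Recommends` or `cvm:Conflicts` into the package's substvars, so these presumably expand to empty and trigger an unknown-substitution warning at build time. Either drop the two fields or reword the comment, e.g. `# Similar to image; Recommends/Conflicts come from cvm:* substvars and are normally empty`. This would also fix the "recommands" typo.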
@@ -78,3 +100,13 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
Description: Signed kernel image {flavour}
A link to the debugging symbols for the {flavour} signed kernel.
""").rstrip(), file=cfd)
+ for flavour, archs in signing.package_flavour_archs("cvm"):
+ print(dedent(f"""\
+
+ Package: linux-image-{abi_version}-{flavour}-fde-dbgsym
+ Section: devel
+ Architecture: {" ".join(archs)}
+ Depends: linux-image-unsigned-{abi_version}-{flavour}-dbgsym
+ Description: Signed kernel image {flavour} for CVM (debug)
+ A link to the debugging symbols for the {flavour} signed kernel.
+ """).rstrip(), file=cfd)
@@ -58,6 +58,8 @@ def build_ancillary(package):
line = f"Source: {package}"
elif package and package in line:
continue
+ # Activate generate-only build-profile depends
+ line = line.replace(" <generate>","")
print(line, file=ofd)
# Also dump out the files.json for -generate et al.
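Review bot: `line.replace(" <generate>","")` runs on every line written to the output control file, not only on the Build-Depends entry it is meant for. It also only works as long as generate-control emits exactly one space followed by `<generate>`. Worth saying so in the comment, e.g. `# Strip the " <generate>" profile marker written by generate-control so the dependency becomes unconditional in the ancillary source`, and adding a space after the comma in the call. `build_ancillary` starts and ends outside the hunk.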
new file mode 100755
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+version=@abiname@@localversion@
+
+if [ "$1" = purge ]; then
+ for extra_file in modules.dep modules.isapnpmap modules.pcimap \
+ modules.usbmap modules.parportmap \
+ modules.generic_string modules.ieee1394map \
+ modules.ieee1394map modules.pnpbiosmap \
+ modules.alias modules.ccwmap modules.inputmap \
+ modules.symbols modules.ofmap \
+ modules.seriomap modules.\*.bin \
+ modules.softdep modules.devname; do
+ eval rm -f /lib/modules/$version/$extra_file
+ done
+ rmdir /lib/modules/$version || true
+fi
+
+exit 0
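Review bot: The `if [ "$1" = purge ]` block can never run if this file is `cvm.postinst.in`, as the diffstat order suggests, because dpkg calls postinst with `configure` or the `abort-*` actions and passes `purge` only to postrm. As written the script always falls through to `exit 0`, and the `/lib/modules/$version` cleanup never happens for the `-fde` package. The content should probably be installed as `cvm.postrm.in`; the loop in debian/rules already looks for that name. Separately, `eval rm -f` is only needed to expand the escaped `modules.\*.bin` entry; a plain `rm -f "/lib/modules/$version/$extra_file"` in the loop plus one unescaped `rm -f /lib/modules/$version/modules.*.bin` avoids running `eval` as root in a maintainer script. `modules.ieee1394map` is also listed twice.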
new file mode 100755
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+version=@abiname@@localversion@
+
+if [ "$1" != remove ]; then
+ exit 0
+fi
+
+linux-check-removal $version
+
+exit 0
BugLink: https://bugs.launchpad.net/bugs/2017571 Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> --- debian/rules | 26 +++++++++++++++----- debian/scripts/config.py | 13 ++++++++-- debian/scripts/generate-control | 32 +++++++++++++++++++++++++ debian/scripts/parameterise-ancillaries | 2 ++ debian/templates/cvm.postinst.in | 20 ++++++++++++++++ debian/templates/cvm.prerm.in | 12 ++++++++++ 6 files changed, 97 insertions(+), 8 deletions(-) create mode 100755 debian/templates/cvm.postinst.in create mode 100755 debian/templates/cvm.prerm.in