From patchwork Thu Apr 27 17:32:44 2023
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1774576
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Cc: apw@canonical.com
Subject: [focal, jammy, devel:linux-signed ANY][STEP 2] UBUNTU: [Packaging] Add Azure CVM support to linux-generate
Date: Thu, 27 Apr 2023 18:32:44 +0100
Message-Id: <20230427173246.115429-2-dimitri.ledkov@canonical.com>
In-Reply-To: <20230427173246.115429-1-dimitri.ledkov@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2017571 Signed-off-by: Dimitri John Ledkov --- debian/rules | 26 +++++++++++++++----- debian/scripts/config.py | 13 ++++++++-- debian/scripts/generate-control | 32 +++++++++++++++++++++++++ debian/scripts/parameterise-ancillaries | 2 ++ debian/templates/cvm.postinst.in | 20 ++++++++++++++++ debian/templates/cvm.prerm.in | 12 ++++++++++ 6 files changed, 97 insertions(+), 8 deletions(-) create mode 100755 debian/templates/cvm.postinst.in create mode 100755 debian/templates/cvm.prerm.in diff --git a/debian/rules b/debian/rules index 61dd81c7dc..c78ca3dde8 100755 --- a/debian/rules +++ b/debian/rules 
@@ -123,22 +123,36 @@ override_dh_auto_install: echo "$$signed boot" >>"debian/$$package.install"; \ fi; \ \ - package="linux-image-$$verflav"; \ - echo "$$package: adding $$signed"; \ - echo "$$signed boot" >>"debian/$$package.install"; \ + cvm_pkg="linux-image-$$verflav-fde"; \ + if [ "$$instfile" = "kernel.efi" ]; then \ + if grep -q "^Package: *$$cvm_pkg\$$" debian/control; then \ + package=$$cvm_pkg; \ + templates=cvm; \ + echo "$$package: adding $$signed"; \ + echo "$$signed usr/lib/linux/efi" >>"debian/$$package.install";\ + else \ + continue; \ + fi; \ + else \ + package="linux-image-$$verflav"; \ + templates=image; \ + echo "$$package: adding $$signed"; \ + echo "$$signed boot" >>"debian/$$package.install"; \ + fi; \ \ ./debian/scripts/generate-depends linux-image-unsigned-$$verflav $(unsigned_ver) \ - >>"debian/linux-image-$$verflav.substvars"; \ + >>"debian/$$package.substvars"; \ \ for which in postinst postrm preinst prerm; do \ - template="debian/templates/image.$$which.in"; \ + template="debian/templates/$$templates.$$which.in"; \ script="debian/$$package.$$which"; \ + [ -e "$$template" ] && \ sed -e "s/@abiname@/$(abi)/g" \ -e "s/@localversion@/-$$flavour/g" \ -e "s/@image-stem@/$$instfile/g" \ <"$$template" >"$$script"; \ done; \ - echo "interest linux-update-$(abi)-$$flavour" \ + echo "interest linux-update-$(abi)-$$flavour" \ >"debian/$$package.triggers"; \ done dh_install diff --git a/debian/scripts/config.py b/debian/scripts/config.py index f937150bd7..d2693051bf 100644 --- a/debian/scripts/config.py +++ b/debian/scripts/config.py 
@@ -7,9 +7,14 @@ class Signing: def add(self, arch, stype, binary, flavours, options): for flavour in flavours: - self._arch_flavour_data[(arch, flavour)] = (stype, binary) + self._arch_flavour_data.setdefault((arch, flavour), set()).add((stype, binary)) self._flavour_to_arch.setdefault(flavour, set()).add(arch) + # cvm is an exclusive option: no image paragraph, no further option flags + if "cvm" in options: + self._package_to_flavour_to_arch.setdefault("cvm", {}).setdefault(flavour, set()).add(arch) + continue self._package_to_flavour_to_arch.setdefault("image", {}).setdefault(flavour, set()).add(arch) + # all other options are supplementary to the image if "di" in options: self._package_to_flavour_to_arch.setdefault("di", {}).setdefault(flavour, set()).add(arch) if "hmac" in options: @@ -26,7 +31,11 @@ class Signing: @property def arch_flavour_data(self): - return sorted(self._arch_flavour_data.items()) + # allow for more than one binary to be signed by an arch+flavour pair + # maintain backwards compatible API + for (arch, flavour), stypebins in sorted(self._arch_flavour_data.items()): + for (stype, binary) in sorted(stypebins): + yield (arch, flavour), (stype, binary) @classmethod def load(cls, config): diff --git a/debian/scripts/generate-control b/debian/scripts/generate-control index ef61cd7fca..181b7c8f51 100755 --- a/debian/scripts/generate-control +++ b/debian/scripts/generate-control 
@@ -18,6 +18,12 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd: for flavour, archs in signing.flavour_archs: print(f' linux-image-unsigned-{abi_version}-{flavour} (= {unsigned_version}) [{" ".join(archs)}],', file=cfd) print(f' linux-buildinfo-{abi_version}-{flavour} (= {unsigned_version}) [{" ".join(archs)}],', file=cfd) + # generate-only build-depends with a profile (activated by parameterise-ancillaries) + uci_archs = set() + for _, archs in signing.package_flavour_archs("cvm"): + uci_archs.update(archs) + if uci_archs: + print(f' ubuntu-core-initramfs [{" ".join(uci_archs)}] ,', file=cfd) print(f" {generate_name} (= {source_version}),", file=cfd) else: print(line, end='', file=cfd) @@ -66,6 +72,22 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd: This package contains the HMAC file for Linux kernel image for version {abi_version}-{flavour} """).rstrip(), file=cfd) + for flavour, archs in signing.package_flavour_archs("cvm"): + # Mostly similar to image, but we don't have recommands nor conflicts + print(dedent(f"""\ + + Package: linux-image-{abi_version}-{flavour}-fde + Architecture: {" ".join(archs)} + Depends: ${{unsigned:Depends}} + Recommends: ${{cvm:Recommends}} + Suggests: ${{unsigned:Suggests}} + Conflicts: ${{cvm:Conflicts}} + Provides: ${{unsigned:Provides}} + Built-Using: {unsigned_name} (= {unsigned_version}) + Description: Signed kernel image {flavour} for CVM + A kernel image for {flavour}. This version of it is signed with + Canonical's signing key. + """).rstrip(), file=cfd) # XXX: all dbgsym packages _must_ be at the end of debian/control else the # build will hang forever on the builder. for flavour, archs in signing.package_flavour_archs("image"): 
@@ -78,3 +100,13 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd: Description: Signed kernel image {flavour} A link to the debugging symbols for the {flavour} signed kernel. """).rstrip(), file=cfd) + for flavour, archs in signing.package_flavour_archs("cvm"): + print(dedent(f"""\ + + Package: linux-image-{abi_version}-{flavour}-fde-dbgsym + Section: devel + Architecture: {" ".join(archs)} + Depends: linux-image-unsigned-{abi_version}-{flavour}-dbgsym + Description: Signed kernel image {flavour} for CVM (debug) + A link to the debugging symbols for the {flavour} signed kernel. + """).rstrip(), file=cfd) diff --git a/debian/scripts/parameterise-ancillaries b/debian/scripts/parameterise-ancillaries index b6dea0cf48..d29f222e60 100755 --- a/debian/scripts/parameterise-ancillaries +++ b/debian/scripts/parameterise-ancillaries @@ -58,6 +58,8 @@ def build_ancillary(package): line = f"Source: {package}" elif package and package in line: continue + # Activate generate-only build-profile depends + line = line.replace(" ","") print(line, file=ofd) # Also dump out the files.json for -generate et al. diff --git a/debian/templates/cvm.postinst.in b/debian/templates/cvm.postinst.in new file mode 100755 index 0000000000..6ee0556d73 --- /dev/null +++ b/debian/templates/cvm.postinst.in @@ -0,0 +1,20 @@ +#!/bin/sh +set -e + +version=@abiname@@localversion@ + +if [ "$1" = purge ]; then + for extra_file in modules.dep modules.isapnpmap modules.pcimap \ + modules.usbmap modules.parportmap \ + modules.generic_string modules.ieee1394map \ + modules.ieee1394map modules.pnpbiosmap \ + modules.alias modules.ccwmap modules.inputmap \ + modules.symbols modules.ofmap \ + modules.seriomap modules.\*.bin \ + modules.softdep modules.devname; do + eval rm -f /lib/modules/$version/$extra_file + done + rmdir /lib/modules/$version || true +fi + +exit 0 
diff --git a/debian/templates/cvm.prerm.in b/debian/templates/cvm.prerm.in new file mode 100755 index 0000000000..1a339a68ef --- /dev/null +++ b/debian/templates/cvm.prerm.in @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +version=@abiname@@localversion@ + +if [ "$1" != remove ]; then + exit 0 +fi + +linux-check-removal $version + +exit 0
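
Review bot: In debian/rules, the new `[ -e "$$template" ] &&` guard in the postinst/postrm/preinst/prerm loop applies to templates=image as well as templates=cvm, so a missing or misnamed image.*.in is now skipped silently where the `<"$$template"` redirect used to report an error. Consider applying the guard only when templates=cvm, which ships just postinst and prerm, or listing the cvm scripts explicitly. In the same hunk, `grep -q "^Package: *$$cvm_pkg\$$"` interprets any dots in $$verflav as regex wildcards; escaping them or matching the package name as a fixed string would make the check exact.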
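
Review bot: In debian/scripts/config.py, Signing.add() silently drops every other option once "cvm" is present, because the `continue` runs before the di/hmac checks; the comment calls cvm exclusive but nothing enforces it. Raising an error when cvm is combined with another option would surface a misconfigured signing entry at generate time instead of producing a package set that quietly lacks the expected paragraphs. Note also that `_flavour_to_arch` is updated before the `continue`, so a cvm-only flavour still appears in flavour_archs; a one-line comment saying this is intended would help.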
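
Review bot: In debian/scripts/config.py, the arch_flavour_data property now returns a generator where it previously returned the list from sorted(), which the "maintain backwards compatible API" comment does not cover. A caller that stores the result and indexes it, calls len() on it, or iterates it a second time will fail or see an empty second pass. Collecting the pairs into a list and returning that keeps the old contract.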
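
Review bot: In debian/scripts/generate-control, the ubuntu-core-initramfs build-dependency line joins `uci_archs`, a set, without sorting, so the architecture order in the generated debian/control can differ between runs. Use `" ".join(sorted(uci_archs))` so the output is stable and diffs of the generated control file stay meaningful.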
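
Review bot: In debian/scripts/generate-control, the comment on the -fde paragraph says there are no recommends nor conflicts (and misspells "recommands"), yet the stanza emits `Recommends: ${{cvm:Recommends}}` and `Conflicts: ${{cvm:Conflicts}}`. Nothing in this patch defines cvm:* substitution variables; the only substvars written for the package come from generate-depends in debian/rules. Either drop the two fields or add the code that populates them, and make the comment match whichever is chosen.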
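
Review bot: In debian/templates/cvm.postinst.in, the `if [ "$1" = purge ]` block can never run, because dpkg invokes postinst with configure, abort-* or triggered and passes purge only to postrm. As written the script is a no-op and the /lib/modules/$version cleanup never happens on purge. If the cleanup is wanted, move it to a cvm.postrm.in, a name the loop in debian/rules already looks for. The file list also names modules.ieee1394map twice.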