From patchwork Thu Feb 18 15:08:54 2021
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 1441692
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [groovy:linux 2/4] UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs
Date: Thu, 18 Feb 2021 15:08:54 +0000
Message-Id: <20210218150856.1807354-7-apw@canonical.com>
In-Reply-To: <20210218150856.1807354-1-apw@canonical.com>
References: <20210218150856.1807354-1-apw@canonical.com>

Merge common, branch-specific, and arch-specific certs and form a certs
database for inclusion in the kernel keyring.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- debian/rules | 14 +++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index f025f78dfb11..7cce122fbfd2 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -359,7 +359,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 80ed0bdb1f15..66710b9bfaeb 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -10192,7 +10192,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y CONFIG_SYSVIPC_COMPAT=y CONFIG_SYSVIPC_SYSCTL=y 
diff --git a/debian/rules b/debian/rules index 4f64f55b8d8f..636f1e876d26 100755 --- a/debian/rules +++ b/debian/rules @@ -127,7 +127,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control +clean: debian/control debian/canonical-certs.pem dh_testdir dh_testroot dh_clean @@ -225,3 +225,15 @@ debian/control: $(DEBIAN)/control.stub LANG=C kernel-wedge gen-control $(release)-$(abinum) | \ perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \ >>$(CURDIR)/debian/control + +debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/cert/*-all.pem) $(wildcard $(DEBIAN)/cert/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/certs/$$cert" ]; then \ + cat "$$dir/certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@"
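Review bot: In debian.master/config/config.common.ubuntu, the new value CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" names a file that is generated by debian/rules rather than carried in the tree, and neither the config line nor the commit message says so. Anyone building from this config without going through the packaging rules gets a trusted-keys path with nothing behind it. Suggest stating in the commit message that the path is relative to the source tree and is produced by the debian/canonical-certs.pem target, so the dependency on the packaging build is explicit.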
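Review bot: On the "clean: debian/control debian/canonical-certs.pem" line, the bundle is made a prerequisite of clean only; in the lines shown no build target lists it, so a build that is not preceded by clean has no rule pulling in the file that CONFIG_SYSTEM_TRUSTED_KEYS now points at. Suggest adding debian/canonical-certs.pem as a prerequisite of the build path as well. Because the target is a real file whose prerequisites come from $(wildcard ...), deleting a cert from the source directories does not make an existing bundle out of date, so a removed cert stays in the keyring input until the file is deleted; regenerating it unconditionally would avoid that.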
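Review bot: In the debian/canonical-certs.pem rule, the prerequisites glob $(DEBIAN)/cert/*-all.pem and $(DEBIAN)/cert/*-$(arch).pem (singular "cert"), but the recipe only reads "$$dir/certs/$$cert" (plural). A branch cert matched by those globs is never concatenated unless a file of the same name exists under $(DROOT)/certs, and files under $(DEBIAN)/certs are not prerequisites at all. Use the same directory name in the wildcards and the recipe. The loop also exits successfully when no file is found for a name, and a failing cat is followed by break so its status is lost, which means >"$@" can leave an empty or partial bundle without failing the build; a [ -s "$@" ] check after the loop would turn that into an error.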