From patchwork Mon Mar  8 15:00:03 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andy Whitcroft <apw@canonical.com>
X-Patchwork-Id: 1449154
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4DvM322NNcz9sWw;
	Tue,  9 Mar 2021 02:00:30 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1lJHMv-00055C-K5; Mon, 08 Mar 2021 15:00:25 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <apw@canonical.com>) id 1lJHMq-00051W-Up
 for kernel-team@lists.ubuntu.com; Mon, 08 Mar 2021 15:00:20 +0000
Received: from mail-wr1-f70.google.com ([209.85.221.70])
 by youngberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <apw@canonical.com>) id 1lJHMq-00064v-9T
 for kernel-team@lists.ubuntu.com; Mon, 08 Mar 2021 15:00:20 +0000
Received: by mail-wr1-f70.google.com with SMTP id z6so4930868wrh.11
 for <kernel-team@lists.ubuntu.com>; Mon, 08 Mar 2021 07:00:20 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=BF2Ilc9rZmS9ARh0IVWtfqq3k1FCy2sVetC3Sj2dOQk=;
 b=GXunpLPmTfTLNPdNB23z2efRn8K6ZyXUQuMzFvxdKlZhUl8tFQCTNLJKv5n3pKtma/
 PoWttb4LgM22GwVh+5pT4v8XzEsBOtRmF8GqlVuVsxKnfwf1cIuaNGRCY/BG5a5n6D3i
 bNe+45bBy7A6eqY6nkgd3u2uGbW9Bti/QZCrb2pDrJEDNIGC4HpWlxeP6I1n3ndwurSK
 FI0uoGyGx2PwFEfpfC9ezV/BkOS7E84C1fVXh6qWsiHNvZZdL0CXwR2BjuwFUQYwuzgU
 Fp3QGDuI1q268kmeu7nf8cyWrgQvEBGdr+EZJ0lVIHkjvYnUDp7HybkmotTxN2o20sO+
 d3pw==
X-Gm-Message-State: AOAM530Ls7Cvo2Qx4gqIVto0r+aO8lA+dvvXUgtvlP+/hlWF0kB1gHHW
 /2cko2M30AWZyfLx6gCQiWWlH+G9+TMDvOZDW+cygAOsnkSQ0a2sXuIkiQ0PdOs2fP1FdPRZK0S
 L3tug2VunCMxy8T/r36msU3dL85InNYD0VBVEeBzvpA==
X-Received: by 2002:a5d:4523:: with SMTP id j3mr24071129wra.288.1615215618629;
 Mon, 08 Mar 2021 07:00:18 -0800 (PST)
X-Google-Smtp-Source: 
 ABdhPJytWJuvN8jNEFnmd1t7qkpCRVZcPYM6LPvLFC18t+sNm5bxQ11q8lwWv7hB6AnazFwf3tA6VQ==
X-Received: by 2002:a5d:4523:: with SMTP id j3mr24071089wra.288.1615215618292;
 Mon, 08 Mar 2021 07:00:18 -0800 (PST)
Received: from localhost ([2001:470:6973:2:2843:61fd:9f2a:3b98])
 by smtp.gmail.com with ESMTPSA id u3sm19074559wrt.82.2021.03.08.07.00.17
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 08 Mar 2021 07:00:17 -0800 (PST)
From: Andy Whitcroft <apw@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 8/9] UBUNTU: [Packaging] linux-restricted-modules -- consume
 published signatures
Date: Mon,  8 Mar 2021 15:00:03 +0000
Message-Id: <20210308150004.1746089-9-apw@canonical.com>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210308150004.1746089-1-apw@canonical.com>
References: <20210308150004.1746089-1-apw@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Cc: Andy Whitcroft <apw@canonical.com>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Split our output into a pair of packages.  linux-objects-nvidia-* which
contain the raw .o files and associated helpers, and linux-modules-nvidia-*
which depend both the objects and the signatures packages and include
the control files to trigger construction and destruction of the final
signed kernel modules on the end-user system.

BugLink: https://bugs.launchpad.net/bugs/1918134
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian/rules.in                     | 26 +++------
 debian/scripts/dkms-build--nvidia-N | 24 ++-------
 debian/scripts/gen-rules.lrm        | 83 +++++++++++++++++++++++------
 debian/source/options               |  2 +-
 4 files changed, 79 insertions(+), 56 deletions(-)

diff --git a/debian/rules.in b/debian/rules.in
index 16033cb..d61feca 100755
--- a/debian/rules.in
+++ b/debian/rules.in
@@ -1,18 +1,7 @@
-#! /usr/bin/make -f
-
 ##export DH_VERBOSE := 1
 
 arch = $(shell dpkg-architecture -qDEB_HOST_ARCH)
 
-# Work out the source package name and version. The version
-# is identical to this package less any rebuild suffix (+lrmN).
-src_package := $(shell LC_ALL=C dpkg-parsechangelog -SSource)
-src_fullversion = $(shell LC_ALL=C dpkg-parsechangelog -SVersion)
-src_abi = $(shell echo "$(src_fullversion)" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p')
-src_version = $(shell echo $(src_fullversion) | sed -e 's/+[0-9][0-9]*$$//')
-src_series = $(shell dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$$//')
-src_kernel = $(shell echo "$(src_package)" | sed -e 's/restricted-modules-//')
-
 # Get variants, assuming primary if debian/variants is not present
 variants = --
 ifneq (,$(wildcard debian/variants))
@@ -28,7 +17,7 @@ endif
 control_files += $(filter-out $(primary_control_files),$(shell LC_ALL=C ls -d debian/control.d/*))
 
 test::
-	echo "$(src_fullversion) $(src_version)"
+	echo "$(src_version) $(src_main_version)"
 
 # We build our control file.  This has to be done before dh runs otherwise
 # we have no binary files and we will not run the appropriate targets.
@@ -44,34 +33,31 @@ pre-clean: $(control_files)
 					-e "s/\$${variant:suffix}/$$variant/g"		\
 					-e "s/\(\$${$(tp_key)[^}]*}\)/$${variant_first:+\1}/g" \
 					<$$i;						\
-				echo "";						\
 				variant_first='';					\
 			done;								\
 		else									\
 			cat $$i;							\
-			echo "";							\
 		fi;									\
 	done | sed									\
 		-e "/@BUILD-INTERLOCK@/{"						\
-		-e " r debian/control.gen"						\
+		-e " r debian/control.interlock-up"					\
 		-e " d"									\
 		-e " }"									\
 	     | sed									\
-		-e "s/\(\$${$(tp_key)\([^}]*\)}\)/kernel-testing--$(src_kernel)-\1-\2,/g" \
+		-e "s/\(\$${$(tp_key)\([^}]*\)}\)/kernel-testing--$(src_main_package)-\1-\2,/g" \
 		-e "s/@SRCPKGNAME@/$(src_package)/g"					\
 		-e "s/@ABI@/$(src_abi)/g"						\
-		-e "s/@VERSION@/$(src_version)/g"					\
+		-e "s/@VERSION@/$(src_main_version)/g"					\
 		-e "s/@SERIES@/$(src_series)/g"						\
 	    >debian/control.tmp
 	rm -f debian/control
 	mv debian/control.tmp debian/control
-	rm -rf ./$(src_version) UNSIGNED SIGNED
+	rm -rf ./$(src_main_version) UNSIGNED SIGNED
 	rm -f 	debian/linux-modules-*.install						\
 		debian/linux-modules-*.preinst 						\
 		debian/linux-modules-*.prerm 						\
 		debian/linux-modules-*.postinst 					\
 		debian/linux-modules-*.postrm
-	rm -rf $(dkms_dir)
 
 .PHONY: pre-clean
 
@@ -79,6 +65,8 @@ debian/scripts/fix-filenames: debian/scripts/fix-filenames.c
 	$(CC) -o $@ $^
 
 clean:: pre-clean
+	rm -f debian/scripts/fix-filenames
+	rm -rf $(dkms_dir)
 
 %:
 	dh $@
diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N
index d37082c..75a16df 100755
--- a/debian/scripts/dkms-build--nvidia-N
+++ b/debian/scripts/dkms-build--nvidia-N
@@ -79,28 +79,10 @@ sed -e 's/.*-o  *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C
 		:
 
 	elif [ "$sign" = "--lrm" ]; then
-		# We are in LRM build the package a copy in any signatures we can
-		# find for them.  These will be added after linking.
-		base="/usr/lib/linux/$abi_flavour"
-
-		# Check the GCC version we are using against that used in the kernel
-		# NOTE: that we treat this as only a warning, as if the binaries did come
-		# out differently then we will actually 
-		echo "II: checking gcc version ..."
-		cat "$base/compiler"
-		gcc --version
-		gcc_was=$(cat "$base/compiler" | sed -e 's/^GCC:/gcc/')
-		gcc_is=$(gcc --version | head -1)
-		if [ "$gcc_was" != "$gcc_is" ]; then
-			echo "WW: gcc version missmatch between linux and linux-restricted-modules"
-			echo "WW: was: $gcc_was  is: $gcc_is"
-		fi
-
-		# Apply any local signatures.
-		echo "II: adding signatures from $base ..."
-		cp "$base/signatures/$package/"*".ko.sig" "$pkgdir/bits"
-		sha256sum -c "$base/signatures/$package/SHA256SUMS" || exit 1
+		# We are in the LRM build; grab sha256 checksums and clean up.
+		sha256sum -b *.ko >"SHA256SUMS"
 		sh ./CLEAN
+
 	else
 		# We are in the main kernel, put the .kos together as we will
 		# on the users machine, sign them, and keep just the signature.
diff --git a/debian/scripts/gen-rules.lrm b/debian/scripts/gen-rules.lrm
index 7dc774e..a79eef0 100755
--- a/debian/scripts/gen-rules.lrm
+++ b/debian/scripts/gen-rules.lrm
@@ -1,12 +1,45 @@
 #!/bin/bash
 
+# Pick out relevant version and package information including our predecessor
+# packages: linux -> linux-restricted-modules-signatures -> linux-restricted-modules
+src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
+src_version=$(LC_ALL=C dpkg-parsechangelog -SVersion)
+src_abi=$(echo "${src_version}" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p')
+src_series=$(LC_ALL=C dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$//')
+
+# linux/5.8.0-41.46
+src_main_package=$(echo "${src_package}" | sed -e 's/-restricted-modules//')
+src_main_version=$(echo ${src_version} | sed -e 's/+[0-9][0-9\.]*$//')
+
+# linux-restricted-generate/5.8.0-41.46[+1]
+
+# linux-restricted-signatures/5.8.0-41.46[+1]
+src_sigs_package=$(echo "${src_package}" | sed -e 's/-restricted-modules/-restricted-signatures/')
+src_sigs_version=${src_version}
+
+# linux-restricted-modules/5.8.0-41.46[+1]
+
 mkdir -p "debian/control.d"
-cat "debian/rules.in" >"debian/rules.gen"
-: >"debian/control.gen"
+: >"debian/control.interlock-up"
 : >"debian/control.d/meta-nvidia"
 : >"debian/control.d/nvidia"
 : >"debian/control.d/migrate-nvidia"
 : >"debian/control.d/transitionals-local"
+: >"debian/control.d/signatures"
+
+cat - "debian/rules.in" >"debian/rules.gen" <<EOL
+#! /usr/bin/make -f
+
+src_package := ${src_package}
+src_version = ${src_version}
+src_abi = ${src_abi}
+src_series = ${src_series}
+src_main_package = ${src_main_package}
+src_main_version = ${src_main_version}
+src_sigs_package = ${src_sigs_package}
+src_sigs_version = ${src_sigs_version}
+
+EOL
 
 dkms_build_new=$(grep -c 'shift 7' debian/scripts/dkms-build)
 if [ "$dkms_build_new" -eq 0 ]; then
@@ -39,9 +72,8 @@ do
 
 	targets=$(echo "$archs" | sed -e 's/\</nvidia-/g')
 
-	cat - >>"debian/control.gen" <<EOL
- linux-headers-@ABI@-${flavour} (>= @VERSION@) [${archs}],
- linux-buildinfo-@ABI@-${flavour} (>= @VERSION@) [${archs}],
+	cat - >>"debian/control.interlock-up" <<EOL
+ linux-headers-${src_abi}-${flavour} (>= @VERSION@) [${archs}],
 EOL
 
 	while read package version extra
@@ -84,12 +116,14 @@ $targets::
 	mkdir -p \$(dkms_dir)/build \$(dkms_dir)/source
 	install -d debian/linux-modules-nvidia-${suffix_minus}-\$(src_abi)-${flavour}
 	install -d debian/linux-modules-nvidia-${suffix_minus}-\$(src_abi)-${flavour}/usr/lib/linux/triggers
-	\$(call build_dkms, \$(src_abi)-${flavour}, linux-modules-nvidia-${suffix_minus}-\$(src_abi)-${flavour}, \$(CURDIR)/debian/linux-modules-nvidia-${suffix_minus}-\$(src_abi)-${flavour}/lib/modules/\$(src_abi)-${flavour}/kernel, "", nvidia-${suffix_short}, pool/restricted/n/nvidia-graphics-drivers-${suffix_minus}/nvidia-kernel-source-${suffix_minus}_\$(dkms_nvidia_${suffix_under}_version)_\$(arch).deb pool/restricted/n/nvidia-graphics-drivers-${suffix_minus}/nvidia-dkms-${suffix_minus}_\$(dkms_nvidia_${suffix_under}_version)_\$(arch).deb)
 	\$(call install_control,linux-modules-nvidia-${suffix_minus}-\$(src_abi)-${flavour},${flavour},nvidia,${suffix_short},postinst postrm prerm config templates)
+	install -d debian/linux-objects-nvidia-${suffix_minus}-\$(src_abi)-${flavour}
+	\$(call build_dkms, \$(src_abi)-${flavour}, linux-objects-nvidia-${suffix_minus}-\$(src_abi)-${flavour}, \$(CURDIR)/debian/linux-objects-nvidia-${suffix_minus}-\$(src_abi)-${flavour}/lib/modules/\$(src_abi)-${flavour}/kernel, "", nvidia-${suffix_short}, pool/restricted/n/nvidia-graphics-drivers-${suffix_minus}/nvidia-kernel-source-${suffix_minus}_\$(dkms_nvidia_${suffix_under}_version)_\$(arch).deb pool/restricted/n/nvidia-graphics-drivers-${suffix_minus}/nvidia-dkms-${suffix_minus}_\$(dkms_nvidia_${suffix_under}_version)_\$(arch).deb)
 EOL
 
 		# debian/control.d/meta-nvidia
 		cat - >>"debian/control.d/meta-nvidia" <<EOL
+
 Package: linux-modules-nvidia-${suffix_minus}-${flavour}\${variant:suffix}
 Build-Profiles: <!stage1>
 Architecture: ${archs}
@@ -97,16 +131,16 @@ Section: kernel
 Provides: \${dkms:nvidia-${suffix_minus}-modules}, nvidia-prebuilt-kernel
 Depends:
  \${misc:Depends},
- linux-modules-nvidia-${suffix_minus}-@ABI@-${flavour} (= \${binary:Version}),
- \${nvk:nvidia-${suffix_minus}}
+ linux-modules-nvidia-${suffix_minus}-${src_abi}-${flavour} (= \${binary:Version}),
+ \${nvk:nvidia-${suffix_minus}},
 Description: Extra drivers for nvidia-${suffix_minus} for the ${flavour}\${variant:suffix} flavour
  Install extra signed nvidia-${suffix_minus} modules compatible with the ${flavour}\${variant:suffix} flavour.
-
 EOL
 
 		# debian/control.d/nvidia
 		cat - >>"debian/control.d/nvidia" <<EOL
-Package: linux-modules-nvidia-${suffix_minus}-@ABI@-${flavour}
+
+Package: linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour}
 Build-Profiles: <!stage1>
 Architecture: ${archs}
 Section: kernel
@@ -116,15 +150,34 @@ Depends:
  \${misc:Depends},
  \${shlibs:Depends},
  binutils,
- linux-image-@ABI@-${flavour} | linux-image-unsigned-@ABI@-${flavour},
-Description: Linux kernel nvidia modules for version @ABI@
- This package contains the Linux kernel nvidia modules for version @ABI@.
+Description: Linux kernel nvidia modules for version ${src_abi} (objects)
+ This package contains the Linux kernel nvidia modules for version ${src_abi}.
  .
  You likely do not want to install this package directly. Instead, install the
  one of the linux-modules-nvidia-${suffix_minus}-${flavour}* meta-packages,
  which will ensure that upgrades work correctly, and that supporting packages are
  also installed.
 
+Package: linux-modules-nvidia-${suffix_minus}-${src_abi}-${flavour}
+Build-Profiles: <!stage1>
+Architecture: ${archs}
+Section: kernel
+Priority: optional
+Built-Using: \${linux:BuiltUsing}
+Depends:
+ \${misc:Depends},
+ \${shlibs:Depends},
+ linux-image-${src_abi}-${flavour} | linux-image-unsigned-${src_abi}-${flavour},
+ linux-signatures-nvidia-${src_abi}-${flavour} (= ${src_sigs_version}),
+ linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour} (= \${binary:Version}),
+Description: Linux kernel nvidia modules for version ${src_abi}
+ This package pulls together the Linux kernel nvidia modules for
+ version ${src_abi} with the appropriate signatures.
+ .
+ You likely do not want to install this package directly. Instead, install the
+ one of the linux-modules-nvidia-${suffix_minus}-${flavour}* meta-packages,
+ which will ensure that upgrades work correctly, and that supporting packages are
+ also installed.
 EOL
 		# debian/control.d/migrate-nvidia
 		for cmd in $extra
@@ -135,13 +188,13 @@ EOL
 				from_minus=$(echo "$from" | sed -e 's/nvidia-graphics-drivers-//')
 				echo "II: general transition $from -> $package ($from_minus -> $suffix_minus)"
 				cat - >>"debian/control.d/migrate-nvidia" <<EOL
+
 Package: linux-modules-nvidia-${from_minus}-${flavour}\${variant:suffix}
 Architecture: ${archs}
 Section: oldlibs
 Depends: linux-modules-nvidia-${suffix_minus}-${flavour}\${variant:suffix}
 Description: Extra drivers for nvidia-${from_minus} for the ${flavour} flavour (dummy transitional package)
  Transitional package for upgrades of -${from_minus} to -${suffix_minus}.
-
 EOL
 				;;
 			esac
@@ -162,12 +215,12 @@ do
 	# debian/control.d/transitionals-local
 	echo "II: manual transition linux-modules-nvidia-$from -> linux-modules-nvidia-$to"
 	cat - >>"debian/control.d/transitionals-local" <<EOL
+
 Package: linux-modules-nvidia-${from}
 Architecture: ${archs}
 Section: oldlibs
 Depends: linux-modules-nvidia-${to}
 Description: Extra drivers for nvidia-${from} (dummy transitional package)
  Transitional package for upgrades of ${from} to ${to}.
-
 EOL
 done <"debian/package.config"
diff --git a/debian/source/options b/debian/source/options
index 693e1f7..34a8b9f 100644
--- a/debian/source/options
+++ b/debian/source/options
@@ -3,4 +3,4 @@ diff-ignore
 tar-ignore
 tar-ignore debian/control.d
 tar-ignore debian/rules.gen
-tar-ignore debian/control.gen
+tar-ignore debian/control.interlock-up