From patchwork Thu Feb 18 16:17:50 2021
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 1441752
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [focal:linux 2/4] UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs
Date: Thu, 18 Feb 2021 16:17:50 +0000
Message-Id: <20210218161754.1840146-5-apw@canonical.com>
In-Reply-To: <20210218161754.1840146-1-apw@canonical.com>
References: <20210218161754.1840146-1-apw@canonical.com>

Merge common, branch-specific, and arch-specific certs and form a certs
database for inclusion in the kernel keyring.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- debian/rules | 14 +++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 9ab7828ccdd7..7dacf2164531 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -351,7 +351,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'i386': '""', 'ppc64el': '""', 's390x': '""'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'i386': '"debian/canonical-certs"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'i386': '4096', 'ppc64el': '4096', 's390x': '4096'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 0d2f337b2010..4625768cba78 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu 
@@ -9924,7 +9924,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y CONFIG_SYSVIPC_COMPAT=y CONFIG_SYSVIPC_SYSCTL=y diff --git a/debian/rules b/debian/rules index e490836b813d..f8d53afa2890 100755 --- a/debian/rules +++ b/debian/rules @@ -137,7 +137,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control +clean: debian/control debian/canonical-certs.pem dh_testdir dh_testroot dh_clean @@ -235,3 +235,15 @@ debian/control: $(DEBIAN)/control.stub LANG=C kernel-wedge gen-control $(release)-$(abinum) | \ perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \ >>$(CURDIR)/debian/control + +debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/certs/*-all.pem) $(wildcard $(DEBIAN)/certs/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/certs/$$cert" ]; then \ + cat "$$dir/certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@"
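
Review bot: In the debian.master/config/annotations hunk, the i386 entry of the new CONFIG_SYSTEM_TRUSTED_KEYS policy is '"debian/canonical-certs"', without the .pem suffix that every other architecture in the same line and the value in config.common.ubuntu carry. The rule added to debian/rules only produces debian/canonical-certs.pem, so this looks like a typo; suggest '"debian/canonical-certs.pem"' for i386 so the annotation matches the value the config actually sets.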
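
Review bot: In the first debian/rules hunk, clean is the only target shown that depends on debian/canonical-certs.pem ("clean: debian/control debian/canonical-certs.pem"), while CONFIG_SYSTEM_TRUSTED_KEYS now needs that file to exist at build time. Nothing visible in this patch creates it if a build runs on a tree where clean has not regenerated it. Suggest either adding it as a prerequisite of the build step that consumes the config, or saying in the commit message that clean is the intended generation point, as it is for debian/control.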
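
Review bot: The new debian/canonical-certs.pem rule decides what ends up in the kernel's trusted keyring, but two of its behaviours are silent and undocumented. First, the inner loop tries $(DEBIAN) before $(DROOT) and breaks on the first hit, so a file in $(DEBIAN)/certs shadows a same-named file in $(DROOT)/certs; a comment stating that this override is intended would help the next reader. Second, if none of the four wildcards match, the loop body never runs and >"$@" still leaves an empty file that the config then points at; suggest failing the rule when the result is empty. The plain cat also assumes every input ends in a newline, otherwise an END line and the following BEGIN line are joined.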