Message ID | 20210308150004.1746089-7-apw@canonical.com |
---|---|
State | New |
Series | LP#1918134 -- LRMv4 switch to signing with Ubuntu Kernel Modules signing key | expand |
On 08.03.21 16:00, Andy Whitcroft wrote: > Consume the pre-built .o's as generated in linux-restricted-modules via > the linux-objects-nvidia-* packages; assembling them as per the end-user > system. Form a signing custom binary upload from these and submit for > signing. Note that this must be embargoed as it represents fully formed > module. > > BugLink: https://bugs.launchpad.net/bugs/1918134 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > debian/rules.lrg | 31 +++++++ > debian/scripts/dkms-build--nvidia-N | 1 + > debian/scripts/gen-rules | 1 + > debian/scripts/gen-rules.lrg | 138 ++++++++++++++++++++++++++++ > 4 files changed, 171 insertions(+) > create mode 100755 debian/rules.lrg > create mode 100755 debian/scripts/gen-rules.lrg > > diff --git a/debian/rules.lrg b/debian/rules.lrg > new file mode 100755 > index 0000000..e431275 > --- /dev/null > +++ b/debian/rules.lrg > @@ -0,0 +1,31 @@ > +##export DH_VERBOSE := 1 > + > +arch = $(shell dpkg-architecture -qDEB_HOST_ARCH) > + > +test:: > + echo "$(src_version) $(src_main_version)" > + > +debian/scripts/fix-filenames: debian/scripts/fix-filenames.c > + $(CC) -o $@ $^ > + > +clean:: > + rm -rf rm -rf $(dkms_dir) > + rm -f debian/scripts/fix-filenames > + > +%: > + dh $@ > + > +custom_top=debian/custom > +custom_dir=$(custom_top)/$(src_version) > +custom_tar=$(src_package)_$(src_version)_$(arch).tar.gz > +custom-upload: > + install -d $(custom_dir)/control > + { echo "tarball"; echo "signed-only"; } >$(custom_dir)/control/options > + cd $(custom_top) && tar czvf ../../../$(custom_tar) . > + dpkg-distaddfile $(custom_tar) raw-signing - > + > +override_dh_prep: debian/scripts/fix-filenames > + dh_prep > + > +override_dh_auto_install: nvidia-$(arch) custom-upload > + dh_install > diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N > index b79404b..d37082c 100755 > --- a/debian/scripts/dkms-build--nvidia-N > +++ b/debian/scripts/dkms-build--nvidia-N 
> @@ -77,6 +77,7 @@ sed -e 's/.*-o *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C > if [ "$sign" = "--custom" ]; then > # We are building for and archive custom signing upload. Keep everything. > : > + Does this serve any purpose? > elif [ "$sign" = "--lrm" ]; then > # We are in LRM build the package a copy in any signatures we can > # find for them. These will be added after linking. > diff --git a/debian/scripts/gen-rules b/debian/scripts/gen-rules > index ff91f48..8952f4b 100755 > --- a/debian/scripts/gen-rules > +++ b/debian/scripts/gen-rules > @@ -2,6 +2,7 @@ > > src_package=$(LC_ALL=C dpkg-parsechangelog -SSource) > case "$src_package" in > +linux-restricted-generate*) pkg='lrg' ;; > linux-restricted-modules*) pkg='lrm' ;; > esac > > diff --git a/debian/scripts/gen-rules.lrg b/debian/scripts/gen-rules.lrg > new file mode 100755 > index 0000000..1c13885 > --- /dev/null > +++ b/debian/scripts/gen-rules.lrg 
> @@ -0,0 +1,138 @@ > +#!/bin/bash > + > +# Pick out relevant version and package information including our predecessor > +# packages: linux -> linux-restricted-modules-signatures -> linux-restricted-modules > +src_package=$(LC_ALL=C dpkg-parsechangelog -SSource) > +src_version=$(LC_ALL=C dpkg-parsechangelog -SVersion) > +src_abi=$(echo "${src_version}" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p') > +src_series=$(LC_ALL=C dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$//') > + > +# linux/5.8.0-41.46 > +src_main_package=$(echo "${src_package}" | sed -e 's/-restricted-generate//') > +src_main_version=$(echo ${src_version} | sed -e 's/+[0-9][0-9\.]*$//') > + > +# linux-restricted-generate/5.8.0-41.46[+1] > + > +# linux-restricted-signatures/5.8.0-41.46[+1] > + > +# linux-restricted-modules/5.8.0-41.46[+1] > +src_lrm_package=$(echo "${src_package}" | sed -e 's/-restricted-generate/-restricted-modules/') > +src_lrm_version=${src_version} > + > +cat - "debian/rules.lrg" >"debian/rules.gen" <<EOL > +#! 
/usr/bin/make -f > + > +src_package := ${src_package} > +src_version = ${src_version} > +src_abi = ${src_abi} > +src_series = ${src_series} > +src_lrm_package = ${src_lrm_package} > +src_lrm_version = ${src_lrm_version} > + > +EOL > + > +: >"debian/control.interlock-up" > + > +nvidia_desktop= > +nvidia_server= > +nvidia_ignore= > +while read command arg > +do > + case "$command" in > + option) ;; > + suppress) nvidia_ignore="$nvidia_ignore $arg"; continue ;; > + *) continue ;; > + esac > + > + case "$arg" in > + desktop) nvidia_desktop=y ;; > + server) nvidia_server=y ;; > + esac > +done <"debian/package.config" > + > +build_archs= > +while read command flavour archs > +do > + case "$command" in > + build) ;; > + *) continue ;; > + esac > + > + for arch in $archs > + do > + case " $build_archs " in > + *\ $arch\ *) ;; > + *) build_archs="$build_archs $arch" ;; > + esac > + done > + > + targets=$(echo "$archs" | sed -e 's/\</nvidia-/g') > + > + while read package version extra > + do > + case "$package" in > + nvidia-graphics-drivers-*-server) > + [ -z "$nvidia_server" ] && continue > + ;; > + nvidia-graphics-drivers-*) > + [ -z "$nvidia_desktop" ] && continue > + ;; > + *) continue ;; > + esac > + case " $nvidia_ignore " in > + *\ $package\ *) continue ;; > + esac > + > + case " $extra " in > + *\ signonly\ *) continue ;; > + esac > + > + suffix_minus=$(echo "$package" | sed -e 's/nvidia-graphics-drivers-//') > + suffix_under=$(echo "$suffix_minus" | sed -e 's/-/_/g') > + suffix_short=$(echo "$suffix_minus" | sed -e 's/-server/srv/g') > + > + echo "II: build $package for $flavour $archs" > + > + cat - >>"debian/control.interlock-up" <<EOL > + linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour} (>= ${src_lrm_version}) [${archs}], > +EOL > + > + # debian/rules.gen > + # XXX: BUILD should help us here. 
> + cat - >>"debian/rules.gen" <<EOL > + > +# $package $version $suffix_minus $suffix_under $suffix_short > +$targets:: > + install -d \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short} > + cp -rp /lib/modules/${src_abi}-${flavour}/kernel/nvidia-${suffix_short}/bits \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short} > + ( \ > + cd \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits || exit 1; \ > + sh BUILD unsigned; \ > + sha256sum -c SHA256SUMS || exit 1; \ > + mv *.ko ..; \ > + ) > + rm -rf \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits > +EOL > + > + done <"debian/dkms-versions" > +done <"debian/package.config" > + > +{ > + cat "debian/control.common" "-" <<EOL > + > +Package: ${src_package} > +Architecture:${build_archs} > +Section: kernel > +Description: Build interlock package > + Build interlock package. You do not want to install this package. > +EOL > +} | sed \ > + -e "/@BUILD-INTERLOCK@/{" \ > + -e " r debian/control.interlock-up" \ > + -e " d" \ > + -e " }" \ > + -e "s/@SRCPKGNAME@/${src_package}/g" \ > + -e "s/@ABI@/${src_abi}/g" \ > + >"debian/control" > + > +rm -f "debian/control.interlock-up" >
On Tue, Mar 09, 2021 at 10:29:22AM +0100, Stefan Bader wrote: > > @@ -77,6 +77,7 @@ sed -e 's/.*-o *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C > > if [ "$sign" = "--custom" ]; then > > # We are building for and archive custom signing upload. Keep everything. > > : > > + > > Does this serve any purpose? > Heh, no. It seems I added an --lrg section here in early versions and on its removal I formatted this section to the area norm which has an extra newline. I'll clear that up. -apw
diff --git a/debian/rules.lrg b/debian/rules.lrg
new file mode 100755
index 0000000..e431275
--- /dev/null
+++ b/debian/rules.lrg
@@ -0,0 +1,31 @@
+##export DH_VERBOSE := 1
+
+arch = $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+test::
+ echo "$(src_version) $(src_main_version)"
+
+debian/scripts/fix-filenames: debian/scripts/fix-filenames.c
+ $(CC) -o $@ $^
+
+clean::
+ rm -rf rm -rf $(dkms_dir)
+ rm -f debian/scripts/fix-filenames
+
+%:
+ dh $@
+
+custom_top=debian/custom
+custom_dir=$(custom_top)/$(src_version)
+custom_tar=$(src_package)_$(src_version)_$(arch).tar.gz
+custom-upload:
+ install -d $(custom_dir)/control
+ { echo "tarball"; echo "signed-only"; } >$(custom_dir)/control/options
+ cd $(custom_top) && tar czvf ../../../$(custom_tar) .
+ dpkg-distaddfile $(custom_tar) raw-signing -
+
+override_dh_prep: debian/scripts/fix-filenames
+ dh_prep
+
+override_dh_auto_install: nvidia-$(arch) custom-upload
+ dh_install
diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N
index b79404b..d37082c 100755
--- a/debian/scripts/dkms-build--nvidia-N
+++ b/debian/scripts/dkms-build--nvidia-N
@@ -77,6 +77,7 @@ sed -e 's/.*-o *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C
 if [ "$sign" = "--custom" ]; then
 # We are building for and archive custom signing upload. Keep everything.
 :
+
 elif [ "$sign" = "--lrm" ]; then
 # We are in LRM build the package a copy in any signatures we can
 # find for them. These will be added after linking.
diff --git a/debian/scripts/gen-rules b/debian/scripts/gen-rules
index ff91f48..8952f4b 100755
--- a/debian/scripts/gen-rules
+++ b/debian/scripts/gen-rules
@@ -2,6 +2,7 @@
 
 src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
 case "$src_package" in
+linux-restricted-generate*) pkg='lrg' ;;
 linux-restricted-modules*) pkg='lrm' ;;
 esac
 
diff --git a/debian/scripts/gen-rules.lrg b/debian/scripts/gen-rules.lrg
new file mode 100755
index 0000000..1c13885
--- /dev/null
+++ b/debian/scripts/gen-rules.lrg
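Review bot: `custom-upload` tars everything under `$(custom_top)` for signing but declares no prerequisite on `nvidia-$(arch)`; it only follows it in the `override_dh_auto_install` prerequisite list, which stops guaranteeing order once make runs jobs in parallel. Writing the rule header as `custom-upload: nvidia-$(arch)` would ensure the tarball handed to `dpkg-distaddfile ... raw-signing` always contains the assembled modules. `clean::` also does not remove `$(custom_top)`, so content left from an earlier build in the same tree would presumably be packed as well; an `rm -rf $(custom_top)` there would close that. In the same recipe `rm -rf rm -rf $(dkms_dir)` doubles the command, and `dkms_dir` is not among the variables the gen-rules.lrg header defines.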
@@ -0,0 +1,138 @@
+#!/bin/bash
+
+# Pick out relevant version and package information including our predecessor
+# packages: linux -> linux-restricted-modules-signatures -> linux-restricted-modules
+src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
+src_version=$(LC_ALL=C dpkg-parsechangelog -SVersion)
+src_abi=$(echo "${src_version}" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p')
+src_series=$(LC_ALL=C dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$//')
+
+# linux/5.8.0-41.46
+src_main_package=$(echo "${src_package}" | sed -e 's/-restricted-generate//')
+src_main_version=$(echo ${src_version} | sed -e 's/+[0-9][0-9\.]*$//')
+
+# linux-restricted-generate/5.8.0-41.46[+1]
+
+# linux-restricted-signatures/5.8.0-41.46[+1]
+
+# linux-restricted-modules/5.8.0-41.46[+1]
+src_lrm_package=$(echo "${src_package}" | sed -e 's/-restricted-generate/-restricted-modules/')
+src_lrm_version=${src_version}
+
+cat - "debian/rules.lrg" >"debian/rules.gen" <<EOL
+#! /usr/bin/make -f
+
+src_package := ${src_package}
+src_version = ${src_version}
+src_abi = ${src_abi}
+src_series = ${src_series}
+src_lrm_package = ${src_lrm_package}
+src_lrm_version = ${src_lrm_version}
+
+EOL
+
+: >"debian/control.interlock-up"
+
+nvidia_desktop=
+nvidia_server=
+nvidia_ignore=
+while read command arg
+do
+ case "$command" in
+ option) ;;
+ suppress) nvidia_ignore="$nvidia_ignore $arg"; continue ;;
+ *) continue ;;
+ esac
+
+ case "$arg" in
+ desktop) nvidia_desktop=y ;;
+ server) nvidia_server=y ;;
+ esac
+done <"debian/package.config"
+
+build_archs=
+while read command flavour archs
+do
+ case "$command" in
+ build) ;;
+ *) continue ;;
+ esac
+
+ for arch in $archs
+ do
+ case " $build_archs " in
+ *\ $arch\ *) ;;
+ *) build_archs="$build_archs $arch" ;;
+ esac
+ done
+
+ targets=$(echo "$archs" | sed -e 's/\</nvidia-/g')
+
+ while read package version extra
+ do
+ case "$package" in
+ nvidia-graphics-drivers-*-server)
+ [ -z "$nvidia_server" ] && continue
+ ;;
+ nvidia-graphics-drivers-*)
+ [ -z "$nvidia_desktop" ] && continue
+ ;;
+ *) continue ;;
+ esac
+ case " $nvidia_ignore " in
+ *\ $package\ *) continue ;;
+ esac
+
+ case " $extra " in
+ *\ signonly\ *) continue ;;
+ esac
+
+ suffix_minus=$(echo "$package" | sed -e 's/nvidia-graphics-drivers-//')
+ suffix_under=$(echo "$suffix_minus" | sed -e 's/-/_/g')
+ suffix_short=$(echo "$suffix_minus" | sed -e 's/-server/srv/g')
+
+ echo "II: build $package for $flavour $archs"
+
+ cat - >>"debian/control.interlock-up" <<EOL
+ linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour} (>= ${src_lrm_version}) [${archs}],
+EOL
+
+ # debian/rules.gen
+ # XXX: BUILD should help us here.
+ cat - >>"debian/rules.gen" <<EOL
+
+# $package $version $suffix_minus $suffix_under $suffix_short
+$targets::
+ install -d \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
+ cp -rp /lib/modules/${src_abi}-${flavour}/kernel/nvidia-${suffix_short}/bits \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
+ ( \
+ cd \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits || exit 1; \
+ sh BUILD unsigned; \
+ sha256sum -c SHA256SUMS || exit 1; \
+ mv *.ko ..; \
+ )
+ rm -rf \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits
+EOL
+
+ done <"debian/dkms-versions"
+done <"debian/package.config"
+
+{
+ cat "debian/control.common" "-" <<EOL
+
+Package: ${src_package}
+Architecture:${build_archs}
+Section: kernel
+Description: Build interlock package
+ Build interlock package. You do not want to install this package.
+EOL
+} | sed \
+ -e "/@BUILD-INTERLOCK@/{" \
+ -e " r debian/control.interlock-up" \
+ -e " d" \
+ -e " }" \
+ -e "s/@SRCPKGNAME@/${src_package}/g" \
+ -e "s/@ABI@/${src_abi}/g" \
+ >"debian/control"
+
+rm -f "debian/control.interlock-up"
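Review bot: In the generated `$targets::` recipe the exit status of `sh BUILD unsigned;` is discarded, so a failed or partial link is only caught if `sha256sum -c SHA256SUMS` happens to notice; `sh BUILD unsigned || exit 1; \` would stop the recipe at the real failure. `sha256sum -c` verifies only the files that SHA256SUMS names, while `mv *.ko ..` moves every module in the directory into the tree that is later submitted for signing; if the list is not guaranteed to cover every output of BUILD, moving only the verified names would keep unverified objects out. Separately, `src_main_package` and `src_main_version` are computed but not written to the rules.gen header, although the `test::` rule in debian/rules.lrg expands `$(src_main_version)`.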
Consume the pre-built .o's as generated in linux-restricted-modules via the linux-objects-nvidia-* packages; assembling them as per the end-user system. Form a signing custom binary upload from these and submit for signing. Note that this must be embargoed as it represents fully formed module. BugLink: https://bugs.launchpad.net/bugs/1918134 Signed-off-by: Andy Whitcroft <apw@canonical.com> --- debian/rules.lrg | 31 +++++++ debian/scripts/dkms-build--nvidia-N | 1 + debian/scripts/gen-rules | 1 + debian/scripts/gen-rules.lrg | 138 ++++++++++++++++++++++++++++ 4 files changed, 171 insertions(+) create mode 100755 debian/rules.lrg create mode 100755 debian/scripts/gen-rules.lrg