
[6/9] UBUNTU: [Packaging] linux-restricted-generate -- generate unsigned modules for signing

Message ID 20210308150004.1746089-7-apw@canonical.com
State New
Series LP#1918134 -- LRMv4 switch to signing with Ubuntu Kernel Modules signing key | expand

Commit Message

Andy Whitcroft March 8, 2021, 3 p.m. UTC
Consume the pre-built .o's as generated in linux-restricted-modules via
the linux-objects-nvidia-* packages; assembling them as per the end-user
system.  Form a signing custom binary upload from these and submit for
signing.  Note that this must be embargoed as it represents a fully formed
module.

BugLink: https://bugs.launchpad.net/bugs/1918134
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian/rules.lrg                    |  31 +++++++
 debian/scripts/dkms-build--nvidia-N |   1 +
 debian/scripts/gen-rules            |   1 +
 debian/scripts/gen-rules.lrg        | 138 ++++++++++++++++++++++++++++
 4 files changed, 171 insertions(+)
 create mode 100755 debian/rules.lrg
 create mode 100755 debian/scripts/gen-rules.lrg

Comments

Stefan Bader March 9, 2021, 9:29 a.m. UTC | #1
On 08.03.21 16:00, Andy Whitcroft wrote:
> Consume the pre-built .o's as generated in linux-restricted-modules via
> the linux-objects-nvidia-* packages; assembling them as per the end-user
> system.  Form a signing custom binary upload from these and submit for
> signing.  Note that this must be embargoed as it represents fully formed
> module.
> 
> BugLink: https://bugs.launchpad.net/bugs/1918134
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>   debian/rules.lrg                    |  31 +++++++
>   debian/scripts/dkms-build--nvidia-N |   1 +
>   debian/scripts/gen-rules            |   1 +
>   debian/scripts/gen-rules.lrg        | 138 ++++++++++++++++++++++++++++
>   4 files changed, 171 insertions(+)
>   create mode 100755 debian/rules.lrg
>   create mode 100755 debian/scripts/gen-rules.lrg
> 
> diff --git a/debian/rules.lrg b/debian/rules.lrg
> new file mode 100755
> index 0000000..e431275
> --- /dev/null
> +++ b/debian/rules.lrg
> @@ -0,0 +1,31 @@
> +##export DH_VERBOSE := 1
> +
> +arch = $(shell dpkg-architecture -qDEB_HOST_ARCH)
> +
> +test::
> +	echo "$(src_version) $(src_main_version)"
> +
> +debian/scripts/fix-filenames: debian/scripts/fix-filenames.c
> +	$(CC) -o $@ $^
> +
> +clean::
> +	rm -rf rm -rf $(dkms_dir)
> +	rm -f debian/scripts/fix-filenames
> +
> +%:
> +	dh $@
> +
> +custom_top=debian/custom
> +custom_dir=$(custom_top)/$(src_version)
> +custom_tar=$(src_package)_$(src_version)_$(arch).tar.gz
> +custom-upload:
> +	install -d $(custom_dir)/control
> +	{ echo "tarball"; echo "signed-only"; } >$(custom_dir)/control/options
> +	cd $(custom_top) && tar czvf ../../../$(custom_tar) .
> +	dpkg-distaddfile $(custom_tar) raw-signing -
> +
> +override_dh_prep: debian/scripts/fix-filenames
> +	dh_prep
> +
> +override_dh_auto_install: nvidia-$(arch) custom-upload
> +	dh_install
> diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N
> index b79404b..d37082c 100755
> --- a/debian/scripts/dkms-build--nvidia-N
> +++ b/debian/scripts/dkms-build--nvidia-N
> @@ -77,6 +77,7 @@ sed -e 's/.*-o  *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C
>   	if [ "$sign" = "--custom" ]; then
>   		# We are building for and archive custom signing upload.  Keep everything.
>   		:
> +

Does this serve any purpose?

>   	elif [ "$sign" = "--lrm" ]; then
>   		# We are in LRM build the package a copy in any signatures we can
>   		# find for them.  These will be added after linking.
> diff --git a/debian/scripts/gen-rules b/debian/scripts/gen-rules
> index ff91f48..8952f4b 100755
> --- a/debian/scripts/gen-rules
> +++ b/debian/scripts/gen-rules
> @@ -2,6 +2,7 @@
>   
>   src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
>   case "$src_package" in
> +linux-restricted-generate*)	pkg='lrg' ;;
>   linux-restricted-modules*)	pkg='lrm' ;;
>   esac
>   
> diff --git a/debian/scripts/gen-rules.lrg b/debian/scripts/gen-rules.lrg
> new file mode 100755
> index 0000000..1c13885
> --- /dev/null
> +++ b/debian/scripts/gen-rules.lrg
> @@ -0,0 +1,138 @@
> +#!/bin/bash
> +
> +# Pick out relevant version and package information including our predecessor
> +# packages: linux -> linux-restricted-modules-signatures -> linux-restricted-modules
> +src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
> +src_version=$(LC_ALL=C dpkg-parsechangelog -SVersion)
> +src_abi=$(echo "${src_version}" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p')
> +src_series=$(LC_ALL=C dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$//')
> +
> +# linux/5.8.0-41.46
> +src_main_package=$(echo "${src_package}" | sed -e 's/-restricted-generate//')
> +src_main_version=$(echo ${src_version} | sed -e 's/+[0-9][0-9\.]*$//')
> +
> +# linux-restricted-generate/5.8.0-41.46[+1]
> +
> +# linux-restricted-signatures/5.8.0-41.46[+1]
> +
> +# linux-restricted-modules/5.8.0-41.46[+1]
> +src_lrm_package=$(echo "${src_package}" | sed -e 's/-restricted-generate/-restricted-modules/')
> +src_lrm_version=${src_version}
> +
> +cat - "debian/rules.lrg" >"debian/rules.gen" <<EOL
> +#! /usr/bin/make -f
> +
> +src_package := ${src_package}
> +src_version = ${src_version}
> +src_abi = ${src_abi}
> +src_series = ${src_series}
> +src_lrm_package = ${src_lrm_package}
> +src_lrm_version = ${src_lrm_version}
> +
> +EOL
> +
> +: >"debian/control.interlock-up"
> +
> +nvidia_desktop=
> +nvidia_server=
> +nvidia_ignore=
> +while read command arg
> +do
> +	case "$command" in
> +	option)		;;
> +	suppress)		nvidia_ignore="$nvidia_ignore $arg"; continue ;;
> +	*)		continue ;;
> +	esac
> +
> +	case "$arg" in
> +	desktop)	nvidia_desktop=y ;;
> +	server)		nvidia_server=y ;;
> +	esac
> +done <"debian/package.config"
> +
> +build_archs=
> +while read command flavour archs
> +do
> +	case "$command" in
> +	build)		;;
> +	*)		continue ;;
> +	esac
> +
> +	for arch in $archs
> +	do
> +		case " $build_archs " in
> +		*\ $arch\ *)    ;;
> +		*)              build_archs="$build_archs $arch" ;;
> +		esac
> +	done
> +
> +	targets=$(echo "$archs" | sed -e 's/\</nvidia-/g')
> +
> +	while read package version extra
> +	do
> +		case "$package" in
> +		nvidia-graphics-drivers-*-server)
> +			[ -z "$nvidia_server" ] && continue
> +			;;
> +		nvidia-graphics-drivers-*)
> +			[ -z "$nvidia_desktop" ] && continue
> +			;;
> +		*) continue ;;
> +		esac
> +		case " $nvidia_ignore " in
> +		*\ $package\ *)		continue ;;
> +		esac
> +
> +		case " $extra " in
> +		*\ signonly\ *)		continue ;;
> +		esac
> +
> +		suffix_minus=$(echo "$package" | sed -e 's/nvidia-graphics-drivers-//')
> +		suffix_under=$(echo "$suffix_minus" | sed -e 's/-/_/g')
> +		suffix_short=$(echo "$suffix_minus" | sed -e 's/-server/srv/g')
> +
> +		echo "II: build $package for $flavour $archs"
> +
> +		cat - >>"debian/control.interlock-up" <<EOL
> + linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour} (>= ${src_lrm_version}) [${archs}],
> +EOL
> +
> +		# debian/rules.gen
> +		# XXX: BUILD should help us here.
> +		cat - >>"debian/rules.gen" <<EOL
> +
> +# $package $version $suffix_minus $suffix_under $suffix_short
> +$targets::
> +	install -d \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
> +	cp -rp /lib/modules/${src_abi}-${flavour}/kernel/nvidia-${suffix_short}/bits \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
> +	(													\
> +		cd \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits || exit 1;	\
> +		sh BUILD unsigned;										\
> +		sha256sum -c SHA256SUMS || exit 1;								\
> +		mv *.ko ..;										\
> +	)
> +	rm -rf \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits
> +EOL
> +
> +	done <"debian/dkms-versions"
> +done <"debian/package.config"
> +
> +{
> +	cat "debian/control.common" "-" <<EOL
> +
> +Package: ${src_package}
> +Architecture:${build_archs}
> +Section: kernel
> +Description: Build interlock package
> + Build interlock package.  You do not want to install this package.
> +EOL
> +} | sed \
> +	-e "/@BUILD-INTERLOCK@/{"		\
> +	-e " r debian/control.interlock-up"	\
> +	-e " d"					\
> +	-e " }"					\
> +	-e "s/@SRCPKGNAME@/${src_package}/g"	\
> +	-e "s/@ABI@/${src_abi}/g"		\
> +    >"debian/control"
> +
> +rm -f "debian/control.interlock-up"
>
Andy Whitcroft March 10, 2021, 9:13 a.m. UTC | #2
On Tue, Mar 09, 2021 at 10:29:22AM +0100, Stefan Bader wrote:

> > @@ -77,6 +77,7 @@ sed -e 's/.*-o  *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C
> >   	if [ "$sign" = "--custom" ]; then
> >   		# We are building for and archive custom signing upload.  Keep everything.
> >   		:
> > +
> 
> Does this serve any purpose?
> 

Heh, no.  It seems I added an --lrg section here in early versions and
on its removal I formatted this section to the area norm which has an
extra newline.  I'll clear that up.

-apw

Patch

diff --git a/debian/rules.lrg b/debian/rules.lrg
new file mode 100755
index 0000000..e431275
--- /dev/null
+++ b/debian/rules.lrg
@@ -0,0 +1,31 @@ 
+##export DH_VERBOSE := 1
+
+arch = $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+test::
+	echo "$(src_version) $(src_main_version)"
+
+debian/scripts/fix-filenames: debian/scripts/fix-filenames.c
+	$(CC) -o $@ $^
+
+clean::
+	rm -rf rm -rf $(dkms_dir)
+	rm -f debian/scripts/fix-filenames
+
+%:
+	dh $@
+
+custom_top=debian/custom
+custom_dir=$(custom_top)/$(src_version)
+custom_tar=$(src_package)_$(src_version)_$(arch).tar.gz
+custom-upload:
+	install -d $(custom_dir)/control
+	{ echo "tarball"; echo "signed-only"; } >$(custom_dir)/control/options
+	cd $(custom_top) && tar czvf ../../../$(custom_tar) .
+	dpkg-distaddfile $(custom_tar) raw-signing -
+
+override_dh_prep: debian/scripts/fix-filenames
+	dh_prep
+
+override_dh_auto_install: nvidia-$(arch) custom-upload
+	dh_install
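Review bot: The `clean::` target leaves `debian/custom` in place, yet `custom-upload` tars the whole of `$(custom_top)`, so output left by an earlier build in the same tree would be carried into the tarball handed to `dpkg-distaddfile ... raw-signing`. The first clean line also repeats `rm -rf`, and `dkms_dir` is not assigned in this file or in the header that gen-rules.lrg writes, so as far as these lines show it expands to nothing. I would make that line `rm -rf $(dkms_dir) $(custom_top)`, dropping `$(dkms_dir)` if nothing defines it. `test::` likewise echoes `$(src_main_version)`, which gen-rules.lrg computes but does not emit into `debian/rules.gen`.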
diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N
index b79404b..d37082c 100755
--- a/debian/scripts/dkms-build--nvidia-N
+++ b/debian/scripts/dkms-build--nvidia-N
@@ -77,6 +77,7 @@  sed -e 's/.*-o  *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C
 	if [ "$sign" = "--custom" ]; then
 		# We are building for and archive custom signing upload.  Keep everything.
 		:
+
 	elif [ "$sign" = "--lrm" ]; then
 		# We are in LRM build the package a copy in any signatures we can
 		# find for them.  These will be added after linking.
diff --git a/debian/scripts/gen-rules b/debian/scripts/gen-rules
index ff91f48..8952f4b 100755
--- a/debian/scripts/gen-rules
+++ b/debian/scripts/gen-rules
@@ -2,6 +2,7 @@ 
 
 src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
 case "$src_package" in
+linux-restricted-generate*)	pkg='lrg' ;;
 linux-restricted-modules*)	pkg='lrm' ;;
 esac
 
diff --git a/debian/scripts/gen-rules.lrg b/debian/scripts/gen-rules.lrg
new file mode 100755
index 0000000..1c13885
--- /dev/null
+++ b/debian/scripts/gen-rules.lrg
@@ -0,0 +1,138 @@ 
+#!/bin/bash
+
+# Pick out relevant version and package information including our predecessor
+# packages: linux -> linux-restricted-modules-signatures -> linux-restricted-modules
+src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
+src_version=$(LC_ALL=C dpkg-parsechangelog -SVersion)
+src_abi=$(echo "${src_version}" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p')
+src_series=$(LC_ALL=C dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$//')
+
+# linux/5.8.0-41.46
+src_main_package=$(echo "${src_package}" | sed -e 's/-restricted-generate//')
+src_main_version=$(echo ${src_version} | sed -e 's/+[0-9][0-9\.]*$//') 
+
+# linux-restricted-generate/5.8.0-41.46[+1]
+
+# linux-restricted-signatures/5.8.0-41.46[+1]
+
+# linux-restricted-modules/5.8.0-41.46[+1]
+src_lrm_package=$(echo "${src_package}" | sed -e 's/-restricted-generate/-restricted-modules/')
+src_lrm_version=${src_version}
+
+cat - "debian/rules.lrg" >"debian/rules.gen" <<EOL
+#! /usr/bin/make -f
+
+src_package := ${src_package}
+src_version = ${src_version}
+src_abi = ${src_abi}
+src_series = ${src_series}
+src_lrm_package = ${src_lrm_package}
+src_lrm_version = ${src_lrm_version}
+
+EOL
+
+: >"debian/control.interlock-up"
+
+nvidia_desktop=
+nvidia_server=
+nvidia_ignore=
+while read command arg
+do
+	case "$command" in
+	option)		;;
+	suppress)		nvidia_ignore="$nvidia_ignore $arg"; continue ;;
+	*)		continue ;;
+	esac
+
+	case "$arg" in
+	desktop)	nvidia_desktop=y ;;
+	server)		nvidia_server=y ;;
+	esac
+done <"debian/package.config"
+
+build_archs=
+while read command flavour archs
+do
+	case "$command" in
+	build)		;;
+	*)		continue ;;
+	esac
+
+	for arch in $archs
+	do
+		case " $build_archs " in
+		*\ $arch\ *)    ;;
+		*)              build_archs="$build_archs $arch" ;;
+		esac
+	done
+
+	targets=$(echo "$archs" | sed -e 's/\</nvidia-/g')
+
+	while read package version extra
+	do
+		case "$package" in
+		nvidia-graphics-drivers-*-server)
+			[ -z "$nvidia_server" ] && continue
+			;;
+		nvidia-graphics-drivers-*)
+			[ -z "$nvidia_desktop" ] && continue
+			;;
+		*) continue ;;
+		esac
+		case " $nvidia_ignore " in
+		*\ $package\ *)		continue ;;
+		esac
+
+		case " $extra " in
+		*\ signonly\ *)		continue ;;
+		esac
+
+		suffix_minus=$(echo "$package" | sed -e 's/nvidia-graphics-drivers-//')
+		suffix_under=$(echo "$suffix_minus" | sed -e 's/-/_/g')
+		suffix_short=$(echo "$suffix_minus" | sed -e 's/-server/srv/g')
+
+		echo "II: build $package for $flavour $archs"
+
+		cat - >>"debian/control.interlock-up" <<EOL
+ linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour} (>= ${src_lrm_version}) [${archs}],
+EOL
+
+		# debian/rules.gen
+		# XXX: BUILD should help us here.
+		cat - >>"debian/rules.gen" <<EOL
+
+# $package $version $suffix_minus $suffix_under $suffix_short
+$targets::
+	install -d \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
+	cp -rp /lib/modules/${src_abi}-${flavour}/kernel/nvidia-${suffix_short}/bits \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
+	(													\
+		cd \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits || exit 1;	\
+		sh BUILD unsigned;										\
+		sha256sum -c SHA256SUMS || exit 1;								\
+		mv *.ko ..;										\
+	)
+	rm -rf \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits
+EOL
+
+	done <"debian/dkms-versions"
+done <"debian/package.config"
+
+{
+	cat "debian/control.common" "-" <<EOL
+
+Package: ${src_package}
+Architecture:${build_archs}
+Section: kernel
+Description: Build interlock package
+ Build interlock package.  You do not want to install this package.
+EOL
+} | sed \
+	-e "/@BUILD-INTERLOCK@/{"		\
+	-e " r debian/control.interlock-up"	\
+	-e " d"					\
+	-e " }"					\
+	-e "s/@SRCPKGNAME@/${src_package}/g"	\
+	-e "s/@ABI@/${src_abi}/g"		\
+    >"debian/control"
+
+rm -f "debian/control.interlock-up"
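Review bot: In the recipe generated for `$targets::`, the exit status of `sh BUILD unsigned;` is discarded, and `mv *.ko ..` then moves every `.ko` in the directory rather than only the files that `sha256sum -c SHA256SUMS` just verified. Because these modules go into the raw-signing upload, the build step should fail closed, `sh BUILD unsigned || exit 1;`, and the move should be limited to names listed in SHA256SUMS, or the recipe should stop if an unlisted `.ko` is present. SHA256SUMS is copied from the same `bits` directory as BUILD, so the check presumably shows consistency with the installed linux-objects package rather than independent provenance. A short comment above the `cp -rp` line saying which package is trusted to supply both files would make that assumption explicit.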