diff mbox series

[08/13] UBUNTU: [Packaging] generate: add HMAC support

Message ID 20220916114642.2953019-9-apw@canonical.com
State New
Headers show
Series [01/13] UBUNTU: [Packaging] generate-depends: relocate to debian/scripts | expand

Commit Message

Andy Whitcroft Sept. 16, 2022, 11:46 a.m. UTC 
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian/rules                    | 12 ++++++++++++
 debian/scripts/config.py        |  2 ++
 debian/scripts/generate-control | 14 ++++++++++++++
 3 files changed, 28 insertions(+)
diff mbox series

Patch

diff --git a/debian/rules b/debian/rules
index 711b749..1c8333a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -80,6 +80,18 @@  override_dh_auto_install:
 			-e "s@-$(abi)-.*@@");					\
 		verflav="$(abi)-$$flavour";					\
 										\
+		hmac_pkg="linux-image-hmac-$$verflav";				\
+		if grep -q "^Package: *$$hmac_pkg\\$$" debian/control; then	\
+			unsigned_hmac_pkg="linux-image-unsigned-hmac-$$verflav";\
+			hmac="$$(dirname "$$signed")/.$$(basename "$$signed").hmac";	\
+			sha512hmac "$$signed" |					\
+				awk -vpkg="/boot/$$(basename "$$signed")"	\
+					'{ printf("%s  %s\n", $$1, pkg) }'	\
+				> "$$hmac";					\
+			echo "$$hmac_pkg: adding $$hmac";			\
+			echo "$$hmac boot" >>"debian/$$hmac_pkg.install";	\
+		fi;								\
+										\
 		package="kernel-signed-image-$$verflav-di";			\
 		if grep -q "^Package: *$$package\\$$" debian/control; then	\
 			echo "$$package: adding $$signed";			\
diff --git a/debian/scripts/config.py b/debian/scripts/config.py
index 34bd08d..f937150 100644
--- a/debian/scripts/config.py
+++ b/debian/scripts/config.py
@@ -12,6 +12,8 @@  class Signing:
             self._package_to_flavour_to_arch.setdefault("image", {}).setdefault(flavour, set()).add(arch)
             if "di" in options:
                 self._package_to_flavour_to_arch.setdefault("di", {}).setdefault(flavour, set()).add(arch)
+            if "hmac" in options:
+                self._package_to_flavour_to_arch.setdefault("hmac", {}).setdefault(flavour, set()).add(arch)
 
     @property
     def flavour_archs(self):
diff --git a/debian/scripts/generate-control b/debian/scripts/generate-control
index b9b2f48..b0c3c15 100755
--- a/debian/scripts/generate-control
+++ b/debian/scripts/generate-control
@@ -50,6 +50,20 @@  with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
              Canonical's UEFI signing key.  It is intended for the Debian installer,
              it does _not_ provide a usable kernel for your full Debian system.
         """).rstrip(), file=cfd)
+    for flavour, archs in signing.package_flavour_archs("hmac"):
+        print(dedent(f"""\
+
+            Package: linux-image-hmac-{abi_version}-{flavour}
+            Build-Profiles: <!stage1>
+            Architecture: {" ".join(archs)}
+            Section: kernel
+            Priority: optional
+            Depends: ${{misc:Depends}}, ${{shlibs:Depends}}, linux-image-{abi_version}-{flavour}
+            Suggests: fips-initramfs-generic
+            Description: HMAC file for linux kernel image {abi_version}-{flavour}
+             This package contains the HMAC file for Linux kernel image for version
+             {abi_version}-{flavour}
+            """).rstrip(), file=cfd)
     # XXX: all dbgsym packages _must_ be at the end of debian/control else the
     # build will hang forever on the builder.
     for flavour, archs in signing.package_flavour_archs("image"):