From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [groovy:linux 2/4] UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs
Date: Thu, 18 Feb 2021 16:17:52 +0000
Message-Id: <20210218161754.1840146-7-apw@canonical.com>
In-Reply-To: <20210218161754.1840146-1-apw@canonical.com>
X-Patchwork-Id: 1441751

Merge common, branch-specific, and arch-specific certs and form a certs
database for inclusion in the kernel keyring.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft --- debian.master/config/annotations | 2 +- debian.master/config/config.common.ubuntu | 2 +- debian/rules | 14 +++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index f025f78dfb11..7cce122fbfd2 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -359,7 +359,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 80ed0bdb1f15..66710b9bfaeb 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -10192,7 +10192,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y CONFIG_SYSVIPC_COMPAT=y CONFIG_SYSVIPC_SYSCTL=y 
diff --git a/debian/rules b/debian/rules index 4f64f55b8d8f..33558795e30a 100755 --- a/debian/rules +++ b/debian/rules @@ -127,7 +127,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control +clean: debian/control debian/canonical-certs.pem dh_testdir dh_testroot dh_clean @@ -225,3 +225,15 @@ debian/control: $(DEBIAN)/control.stub LANG=C kernel-wedge gen-control $(release)-$(abinum) | \ perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \ >>$(CURDIR)/debian/control + +debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/certs/*-all.pem) $(wildcard $(DEBIAN)/certs/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/certs/$$cert" ]; then \ + cat "$$dir/certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@"
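
Review bot: in the debian.master/config/annotations hunk (and the matching CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" line in config.common.ubuntu), the config now points at a generated file, but in the lines shown that file is only a prerequisite of clean, not of build. A build started in a tree where clean has not been run would reference a path that does not exist yet. Consider adding debian/canonical-certs.pem as a prerequisite of the target that prepares the kernel config, or say in the commit message which later patch in the series does that.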
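
Review bot: in the debian/rules hunk at -127, "clean: debian/control debian/canonical-certs.pem" makes clean generate the bundle rather than remove it, and make will keep an existing file whenever it is newer than the certs it finds. The prerequisites of the new rule depend on $(arch) while the target name does not, so a bundle generated for one architecture (for example one shipped in the source package) is treated as up to date on another and its arch-specific certs are never swapped. Suggest forcing regeneration (remove the file first, or make the target phony) and adding a one-line comment that clean intentionally creates this file, as it does debian/control.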
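
Review bot: in the debian/rules hunk at -225, the inner loop "for dir in $(DEBIAN) $(DROOT)" with "break" means a cert in $(DEBIAN)/certs silently replaces a same-named cert in $(DROOT)/certs, which the commit message ("Merge common, branch-specific, and arch-specific certs") does not mention. Since this decides what ends up in the kernel's trusted keyring, the override rule deserves a comment above the target, and ideally the recipe would print which file was chosen for each name. Separately, the loop writes straight to "$@" with no error check: if no cert matches the wildcards the result is an empty file, and a failing cat leaves a partial bundle that make then considers built. Writing to a temporary file and renaming it on success, and failing when the list is empty if that is not intended, would close both.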